Update LDAP Configuration

Version 4.0.24.18

Update the LDAP configuration.

Configuring LDAP impacts authentication for all users. This configuration should be done carefully.

Only Looker administrators can read and update the LDAP configuration.

LDAP is enabled or disabled for Looker using the enabled field.

It is highly recommended that any LDAP setting changes be tested using the APIs below before being set globally.

See the Looker LDAP docs for additional information.

Calls to this endpoint may be denied by Looker (Google Cloud core).

Request

PATCH /ldap_config
Datatype
Description
Request
HTTP Request
body
HTTP Body
Expand HTTP Body definition...
body
LDAP Config
Expand LDAPConfig definition...
can
object
Operations the current user is able to perform on this object
alternate_email_login_allowed
boolean
Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.
auth_password
string
(Write-Only) Password for the LDAP account used to access the LDAP server
auth_requires_role
boolean
Users will not be allowed to login at all unless a role for them is found in LDAP if set to true
auth_username
string
Distinguished name of LDAP account used to access the LDAP server
connection_host
string
LDAP server hostname
connection_port
string
LDAP host port
connection_tls
boolean
Use Transport Layer Security
connection_tls_no_verify
boolean
Do not verify peer when using TLS
default_new_user_group_ids
string[]
default_new_user_groups
Group[]
default_new_user_role_ids
string[]
default_new_user_roles
Role[]
enabled
boolean
Enable/Disable LDAP authentication for the server
force_no_page
boolean
Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.
groups
groups_base_dn
string
Base dn for finding groups in LDAP searches
groups_finder_type
string
Identifier for a strategy for how Looker will search for groups in the LDAP server
groups_member_attribute
string
LDAP Group attribute that signifies the members of the groups. Most commonly 'member'
groups_objectclasses
string
Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches
groups_user_attribute
string
LDAP Group attribute that signifies the user in a group. Most commonly 'dn'
groups_with_role_ids
has_auth_password
boolean
(Read-only) Has the password been set for the LDAP account used to access the LDAP server
merge_new_users_by_email
boolean
Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.
modified_at
string
When this config was last modified
modified_by
string
User id of user who last modified this config
set_roles_from_groups
boolean
Set user roles in Looker based on groups from LDAP
test_ldap_password
string
(Write-Only) Test LDAP user password. For ldap tests only.
test_ldap_user
string
(Write-Only) Test LDAP user login id. For ldap tests only.
user_attribute_map_email
string
Name of user record attributes used to indicate email address field
user_attribute_map_first_name
string
Name of user record attributes used to indicate first name
user_attribute_map_last_name
string
Name of user record attributes used to indicate last name
user_attribute_map_ldap_id
string
Name of user record attributes used to indicate unique record id
user_attributes
user_attributes_with_ids
user_bind_base_dn
string
Distinguished name of LDAP node used as the base for user searches
user_custom_filter
string
(Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.
user_id_attribute_names
string
Name(s) of user record attributes used for matching user login id (comma separated list)
user_objectclass
string
(Optional) Name of user record objectclass used for finding user during login id
allow_normal_group_membership
boolean
Allow LDAP auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login.
allow_roles_from_normal_groups
boolean
LDAP auth'd users will be able to inherit roles from non-reflected Looker groups.
allow_direct_roles
boolean
Allows roles to be directly assigned to LDAP auth'd users.
url
string
Link to get this item

Response

200: New state for LDAP Configuration.

Datatype
Description
(object)
can
object
Operations the current user is able to perform on this object
alternate_email_login_allowed
boolean
Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.
auth_password
string
(Write-Only) Password for the LDAP account used to access the LDAP server
auth_requires_role
boolean
Users will not be allowed to login at all unless a role for them is found in LDAP if set to true
auth_username
string
Distinguished name of LDAP account used to access the LDAP server
connection_host
string
LDAP server hostname
connection_port
string
LDAP host port
connection_tls
boolean
Use Transport Layer Security
connection_tls_no_verify
boolean
Do not verify peer when using TLS
default_new_user_group_ids
string[]
default_new_user_groups
Group[]
Expand Group definition...
can
object
Operations the current user is able to perform on this object
can_add_to_content_metadata
boolean
Group can be used in content access controls
contains_current_user
boolean
Currently logged in user is group member
external_group_id
string
External Id group if embed group
externally_managed
boolean
Group membership controlled outside of Looker
id
string
Unique Id
include_by_default
boolean
New users are added to this group by default
name
string
Name of group
user_count
integer
Number of users included in this group
default_new_user_role_ids
string[]
default_new_user_roles
Role[]
Expand Role definition...
can
object
Operations the current user is able to perform on this object
id
string
Unique Id
name
string
Name of Role
permission_set
(Read only) Permission set
Expand PermissionSet definition...
can
object
Operations the current user is able to perform on this object
all_access
boolean
built_in
boolean
id
string
Unique Id
name
string
Name of PermissionSet
permissions
string[]
url
string
Link to get this item
permission_set_id
string
(Write-Only) Id of permission set
model_set
(Read only) Model set
Expand ModelSet definition...
can
object
Operations the current user is able to perform on this object
all_access
boolean
built_in
boolean
id
string
Unique Id
models
string[]
name
string
Name of ModelSet
url
string
Link to get this item
model_set_id
string
(Write-Only) Id of model set
url
string
Link to get this item
users_url
string
Link to get list of users with this role
enabled
boolean
Enable/Disable LDAP authentication for the server
force_no_page
boolean
Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.
groups
Expand LDAPGroupRead definition...
id
string
Unique Id
looker_group_id
string
Unique Id of group in Looker
looker_group_name
string
Name of group in Looker
name
string
Name of group in LDAP
roles
Role[]
Expand Role definition...
can
object
Operations the current user is able to perform on this object
id
string
Unique Id
name
string
Name of Role
permission_set
(Read only) Permission set
permission_set_id
string
(Write-Only) Id of permission set
model_set
(Read only) Model set
model_set_id
string
(Write-Only) Id of model set
url
string
Link to get this item
users_url
string
Link to get list of users with this role
url
string
Link to ldap config
groups_base_dn
string
Base dn for finding groups in LDAP searches
groups_finder_type
string
Identifier for a strategy for how Looker will search for groups in the LDAP server
groups_member_attribute
string
LDAP Group attribute that signifies the members of the groups. Most commonly 'member'
groups_objectclasses
string
Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches
groups_user_attribute
string
LDAP Group attribute that signifies the user in a group. Most commonly 'dn'
groups_with_role_ids
Expand LDAPGroupWrite definition...
id
string
Unique Id
looker_group_id
string
Unique Id of group in Looker
looker_group_name
string
Name of group in Looker
name
string
Name of group in LDAP
role_ids
string[]
url
string
Link to ldap config
has_auth_password
boolean
(Read-only) Has the password been set for the LDAP account used to access the LDAP server
merge_new_users_by_email
boolean
Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.
modified_at
string
When this config was last modified
modified_by
string
User id of user who last modified this config
set_roles_from_groups
boolean
Set user roles in Looker based on groups from LDAP
test_ldap_password
string
(Write-Only) Test LDAP user password. For ldap tests only.
test_ldap_user
string
(Write-Only) Test LDAP user login id. For ldap tests only.
user_attribute_map_email
string
Name of user record attributes used to indicate email address field
user_attribute_map_first_name
string
Name of user record attributes used to indicate first name
user_attribute_map_last_name
string
Name of user record attributes used to indicate last name
user_attribute_map_ldap_id
string
Name of user record attributes used to indicate unique record id
user_attributes
Expand LDAPUserAttributeRead definition...
name
string
Name of User Attribute in LDAP
required
boolean
Required to be in LDAP assertion for login to be allowed to succeed
user_attributes
Expand UserAttribute definition...
can
object
Operations the current user is able to perform on this object
id
string
Unique Id
name
string
Name of user attribute
label
string
Human-friendly label for user attribute
type
string
Type of user attribute ("string", "number", "datetime", "yesno", "zipcode", "advanced_filter_string", "advanced_filter_number")
default_value
string
Default value for when no value is set on the user
is_system
boolean
Attribute is a system default
is_permanent
boolean
Attribute is permanent and cannot be deleted
value_is_hidden
boolean
If true, users will not be able to view values of this attribute
user_can_view
boolean
Non-admin users can see the values of their attributes and use them in filters
user_can_edit
boolean
Users can change the value of this attribute for themselves
hidden_value_domain_whitelist
string
Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
url
string
Link to ldap config
user_attributes_with_ids
Expand LDAPUserAttributeWrite definition...
name
string
Name of User Attribute in LDAP
required
boolean
Required to be in LDAP assertion for login to be allowed to succeed
user_attribute_ids
string[]
url
string
Link to ldap config
user_bind_base_dn
string
Distinguished name of LDAP node used as the base for user searches
user_custom_filter
string
(Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.
user_id_attribute_names
string
Name(s) of user record attributes used for matching user login id (comma separated list)
user_objectclass
string
(Optional) Name of user record objectclass used for finding user during login id
allow_normal_group_membership
boolean
Allow LDAP auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login.
allow_roles_from_normal_groups
boolean
LDAP auth'd users will be able to inherit roles from non-reflected Looker groups.
allow_direct_roles
boolean
Allows roles to be directly assigned to LDAP auth'd users.
url
string
Link to get this item

400: Bad Request

Datatype
Description
(object)
message
string
Error details
documentation_url
string
Documentation link

403: Permission Denied

Datatype
Description
(object)
message
string
Error details
documentation_url
string
Documentation link

404: Not Found

Datatype
Description
(object)
message
string
Error details
documentation_url
string
Documentation link

422: Validation Error

Datatype
Description
(object)
message
string
Error details
Expand ValidationErrorDetail definition...
field
string
Field with error
code
string
Error code
message
string
Error info message
documentation_url
string
Documentation link
documentation_url
string
Documentation link

429: Too Many Requests

Datatype
Description
(object)
message
string
Error details
documentation_url
string
Documentation link