Stay organized with collections
Save and categorize content based on your preferences.
Version 4.0.25.14 (latest)
Test the user authentication settings for an LDAP configuration.
This test accepts a full LDAP configuration along with a username/password pair and attempts to authenticate the user with the LDAP server. The configuration is validated before attempting the authentication.
Looker will never return an auth_password. If this request omits the auth_password field, then the auth_password value from the active config (if present) will be used for the test.
test_ldap_user and test_ldap_password are required.
Operations the current user is able to perform on this object
alternate_email_login_allowed
boolean
Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.
auth_password
string
(Write-Only) Password for the LDAP account used to access the LDAP server
auth_requires_role
boolean
Users will not be allowed to login at all unless a role for them is found in LDAP if set to true
auth_username
string
Distinguished name of LDAP account used to access the LDAP server
(Read-only) Has the password been set for the LDAP account used to access the LDAP server
merge_new_users_by_email
boolean
Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.
modified_at
lock
string
When this config was last modified
modified_by
lock
string
User id of user who last modified this config
set_roles_from_groups
boolean
Set user roles in Looker based on groups from LDAP
test_ldap_password
string
(Write-Only) Test LDAP user password. For ldap tests only.
test_ldap_user
string
(Write-Only) Test LDAP user login id. For ldap tests only.
user_attribute_map_email
string
Name of user record attributes used to indicate email address field
user_attribute_map_first_name
string
Name of user record attributes used to indicate first name
user_attribute_map_last_name
string
Name of user record attributes used to indicate last name
user_attribute_map_ldap_id
string
Name of user record attributes used to indicate unique record id
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-20 UTC."],[],[],null,["# Test LDAP User Auth\n\nVersion 4.0.25.14 (latest)\n\n### Test the user authentication settings for an LDAP configuration.\n\nThis test accepts a full LDAP configuration along with a username/password pair and attempts to authenticate the user with the LDAP server. The configuration is validated before attempting the authentication.\n\nLooker will never return an **auth_password** . If this request omits the **auth_password** field, then the **auth_password** value from the active config (if present) will be used for the test.\n\n**test_ldap_user** and **test_ldap_password** are required.\n\nThe active LDAP settings are not modified.\n\nCalls to this endpoint may be denied by [Looker (Google Cloud core)](https://cloud.google.com/looker/docs/r/looker-core/overview).\n\nRequest\n-------\n\nPUT /ldap_config/test_user_auth \nDatatype \nDescription \nRequest \nHTTP Request \nbody \nHTTP Body \nExpand HTTP Body definition... \nbody \n[LDAPConfig](/looker/docs/reference/looker-api/latest/types/LDAPConfig) \nLDAP Config\nExpand LDAPConfig definition... \ncan \n*lock* \nobject \nOperations the current user is able to perform on this object \nalternate_email_login_allowed \nboolean \nAllow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled. \nauth_password \nstring \n(Write-Only) Password for the LDAP account used to access the LDAP server \nauth_requires_role \nboolean \nUsers will not be allowed to login at all unless a role for them is found in LDAP if set to true \nauth_username \nstring \nDistinguished name of LDAP account used to access the LDAP server \nconnection_host \nstring \nLDAP server hostname \nconnection_port \nstring \nLDAP host port \nconnection_tls \nboolean \nUse Transport Layer Security \nconnection_tls_no_verify \nboolean \nDo not verify peer when using TLS \ndefault_new_user_group_ids \nstring\\[\\] \ndefault_new_user_groups \n[Group](/looker/docs/reference/looker-api/latest/types/Group)\\[\\] \ndefault_new_user_role_ids \nstring\\[\\] \ndefault_new_user_roles \n[Role](/looker/docs/reference/looker-api/latest/types/Role)\\[\\] \nenabled \nboolean \nEnable/Disable LDAP authentication for the server \nforce_no_page \nboolean \nDon't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it. \ngroups \n[LDAPGroupRead](/looker/docs/reference/looker-api/latest/types/LDAPGroupRead)\\[\\] \ngroups_base_dn \nstring \nBase dn for finding groups in LDAP searches \ngroups_finder_type \nstring \nIdentifier for a strategy for how Looker will search for groups in the LDAP server \ngroups_member_attribute \nstring \nLDAP Group attribute that signifies the members of the groups. Most commonly 'member' \ngroups_objectclasses \nstring \nOptional comma-separated list of supported LDAP objectclass for groups when doing groups searches \ngroups_user_attribute \nstring \nLDAP Group attribute that signifies the user in a group. Most commonly 'dn' \ngroups_with_role_ids \n[LDAPGroupWrite](/looker/docs/reference/looker-api/latest/types/LDAPGroupWrite)\\[\\] \nhas_auth_password \n*lock* \nboolean \n(Read-only) Has the password been set for the LDAP account used to access the LDAP server \nmerge_new_users_by_email \nboolean \nMerge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user. \nmodified_at \n*lock* \nstring \nWhen this config was last modified \nmodified_by \n*lock* \nstring \nUser id of user who last modified this config \nset_roles_from_groups \nboolean \nSet user roles in Looker based on groups from LDAP \ntest_ldap_password \nstring \n(Write-Only) Test LDAP user password. For ldap tests only. \ntest_ldap_user \nstring \n(Write-Only) Test LDAP user login id. For ldap tests only. \nuser_attribute_map_email \nstring \nName of user record attributes used to indicate email address field \nuser_attribute_map_first_name \nstring \nName of user record attributes used to indicate first name \nuser_attribute_map_last_name \nstring \nName of user record attributes used to indicate last name \nuser_attribute_map_ldap_id \nstring \nName of user record attributes used to indicate unique record id \nuser_attributes \n[LDAPUserAttributeRead](/looker/docs/reference/looker-api/latest/types/LDAPUserAttributeRead)\\[\\] \nuser_attributes_with_ids \n[LDAPUserAttributeWrite](/looker/docs/reference/looker-api/latest/types/LDAPUserAttributeWrite)\\[\\] \nuser_bind_base_dn \nstring \nDistinguished name of LDAP node used as the base for user searches \nuser_custom_filter \nstring \n(Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses. \nuser_id_attribute_names \nstring \nName(s) of user record attributes used for matching user login id (comma separated list) \nuser_objectclass \nstring \n(Optional) Name of user record objectclass used for finding user during login id \nallow_normal_group_membership \nboolean \nAllow LDAP auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login. \nallow_roles_from_normal_groups \nboolean \nLDAP auth'd users will be able to inherit roles from non-reflected Looker groups. \nallow_direct_roles \nboolean \nAllows roles to be directly assigned to LDAP auth'd users. \nurl \n*lock* \nstring \nLink to get this item\n\nResponse\n--------\n\n### 200: Result info.\n\nDatatype \nDescription \n(object) \n[LDAPConfigTestResult](/looker/docs/reference/looker-api/latest/types/LDAPConfigTestResult) \ndetails \n*lock* \nstring \nAdditional details for error cases \nissues \n[LDAPConfigTestIssue](/looker/docs/reference/looker-api/latest/types/LDAPConfigTestIssue)\\[\\] \nExpand LDAPConfigTestIssue definition... \nseverity \n*lock* \nstring \nSeverity of the issue. Error or Warning \nmessage \n*lock* \nstring \nMessage describing the issue \nmessage \n*lock* \nstring \nShort human readable test about the result \nstatus \n*lock* \nstring \nTest status code: always 'success' or 'error' \ntrace \n*lock* \nstring \nA more detailed trace of incremental results during auth tests \nuser \n*lock* \n[LDAPUser](/looker/docs/reference/looker-api/latest/types/LDAPUser) \nUser details from LDAP server for auth tests\nExpand LDAPUser definition... \nall_emails \nstring\\[\\] \nattributes \n*lock* \nobject \nDictionary of user's attributes (name/value) \nemail \n*lock* \nstring \nPrimary email address \nfirst_name \n*lock* \nstring \nFirst name \ngroups \nstring\\[\\] \nlast_name \n*lock* \nstring \nLast Name \nldap_dn \n*lock* \nstring \nLDAP's distinguished name for the user record \nldap_id \n*lock* \nstring \nLDAP's Unique ID for the user \nroles \nstring\\[\\] \nurl \n*lock* \nstring \nLink to ldap config \nurl \n*lock* \nstring \nLink to ldap config\n\n### 400: Bad Request\n\nDatatype \nDescription \n(object) \n[Error](/looker/docs/reference/looker-api/latest/types/Error) \nmessage \n*lock* \nstring \nError details \ndocumentation_url \n*lock* \nstring \nDocumentation link\n\n### 403: Permission Denied\n\nDatatype \nDescription \n(object) \n[Error](/looker/docs/reference/looker-api/latest/types/Error) \nmessage \n*lock* \nstring \nError details \ndocumentation_url \n*lock* \nstring \nDocumentation link\n\n### 404: Not Found\n\nDatatype \nDescription \n(object) \n[Error](/looker/docs/reference/looker-api/latest/types/Error) \nmessage \n*lock* \nstring \nError details \ndocumentation_url \n*lock* \nstring \nDocumentation link\n\n### 422: Validation Error\n\nDatatype \nDescription \n(object) \n[ValidationError](/looker/docs/reference/looker-api/latest/types/ValidationError) \nmessage \n*lock* \nstring \nError details \nerrors \n[ValidationErrorDetail](/looker/docs/reference/looker-api/latest/types/ValidationErrorDetail)\\[\\] \nExpand ValidationErrorDetail definition... \nfield \n*lock* \nstring \nField with error \ncode \n*lock* \nstring \nError code \nmessage \n*lock* \nstring \nError info message \ndocumentation_url \n*lock* \nstring \nDocumentation link \ndocumentation_url \n*lock* \nstring \nDocumentation link\n\n### 429: Too Many Requests\n\nDatatype \nDescription \n(object) \n[Error](/looker/docs/reference/looker-api/latest/types/Error) \nmessage \n*lock* \nstring \nError details \ndocumentation_url \n*lock* \nstring \nDocumentation link"]]
