Note: The `default-authentication-flow` validates MFA by default, and currently everything but SMS-based devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at [Create LDAP Provider](https://goauthentik.io/docs/providers/ldap/generic_setup#create-ldap-provider)
### LDAP Flow[](https://goauthentik.io/docs/providers/ldap/generic_setup#ldap-flow "Direct link to LDAP Flow") #### Create Custom Stages[](https://goauthentik.io/docs/providers/ldap/generic_setup#create-custom-stages "Direct link to Create Custom Stages") 1. Create a new identification stage. *Flows & Stage* -> *Stages* -> *Create*  2. Name it something meaningful like `ldap-identification-stage`. Select User fields Username and Email (and UPN if it is relevant to your setup).  3. Create a new password stage. *Flows & Stage* -> *Stages* -> *Create*  4. Name it something meaningful like `ldap-authentication-password`. Leave the defaults for Backends.  5. Create a new user login stage. *Flows & Stage* -> *Stages* -> *Create*  6. Name it something meaningful like `ldap-authentication-login`.  #### Create Custom Flow[](https://goauthentik.io/docs/providers/ldap/generic_setup#create-custom-flow "Direct link to Create Custom Flow") 1. Create a new authentication flow under *Flows & Stage* -> *Flows* -> *Create*, and name it something meaningful like `ldap-authentication-flow`  2. Click the newly created flow and choose *Stage Bindings*.  3. Click `Bind Stage` choose `ldap-identification-stage` and set the order to `10`.  4. Click `Bind Stage` choose `ldap-authentication-login` and set the order to `30`.  5. Edit the `ldap-identification-stage`.  6. Change the Password stage to `ldap-authentication-password`.  ### Create LDAP Provider[](https://goauthentik.io/docs/providers/ldap/generic_setup#create-ldap-provider "Direct link to Create LDAP Provider") 1. Create the LDAP Provider under *Applications* -> *Providers* -> *Create*.  2. Name is something meaningful like `LDAP`, bind the custom flow created previously (or the default flow, depending on setup) and specify the search group created earlier.  ### Create LDAP Application[](https://goauthentik.io/docs/providers/ldap/generic_setup#create-ldap-application "Direct link to Create LDAP Application") 1. Create the LDAP Application under *Applications* -> *Applications* -> *Create* and name it something meaningful like `LDAP`. Choose the provider created in the previous step.  ### Create LDAP Outpost[](https://goauthentik.io/docs/providers/ldap/generic_setup#create-ldap-outpost "Direct link to Create LDAP Outpost") 1. Create (or update) the LDAP Outpost under *Applications* -> *Outposts* -> *Create*. Set the Type to `LDAP` and choose the `LDAP` application created in the previous step. INFO The LDAP Outpost selects different providers based on their Base DN. Adding multiple providers with the same Base DN will result in inconsistent access
### ldapsearch Test[](https://goauthentik.io/docs/providers/ldap/generic_setup#ldapsearch-test "Direct link to ldapsearch Test") Test connectivity by using ldapsearch.INFO ldapsearch can be installed on Linux system with these commands
``` sudo apt-get install ldap-utils -y # Debian-based systems sudo yum install openldap-clients -y # CentOS-based systems ``` ``` ldapsearch \ -x \ -h