
# Test connection using the LDAP SSO configuration saved in the account.

> Test connection using the LDAP SSO configuration saved in the account.

## OpenAPI

````json POST /sys/v1/ldap/test
{
  "openapi": "3.0.0",
  "info": {
    "title": "Fortanix DSM REST API",
    "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.",
    "termsOfService": "https://www.fortanix.com/legal/terms/",
    "contact": {
      "name": "Fortanix Support",
      "url": "https://support.fortanix.com/",
      "email": "support@fortanix.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    },
    "version": "0.1.0-20260526"
  },
  "servers": [
    {
      "url": "https://amer.smartkey.io"
    }
  ],
  "paths": {
    "/sys/v1/ldap/test": {
      "post": {
        "operationId": "TestLdapConfig",
        "tags": [
          "Misc"
        ],
        "security": [
          {
            "bearerToken": []
          },
          {
            "apiKeyAuth": []
          }
        ],
        "summary": "Test connection using the LDAP SSO configuration saved in the account.",
        "description": "Test connection using the LDAP SSO configuration saved in the account.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/LdapTestRequest"
              }
            }
          }
        },
        "responses": {
          "204": {
            "description": "Nothing is returned on success"
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "LdapTestRequest": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "ldap": {
                "$ref": "#/components/schemas/AuthConfigLdap"
              },
              "test_credentials": {
                "$ref": "#/components/schemas/LdapTestCredentials"
              }
            },
            "required": [
              "ldap"
            ]
          }
        ]
      },
      "AuthConfigLdap": {
        "allOf": [
          {
            "type": "object",
            "description": "LDAP authentication settings.",
            "properties": {
              "name": {
                "type": "string",
                "description": "A user-visible name to give this LDAP integration."
              },
              "icon_url": {
                "type": "string",
                "description": "The URL hosting an image to display for this LDAP integration.\nAn empty string can also be specified (to indicate that no\nicon needs to be displayed)."
              },
              "ldap_url": {
                "type": "string",
                "description": "The URL of the LDAP server, e.g., \"ldap://example.org\"."
              },
              "dn_resolution": {
                "$ref": "#/components/schemas/LdapDnResolution"
              },
              "tls": {
                "$ref": "#/components/schemas/TlsConfig"
              },
              "base_dn": {
                "type": "string",
                "nullable": true,
                "description": "The subtree from which to perform LDAP searches; for example,\n\"OU=users,DC=example,DC=org\"."
              },
              "user_object_class": {
                "type": "string",
                "nullable": true,
                "description": "The LDAP object class (e.g., \"User\") to use when looking up\nDSM users trying to authenticate. This field is required if\nthe DN resolution method is search-by-mail or if authorization\nsettings are enabled for this LDAP integration."
              },
              "service_account": {
                "$ref": "#/components/schemas/LdapServiceAccount"
              },
              "authorization": {
                "$ref": "#/components/schemas/LdapAuthorizationConfig"
              }
            },
            "required": [
              "name",
              "icon_url",
              "ldap_url",
              "dn_resolution",
              "tls"
            ]
          }
        ]
      },
      "LdapTestCredentials": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "password": {
                "type": "string"
              },
              "account_role": {
                "$ref": "#/components/schemas/LdapAccountRole"
              }
            },
            "required": [
              "password"
            ]
          },
          {
            "$ref": "#/components/schemas/LdapPrincipal"
          }
        ]
      },
      "LdapDnResolution": {
        "description": "Distinguished Name (DN) resolution method. Given a user's email address, a DN resolution method\nis used to find the user's DN in an LDAP directory.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/LdapDnResolutionVariantConstruct"
          },
          {
            "$ref": "#/components/schemas/LdapDnResolutionVariantSearchByMail"
          },
          {
            "$ref": "#/components/schemas/LdapDnResolutionVariantUserPrincipalName"
          }
        ],
        "discriminator": {
          "propertyName": "method",
          "mapping": {
            "construct": "LdapDnResolutionVariantConstruct",
            "search-by-mail": "LdapDnResolutionVariantSearchByMail",
            "upn": "LdapDnResolutionVariantUserPrincipalName"
          }
        }
      },
      "TlsConfig": {
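        "description": "TLS client settings. The `mode` property selects `disabled`, `opportunistic`, or `required`; in this schema only the `required` variant carries certificate-validation settings (`validate_hostname`, `ca`).",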
        "oneOf": [
          {
            "$ref": "#/components/schemas/TlsConfigVariantDisabled"
          },
          {
            "$ref": "#/components/schemas/TlsConfigVariantOpportunistic"
          },
          {
            "$ref": "#/components/schemas/TlsConfigVariantRequired"
          }
        ],
        "discriminator": {
          "propertyName": "mode",
          "mapping": {
            "disabled": "TlsConfigVariantDisabled",
            "opportunistic": "TlsConfigVariantOpportunistic",
            "required": "TlsConfigVariantRequired"
          }
        }
      },
      "LdapServiceAccount": {
        "allOf": [
          {
            "type": "object",
            "description": "Credentials used by the service to authenticate itself to an LDAP server.",
            "properties": {
              "dn": {
                "type": "string",
                "description": "Distinguished name of the service account."
              },
              "password": {
                "type": "string",
                "description": "The password for the service account."
              }
            },
            "required": [
              "dn",
              "password"
            ]
          }
        ]
      },
      "LdapAuthorizationConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "LDAP authorization settings.",
            "properties": {
              "valid_for": {
                "type": "integer",
                "description": "Number of seconds after which the authorization should be checked again."
              },
              "require_role": {
                "type": "object",
                "additionalProperties": {
                  "type": "string"
                },
                "nullable": true,
                "description": "A map from account roles to distinguished names of LDAP groups.\nIf a DN is specified for an account role, entities with that role\nmust be a member of the specified LDAP group."
              },
              "user_self_provisioning": {
                "$ref": "#/components/schemas/LdapUserSelfProvisioningConfig"
              },
              "role_conflict_resolution": {
                "$ref": "#/components/schemas/LdapRoleConflictResolution"
              }
            },
            "required": [
              "valid_for"
            ]
          }
        ]
      },
      "LdapAccountRole": {
        "description": "Role of a user or app in an account for the purpose of LDAP configurations.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/LegacyLdapAccountRole"
          },
          {
            "type": "string",
            "format": "uuid"
          }
        ]
      },
      "LdapPrincipal": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/LdapPrincipalUnresolved"
          },
          {
            "$ref": "#/components/schemas/LdapPrincipalResolved"
          }
        ]
      },
      "LdapDnResolutionVariantConstruct": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "method": {
                "type": "string",
                "enum": [
                  "construct"
                ]
              }
            },
            "required": [
              "method"
            ]
          },
          {
            "$ref": "#/components/schemas/LdapDnResolutionConstruct"
          }
        ]
      },
      "LdapDnResolutionVariantSearchByMail": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "method": {
                "type": "string",
                "enum": [
                  "search-by-mail"
                ]
              }
            },
            "required": [
              "method"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "LdapDnResolutionVariantUserPrincipalName": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "method": {
                "type": "string",
                "enum": [
                  "upn"
                ]
              }
            },
            "required": [
              "method"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "TlsConfigVariantDisabled": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "disabled"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "TlsConfigVariantOpportunistic": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "opportunistic"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "TlsConfigVariantRequired": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "mode": {
                "type": "string",
                "enum": [
                  "required"
                ]
              }
            },
            "required": [
              "mode"
            ]
          },
          {
            "$ref": "#/components/schemas/TlsConfigRequired"
          }
        ]
      },
      "LdapUserSelfProvisioningConfig": {
        "allOf": [
          {
            "type": "object",
            "description": "LDAP user self-provisioning settings. Currently, the only\nsetting available for configuration is the mapping from\nLDAP users to DSM account roles.",
            "properties": {
              "role_assignment": {
                "$ref": "#/components/schemas/LdapUserSelfProvisioningRole"
              }
            },
            "required": [
              "role_assignment"
            ]
          }
        ]
      },
      "LdapRoleConflictResolution": {
        "description": "Controls how we resolve conflicting role assignments with LDAP authorization.\n\nWhen users are authorized through LDAP, their DSM group memberships are\ndetermined by their LDAP groups and the external role mappings created in\nDSM. For example, if the user belongs to 3 LDAP groups A, B and C, and these\nLDAP groups are mapped to DSM groups G1 and G2 in the following way:\n- A -> G1 as \"group auditor\"\n- B -> G1 as \"group administrator\"\n- C -> G2 as \"group administrator\"\nThen which role should be assigned to this user in G1?\n\nThe answer to this question used to be simple before the introduction of\ncustom user roles in DSM: we took the maximum of the roles. Note that the\nlegacy roles (group admin/auditor) formed a strict \"more powerful than\"\nrelation, i.e. group administrator is strictly more powerful than group\nauditor (and the same is true for legacy account roles). However, custom user\nroles do not have that relationship anymore. Moreover, the legacy behavior\ndoes not quite square with the role exclusivity rules either since the legacy\nbehavior can also be regarded as assigning multiple exclusive roles in the\nsame group.\n\nAfter the introduction of custom user roles, we allow a user to have\nmultiple roles in one group as long as none of the roles are marked as\nexclusive. That rule is easily enforceable in the user Invite API. With LDAP\nauthorization, the group memberships are computed dynamically when the\nSelect Account API is called and it is possible that we run into conflicting\nrole assignments due to the user's LDAP group membership and the current mappings\nbetween external roles (i.e. LDAP groups) and DSM groups.",
        "type": "string",
        "enum": [
          "backcompat_legacy_roles_only",
          "disregard_exclusive_roles"
        ]
      },
      "LegacyLdapAccountRole": {
        "description": "Role of a user or app in an account for the purpose of LDAP configurations.",
        "type": "string",
        "enum": [
          "ADMIN_USER",
          "MEMBER_USER",
          "AUDITOR_USER",
          "ADMIN_APP",
          "CRYPTO_APP"
        ]
      },
      "LdapPrincipalUnresolved": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "email": {
                "type": "string",
                "format": "email"
              }
            },
            "required": [
              "email"
            ]
          }
        ]
      },
      "LdapPrincipalResolved": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "dn": {
                "type": "string"
              }
            },
            "required": [
              "dn"
            ]
          }
        ]
      },
      "LdapDnResolutionConstruct": {
        "allOf": [
          {
            "type": "object",
            "description": "Transform the user email through a pattern to derive the DN.",
            "properties": {
              "domain_format": {
                "type": "object",
                "additionalProperties": {
                  "type": "string"
                },
                "description": "For example: \"example.com\" => \"uid={},ou=users,dc=example,dc=com\"."
              }
            },
            "required": [
              "domain_format"
            ]
          }
        ]
      },
      "TlsConfigRequired": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "validate_hostname": {
                "type": "boolean"
              },
              "ca": {
                "$ref": "#/components/schemas/CaConfig"
              },
              "client_key": {
                "type": "string",
                "format": "byte"
              },
              "client_cert": {
                "type": "string",
                "format": "byte"
              }
            },
            "required": [
              "validate_hostname",
              "ca"
            ]
          }
        ]
      },
      "LdapUserSelfProvisioningRole": {
        "description": "A structure indicating how self-provisioned LDAP users will\nbe assigned account roles.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/LdapUserSelfProvisioningRoleVariantFixed"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "Fixed": "LdapUserSelfProvisioningRoleVariantFixed"
          }
        }
      },
      "CaConfig": {
        "description": "CA settings.",
        "oneOf": [
          {
            "title": "CaConfigVariantCaSet",
            "type": "object",
            "properties": {
              "ca_set": {
                "$ref": "#/components/schemas/CaSet"
              }
            },
            "required": [
              "ca_set"
            ]
          },
          {
            "title": "CaConfigVariantPinned",
            "type": "object",
            "properties": {
              "pinned": {
                "type": "array",
                "items": {
                  "type": "string",
                  "format": "byte"
                }
              }
            },
            "required": [
              "pinned"
            ]
          }
        ]
      },
      "LdapUserSelfProvisioningRoleVariantFixed": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "Fixed"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "$ref": "#/components/schemas/LdapUserSelfProvisioningRoleFixed"
          }
        ]
      },
      "CaSet": {
        "description": "Predefined CA sets.",
        "type": "string",
        "enum": [
          "global_roots"
        ]
      },
      "LdapUserSelfProvisioningRoleFixed": {
        "allOf": [
          {
            "type": "object",
            "description": "Map all self-provisioned users to a single specified account role.\n(Note that this setting only determines the role that a self-\nprovisioned user starts with; an account admin can change any user's\nrole at a later time.) A \"state enabled\" flag will be implicitly added,\nand any specified \"pending invite\" flag will be removed.",
            "properties": {
              "role": {
                "$ref": "#/components/schemas/UserAccountFlags"
              }
            },
            "required": [
              "role"
            ]
          }
        ]
      },
      "UserAccountFlags": {
        "description": "User's role(s) and state in an account.",
        "allOf": [
          {
            "type": "array",
            "uniqueItems": true,
            "items": {
              "$ref": "#/components/schemas/UserAccountFlagOrRole"
            }
          }
        ]
      },
      "UserAccountFlagOrRole": {
        "description": "User account flag or legacy user account role name or custom role id",
        "oneOf": [
          {
            "$ref": "#/components/schemas/UserAccountFlag"
          },
          {
            "$ref": "#/components/schemas/LegacyUserAccountRole"
          },
          {
            "type": "string",
            "format": "uuid"
          }
        ]
      },
      "UserAccountFlag": {
        "description": "User account flag",
        "type": "string",
        "enum": [
          "STATEENABLED",
          "PENDINGINVITE"
        ]
      },
      "LegacyUserAccountRole": {
        "description": "Legacy user account role",
        "type": "string",
        "enum": [
          "ACCOUNTADMINISTRATOR",
          "ACCOUNTMEMBER",
          "ACCOUNTAUDITOR"
        ]
      }
    }
  }
}
````

