# OpenLDAP as Active Directory proxy

When using the sAMAccount account type in combination with OpenLDAP as an Active Directory proxy,
ntopng authentication will not work because the "memberOf" attribute used by ntopng is not found.
In fact, OpenLDAP does not understand the "memberOf" attribute of AD and so it creates a
MEMBEROF (uppercase) pseudo attribute, which is not standard.

In order to make this setup work properly, the following should be added to the OpenLDAP config:

```
attributetype ( 1.2.840.113556.1.2.102
  NAME 'memberOf'
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
)
```

*IMPORTANT*

When using POSIX accounts, the LDAP server should be configured as follows in order
to work correctly with ntopng:

- Into the LDAP user configuration, note down the "uid" parameter (called "User Name"
  in OpenLDAP, not to be confused with "UidNumber"). You will need it below.

- Into the LDAP group configuration, you should add a new custom field "memberUid", with
  the same value of the user "uid" field above.

As an example, supposing there is a group "usersGroup" and a user "ntopngUser" as uid,
a new field "memberUid" should be added to the "usersGroup" configuration with "ntopngUser" as
value.

The *memberUid* (ntopngUser in this case) is the username to use for the ntopng authentication.