# Authenticating via LDAP

An alternative to managing users locally is to use LDAP authentication. LDAP authentication is set up manually by providing an access manager plugin in the console’s configuration.properties file. Please see Console server configuration below for more information.

Within the LDAP server itself, the following attributes must be set for each user:

```
sn=[User's surname]
givenName=[User's given name]
mail=[User's email address]
```

In addition, each user must be a member of (memberOf) one of the following groups:

```
TomorrowUserType_Admin
TomorrowUserType_Security
TomorrowUserType_Super
TomorrowUserType_User
```

Optionally, the user can also be a member of the following group:

```
TomorrowUserRole_[A valid and defined user role within the console]
```

For example, if a role named Tester exists, then the user can be enrolled into that role by setting:

```
memberOf=TomorrowUserRole_Tester
```
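
Before switching the console to LDAP, it helps to check exported directory entries against the requirements above. The following is an added example, not part of the product or its documentation. It assumes entries are supplied as unfolded, non-base64 LDIF text, that `memberOf` holds either a bare group name or a group DN whose leading RDN is `CN=<group name>`, and that the caller supplies the role names defined in the console. All function names and sample entries are constructed for illustration.

```python
import re

REQUIRED_ATTRS = ("sn", "givenName", "mail")
USER_TYPES = {"TomorrowUserType_Admin", "TomorrowUserType_Security",
              "TomorrowUserType_Super", "TomorrowUserType_User"}
ROLE_PREFIX = "TomorrowUserRole_"

def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry into {lowercased attribute: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        if value.strip():  # skip blank lines and attributes with empty values
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def group_name(member_of):
    """Bare group name, or the leading CN of a group DN (assumed DN layout)."""
    m = re.match(r"\s*cn=((?:\\.|[^,\\])+)", member_of, re.IGNORECASE)
    return m.group(1).strip() if m else member_of.strip()

def check_user(entry, defined_roles):
    """Check an entry: required attributes, a user-type group, known roles."""
    groups = [group_name(v) for v in entry.get("memberof", [])]
    roles = [g[len(ROLE_PREFIX):] for g in groups if g.startswith(ROLE_PREFIX)]
    result = {
        "missing_attrs": [a for a in REQUIRED_ATTRS if not entry.get(a.lower())],
        "user_types": sorted(g for g in groups if g in USER_TYPES),
        "roles": roles,
        "undefined_roles": [r for r in roles if r not in defined_roles],
    }
    result["ok"] = (not result["missing_attrs"] and bool(result["user_types"])
                    and not result["undefined_roles"])
    return result

# Constructed sample entries (not from the original page).
SAMPLE_OK = """dn: CN=Alice Example,OU=Staff,DC=example,DC=com
sn: Example
givenName: Alice
mail: alice@example.com
memberOf: CN=TomorrowUserType_User,OU=Groups,DC=example,DC=com
memberOf: CN=TomorrowUserRole_Tester,OU=Groups,DC=example,DC=com"""
SAMPLE_BAD = """dn: CN=Bob Example,OU=Staff,DC=example,DC=com
sn: Example
givenName: Bob
memberOf: CN=TomorrowUserRole_Auditor,OU=Groups,DC=example,DC=com"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(check_user(parse_ldif_entry(sample), defined_roles={"Tester"}))
```

The `user_types` list in the result also shows which privilege level each directory account would receive, which is worth reviewing for the Admin, Security and Super groups.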


