Skip to main content



Configure LDAP for Active Directory


Explains what the feature is or what its benefits are to the user or customer.


Use this procedure to set up integration with LDAP using Active Directory.

Before you configure LDAP for Active Directory, collect this information:

  • URL to connect to Active Directory.

    For example, ldap://

  • Default LDAP domain.

    The default domain is the domain under which users who want to be authenticated against Active Directory reside. When a user logs in with a username, the default domain is added to the username before sending it to the LDAP server. If users reside in multiple domains, you can still designate one of them as the default. Users belonging to a non-default domain will have to explicitly qualify their username when they log in, for example:

  • Whether you will use SSL.

    If yes, you'll need the certificate from the issuing authority.

  • Also use ThoughtSpot internal authentication?

    If you choose 'yes' for this, when a user logs in, ThoughtSpot will first attempt to authenticate the user against LDAP. If that attempt fails, it will then attempt to authenticate the user against ThoughtSpot. If either of these succeed, then the user is successfully logged in. This option is useful in scenarios where some users are not in LDAP and are created only in ThoughtSpot.

  • Automatically add LDAP users in ThoughtSpot?

    If you choose 'yes' for this, when a user is authenticated against LDAP, if that user does not exist in ThoughtSpot, then the user is automatically created. When users are created in this way, their passwords exist only in LDAP and are not stored in ThoughtSpot.

    In order to log in to ThoughtSpot, the user has to exist in ThoughtSpot independent of whether that user is authenticated against LDAP or against ThoughtSpot's internal authentication. If you choose 'no' for this, users who will authenticate against LDAP have to be manually created with a dummy password as a placeholder in ThoughtSpot before they can log in. The username you specify when creating the LDAP authenticated user manually in ThoughtSpot has to be domain qualified, for example:

Use the tscli command line to configure LDAP for Active Directory:

  1. Create a user called tsadmin on your LDAP server. This is the pre-defined superuser in ThoughtSpot, and its name is required to be tsadmin.
  2. Log In to the Linux Shell Using SSH.
  3. Run the command to configure LDAP:
    $ tscli ldap configure
  4. Answer the prompts using the information you collected. For example:
    Choose the LDAP protocol:
    [1] Active Directory
    [2] OpenLDAP
    Option number: 1
    Configuring Active Directory
    URL to connect to Active Directory. (Example: ldap:// ldap://
    Default domain (Example:
    Use SSL (LDAPS) (y/n): n
    Also use ThoughtSpot internal authentication (y/n): y
    Automatically add LDAP users in ThoughtSpot (y/n): y
  5. Add the search base information that allows ThoughtSpot to find user properties such as email and displayname from LDAP. Do this step if you are configuring LDAP for the first time, or if you are upgrading from a prior version of ThoughtSpot. Use this tscli command, specifying the structure under the domain name where user properties are stored for <search_base>.
    $ tscli --adv service add-javaopt tomcat.tomcat D orion.ldapSearchBase <search_base>
    For example, for the configuration shown here:

    LDAP user properties in Active Directory

    The command to set the search base would be:
    $ tscli --adv service add-javaopt tomcat.tomcat D orion.ldapSearchBase "OU=Users,OU=Active,OU=IT"
  6. If you are using SSL, Add the SSL Certificate for LDAP.
  7. If you want to remove the LDAP configuration, issue:
    $ tscli ldap purge-configuration
  • Was this article helpful?