Note that you are viewing Looker documentation. For Looker Studio documentation, visit https://support.google.com/looker-studio.

Get LDAP Configuration

Version 4.0.24.6 (latest)

Get the LDAP configuration.

Looker can be optionally configured to authenticate users against an Active Directory or other LDAP directory server. LDAP setup requires coordination with an administrator of that directory server.

Only Looker administrators can read and update the LDAP configuration.

Configuring LDAP impacts authentication for all users. This configuration should be done carefully.

Looker maintains a single LDAP configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct).

LDAP is enabled or disabled for Looker using the enabled field.

Looker will never return an auth_password field. That value can be set, but never retrieved.

See the Looker LDAP docs for additional information.

Calls to this endpoint may be denied by Looker (Google Cloud core).

Request

GET /ldap_config

Datatype

Description

Request

HTTP Request

Response

200: LDAP Configuration.

Datatype

Description

(object)

LDAPConfig

can

object

Operations the current user is able to perform on this object

alternate_email_login_allowed

boolean

Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.

auth_password

string

(Write-Only) Password for the LDAP account used to access the LDAP server

auth_requires_role

boolean

Users will not be allowed to login at all unless a role for them is found in LDAP if set to true

auth_username

string

Distinguished name of LDAP account used to access the LDAP server

connection_host

string

LDAP server hostname

connection_port

string

LDAP host port

connection_tls

boolean

Use Transport Layer Security

connection_tls_no_verify

boolean

Do not verify peer when using TLS

default_new_user_group_ids

string[]

default_new_user_groups

Group[]

Expand Group definition...

can

object

Operations the current user is able to perform on this object

can_add_to_content_metadata

boolean

Group can be used in content access controls

contains_current_user

boolean

Currently logged in user is group member

external_group_id

string

External Id group if embed group

externally_managed

boolean

Group membership controlled outside of Looker

string

Unique Id

include_by_default

boolean

New users are added to this group by default

name

string

Name of group

user_count

integer

Number of users included in this group

default_new_user_role_ids

string[]

default_new_user_roles

Role[]

Expand Role definition...

can

object

Operations the current user is able to perform on this object

string

Unique Id

name

string

Name of Role

permission_set

PermissionSet

(Read only) Permission set

Expand PermissionSet definition...

can

object

Operations the current user is able to perform on this object

all_access

boolean

built_in

boolean

string

Unique Id

name

string

Name of PermissionSet

permissions

string[]

url

string

Link to get this item

permission_set_id

string

(Write-Only) Id of permission set

model_set

ModelSet

(Read only) Model set

Expand ModelSet definition...

can

object

Operations the current user is able to perform on this object

all_access

boolean

built_in

boolean

string

Unique Id

models

string[]

name

string

Name of ModelSet

url

string

Link to get this item

model_set_id

string

(Write-Only) Id of model set

url

string

Link to get this item

users_url

string

Link to get list of users with this role

enabled

boolean

Enable/Disable LDAP authentication for the server

force_no_page

boolean

Don't attempt to do LDAP search result paging (RFC 2696) even if the LDAP server claims to support it.

groups

LDAPGroupRead[]

Expand LDAPGroupRead definition...

string

Unique Id

looker_group_id

string

Unique Id of group in Looker

looker_group_name

string

Name of group in Looker

name

string

Name of group in LDAP

roles

Role[]

Expand Role definition...

can

object

Operations the current user is able to perform on this object

string

Unique Id

name

string

Name of Role

permission_set

PermissionSet

(Read only) Permission set

permission_set_id

string

(Write-Only) Id of permission set

model_set

ModelSet

(Read only) Model set

model_set_id

string

(Write-Only) Id of model set

url

string

Link to get this item

users_url

string

Link to get list of users with this role

url

string

Link to ldap config

groups_base_dn

string

Base dn for finding groups in LDAP searches

groups_finder_type

string

Identifier for a strategy for how Looker will search for groups in the LDAP server

groups_member_attribute

string

LDAP Group attribute that signifies the members of the groups. Most commonly 'member'

groups_objectclasses

string

Optional comma-separated list of supported LDAP objectclass for groups when doing groups searches

groups_user_attribute

string

LDAP Group attribute that signifies the user in a group. Most commonly 'dn'

groups_with_role_ids

LDAPGroupWrite[]

Expand LDAPGroupWrite definition...

string

Unique Id

looker_group_id

string

Unique Id of group in Looker

looker_group_name

string

Name of group in Looker

name

string

Name of group in LDAP

role_ids

string[]

url

string

Link to ldap config

has_auth_password

boolean

(Read-only) Has the password been set for the LDAP account used to access the LDAP server

merge_new_users_by_email

boolean

Merge first-time ldap login to existing user account by email addresses. When a user logs in for the first time via ldap this option will connect this user into their existing account by finding the account with a matching email address. Otherwise a new user account will be created for the user.

modified_at

string

When this config was last modified

modified_by

string

User id of user who last modified this config

set_roles_from_groups

boolean

Set user roles in Looker based on groups from LDAP

test_ldap_password

string

(Write-Only) Test LDAP user password. For ldap tests only.

test_ldap_user

string

(Write-Only) Test LDAP user login id. For ldap tests only.

user_attribute_map_email

string

Name of user record attributes used to indicate email address field

user_attribute_map_first_name

string

Name of user record attributes used to indicate first name

user_attribute_map_last_name

string

Name of user record attributes used to indicate last name

user_attribute_map_ldap_id

string

Name of user record attributes used to indicate unique record id

user_attributes

LDAPUserAttributeRead[]

Expand LDAPUserAttributeRead definition...

name

string

Name of User Attribute in LDAP

required

boolean

Required to be in LDAP assertion for login to be allowed to succeed

user_attributes

UserAttribute[]

Expand UserAttribute definition...

can

object

Operations the current user is able to perform on this object

string

Unique Id

name

string

Name of user attribute

label

string

Human-friendly label for user attribute

type

string

Type of user attribute ("string", "number", "datetime", "yesno", "zipcode", "advanced_filter_string", "advanced_filter_number")

default_value

string

Default value for when no value is set on the user

is_system

boolean

Attribute is a system default

is_permanent

boolean

Attribute is permanent and cannot be deleted

value_is_hidden

boolean

If true, users will not be able to view values of this attribute

user_can_view

boolean

Non-admin users can see the values of their attributes and use them in filters

user_can_edit

boolean

Users can change the value of this attribute for themselves

hidden_value_domain_whitelist

string

Destinations to which a hidden attribute may be sent. Once set, cannot be edited.

url

string

Link to ldap config

user_attributes_with_ids

LDAPUserAttributeWrite[]

Expand LDAPUserAttributeWrite definition...

name

string

Name of User Attribute in LDAP

required

boolean

Required to be in LDAP assertion for login to be allowed to succeed

user_attribute_ids

string[]

url

string

Link to ldap config

user_bind_base_dn

string

Distinguished name of LDAP node used as the base for user searches

user_custom_filter

string

(Optional) Custom RFC-2254 filter clause for use in finding user during login. Combined via 'and' with the other generated filter clauses.

user_id_attribute_names

string

Name(s) of user record attributes used for matching user login id (comma separated list)

user_objectclass

string

(Optional) Name of user record objectclass used for finding user during login id

allow_normal_group_membership

boolean

Allow LDAP auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login.

allow_roles_from_normal_groups

boolean

LDAP auth'd users will be able to inherit roles from non-reflected Looker groups.

allow_direct_roles

boolean

Allows roles to be directly assigned to LDAP auth'd users.

url

string

Link to get this item

403: Permission Denied

Datatype

Description

(object)

Error

message

string

Error details

documentation_url

string

Documentation link

404: Not Found

Datatype

Description

(object)

Error

message

string

Error details

documentation_url

string

Documentation link

429: Too Many Requests

Datatype

Description

(object)

Error

message

string

Error details

documentation_url

string

Documentation link