# LDAP Protocol

{% hint style="info" %}
**Editing your IAM configuration**

With the exception of the IAM ID (also called the display name), any of these [settings](https://documentation.immuta.com/saas/configuration/people/reference-guides/ldap-protocol#configuration-options) can be changed after an IAM is configured. To edit IAM settings, click the dropdown arrow next to the IAM listed in the identity management section on the app settings page and then make your changes.
{% endhint %}

For details about the configuration options below and additional configuration options, see the [LDAP protocol reference guide](https://documentation.immuta.com/saas/configuration/people/reference-guides/ldap-protocol#configuration-options).

1. Navigate to the Immuta <i class="fa-gear">:gear:</i> **App Settings** page.
2. Scroll to the **Identity Management** section and click **Add IAM**.
3. Complete the **Display Name** field and select **LDAP/Active Directory** from the **Identity Provider Type** dropdown.
4. Complete the required fields in the **Credentials** and **Options** sections. *Note: Either **User Attribute** OR **User Search Filter** is required, not both. Completing one of these fields disables the other.*
5. Opt to **Enable Debug Logging** or **Enable SSL** by clicking the checkboxes.
6. In the **Profile Schema** section, map attributes in LDAP/Active Directory to automatically fill in a user's Immuta profile. *Fields that you specify in this schema will not be editable by users within Immuta.*\
   If usernames in your data platform align with usernames in an external IAM and those accounts align with an IAM attribute, enter the IAM attribute in the field that corresponds to your data platform:
   1. **User's Databricks Username**
   2. **User's Snowflake Username**
   3. **User's Trino Username**
   4. **User's Azure Synapse Analytics Username**
   5. **User's Redshift Username**
   6. **User's BigQuery Username**
   7. **User's AWS User**. After entering the IAM attribute in the User's AWS User field, click the **Select AWS User Type** dropdown and select one of the types below. This is used by the Amazon S3 Integration to map users in Immuta to the corresponding user type in AWS.
      * **None** (fallback to Immuta username): When selecting this option, the AWS username is assumed to be the same as the Immuta username.
      * [**AWS IAM role**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-roles): Only a single Immuta user can be mapped to an IAM role. This restriction prohibits enforcing policies on AWS users who could assume that role. Therefore, if using role principals, create a new user in Immuta that represents the role so that the role then has the permissions applied specifically to it.
      * [**AWS IAM user**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-users)
      * **AWS Identity Center user IDs**: You must use the numeric `User ID` value found in AWS IAM Identity Center, not the user's email address.
   8. **User's PostgreSQL Username**
   9. **User's Teradata Username**
7. **Enable scheduled LDAP Sync support for LDAP/Active Directory** and **Enable pagination for LDAP Sync**.
   1. Once enabled, confirm the sync schedule written in [Cron rule](https://crontab.guru/#0_*/1_*_*_*); the default is every hour.
   2. Confirm the LDAP page size for pagination; the default is 1,000.
8. [**Sync groups from LDAP/Active Directory to Immuta**](https://documentation.immuta.com/saas/configuration/people/reference-guides/ldap-protocol#group-mapping). Once enabled, map attributes in LDAP/Active Directory to automatically pull information about the groups into Immuta.
9. [**Sync attributes from LDAP/Active Directory to Immuta**](https://documentation.immuta.com/saas/configuration/people/reference-guides/ldap-protocol#attribute-mapping). Once enabled, add attribute mappings in the attribute schema. The desired attribute prefix should be mapped to the relevant schema URN.
10. Then click the **Test Connection** button.
11. Once the connection is successful, click the **Test User Login** button. *Because this test button attempts to log in, a user or group must exist in your identity provider that you have login access for.*
12. Click the **Test LDAP Sync** button.
13. **Save** your configuration.

{% hint style="warning" %}
**Multiple user accounts cannot have the same email address**

If you register user accounts that have the same email address as an existing Immuta user account, the email field for the subsequent user accounts will be left empty. For more details, see the [Identity managers reference guide](https://documentation.immuta.com/saas/configuration/people/reference-guides/index#limitations).
{% endhint %}
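An added Python example, not code from Immuta's documentation or product, that models three points from this page: the rule in step 4 that either **User Attribute** or **User Search Filter** is set but not both, the profile schema mapping in step 6 (AWS user type fallback and the numeric Identity Center User ID), and the duplicate-email limitation in the warning above. The profile field names, the `{username}` placeholder in a custom filter, and the fallback when the mapped AWS attribute is absent are assumptions; the sample directory entries are constructed.

```python
# RFC 4515 escaping for a value substituted into an LDAP search filter, so a
# username such as "a*)(uid=*" cannot change the structure of the filter.
def escape_filter_value(value: str) -> str:
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def login_filter(username: str, user_attribute=None, user_search_filter=None) -> str:
    """Build the lookup filter used for a login test. Exactly one of the two
    settings may be set, mirroring the rule that completing one disables the
    other. The "{username}" placeholder is an assumption, not Immuta syntax."""
    if bool(user_attribute) == bool(user_search_filter):
        raise ValueError("set either User Attribute or User Search Filter")
    safe = escape_filter_value(username)
    if user_attribute:
        return f"({user_attribute}={safe})"
    return user_search_filter.replace("{username}", safe)

def map_profile(entry: dict, schema: dict, immuta_username: str,
                aws_user_type: str = "none") -> dict:
    """Fill an Immuta profile from one LDAP entry; schema maps
    {profile_field: ldap_attribute}. Field names are assumptions."""
    profile = {field: entry.get(attr) for field, attr in schema.items()}
    aws = profile.get("aws_user")
    if aws_user_type == "none" or not aws:
        profile["aws_user"] = immuta_username  # fallback to Immuta username (assumed for a missing value)
    elif aws_user_type == "identity_center" and not str(aws).isdigit():
        raise ValueError("AWS Identity Center mapping needs the numeric User ID")
    return profile

def sync_users(entries: list, schema: dict, aws_user_type: str = "none") -> list:
    """Model the email limitation: a later account whose email is already
    registered gets an empty email field instead of the duplicate."""
    seen, profiles = set(), []
    for entry in entries:
        profile = map_profile(entry, schema, entry["uid"], aws_user_type)
        email = profile.get("email")
        if email in seen:
            profile["email"] = ""
        elif email:
            seen.add(email)
        profiles.append(profile)
    return profiles

# Constructed sample data (not taken from any real directory).
SCHEMA = {"email": "mail", "snowflake_user": "snowflakeUser", "aws_user": "awsUser"}
SAMPLE_ENTRIES = [
    {"uid": "jdoe", "mail": "jdoe@example.com", "snowflakeUser": "JDOE", "awsUser": "123456"},
    {"uid": "svc_jdoe", "mail": "jdoe@example.com", "snowflakeUser": "SVC_JDOE"},
]
```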
