Configuring authentication against Active Directory

New in version 1.5: Enterprise


Feature only available with WAPT Enterprise.

By default, the WAPT Server is configured with a single SuperAdmin account whose password is setup during initial post-configuration.

On large and security-minded network, this SuperAdmin account should not be used since it cannot provide the necessary traceability for administrative actions that are done on the network.

It is thus necessary to configure authentication against the Organization’s Active Directory for the Administrators and the Package Deployers; this will allow to use named accounts for administrative tasks.


  • Active Directory authentication is used to authenticate access to the inventory via the WAPT Console;

  • however, all actions on the WAPT equipped remote devices are based on X.509 signatures, so an Administrator will need both an Active Directory login AND a private key whose certificate is recognized by the remote devices to manage his installed base of devices using WAPT;

  • only the SuperAdmin account and the members of the Active Directory security group waptadmins will be allowed to upload packages on the main repository (authentication mode by login and password);

Enabling Active Directory authentication

  • to enable authentication of the WAPT server on Active Directory, configure the file /opt/wapt/conf/waptserver.ini as follows:







    DN to the group name. All members of this group will be able to connect to WAPT



    LDAP server that will be used by WAPT



    DN for the search



    Default value: True

  • restart waptserver with systemctl restart waptserver;


For Microsoft Active Directory, Microsoft has announced that SimpleBind authentication on MS-AD without SSL/TLS will be blocked by default from April 2020. If you don’t have a certificate installed, you’ll have to modify a registry key to have authentication working.


By default Samba-AD does not allow SimpleBind authentication without SSL/TLS. If you do not have a valid certificate you’ll need to modify the ldap server require strong auth parameter in /etc/samba/smb.conf. For more information you may refer to Tranquil IT documentation on

Enabling SSL/ TLS support for the LDAP connection to the Active Directory Domain Controller

By default, authentication on Active Directory relies on LDAP SSL (default port 646).

SSL/ TLS is not enabled by default on Microsoft Active Directory until a SSL certificate has been configured for the Domain Controller.


The WAPT Server uses the Certificate Authority bundles from the operating system (CentOS) for validating the SSL/ TLS connection to Active Directory.

If the Active Directory certificate is self-signed or has been signed by an internal CA, you’ll need to add these certificates to the certificate store of CentOS.

Add a Certificate Authority in the /etc/pki/ca-trust/source/anchors/ and update the CA store.

cp cainterne.pem /etc/pki/ca-trust/source/anchors/cainterne.pem
  • once you have setup LDAP SSL/ TLS on your Active Directory (please refer to Microsoft documentation for that), then you can enable support for SSL/ TLS security for AD in /opt/wapt/conf/waptserver.ini:

    ldap_auth_ssl_enabled = True
  • restart waptserver with systemctl restart waptserver;