CFDaddio2
Participant
February 13, 2026
Question

Using LDAP group authentication within ColdFusion 2023 Admin console


Environment: Windows-based, using ColdFusion 2023. 

When creating admin console “users,” has anyone set up external authentication (using LDAP) using groups instead of individual users?

Due to a recently released ColdFusion STIG I’m now required to create admin console users who are externally authenticated (no local user accounts). In my case, that means using LDAP to authenticate the users from Active Directory (AD). 

My preference is to configure this using an AD group instead of individual users. I’m struggling trying to determine what data goes in what fields during the setup.

I have the LDAP configured and verifying the connection. I’m using the correct LDAP filter in the Group Configuration field; I know it’s correct because when I test it using the CFLDAP tag, it returns the users who are assigned to the target group.  

But, in the User Manager (User Detail), the ‘User name’ field is required and I’m not sure what to enter. I’ve tried several different things, but always get the response, “Unable to create user: this user doesn’t exist in server.”  

If anyone has configured CF admin console access in this way or has something to suggest, I’d appreciate the help. Thank you. 

 

    1 reply

    BKBK
    Community Expert
    February 16, 2026

    I shall start by saying that I’ve never before had to use LDAP in this way. But I am curious to know how this works. 

    I think you keep getting “Unable to create user: this user doesn’t exist in server” for the following reason. During the "Add User" step, ColdFusion attempts to validate a specific individual user object against your LDAP search base, rather than simply accepting a group DN.

     

    But ColdFusion Administrator’s LDAP integration does not create group-based admin accounts by itself. Even when using external authentication (LDAP/AD), ColdFusion still requires a user object to exist in LDAP for each Admin user you create in the Administrator.

     

    So, one way to implement STIG-compliant LDAP Admin access (using AD group control) would be to treat the group itself as the "User" entry in the User Manager.

    CFDaddio2
    Author
    Participant
    February 17, 2026

    Thanks for the response, BKBK. 

     

    I’m not clear. Are you saying it would be nice to be able to treat the group itself as the “User” entry or are you saying it is possible?  

     

    I’d be fine having to do this at the User-level, although it would be more secure to allow group-level control. But I’m stuck trying to meet the STIG requirement because the group way doesn’t seem possible and the user way, for now, isn’t working because our Active Directory ‘username’ uses dot notation, e.g., Lastname.Firstname.etc., but the user detail screen won’t accept non-alphanumeric characters… so, it won’t accept the ‘.’ separator. I probably need to try finding another unique value that will work and just go with the user-level lookup. 

     

    This page -- https://helpx.adobe.com/coldfusion/using/integrate-saml-ldap-coldfusion-administrator.html -- claims that you can integrate the users *or groups* of an LDAP server from within the Administrator yet I’m just not finding any documentation/guidance (even from Support) how to actually do that. 

     

    Thanks again. 

    CFDaddio2
    Author
    Participant
    February 17, 2026

    As an update here… I wish I had a screenshot for my observation that the ‘username’ field cannot have a non-alphanumeric value. While working with CF Support today, I was able to get that to work, so scratch that comment. 

     

    I do mostly have user-level LDAP accounts working now, but still would love the ability to authenticate based on User Group(s) to more securely and efficiently manage CFAdmin users.
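
The group-filter check with CFLDAP that the question mentions, as an added example (not code from this thread or from Adobe). The server name, DNs, bind account and the `CF_LDAP_BIND_PW` environment variable are constructed placeholders; the nested-group filter uses Active Directory's in-chain matching rule, which the thread does not mention.

```cfml
<cfscript>
// Constructed placeholders: replace with your own directory values.
ldapServer = "dc01.example.internal";
searchBase = "DC=example,DC=internal";
groupDn    = "CN=CF-Admins,OU=Groups,DC=example,DC=internal";
bindUser   = "CN=svc-cfldap,OU=Service Accounts,DC=example,DC=internal";
// Assumed environment variable, so the bind secret stays out of source.
bindPass   = server.system.environment.CF_LDAP_BIND_PW;

// Escape the printable characters that are special inside an LDAP
// filter value (RFC 4515). The backslash must be replaced first.
function ldapFilterEscape(required string value) {
    var out = replace(arguments.value, "\", "\5c", "all");
    out = replace(out, "*", "\2a", "all");
    out = replace(out, "(", "\28", "all");
    return replace(out, ")", "\29", "all");
}

userClause = "(objectCategory=person)(objectClass=user)";

// Direct members of the group only.
directFilter = "(&" & userClause
             & "(memberOf=" & ldapFilterEscape(groupDn) & "))";

// Direct members plus members of nested groups (AD in-chain rule).
nestedFilter = "(&" & userClause
             & "(memberOf:1.2.840.113556.1.4.1941:=" & ldapFilterEscape(groupDn) & "))";
</cfscript>

<!--- LDAPS on 636 so the bind password is not sent in clear text.
      Swap in directFilter to compare the two result sets. --->
<cfldap action="query" name="groupMembers"
        server="#ldapServer#" port="636" secure="CFSSL_BASIC"
        username="#bindUser#" password="#bindPass#"
        start="#searchBase#" scope="subtree"
        filter="#nestedFilter#"
        attributes="sAMAccountName,userPrincipalName,distinguishedName">

<cfdump var="#groupMembers#" label="Accounts the group filter resolves to">
```

Comparing the `sAMAccountName` and `userPrincipalName` values in the dump with what was typed into the 'User name' field shows whether that name exists under the search base. Which attribute the Administrator matches on is not stated in this thread.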