LDAP / Active Directory authentication is still used by many on-premise organizations. Apache Superset supports LDAP via Flask-AppBuilder. This guide details configuration and best practices in 2026.
1. LDAP vs SAML vs OIDC
| Protocol | Use case |
|---|---|
| LDAP | On-premise, legacy AD |
| SAML | Classic enterprise SSO |
| OIDC | Modern standard, SaaS |
Prefer OIDC or SAML for new setups. LDAP remains useful for organizations without a modern IdP.
If you want preconfigured LDAP, TVL Managed Superset offers LDAP setup on Pro+ dedicated instance.
2. Prerequisites
- An accessible LDAP / Active Directory server;
- A bind account (read-only);
- The `python-ldap` library installed in Superset.
3. Install python-ldap
```bash
# System (libldap required)
apt-get install libldap2-dev libsasl2-dev
# Python
uv pip install python-ldap
```
4. superset_config.py configuration
```python
import os

from flask_appbuilder.security.manager import AUTH_LDAP

AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldaps://ldap.example.com:636"
# ldaps:// is already TLS from the first byte; AUTH_LDAP_USE_TLS requests
# StartTLS, which is only for plain ldap:// URLs, so it stays off here
AUTH_LDAP_USE_TLS = False
# Bind user for searches (password read from the environment, never hardcoded)
AUTH_LDAP_BIND_USER = "CN=superset_bind,OU=Service Accounts,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = os.environ["LDAP_BIND_PASSWORD"]
# Search base, restricted to members of the Superset Users group
AUTH_LDAP_SEARCH = "OU=Users,DC=example,DC=com"
AUTH_LDAP_SEARCH_FILTER = "(&(objectClass=user)(memberOf=CN=Superset Users,OU=Groups,DC=example,DC=com))"
# Mapping
AUTH_LDAP_UID_FIELD = "sAMAccountName"
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTNAME_FIELD = "sn"
AUTH_LDAP_EMAIL_FIELD = "mail"
# Automatic creation
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Gamma"
```
5. Role mapping from AD groups
```python
AUTH_LDAP_GROUP_FIELD = "memberOf"
AUTH_ROLES_MAPPING = {
    "CN=Superset Admins,OU=Groups,DC=example,DC=com": ["Admin"],
    "CN=Superset Power Users,OU=Groups,DC=example,DC=com": ["Alpha"],
    "CN=Superset Users,OU=Groups,DC=example,DC=com": ["Gamma"],
}
AUTH_ROLES_SYNC_AT_LOGIN = True
```
This configuration is applied by default on TVL Managed Superset, which follows community best practices.
6. LDAP security
- LDAPS mandatory (port 636), never cleartext LDAP (port 389);
- Dedicated bind user with read-only access;
- Strict filter: only users from the Superset group can connect;
- Lockout managed on AD side, not Superset;
- MFA impossible without IdP (LDAP limit).
7. Test the LDAP connection
```bash
# From the Superset pod
ldapsearch -H ldaps://ldap.example.com:636 \
  -D "CN=superset_bind,OU=Service Accounts,DC=example,DC=com" \
  -w "$LDAP_BIND_PASSWORD" \
  -b "OU=Users,DC=example,DC=com" \
  "(sAMAccountName=jsmith)"
```
8. Migration to OIDC
If possible, migrate LDAP to OIDC:
- Deploy Keycloak in front of AD (federation);
- Keycloak exposes OIDC;
- Superset authenticates via Keycloak OIDC;
- Benefits: MFA possible, centralized audit, modern cookies.
See SSO OIDC.
9. Common pitfalls
- LDAPS certificate: if self-signed, add it to the Python truststore;
- Bind user locked by lockout policy after failures;
- SearchFilter too broad: any AD user can connect, even unauthorized ones;
- Group mapping broken on an AD rename;
- No MFA: LDAP doesn't natively support it.
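The rules in sections 6 and 9 can be checked offline before a config is deployed. The following is an added example, not code from this guide or from Superset: the function name `audit_ldap_config`, the finding labels and the `WEAK` and `RENAMED` samples are constructed for illustration, and the check reads only settings shown above.

```python
import re

def audit_ldap_config(cfg):
    """Return a list of findings for LDAP settings from superset_config.py."""
    findings = []
    # LDAPS is mandatory: anything else may send bind passwords in clear.
    if not cfg.get("AUTH_LDAP_SERVER", "").lower().startswith("ldaps://"):
        findings.append("not-ldaps")
    # Without a memberOf clause, every account under the search base can log in.
    flt = cfg.get("AUTH_LDAP_SEARCH_FILTER", "")
    groups = re.findall(r"\(memberOf=([^)]+)\)", flt, flags=re.IGNORECASE)
    if not groups:
        findings.append("filter-too-broad")
    # The access group appears in both the filter and the role mapping; after an
    # AD rename the two copies can drift apart (DNs compared case-insensitively).
    mapped = {dn.lower() for dn in cfg.get("AUTH_ROLES_MAPPING", {})}
    for dn in groups:
        if mapped and dn.lower() not in mapped:
            findings.append("filter-group-not-in-mapping: " + dn)
    # Roles are only re-derived from AD groups when sync at login is enabled.
    if mapped and not cfg.get("AUTH_ROLES_SYNC_AT_LOGIN", False):
        findings.append("roles-not-synced-at-login")
    return findings

USERS = "CN=Superset Users,OU=Groups,DC=example,DC=com"
# Settings as given in the guide.
GUIDE = {
    "AUTH_LDAP_SERVER": "ldaps://ldap.example.com:636",
    "AUTH_LDAP_SEARCH_FILTER": "(&(objectClass=user)(memberOf=" + USERS + "))",
    "AUTH_ROLES_MAPPING": {USERS: ["Gamma"]},
    "AUTH_ROLES_SYNC_AT_LOGIN": True,
}
# Constructed weak variant: cleartext URL, open filter, no role sync.
WEAK = dict(GUIDE, AUTH_LDAP_SERVER="ldap://ldap.example.com:389",
            AUTH_LDAP_SEARCH_FILTER="(objectClass=user)",
            AUTH_ROLES_SYNC_AT_LOGIN=False)
# Constructed rename: the filter was updated, the mapping was not.
RENAMED = dict(GUIDE, AUTH_LDAP_SEARCH_FILTER=
               "(&(objectClass=user)(memberOf=CN=BI Users,OU=Groups,DC=example,DC=com))")

if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE), ("weak", WEAK), ("renamed", RENAMED)):
        print(name, audit_ldap_config(cfg) or "ok")
```

The regular expression handles simple filters like the one in this guide; a DN containing escaped parentheses would need a real LDAP filter parser.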
10. Conclusion
LDAP remains functional and stable for Apache Superset, particularly in on-premise organizations with AD. For new setups, consider OIDC via Keycloak in front of AD to benefit from MFA and modern audit. Pure LDAP is suitable when the stack remains closed.