product icon

LastPass Universal Proxy 4.x LDAP configuration using command line on Windows

    Before you begin:
    Note: Requirements for the configuration process:
    • Microsoft Windows operating system
    • Windows PowerShell 3.0 or higher
    About this task:
    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?
    1. Configure the following parameters. Available selections are in brackets, and default selections are in parentheses.
      Select the protocol [LDAP, LDAPS, RADIUS]:
      LDAP
      Select the challenge mode [LP, PLP, SFA]:
      Enter the server mode of the Universal Proxy.

      For more information on server modes, see Server Modes.

    2. Configure the LDAP server setup.
      • LastPass MFA Authentication [LP]
        Enter the LDAP server type [auto, ms, openldap] (auto):
        The default LDAP server type is auto, which determines the LDAP server type based on the operating system. Setting this value to ms means that Active Directory attributes will be used, whereas setting this value to openldap means that OpenLDAP attributes will be used.
        Enter the listening port of the Universal Proxy (389):
        The default value is 389. This is the port on which the Universal Proxy listens to for incoming requests. This value can be changed.
        Enter the name of your company:
        The company name that appears in the end users MFA application when they receive a push notification from your system.
        Enter the CLS integration key:
        The LastPass CLS integration key that you retrieved from the LastPass new Admin Console. For more information, see Find the integration key.
        Enter the CLS integration secret:
        The LastPass CLS integration secret that you retrieved from the LastPass new Admin Console.
        Enter the preferred method of default authentication [push, call] (push):
        The default authentication factor. The default factor is push.
        Enter the distinguished name of the LDAP admin user:
        The distinguished name of the LDAP administrator, in the following format: CN=admin,CN=Users,DC=example,DC=com.
        Enter the Admin password:
        The password of the LDAP administrator.
      • LastPass MFA or password authentication [PLP]
        Enter the LDAP server type [auto, ms, openldap] (auto):
        The default LDAP server type is auto, which determines the LDAP server type based on the operating system. Setting this value to ms means that Active Directory attributes will be used, whereas setting this value to openldap means that OpenLDAP attributes will be used.
        Enter the listening port of the Universal Proxy (389):
        The default value is 389. This is the port on which the Universal Proxy listens to for incoming requests. This value can be changed.
        Enter the name of your company:
        The company name that appears in the end users MFA application when they receive a push notification from your system.
        Enter the CLS integration key:
        The LastPass CLS integration key that you retrieved from the LastPass new Admin Console. For more information, see Find the integration key.
        Enter the CLS integration secret:
        The LastPass CLS integration secret that you retrieved from the LastPass new Admin Console.
        Enter the preferred method of default authentication [push, call] (push):
        The default authentication factor. The default factor is push.
        Enter the LDAP server IP address:
        The IP address or a DNS name of your Active Directory server.
        Enter the LDAP server port (389):
        This is the port on which the Active Directory listens to for incoming requests.
        Enter the distinguished name of the LDAP admin user:
        The distinguished name of the LDAP administrator, in the following format: CN=admin,CN=Users,DC=example,DC=com.
      • Both LastPass MFA and password authentication [SFA]
        Enter the LDAP server type [auto, ms, openldap] (auto):
        The default LDAP server type is auto, which determines the LDAP server type based on the operating system. Setting this value to ms means that Active Directory attributes will be used, whereas setting this value to openldap means that OpenLDAP attributes will be used.
        Enter the listening port of the Universal Proxy (389):
        The default value is 389. This is the port on which the Universal Proxy listens to for incoming requests. This value can be changed.
        Enter the name of your company:
        The company name that appears in the end users MFA application when they receive a push notification from your system.
        Enter the CLS integration key:
        The LastPass CLS integration key that you retrieved from the LastPass new Admin Console. For more information, see Find the integration key.
        Enter the CLS integration secret:
        The LastPass CLS integration secret that you retrieved from the LastPass new Admin Console.
        Enter the preferred method of default authentication [push, call] (push):
        The default authentication factor. The default factor is push.
        Enter the LDAP server IP address:
        The IP address or a DNS name of your Active Directory server.
        Enter the LDAP server port (389):
        This is the port on which the Active Directory listens to for incoming requests.
        Enter the distinguished name of the LDAP admin user:
        The distinguished name for the LDAP administrator, in the following format: CN=admin,CN=Users,DC=example,DC=com.
    3. Once configured, you must restart the Windows service for the LastPass Universal Proxy as follows:

      Open PowerShell and execute the following command:

      uproxy -restart
      Important: You can check the service status in the following ways:
      • In the Services window, the Status of LastPass Universal Proxy must be listed as Running, and the Startup Type should be listed as Automatic. In case the server must reboot, the LastPass Universal Proxy service will automatically start.
      • In the Task Manager window under the Services tab, the Status of Universal Proxy must be listed ad Running.
      • Open PowerShell and execute the following command: 
        uproxy -status
    What to do next: It is highly recommended to restrict access to the configuration file that has been created as a result of configuring the LastPass Universal Proxy. For the specific steps, see Restrict access to my configuration file for the LastPass Universal Proxy 4.x on Windows