LDAP Login - Modifying login flow


We have an on-premise installation of OS. Since we originally configured everything, Users are managed in Lifetime and not the Users application (according to the messages I see in Service Center).

Right now, it appears that logging into an application with LDAP credentials works. In Lifetime, under the Authentication Mode tab, External Authentication Providers are configured and testing works.

I now need to limit who can log in where. Specifically, if a user does not have roles in an application - I would like to block them. Secondly, after logging in with LDAP credentials in an application, I want to look up the user's LDAP groups and add/remove roles from the user on the application.

I'm not quite sure where to start. Do I have to create my own User provider? Or can I simply modify the login page's login screen action with instructions to get the LDAP groups the user is part of, etc.?

Any information would be greatly appreciated.

Thank you,



Hi David,

There are two types of users and I think you might be getting them confused. Developer/DevOps users are managed in Lifetime.

Application Users are managed in the <environment>/Users application. If you want your application to block users that don't have roles in an application - simply make sure to set the screens' permission levels to require one of the roles and not simply registered.

If you want to try to tie OutSystems user roles to LDAP information, the most common way is to build a synchronization utility that maps users and roles based on a mapping that you have built.
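
The synchronization mapping described in the answer above, as an added example that is not part of the original thread and is not OutSystems code: it takes the group DNs from a user's LDAP `memberOf` attribute, computes which application roles to grant and revoke, and reports whether login should be allowed. The mapping table, DNs, role names and function names are constructed for illustration; applying the result to the Users application is left to the platform's own actions.

```python
import re

# Constructed mapping: LDAP group DN (normalized) -> application roles.
GROUP_ROLE_MAP = {
    "cn=app-orders-admins,ou=groups,dc=example,dc=com": {"OrdersAdmin", "OrdersUser"},
    "cn=app-orders-users,ou=groups,dc=example,dc=com": {"OrdersUser"},
}


def normalize_dn(dn):
    """Normalize a DN for comparison: trim spaces around RDNs, lower-case.

    Simplified: splits on commas not preceded by a backslash. A production
    utility should use its LDAP library's DN parser instead.
    """
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip() for p in parts).lower()


def roles_for_groups(member_of):
    """Union of roles mapped from the user's group DNs; unknown groups map to nothing."""
    roles = set()
    for dn in member_of:
        roles |= GROUP_ROLE_MAP.get(normalize_dn(dn), set())
    return roles


def reconcile(current_roles, member_of, managed_roles=None):
    """Return (grant, revoke, allow_login) for one user at login time.

    Only roles that appear in the mapping are ever revoked, so roles granted
    by other means are left alone. Login is allowed only if the user ends up
    holding at least one managed role (fail closed on empty membership).
    """
    if managed_roles is None:
        managed_roles = set().union(*GROUP_ROLE_MAP.values())
    desired = roles_for_groups(member_of)
    grant = desired - current_roles
    revoke = (current_roles & managed_roles) - desired
    final = (current_roles - revoke) | grant
    return grant, revoke, bool(final & managed_roles)


if __name__ == "__main__":
    # Constructed sample: user moved into the admins group in LDAP.
    print(reconcile({"OrdersUser", "Reporting"},
                    ["CN=App-Orders-Admins, OU=Groups, DC=example, DC=com"]))
    # Constructed sample: user removed from every mapped group.
    print(reconcile({"OrdersAdmin", "Reporting"}, []))
```
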


Hi Stacey,

Thank you for your response.

I'm aware of IT vs Application users, but wasn't sure how the Users application came into play. 

I think I have enough info now to continue where I left off, will repost if I stumble on something.

Thanks again,