
> Reference the configuration file schema for the Auth0 AD/LDAP Connector, including supported settings, values, description, and defaults.

# AD/LDAP Connector Configuration File Schema

The AD/LDAP Connector's main configuration file is `config.json`. You can modify this file to make changes that are not available via the AD/LDAP **Connector Admin Console**. You can also view this file to determine which tenant is using a particular Connector. The file is located in the install directory for the AD/LDAP Connector, which (for Windows) is usually found at `C:\Program Files (x86)\Auth0\AD LDAP Connector`. The following settings are supported in this file:

| Setting                       | Description                                                                                                                                                                                                                                                                                                                                             | Default                                                                |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| `AD_HUB`                      | The Auth0 endpoint to which the connector will connect. This value is maintained by the connector.                                                                                                                                                                                                                                                      |                                                                        |
| `CA_CERT`                     | An authority certificate or array of authority certificates to check the remote host against.                                                                                                                                                                                                                                                           |                                                                        |
| `CLIENT_CERT_AUTH`            | Specifies if **Client Certificate Authentication** is enabled or not. This value is configured in Auth0 and maintained by the connector.                                                                                                                                                                                                                |                                                                        |
| `CONNECTION`                  | The name of the connection in Auth0 which is linked to this instance of the connector. This value is maintained by the connector.                                                                                                                                                                                                                       |                                                                        |
| `CONNECTIONS_API_V2_KEY`      | A Management API token used to call the Get a connection endpoint. Set this when you need to troubleshoot the connector. This compares the local certificate to the one configured in Auth0 and detects a possible mismatch.                                                                                                                            |                                                                        |
| `FIREWALL_RULE_CREATED`       | Set to `true` once the Firewall rule has been created for the Kerberos Server (only when Kerberos is enabled).                                                                                                                                                                                                                                          |                                                                        |
| `GROUPS`                      | Include the user's groups when enriching the profile.                                                                                                                                                                                                                                                                                                   | `true`                                                                 |
| `GROUP_PROPERTY`              | The attribute of the group object used when adding the groups to a user.                                                                                                                                                                                                                                                                                | `cn`                                                                   |
| `GROUPS_CACHE_SECONDS`        | Total time in seconds to cache a user's groups.                                                                                                                                                                                                                                                                                                         | 600 seconds                                                            |
| `GROUPS_TIMEOUT_SECONDS`      | The timeout in seconds for searching all groups a user belongs to.                                                                                                                                                                                                                                                                                      | 20 seconds                                                             |
| `HTTP_PROXY`                  | The proxy server URL if one is required to connect from the AD/LDAP Connector to Auth0.                                                                                                                                                                                                                                                                 |                                                                        |
| `KERBEROS_AUTH`               | Specifies if **Kerberos Authentication** is enabled or not. This value is configured in Auth0 and maintained by the connector.                                                                                                                                                                                                                          |                                                                        |
| `LAST_SENT_THUMBPRINT`        | Thumbprint of the last certificate which was sent to Auth0.                                                                                                                                                                                                                                                                                             |                                                                        |
| `LDAP_BASE`                   | Defines the location in the directory where the LDAP search begins. For example: `DC=fabrikam,DC=local`.                                                                                                                                                                                                                                                |                                                                        |
| `LDAP_BASE_GROUPS`            | Defines the location in the directory where the LDAP groups search begins.                                                                                                                                                                                                                                                                              |                                                                        |
| `LDAP_BIND_PASSWORD`          | The password of the LDAP user. This setting is automatically removed after the connector initializes.                                                                                                                                                                                                                                                   |                                                                        |
| `LDAP_BIND_CREDENTIALS`       | The encrypted password of the LDAP user. This setting is automatically added after the connector initializes.                                                                                                                                                                                                                                           |                                                                        |
| `LDAP_BIND_USER`              | The user for binding a connection to LDAP.                                                                                                                                                                                                                                                                                                              |                                                                        |
| `LDAP_HEARTBEAT_SEARCH_QUERY` | The LDAP search query used for heartbeat checks.                                                                                                                                                                                                                                                                                                        | `(&(objectclass=user)(\|(sAMAccountName=foo)(UserPrincipalName=foo)))` |
| `LDAP_HEARTBEAT_SECONDS`      | Time in seconds to keep the LDAP connection open.                                                                                                                                                                                                                                                                                                       |                                                                        |
| `LDAP_SEARCH_ALL_QUERY`       | The LDAP query used to list all users in the LDAP store.                                                                                                                                                                                                                                                                                                | `(objectCategory=person)`                                              |
| `LDAP_SEARCH_GROUPS`          | The LDAP query used to find groups in the LDAP store. For example: `(&(objectCategory=group)(member={0}))`                                                                                                                                                                                                                                              | `(member:1.2.840.113556.1.4.1941:={0})`                                |
| `LDAP_SEARCH_QUERY`           | The LDAP query used to find users in the LDAP store. This query requires [filters](https://github.com/auth0/ad-ldap-connector/blob/master/lib/users.js#L364) for the search to work correctly. If you do not configure filters, Auth0 does not send [blocked account](/docs/secure/attack-protection/brute-force-protection#email) notification emails. | `(&(objectCategory=person)(anr={0}))`                                  |
| `LDAP_USER_BY_NAME`           | The LDAP query used to find the user during authentication. This setting lets you specify which attribute is treated as the user's username, for example the common name, the sAMAccountName, or the UPN. The `{0}` placeholder is replaced with the submitted username. This setting also supports multiple values for an OR search, for example: `(\|(sAMAccountName={0})(userPrincipalName={0}))` | `(sAMAccountName={0})`                                                 |
| `LDAP_URL`                    | The LDAP connection string. For example: `ldap://fabrikam-dc.fabrikam.local`.                                                                                                                                                                                                                                                                           |                                                                        |
| `PORT`                        | The port the server runs on when Kerberos or Client Certificate Authentication is enabled.                                                                                                                                                                                                                                                              |                                                                        |
| `PROVISIONING_TICKET`         | The Auth0 provisioning ticket used to communicate with Auth0.                                                                                                                                                                                                                                                                                           |                                                                        |
| `REALM`                       | The Auth0 realm, for example: `urn:auth0:fabrikam`. This value is maintained by the connector.                                                                                                                                                                                                                                                          |                                                                        |
| `SERVER_URL`                  | The default connector URL is `server-name:port`; this setting allows you to override it. For example: `connector.mycompany.com`.                                                                                                                                                                                                                         |                                                                        |
| `SESSION_SECRET`              | The session secret used to encrypt the session cookie.                                                                                                                                                                                                                                                                                                  |                                                                        |
| `SITE_NAME`                   | When Client Certificate Authentication is enabled but not possible, the AD Connector shows a fallback login page. This setting allows you to specify the title shown at the top of that page.                                                                                                                                                          | Name of the AD connection.                                             |
| `SSL_CA_PATH`                 | Absolute path to the base directory where the CA certificate file(s) are located.                                                                                                                                                                                                                                                                       |                                                                        |
| `SSL_KEY_PASSWORD`            | The password for the SSL certificate.                                                                                                                                                                                                                                                                                                                   |                                                                        |
| `SSL_PFX`                     | Base64 encoded certificate to use for SSL.                                                                                                                                                                                                                                                                                                              |                                                                        |
| `TENANT_SIGNING_KEY`          | The signing key of your Auth0 tenant, used to verify JWTs.                                                                                                                                                                                                                                                                                              |                                                                        |
| `WSFED_ISSUER`                | The issuer being set in the WS-Federation responses. If a connection is configured with email domains, the first email domain configured in Auth0 will be used as issuer.                                                                                                                                                                               | `urn:auth0`                                                            |

See [Active Directory: LDAP Syntax Filters](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx) for information about LDAP queries.
