What a LDAP integration gives you.
Users log in once to LDAP and gain access to the storefront, trade portal, and internal systems without re-entering credentials. Session state is consistent across all touchpoints.
Trade-account permissions, approval workflows, and cost-centre rules are driven by LDAP group membership so that changes in the directory propagate without manual portal administration.
When employees resign or contractors end, their LDAP record is disabled and all commerce platform access, trade portals and linked customer accounts are locked immediately.
Trade customers, employees and call-centre staff who exist in LDAP are also recognized in the ecommerce system. Orders, accounts and support history are visible to staff without account-linking gaps.
Login events, permission changes and session terminations are logged and traceable so that access governance and segregation-of-duties rules can be demonstrated to auditors.
Where a LDAP integration earns its place.
If two or more of these are true, the integration usually pays for itself quickly.
Where off-the-shelf connectors fall short.
Vendor connectors are fine for simple cases. Here's where the real ones need more.
LDAP authentication alone does not map corporate users to ecommerce customer records (accounts, orders, addresses, credit). Manual customer master data syndication or a separate identity-mapping layer is needed.
LDAP provides authentication and group membership; it does not carry cost-centre, spending limits, contract pricing or approval thresholds. These must be maintained separately in the ERP or OMS and synced in parallel.
LDAP does not log failed logins, permission mismatches or orphaned sessions across multiple storefronts. Session state and exception handling must be instrumented at the commerce or middleware layer.
LDAP supports passwords and some MFA schemes, but commerce platforms may have different MFA requirements (TOTP, email codes, hardware tokens). Policy conflicts require customization.
When a user is disabled in LDAP, active sessions on the storefront may persist until the cache expires. Immediate logout and session termination require integration logic.
Access governance fails silently when deprovisioning is delayed or when account-linking mismatches leave trade customers locked out. The integration must make permission changes and session termination observable.
Where this integration sits in your estate.
LDAP holds the commercial record. The iWeb integration layer manages the rules, mappings, monitoring and exceptions. The commerce platform presents the customer-facing experience. The estate map helps agree ownership before anything is built.
Built for your platform, not a specific one. LDAP integrates with any ecommerce core through the same contract.
- User identity records and profile data
- Group membership and directory roles
- Authentication credentials (masked in LDAP)
- Cost-centre and organizational attributes
- User enabled/disabled status
- Session tokens and active-session state
- Derived commerce roles and permissions
- Account linking between LDAP user and ecommerce customer
- Commerce-specific user preferences and settings
- Trade-account access and customer-record visibility
Systems this integration usually sits next to.
Examples, not a closed list. iWeb is platform-agnostic on both sides: we wire this integration into whatever ecommerce platform and surrounding systems your estate already runs.
- Adobe Commerce
- Magento Open Source
- Shopify Plus
- BigCommerce
- Other storefronts
- Active Directory / LDAP directory
- ERP (for customer master and approval rules)
- OMS (for trade-account order routing and approval)
- CRM (for customer identity and support access)
- Secrets vault (for credential management)
- Security monitoring and audit logging
- Email and notification systems
- Session cache or Redis
Not sure if this works with your stack?
Tell us what you’re using and what needs to connect. We’ll give you a straight view on what’s possible, what might be awkward, and the safest way to approach it.
The data flows we wire.
Each flow has a direction and an owner. We agree both before a line of code is written.
How iWeb configures the integration around your business.
Same method on every integration. The decisions come before the code.
- 01Design LDAP authentication flows
iWeb maps LDAP bind requests, group queries and token refresh cycles into the commerce platform so that users authenticate against the directory without the platform storing passwords.
- 02Build customer account linking logic
iWeb matches LDAP user records to ecommerce customers using email, employee ID or cost-centre rules so that online and offline identities merge. Trade-account details flow to the commerce platform.
- 03Synchronize permissions and cost-centre rules
iWeb reads LDAP groups and maps them to commerce roles, approval workflows and spending limits. Permission changes propagate without requiring a re-login or manual portal administration.
- 04Implement deprovisioning and session handling
iWeb builds logic to detect disabled LDAP accounts and immediately revoke commerce platform access, terminate active sessions and lock trade-account records.
- 05Monitor and troubleshoot access issues
iWeb instruments LDAP bind failures, permission mismatches, account-linking gaps and session termination so that access issues are surfaced and resolved before they impact users.
Who owns what.
The single most important table in any integration. One system owns each field; everything else reads it.
Built LDAP identity integrations before
iWeb has designed and delivered LDAP authentication and account-linking integrations across multiple commerce platforms. We understand the mechanics of directory queries, group-to-role mapping, session handling and deprovisioning logic.
What we test before launch.
Every one of these is rehearsed before a customer ever sees the integration.
Common risks and where they bite.
We name these on day one. A risk written down is a risk you can plan around.
If the commerce platform caches LDAP group membership for too long, a user who is added to a trade group in the directory may not see new permissions until the cache expires, breaking urgent approvals.
LDAP deprovisioning does not automatically log out active sessions. If a resigning employee logs in before the deprovisioning job runs, they may have hours of access after leaving the company.
If the matching logic between LDAP user records and ecommerce customers is fragile (e.g. email-based matching when emails change), a trade customer's online account may become unreachable from their LDAP identity or support staff may not see their history.
When a user's LDAP group membership changes and they are removed from a trade-account approval role, they may attempt to approve an order and fail without understanding why. Audit trails and user-facing messaging must be explicit.
The service account used by the commerce platform to query LDAP may have a rotated password that is not updated in the platform configuration. Authentication stops working until the credential is manually refreshed.
If the enterprise uses multiple LDAP forests (separate directory instances for acquisitions or geographies), the integration may not query all forests consistently. Users in one forest may not authenticate while others do.
Relevant services and sectors.
Common questions about LDAP integrations.
How does LDAP authentication work in the commerce platform?
When a user enters their username and password on the login page, the commerce platform connects to LDAP using a bind request. If the credentials are valid, LDAP returns the user's profile (email, full name, groups, cost centre). The commerce platform then creates or updates a session and maps the user's groups to commerce roles.
How do LDAP groups map to commerce permissions?
iWeb defines a mapping table that associates LDAP group names (e.g. SALES_APPROVERS, FINANCE_TEAM) with commerce roles and permissions (e.g. can approve orders up to £10,000, can view invoices). When a user logs in, their LDAP groups are read and commerce permissions are set accordingly. The mapping must be maintained when groups are created or renamed.
What happens when a user's LDAP group membership changes?
A scheduled sync job queries LDAP at regular intervals (e.g. every 15 minutes) and reads all group memberships. If a user is added to or removed from a group, the commerce platform updates their permissions. Users may need to log out and log back in to see the new permissions, or permissions may refresh silently at the next token refresh.
How are disabled LDAP users locked out of the commerce platform?
When a user is disabled in LDAP (e.g. on resignation), the next sync job detects the disabled status and removes the user from the commerce platform or marks them inactive. Active sessions are terminated if the integration is configured to do so. Without explicit termination logic, sessions may persist until they expire naturally.
How is a trade customer linked to an LDAP user record?
iWeb uses a matching key (usually email or employee ID) to connect an LDAP user to an existing ecommerce customer record. When the match is found, the user gains access to that customer account's orders, invoices and trade-specific permissions. If the matching fails, the user can authenticate but cannot see the linked account.
What happens if the LDAP server is unavailable during login?
The commerce platform cannot validate credentials and login will fail. If a fallback is configured, cached authentication may be allowed with reduced permissions. Otherwise, users cannot log in. The integration should alert operations so that LDAP availability is restored quickly.
How are LDAP bind credentials stored and rotated?
The service account used by the commerce platform to query LDAP is stored in a secrets vault (e.g. AWS Secrets Manager, HashiCorp Vault) and injected into the platform at runtime. The credential is rotated on a schedule (e.g. quarterly) and both LDAP and the platform are updated simultaneously. Rotation failures must be monitored so that authentication does not break.
Can users have different permissions on different storefronts?
Yes. iWeb can configure separate permission mappings for each commerce platform or storefront. An LDAP user's groups determine their permissions on the main storefront, the B2B portal and the mobile app independently. However, the mappings must be kept synchronized across all platforms.
How are LDAP login failures logged and who investigates them?
Failed LDAP bind attempts (wrong password, user not found, disabled user) are logged with timestamps and usernames. Logs are aggregated in a central security or audit system. Operations and IT security teams use these logs to investigate login incidents and detect brute-force attacks.
Can LDAP be used alongside other identity providers (e.g. Azure AD or Okta)?
Yes, but each provider must be configured separately and users must be assigned to one or the other. Some organizations migrate identity to a cloud IdP over time and need both LDAP and the new provider to work in parallel until migration is complete. iWeb can support a phased transition.
What is the difference between LDAP and LDAPS?
LDAP is the protocol over plain TCP; LDAPS wraps it in TLS encryption. LDAPS is more secure and is recommended for production. The commerce platform and LDAP server must both support LDAPS. If the server uses a self-signed certificate, the certificate must be added to the commerce platform's certificate store.
How are cost centres and approval limits synchronized from LDAP?
LDAP can carry custom user attributes (e.g. cost_centre, manager_id) beyond standard groups. iWeb maps these attributes to commerce fields so that cost-centre rules and approval limits flow from the directory. If the ERP owns the approval limits, those are synced separately from the ERP.
What if a user forgets their LDAP password?
Password resets are handled by the LDAP administrator using Active Directory tools, not by the commerce platform. The commerce platform does not store passwords and cannot reset them. Users must contact their IT helpdesk.
How does the integration handle multi-forest or multi-domain LDAP environments?
If the enterprise has multiple LDAP forests (e.g. separate directories for subsidiaries), iWeb configures the integration to query multiple forests in parallel or fall back between them. Users must be in at least one forest. Ambiguous identities (same username in two forests) are resolved using a priority order or user specification.



