fix: DOCS-5395 (#962)

BcnCarlos · nick-gagliardi · web-flow · commit 3f7c5c3e7e73 · 2026-04-16T15:55:16.000+02:00
* fix: clarify LDAP_SEARCH_QUERY config and blocked account notification requirement (DOCS-5395) - Expand LDAP_SEARCH_QUERY schema entry with {0} token explanation, filter requirement note, and blocked account notification warning - Fix grammar, modal verb, code block attributes, and phrasing in OpenLDAP overview section * Update ad-ldap-connector.mdx * Update ad-ldap-connector-config-file-schema.mdx * Apply suggestion from @nick-gagliardi Co-authored-by: Nick Gagliardi <133918568+nick-gagliardi@users.noreply.github.com> * Update ad-ldap-connector.mdx --------- Co-authored-by: Nick Gagliardi <133918568+nick-gagliardi@users.noreply.github.com>
diff --git a/main/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector.mdx b/main/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector.mdx
@@ -35,15 +35,17 @@ Each instance of the high-availability cluster will be always up and running and
 
 ## OpenLDAP directories
 
-The Connector comes by default highly optimized for Active Directory. To configure it any other LDAP directories (such as OpenLDAP) you will have to customize these settings in the `config.json` file:
+The Connector comes by default highly optimized for Active Directory. To configure it for any other LDAP directories (such as OpenLDAP) you must customize these settings in the `config.json` file:
 
-```json lines
+```json config.json lines
 "LDAP_USER_BY_NAME": "(cn={0})",
 "LDAP_SEARCH_QUERY": "(&(objectClass=person)(cn={0}))",
 "LDAP_SEARCH_ALL_QUERY": "(objectClass=person)",
 ```
 
-In some cases, instead of `cn` it might be better to use `uid`.
+<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
+In some cases, `uid` may be a better attribute to use than `cn`.
+</Callout>
 
 ### OpenDJ example
 
@@ -60,4 +62,4 @@ In this example John's `cn` is **johndoe** and the `mail` field is set to **john
 * [Configure AD/LDAP Connector Authentication with Client Certificates](/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector/configure-ad-ldap-connector-client-certificates)
 * [Configure AD/LDAP Connector Authentication with Kerberos](/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector/configure-ad-ldap-connector-with-kerberos)
 * [Import and Export AD/LDAP Connector Configurations](/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector/import-export-ad-ldap-connector-configs)
-* [Troubleshoot AD/LDAP Connector](/docs/troubleshoot/integration-extensibility-issues/troubleshoot-ad-ldap-connector)
+* [Troubleshoot AD/LDAP Connector](/docs/troubleshoot/integration-extensibility-issues/troubleshoot-ad-ldap-connector)
diff --git a/main/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector/ad-ldap-connector-config-file-schema.mdx b/main/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector/ad-ldap-connector-config-file-schema.mdx
@@ -28,7 +28,7 @@ The AD/LDAP Connector's main configuration file is `config.json`. You can modify
 | `LDAP_HEARTBEAT_SECONDS` | Time in seconds to keep the LDAP connection open. |   |
 | `LDAP_SEARCH_ALL_QUERY` | The LDAP query used to list all users in the LDAP store. | `(objectCategory=person)` |
 | `LDAP_SEARCH_GROUPS` | The LDAP query used to find groups in the LDAP store. For example: `(&(objectCategory=group)(member={0}))` | `(member:1.2.840.113556.1.4.1941:={0})` |
-| `LDAP_SEARCH_QUERY` | The LDAP query used to find users in the LDAP store. | `(&(objectCategory=person)(anr={0}))` |
+| `LDAP_SEARCH_QUERY` | The LDAP query used to find users in the LDAP store. This query requires [filters](https://github.com/auth0/ad-ldap-connector/blob/master/lib/users.js#L364) for the search to work correctly. If you do not configure filters, Auth0 does not send [blocked account](/docs/secure/attack-protection/brute-force-protection#email) notification emails. | `(&(objectCategory=person)(anr={0}))` |
 | `LDAP_USER_BY_NAME` | The LDAP query used to find the user during authentication. This setting lets you specify which attribute is considered the user's username. For example, like the common name: the sAMAccountName, UPN, et cetera. This setting also supports multiple values for an OR search, for example: `(\|(sAMAccountName={0})(userPrincipalName={0}))` | `(sAMAccountName={0})` |
 | `LDAP_URL` | The LDAP connection string. For example: `ldap://fabrikam-dc.fabrikam.local`. |   |
 | `PORT` | The port the server runs on when Kerberos or Client Certificate Authentication is enabled. |   |
