Skip to main content
Documentation & User Guides | Fotoware

Suppressing LDAP queries during AD lookup


In very complex domain setups, you may experience that the user lookup during login to FotoWeb times out before the user can be located, making it impossible to log in.

To this end, it is possible to manage which parts of the domain FotoWeb queries during login by adding the undesired parts of the domain to an exclusion list that will not be queried.


Note: Active Directory integration via LDAP in FotoWeb is set to End of Life from January 1st, 2024, and will be removed from our software in a future version. We strongly recommend switching your identity provider as soon as possible.

Fotoware currently supports a variety of other identity providers, such as Microsoft Entra ID (formerly Azure Active Directory), ADFS + SAML, or any other SAML 2.0 compatible provider, such as Okta, OneLogin, and many more.

Contact Fotoware Support or your Fotoware Partner if you need assistance migrating to a new identity provider.

Defining an exclusion list 

  1. From the Tools menu (cogwheel icon), go to Site Configuration Security > Single Sign-on.
  2. On the General tab, turn on the Enable Single Sign-on toggle.
  3. From the Authentication provider drop-down list, select Windows Active Directory.
  4. Select Exclusion list.

  5. Select Add to define the areas of the domain that should be exempt from lookups.
  6. Select OK to save your changes.


Note: Entries are added using .

The exclusion list contains regular expressions (Wikipedia, external link) matched against LDAP distinguished names (DN).

An LDAP DN looks like this:

CN=ACME Promotion Team,OU=Sales,OU=Germany,DC=bestacmesales,DC=com


A regex that blocks the lookup of anyone in the Sales organizational unit will look like this:


With this entry in the exclusion list, groups in Sales are invisible to FotoWeb, which is OK as long as none of these groups have been imported into FotoWeb. Since these lookups are not being made, login can be faster.