LDAP
LDAP support in the Sysdig platform allows user authentication with credentials held in your own directory server. LDAP support is not currently available in the cloud-based (SaaS) Sysdig platform.
The configuration and functionality of LDAP has changed significantly in recent releases of the platform. Ensure that you upgrade to the newest on-prem release to take advantage of improvements. However, if you are running an older release and cannot yet upgrade, contact Sysdig Support for assistance.
General LDAP Tips
Testing Configurations with LDAP Search
Small typos in fields such as search filters can cause failures that are difficult to debug. Perfect your more complex configurations with a standalone LDAP client before applying them via the helper scripts. This lets you divide and conquer: you can tell whether an issue is generic to LDAP syntax or the directory itself, or a possible bug in the Sysdig platform.
If you have an Ubuntu Linux host at your disposal that can access your directory server via LDAP, install the ldap-utils package:
# sudo apt install ldap-utils
If accessing LDAP over SSL/TLS, edit the file /etc/ldap/ldap.conf and add the following line:
TLS_REQCERT allow
Then, copy the CA certificate (the same one that was uploaded in the Settings of the Replicated console) to a location on the host, such as /tmp/cert.pem.
Now, you can run arbitrary queries against the directory and study their success or failure. For instance, the following command line uses some of the settings from the LDAP Authentication Configuration (for Platform v. 963 - 1091) examples:
# LDAPTLS_CACERT=/tmp/cert.pem ldapsearch -H ldaps://172.16.0.1:636 -M -b "DC=example,DC=local" -D "cn=Administrator,cn=Users,dc=example,dc=local" -w "myMgrPassword" "(&(objectClass=organizationalPerson)(sAMAccountName=jdoe))"
...
# John Doe, Users, example.local
dn: CN=John Doe,CN=Users,DC=example,DC=local
...
Excluding Classes of Users
Per this post, Active Directory admins may leverage certain queries to easily exclude certain classes of users from being able to authenticate to the Sysdig platform. For example, the following will filter out users whose accounts have been disabled in Active Directory.
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
This can be combined with other config via AND logic, such as by extending one of our searchFilter examples:
"searchFilter": "(&(objectClass=organizationalPerson)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
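As an added example (not part of the Sysdig documentation or its helper scripts), the following Python builds the searchFilter above from its {0} template, escapes the supplied username per RFC 4515 so that it cannot change the filter's structure, checks the parenthesis balance that hand-edited filters tend to lose, and evaluates the disabled-account bit test offline against constructed directory entries. The helper names and the sample entries are this example's own assumptions.

```python
# Hypothetical helpers for checking a Sysdig-style LDAP searchFilter offline.

# The searchFilter from the page, with {0} standing for the login name.
SEARCH_FILTER = ("(&(objectClass=organizationalPerson)(sAMAccountName={0})"
                 "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# Active Directory userAccountControl flag tested by the filter (bit value 2).
ACCOUNTDISABLE = 0x2

# Constructed sample entries (not real directory data). 512 is NORMAL_ACCOUNT;
# 514 is NORMAL_ACCOUNT with the ACCOUNTDISABLE bit set.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "objectClass": ["organizationalPerson", "user"],
     "userAccountControl": 512},
    {"sAMAccountName": "asmith", "objectClass": ["organizationalPerson", "user"],
     "userAccountControl": 514},
]

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_filter(template: str, username: str) -> str:
    """Substitute the escaped login name for the {0} placeholder."""
    return template.replace("{0}", escape_filter_value(username))

def parens_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check for the unbalanced-parenthesis typos that are hard to debug."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0

def is_disabled(user_account_control: int) -> bool:
    """What (userAccountControl:1.2.840.113556.1.4.803:=2) asserts: the bit-AND with 2 is non-zero."""
    return (user_account_control & ACCOUNTDISABLE) != 0

def would_authenticate(entry: dict, username: str) -> bool:
    """Offline approximation of the full filter against one entry (AD compares names case-insensitively)."""
    return ("organizationalPerson" in entry["objectClass"]
            and entry["sAMAccountName"].lower() == username.lower()
            and not is_disabled(entry["userAccountControl"]))
```

Run the same filter string through ldapsearch as shown above to confirm the directory agrees with the offline result before pasting it into the helper scripts.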