LDAP support in the Sysdig platform allows user authentication using credentials in your own directory server. LDAP support is not currently available the cloud-based (SaaS) Sysdig platform.

The configuration and functionality of LDAP has changed significantly in recent releases of the platform. Ensure that you upgrade to the newest on-prem release to take advantage of improvements. However, if you are running an older release and cannot yet upgrade, contact Sysdig Support for assistance.

General LDAP Tips

Small typos in fields such as search filters can cause failures that are difficult to debug. You may want to perfect your more complex configurations before applying them via the helper scripts. This will help “divide & conquer” as to whether an issue is generic to LDAP syntax and/or the directory vs. a possible bug in the Sysdig platform.

If you have an Ubuntu Linux host at your disposal that can access your directory server via LDAP, install the ldap-utils package:

# sudo apt install ldap-utils

If accessing LDAP over SSL/TLS, edit the file /etc/ldap/ldap.conf and add the following line:


Then, copy the CA certificate (the same one that was uploaded in the Settings of the Replicated console) to a location on the host, such as /tmp/cert.pem .

Now, you can run arbitrary queries via generic LDAP and study their success or failure. For instance, the following command-line uses some of the settings from LDAP Authentication Configuration (for Platform v. 963 - 1091) examples:

# LDAPTLS_CACERT=/tmp/cert.pem ldapsearch -H ldaps:// -M -b "DC=example,DC=local" -D "cn=Administrator,cn=Users,dc=example,dc=local" -w "myMgrPassword" "(&(objectClass=organizationalPerson)(sAMAccountName=jdoe))"

# John Doe, Users, example.local
dn: CN=John Doe,CN=Users,DC=example,DC=local

Excluding Classes of Users

Per this post, Active Directory admins may leverage certain queries to easily exclude certain classes of users from being able to authenticate to the Sysdig platform. For example, the following will filter out users whose accounts have been disabled in Active Directory.


This can be combined with other config via AND logic, such as by extending one of our searchFilter examples:

"searchFilter": "(&(objectClass=organizationalPerson)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"