LDAP support in the Sysdig software platform allows user authentication using credentials in a customer’s own directory server. LDAP support is not currently available in the cloud-based (SaaS) Sysdig platform.
The configuration and functionality of LDAP has changed significantly in recent releases of the platform. It is recommended to upgrade to the newest on-prem release to take advantage of improvements. However, if you are running an older release and cannot yet upgrade, contact Sysdig Support if you need further assistance.
General LDAP Tips
Testing Configurations With ldapsearch
Small typos in fields such as search filters can cause failures that are difficult to debug. You may want to test your more complex configurations with ldapsearch before applying them via the helper scripts. This lets you “divide & conquer”: an issue that also reproduces with a generic LDAP client is a matter of LDAP syntax and/or the directory itself, while one that only appears through the helper scripts points to a possible bug in the Sysdig platform.
If you have an Ubuntu Linux host at your disposal that can access your directory server via LDAP, install the ldap-utils package:
# sudo apt install ldap-utils
If accessing LDAP over SSL/TLS, edit the file and add the following line:
Then copy the CA certificate (the same one that was uploaded in the Settings of the Replicated console) to a location on the host, such as
Now you can run arbitrary queries via generic LDAP and study their success or failure. For instance, the following command line uses some of the settings from the LDAP Authentication Configuration (for Platform v. 963 - 1091) examples:
# LDAPTLS_CACERT=/tmp/cert.pem ldapsearch -H ldaps://172.16.0.1:636 -M -b "DC=example,DC=local" -D "cn=Administrator,cn=Users,dc=example,dc=local" -w "myMgrPassword" "(&(objectClass=organizationalPerson)(sAMAccountName=jdoe))"
...
# John Doe, Users, example.local
dn: CN=John Doe,CN=Users,DC=example,DC=local
...
Excluding Classes of Users (e.g. Disabled Accounts)
Per this post, Active Directory admins can use certain search filters to exclude particular classes of users from authenticating to the Sysdig platform. For example, the following filters out users whose accounts have been disabled in Active Directory.
This can be combined with other config via AND logic, such as by extending one of our
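Because a single misplaced parenthesis in a search filter is exactly the kind of typo the ldapsearch test above is meant to expose, an offline syntax check is a useful first step. The following is an added example, not code from the Sysdig documentation or product: a small parser for the RFC 4515 filter grammar that reports the offset of the first syntax problem, a helper that ANDs already-valid filters together (the combination described in the section above), an escaping routine for values such as login names that get substituted into a filter, and a builder for the ldapsearch invocation using the page's example settings. The function names, the use of -W (prompt for the bind password instead of putting it on the command line) and the sample filters combined at the bottom are assumptions of this example.

```python
"""Offline checks for LDAP search filters before running ldapsearch against a directory.

Added example, not part of the Sysdig platform or its helper scripts. All function
names are this example's own; sample values come from the page's ldapsearch command.
"""
import shlex


class FilterSyntaxError(ValueError):
    """Carries the character offset at which the filter stops parsing."""

    def __init__(self, message, pos):
        super().__init__(f"{message} at offset {pos}")
        self.pos = pos


def parse_filter(text):
    """Parse an RFC 4515 filter and return a nested tuple AST, e.g.
    ("and", (("cmp", "objectClass", "=", "organizationalPerson"), ...)).

    Grammar (simplified): filter = "(" (and | or | not | item) ")"
      and = "&" filter+    or = "|" filter+    not = "!" filter
      item = attr ("=" | "~=" | ">=" | "<=" | ":=") value ; "attr=*" is a presence test
    """
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise FilterSyntaxError("trailing characters after the closing ')'", pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError("expected '('", i)
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("filter ends before a component", i)
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterSyntaxError(f"'{op}' needs at least one sub-filter", i)
        node = ("and" if op == "&" else "or", tuple(children))
    elif op == "!":
        i, child = _parse(s, i + 1)
        node = ("not", child)
    else:
        # A simple item runs up to the next unescaped '(' or ')'; the first '='
        # splits attribute from value, with a preceding ~ > < : selecting the operator.
        end = i
        while end < len(s) and s[end] not in "()":
            end += 1
        item = s[i:end]
        k = item.find("=")
        if k <= 0:
            raise FilterSyntaxError("expected attribute=value", i)
        if item[k - 1] in "~><:":
            attr, sym = item[:k - 1], item[k - 1:k + 1]
        else:
            attr, sym = item[:k], "="
        if not attr:
            raise FilterSyntaxError("missing attribute name", i)
        value = item[k + 1:]
        node = ("present", attr) if sym == "=" and value == "*" else ("cmp", attr, sym, value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError("expected ')'", i)
    return i + 1, node


def escape_value(value):
    """Escape a value for embedding in a filter (RFC 4515 section 3), so a login name
    containing '*', '(' or ')' cannot change the structure of the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def combine_and(*filters):
    """AND together filters that each parse on their own, e.g. a user filter plus an
    exclusion filter; returns the combined string after validating the parts."""
    for f in filters:
        parse_filter(f)
    return "(&" + "".join(filters) + ")"


def ldapsearch_argv(uri, base, bind_dn, filt, ca_cert=None, attrs=()):
    """Return (env, argv) for an ldapsearch equivalent to the page's test command.
    The filter is syntax-checked first; -W prompts for the bind password (assumption
    of this example) instead of passing it with -w."""
    parse_filter(filt)
    env = {"LDAPTLS_CACERT": ca_cert} if ca_cert else {}
    argv = ["ldapsearch", "-H", uri, "-M", "-b", base, "-D", bind_dn, "-W", filt, *attrs]
    return env, argv


if __name__ == "__main__":
    # Settings from the page's example; the exclusion filter below is a constructed
    # placeholder, not the Active Directory filter the page refers to.
    user_filter = combine_and("(objectClass=organizationalPerson)",
                              "(sAMAccountName=" + escape_value("jdoe") + ")",
                              "(!(description=disabled))")
    env, argv = ldapsearch_argv("ldaps://172.16.0.1:636", "DC=example,DC=local",
                                "cn=Administrator,cn=Users,dc=example,dc=local",
                                user_filter, ca_cert="/tmp/cert.pem")
    print(" ".join(f"{k}={v}" for k, v in env.items()), shlex.join(argv))
```

Run the file to print a ready-to-paste command; a typo such as a missing closing parenthesis is reported with its offset before ldapsearch is ever invoked, which keeps the "divide & conquer" boundary clean: anything that fails after this check is a directory, certificate or credential problem rather than filter syntax.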