LDAP

LDAP support in the Sysdig platform allows user authentication using credentials in your own directory server. LDAP support is not currently available in the cloud-based (SaaS) Sysdig platform.

The configuration and functionality of LDAP has changed significantly in recent releases of the platform. Ensure that you upgrade to the newest on-prem release to take advantage of improvements. However, if you are running an older release and cannot yet upgrade, contact Sysdig Support for assistance.

General LDAP Tips

Small typos in fields such as search filters can cause failures that are difficult to debug. You may want to perfect your more complex configurations before applying them via the helper scripts. This lets you divide and conquer: first determine whether an issue is generic to LDAP syntax or to the directory itself, and only then consider a possible bug in the Sysdig platform.

If you have an Ubuntu Linux host at your disposal that can access your directory server via LDAP, install the ldap-utils package:

# sudo apt install ldap-utils

If accessing LDAP over SSL/TLS, edit the file /etc/ldap/ldap.conf and add the following line:

TLS_REQCERT allow

Then, copy the CA certificate (the same one that was uploaded in the Settings of the Replicated console) to a location on the host, such as /tmp/cert.pem.

Now you can run arbitrary LDAP queries against the directory and study their success or failure. For instance, the following command line uses some of the settings from the LDAP Authentication Configuration (for Platform v. 963 - 1091) examples. Note that passing the bind password with -w leaves it in your shell history; on a shared host, use -W instead so ldapsearch prompts for it:

# LDAPTLS_CACERT=/tmp/cert.pem ldapsearch -H ldaps://172.16.0.1:636 -M -b "DC=example,DC=local" -D "cn=Administrator,cn=Users,dc=example,dc=local" -w "myMgrPassword" "(&(objectClass=organizationalPerson)(sAMAccountName=jdoe))"

...
# John Doe, Users, example.local
dn: CN=John Doe,CN=Users,DC=example,DC=local
...

Excluding Classes of Users

Per this post, Active Directory admins can use certain filter clauses to exclude particular classes of users from authenticating to the Sysdig platform. For example, the following clause filters out users whose accounts have been disabled in Active Directory (the matching rule 1.2.840.113556.1.4.803 is a bitwise AND, and bit 2 of userAccountControl is ACCOUNTDISABLE):

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

This clause can be combined with other conditions using AND logic (the & operator), for example by extending one of our searchFilter examples:

"searchFilter": "(&(objectClass=organizationalPerson)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"