
Set up LDAP Authentication

Vectra Cognito's LDAP Authentication supports the following configurations:

  • Active Directory (AD) or any LDAP server such as OpenLDAP
  • STARTTLS and PLAINTEXT are supported.

Notes:

  • LDAPS (usually on port 636) is not supported, as it is considered deprecated.
  • Authorization via LDAP is not supported. Users, roles and RBAC must be defined locally in the Cognito Detect appliance.

Security:

  • STARTTLS is an extension to the LDAP protocol that uses TLS to encrypt communication. It works by establishing a normal, i.e. unsecured, connection with the LDAP server, after which a TLS handshake between the server and Cognito is carried out. The server sends its certificate to prove its identity before the secure connection is established.
  • To support STARTTLS on Active Directory, the AD server must have an SSL certificate installed.

Prerequisites

Obtain the required information from your LDAP/AD Administrator:

  • Bind DN/Password
  • Base DN
  • LDAP server URI and port
  • Search filter
  • STARTTLS - Yes/No
  • Ensure firewalls are opened for the LDAP connection: outbound on the LDAP port from the Brain, inbound on the LDAP server.

Setup Steps:

  1. Log in to Cognito using an 'admin' account
  2. Click on Manage - External Authentication
  3. Create a new LDAP Profile

    The following form will appear; please provide the following information:

    • Profile Name: User-defined - must use only letters, numbers, dashes, periods, and colons
    • Bind DN: Example: uid=cognito,dc=vectra,dc=com. For Active Directory the path may look like: cn=cognito,dc=vectra,dc=com.
    • To verify the path on the Active Directory server -> Choose the Organization Unit (OU) ->
    • [Screenshot]
    • Password: password for the Bind DN account
    • Use TLS (STARTTLS) - (Yes or No): use Yes only if STARTTLS is supported on your LDAP server. Otherwise, the connection will fail.
    • Base DN: Example: dc=example,dc=com
    • URI: Example: ldap://ldap-server:port. If no port is defined, the default TCP port 389 is used. The prefix ldap:// must be included; ldaps:// is not accepted.
    • Search Filter: The search filter can't be blank. Example values include: uid, cn, dc, sAMAccountName. In Active Directory, 'sAMAccountName' is the 'User Logon Name (pre-Windows 2000)' field. The User Logon Name field is referenced by 'cn'.
      CN format is typically CN=Cool\Joe. sAMAccountName is used for user names such as jcool.


Full Active Directory example:

[Screenshot]

Full LDAP example:

[Screenshot]
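Before entering the values above into the profile form, it is worth confirming them with the same bind-and-search the appliance will perform. The helper below is an added example, not Vectra code: it applies the rules the article states (profile-name characters, ldap:// URI with default port 389, ldaps:// rejected) and assembles the OpenLDAP ldapsearch command for a pre-flight check; escaping the login name per RFC 4515 is this example's own precaution, not a documented appliance behaviour.

```python
import re
from urllib.parse import urlsplit

PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9.:-]+$")
# RFC 4515 characters that must be escaped inside a filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def validate_profile_name(name):
    """Profile Name may contain only letters, numbers, dashes, periods and colons."""
    return bool(PROFILE_NAME_RE.match(name))


def parse_ldap_uri(uri):
    """Return (host, port) for an ldap:// URI; port defaults to 389; anything else is refused."""
    parts = urlsplit(uri)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError(f"URI must start with ldap:// and name a host: {uri!r}")
    return parts.hostname, parts.port or 389


def escape_filter_value(value):
    """Escape a login name before it is placed in a filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(attribute, login):
    """Build (attribute=login), e.g. (sAMAccountName=jcool) for Active Directory."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"not a valid attribute name for the search filter: {attribute!r}")
    return f"({attribute}={escape_filter_value(login)})"


def ldapsearch_argv(uri, bind_dn, base_dn, attribute, login, starttls):
    """ldapsearch command that binds as the Bind DN and searches the Base DN like the appliance."""
    host, port = parse_ldap_uri(uri)
    argv = ["ldapsearch", "-LLL", "-H", f"ldap://{host}:{port}"]
    if starttls:
        argv.append("-ZZ")  # require STARTTLS; fail instead of continuing in plaintext
    # -W prompts for the Bind DN password so it never lands in shell history
    argv += ["-D", bind_dn, "-W", "-b", base_dn, build_search_filter(attribute, login), "dn"]
    return argv


if __name__ == "__main__":
    # Constructed sample values mirroring the Active Directory example in the form
    print(" ".join(ldapsearch_argv("ldap://dc01.example.com", "cn=cognito,dc=vectra,dc=com",
                                   "dc=vectra,dc=com", "sAMAccountName", "jcool", True)))
```

Run the printed command from a host with the same firewall path as the Brain; a returned DN confirms the Bind DN, Base DN, search attribute and STARTTLS setting all work together.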

Creating new users

To create new users or replace existing users:

  1. Go to the Manage - Users tab.
  2. Make sure to select User Type - LDAP and select the appropriate profile and role.

For further troubleshooting information refer to the companion article: Troubleshooting LDAP Authentication
