---
title: "LDAP Authentication on Sensu Server"
slug: "fortanix-dsm-for-ldap-authentication-on-sensu-server"
updated: 2026-04-01T07:29:56Z
published: 2025-09-17T16:14:01Z
canonical: "support.fortanix.com/fortanix-dsm-for-ldap-authentication-on-sensu-server"
---

# LDAP Authentication on Sensu Server

## 1.0 Introduction

The purpose of this article is to describe the procedure to set up LDAP or Active Directory (AD) authentication on the Sensu server. By connecting Sensu with LDAP/AD, you can use your existing directory users and groups for login and access.

## 2.0 Terminology References

- AD - Active Directory
- LDAP - Lightweight Directory Access Protocol
- API - Application Programming Interface

## 3.0 Configure AD or LDAP Authentication

This section describes the procedure to configure AD or LDAP authentication on the Sensu server.

Perform the following steps:

1. Run the following command to create a YAML file for the AD configuration on the Sensu server:

```bash
vi ad.yml
```

Add the following content to the file (update placeholders with your environment details):

```yaml
type: ad
api_version: authentication/v2
metadata:
  name: ActiveDirectory
spec:
  groups_prefix: ad
  servers:
  - binding:
      password: <bind account password>
      user_dn: cn=<bindaccount>,ou=<group>,dc=<domain>,dc=com
    default_upn_domain: <domain.com>
    include_nested_groups: true
    host: <domain controller FQDN>
    # true skips TLS certificate verification; set to false to validate
    # the domain controller's certificate against trusted_ca_file
    insecure: true
    port: 636
    security: tls
    trusted_ca_file: /etc/ssl/certs/downstairs-root-ca.pem
    user_search:
      attribute: sAMAccountName
      base_dn: <DN for root of search>
      name_attribute: displayName
      object_class: user
    group_search:
      attribute: member
      base_dn: ou=groups,dc=downstairs,dc=com
      name_attribute: cn
      object_class: group
  username_prefix: ad
```
2. Run the following command to create the authentication (auth) resource defined in the `ad.yml` file on the Sensu server:

```bash
sensuctl create --file /location/ad.yml
```
3. Run the following command to verify that the auth resource was created successfully:

```bash
sensuctl auth list
```
  1. Log in with a user account that is within the search root.
  2. The user will be able to log in, but will not see any namespaces or other resources until roles are assigned.
4. To troubleshoot, restart `sensu-backend` without `systemd` to monitor interactions in real time, or run the following command to check the logs:

```bash
journalctl -xe | grep sensu
```
5. Run the following command to create a resource role that determines permissions:

```bash
sensuctl role create djuser --namespace sdkms --resource=checks,entities,events --verb=get,list
```
6. Run the following command to create a role binding between an AD group and the role:

```bash
sensuctl role-binding create djuser --role=djuser --group=ad:sensu --namespace sdkms
```
7. Run the following command to list the roles:

```bash
sensuctl role list
```
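
A pre-flight check for `ad.yml` that can be run before `sensuctl create` in step 2. This is an added example, not Fortanix or Sensu code; the function name `lint_ad_yml`, the finding tags, and the sample file are assumptions made for illustration. It flags unreplaced placeholders, disabled certificate verification, a cleartext connection setting, and a file mode that exposes the bind password.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper): lint an AD/LDAP auth file before
# `sensuctl create`. Prints one tagged finding per line and returns 1 if
# anything was found, 0 otherwise.
lint_ad_yml() {
  local f="$1" rc=0

  # Template placeholders such as <bind account password> left in place.
  if grep -Eq '<[^>]+>' "$f"; then
    echo "PLACEHOLDER: unreplaced <...> values remain"; rc=1
  fi
  # insecure: true skips certificate verification, so the domain
  # controller is not validated against trusted_ca_file.
  if grep -Eq '^[[:space:]]*insecure:[[:space:]]*true' "$f"; then
    echo "NO_CERT_VERIFY: insecure is true"; rc=1
  fi
  # security: insecure means an unencrypted LDAP connection.
  if grep -Eq '^[[:space:]]*security:[[:space:]]*"?insecure' "$f"; then
    echo "CLEARTEXT: security is insecure"; rc=1
  fi
  # The file holds the bind password: allow the owner only (e.g. 0600).
  if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
    echo "FILE_MODE: readable by group or others"; rc=1
  fi
  return "$rc"
}

# Constructed sample: the relevant lines of the ad.yml template above,
# written to a temporary file with a world-readable mode.
make_sample() {
  local f; f="$(mktemp)"
  printf '%s\n' 'spec:' '  servers:' '  - binding:' \
    '      password: <bind account password>' \
    '    insecure: true' '    port: 636' '    security: tls' \
    '    trusted_ca_file: /etc/ssl/certs/downstairs-root-ca.pem' > "$f"
  chmod 644 "$f"; echo "$f"
}

sample="$(make_sample)"
lint_ad_yml "$sample" || echo "fix the findings above before sensuctl create"
rm -f "$sample"
```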
