LDAP troubleshooting and recovery

Quick Checks

  • In the setup application, confirm the LDAP configuration’s fields are all correct.

  • Ensure the user you are logging in with has been created in Continuous Compliance, exists in LDAP, and is in scope of the Base DN and search filter.

  • If login still fails, check the Masking logs for LDAP errors/settings and adjust accordingly.

  • Confirm whether the Continuous Compliance engine is containerized or appliance-based, as this determines whether LDAP is centrally managed in the setup application or locally configured.

Recovering from an LDAP lockout

If LDAP is enabled and logins to the Continuous Compliance Engine fail due to misconfiguration or missing users, use the steps below to regain access. For non-containerized engines, LDAP configuration and enablement are managed in the setup application; save any changes there and restart the Continuous Compliance engine to apply them at startup.

Case 1 - Connection OK, user not found (no restart)

  1. In LDAP, create or use an account whose username exactly matches the Masking admin configured during setup (e.g., admin), and ensure it is in scope of the Base DN and filter.

  2. Sign in to Continuous Compliance with that LDAP username/password.

  3. In Application Settings → LDAP, correct or disable LDAP as needed.

Case 2 - Connection invalid (restart may be required)

  1. In the admin application, point LDAP settings to a known-good directory.

  2. For LDAPS, import and accept the server certificate on the engine.

  3. Click Test Connection to verify basic connectivity. This performs a bind test that validates all LDAP settings except the filter.

  4. Restart the Continuous Compliance Engine to reapply the centrally managed LDAP configuration from the setup application.

  5. Log in with a valid LDAP user and finalize the LDAP settings in the Continuous Compliance Engine.
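
Because Test Connection validates everything except the filter, a bind can succeed while the login user is still out of scope, which is Case 1. The sketch below is an added example, not Delphix code: it checks offline whether an exported directory entry falls under a Base DN and passes a search filter. The names BASE_DN, FILTER, diagnose and the sample DNs and group are assumptions made for illustration.

```python
# Added example; DNs, attributes and the filter are constructed sample values.
# Filter subset: & | ! equality and presence (attr=*); no escaped characters.
BASE_DN = "ou=People,dc=example,dc=com"
FILTER = "(&(objectClass=person)(memberOf=cn=masking-users,ou=Groups,dc=example,dc=com))"

def parse_filter(s, i=0):
    """Return (node, next_index) for the parenthesised filter starting at s[i]."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:max(end, i)].partition("=")
    bad_value = "*" in value and value != "*"  # substring match: unsupported here
    if end < 0 or not sep or not attr.replace("-", "").isalnum() or bad_value:
        raise ValueError(f"malformed or unsupported item at offset {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against {lowercase attr: [values]}."""
    if node[0] in ("&", "|"):
        results = [matches(k, attrs) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    values = [v.lower() for v in attrs.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2] in values

def in_base(dn, base_dn):
    """True when dn equals base_dn or sits anywhere beneath it (no escaped commas)."""
    d, b = ([r.strip().lower() for r in x.split(",") if r.strip()] for x in (dn, base_dn))
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def diagnose(dn, entry, base_dn, ldap_filter):
    """List the reasons a directory entry would be invisible to the login search."""
    node, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing text after filter")
    attrs = {k.lower(): v for k, v in entry.items()}
    reasons = [] if in_base(dn, base_dn) else ["outside Base DN"]
    return reasons if matches(node, attrs) else reasons + ["rejected by search filter"]
```

An empty list from diagnose means the entry is in scope; otherwise each string names the setting to correct.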

Caveats

  • For non-containerized Continuous Compliance engines, LDAP is enabled or disabled only through the setup application. LDAP settings are not visible or configurable in the Continuous Compliance UI or API.

  • Changing or clearing LDAP in the setup application does not update or clear previously synced settings until the engine is restarted.

  • Containerized Continuous Compliance deployments do not sync LDAP settings and continue to manage them locally within the engine.