Documentation for Kiwi Syslog Server
Legacy KSS reached its End of Service Life on March 28, 2026. Users should migrate to the next generation of KSS. See the release history for the latest version.

Configure LDAP and LDAPS in KSS NG

LDAP enables KSS NG to authenticate users and authorize access via Active Directory groups. LDAPS and StartTLS add encryption to protect credentials and directory data in transit.

Configure LDAP by navigating to Settings > Authentication > LDAP.

Selecting Enable LDAP authentication enables Active Directory-based sign-in. When disabled, local accounts or other authentication methods apply.

LDAP server configuration fields
LDAP server

The hostname or IP of a domain controller or LDAP proxy.

DNS names are preferred for LDAPS to match certificates.

LDAP port

The default port for StartTLS is 389.

The default port for LDAPS is 636.

Operation timeout (ms)

The maximum time after connection establishment for an LDAP operation to complete.

Increase the value on slow networks. Reduce the value to fail fast.

Security mode
Plain

No encryption. Use only for isolated test labs.

StartTLS

Begins unencrypted on port 389 then upgrades to TLS.

LDAPS

Encrypted from the start on port 636. Requires a valid server certificate.

Validate server certificate

When selected, enforces trust chain validation and hostname/IP match.

Allow unencrypted if TLS fails (StartTLS only)

When selected, the security mode will fall back to Plain if the TLS upgrade fails.

Keep disabled for security.

Directory scope fields
Domain

The NetBIOS or Active Directory domain. This is used with negotiate/SSPI flows and UPN resolution.

Base DN

Starting point for directory searches.

Make sure this matches your Active Directory forest structure.

Groups OU

The organizational unit where your security groups reside.

If groups are spread across multiple OUs, consider a higher-level DN.

Authentication type
  • Basic: Username and password are sent to the server. This authentication type must be paired with StartTLS or LDAPS so that the credentials are encrypted in transit.

  • Negotiate: Uses Kerberos/NTLM via SSPI when possible. This authentication type is recommended for Active Directory in Windows environments.

Best practices for LDAP configuration

The following is the recommended configuration:

  • Security mode: StartTLS (389) or LDAPS (636)

  • Validate server certificate: True

  • Allow unencrypted if TLS fails: False

  • Use DNS names that match the certificate SAN.

  • Use Negotiate for the authentication type whenever possible.
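
The recommended configuration above can be checked mechanically before settings are applied. The following Python function is an added example, not part of KSS NG; the dictionary keys are hypothetical names that mirror the field labels on this page, and the sample settings are constructed.

```python
import ipaddress

# Hypothetical keys mirroring this page's field labels; not KSS NG's own schema.
MODE_PORTS = {"StartTLS": 389, "LDAPS": 636}

def is_ip_literal(host):
    """True when the LDAP server field holds an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_ldap_settings(cfg):
    """Return findings where cfg departs from the recommended configuration."""
    findings = []
    mode, port = cfg["security_mode"], cfg["port"]
    encrypted = mode in MODE_PORTS
    if not encrypted:
        findings.append("Plain mode: no encryption in transit")
    # With fallback on, a failed TLS upgrade silently turns StartTLS into Plain.
    if mode == "StartTLS" and cfg.get("allow_unencrypted_fallback"):
        findings.append("StartTLS can fall back to Plain if the TLS upgrade fails")
        encrypted = False
    if mode in MODE_PORTS:
        if not cfg.get("validate_server_certificate"):
            findings.append("server certificate is not validated")
        elif is_ip_literal(cfg["server"]):
            findings.append("IP address used: prefer a DNS name matching the certificate SAN")
        # LDAPS on 389 or StartTLS on 636 points the mode at the other mode's port.
        if any(port == p for m, p in MODE_PORTS.items() if m != mode):
            findings.append(f"port {port} is the default for a different mode than {mode}")
    if cfg["auth_type"] == "Basic" and not encrypted:
        findings.append("Basic authentication may send the password unencrypted")
    return findings

# Constructed sample settings, not taken from a real deployment.
WEAK = {"server": "10.0.0.5", "port": 389, "security_mode": "StartTLS",
        "validate_server_certificate": True, "allow_unencrypted_fallback": True,
        "auth_type": "Basic"}
RECOMMENDED = {"server": "dc01.corp.example", "port": 636, "security_mode": "LDAPS",
               "validate_server_certificate": True, "allow_unencrypted_fallback": False,
               "auth_type": "Negotiate"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("recommended", RECOMMENDED)):
        print(name, audit_ldap_settings(cfg) or "OK")
```

An empty list means the settings agree with the recommendations; each string in a non-empty list names one field to revisit.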