Users - LDAP tab

To support single sign-on solutions, configure AppMon to authenticate users according to credentials stored on an LDAP server.

If a user unknown to the AppMon Server logs in, a local user account is created automatically with the Use LDAP Authentication setting selected. The user information (name and email address) is retrieved from LDAP and is subsequently kept in sync. Credentials stored locally at the AppMon Server are ignored; only mappings to local user groups are used from the AppMon Server. User memberships in LDAP groups are verified and updated with current LDAP settings at login.

Note

Default LDAP integration with AppMon includes the LDAP primary group Domain Users, which is specific to the Microsoft Active Directory LDAP system. This may cause login problems with AppMon. To prevent these problems, <DT_HOME>/dtserver.ini must contain the following:

-Dcom.dynatrace.diagnostics.includePrimaryGroupForLDAPActiveDirectory=false

To be allowed to log in, a user with a valid LDAP account must be a member of at least one LDAP group that is configured in AppMon. Note that users must be able to read their member attribute so that their membership can be confirmed.

However, to allow users to log in without verification of a group membership, add the following to <DT_HOME>/dtserver.ini:

-Dcom.dynatrace.diagnostics.strictLDAPAuthentication=false

Use the LDAP tab in the Dynatrace Server Settings dialog box to configure the LDAP connection and search attributes.


Configuring the LDAP connection

To configure the LDAP connection:

  1. Enter the LDAP Host that runs the LDAP service and the LDAP Port (the non-SSL default is 389).
  2. If the LDAP server requires it, select Use SSL Connection (the SSL default port is 636).
  3. Specify a Bind DN (such as cn=dtd, ou=users, dc=company, dc=com) and a Bind Password if anonymous search for users is not supported. Anonymous search is used to find users if Bind DN and Bind Password are left blank.
  4. When you configure an SSL connection, the certificate from the LDAP server may need to be accepted once by the administrator. Click Test Connection: if the certificate is unknown, you are prompted to accept it.

LDAP SSL Certificate Management

Accepting SSL certificates

  1. After configuring an LDAP connection using SSL as described above, click Test Connection.
  2. The following two scenarios are possible:
    • Root CA certificate is trusted:
      If the Root CA certificate in the LDAP server certificate's chain is trusted, that is, it is already imported into the JRE's trusted key store (jre/lib/security/cacerts), the LDAP server certificate is validated automatically and does not have to be accepted or imported.
    • Root CA certificate is NOT trusted:
      1. The LDAP Server Certificate Chain dialog box displays the certificate of the LDAP server, which needs to be verified.
      2. Click Accept to import the certificate into the trusted key store file on the AppMon Server (server/conf/jssecacerts).
  3. If the connection test was successful, you can choose to use the server's default naming context and attributes by clicking Yes in the popup message.
  4. The Test Connection button now shows a green checkmark and the View Certificate Chain button is available.

Deleting the LDAP SSL Certificate

Note

Only applicable if the Root CA certificate of the LDAP server certificate is not trusted and the LDAP server certificate was imported as described above.

To delete LDAP SSL Certificate:

  1. In the LDAP Connection pane click View Certificate Chain.
  2. Click Delete to delete the certificate from the trusted key store on the AppMon Server (server/conf/jssecacerts).

Updating the LDAP SSL Certificate

Note

Only applicable if the Root CA certificate of the LDAP server certificate is not trusted and the LDAP server certificate was imported as described above.

To update the certificate, delete the current one as described in the Deleting the LDAP SSL Certificate section, then import a new one, as described in the Accepting SSL certificates section.

Load Balanced Environments - LDAP Cluster - "Forests" - Multiple Domains

If there are multiple LDAP servers with different host certificates, the Root CA certificate must be added to the trusted key store.

  1. Open the server/conf/jssecacerts key store file with a key store explorer like http://keystore-explorer.org.
  2. The default password is changeit.
  3. Import the Root CA certificate of the LDAP server's certificate to this key store.
  4. Save the key store file.
  5. Continue as described in the Accepting SSL certificates > Root CA certificate is trusted section.

Configuring LDAP search attributes

Use the LDAP Search Attributes area to map LDAP attributes to AppMon user accounts:

  • Base DN: The LDAP name of the root node to search for user credentials, such as ou=users,dc=company,dc=com.
  • Account Attribute: The user's login name, for example uid, or sAMAccountName for ActiveDirectory.
  • Name Attribute: The user's name.
  • Email Attribute: The user's email address.
  • Member Attribute: The group membership for the user account.
  • Group objectClass: The attribute used to identify groups in the LDAP system.
  • Description Attribute: The group's description.

These attributes may vary depending on the LDAP server being used. The default settings apply to Microsoft Active Directory.

Use the Test Connection button to verify the LDAP connection after you define the search attributes. This check does not verify whether the LDAP search attributes are valid.
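The following added example (not AppMon code) models how the search attributes above drive the login decision: the Account Attribute locates the user under the Base DN, the Group objectClass and Member Attribute identify the groups the user belongs to, and strictLDAPAuthentication decides whether a user with no configured group may log in. The directory is a constructed in-memory snapshot; the member and group values are assumptions for an Active Directory layout, and the filter builders show the RFC 4515 escaping a login name needs before it is sent to a real server.

```python
# Added example, not AppMon code: models the LDAP login checks described above.
from dataclasses import dataclass

@dataclass
class LdapSearchConfig:
    base_dn: str = "ou=users,dc=company,dc=com"   # Base DN from the page
    account_attr: str = "sAMAccountName"           # Active Directory login attribute
    member_attr: str = "member"                    # assumption for AD groups
    group_object_class: str = "group"              # assumption for AD groups
    strict: bool = True  # -Dcom.dynatrace.diagnostics.strictLDAPAuthentication

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name can never change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(cfg: LdapSearchConfig, login: str) -> str:
    return "(%s=%s)" % (cfg.account_attr, escape_filter_value(login))

def group_filter(cfg: LdapSearchConfig, user_dn: str) -> str:
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg.group_object_class, cfg.member_attr, escape_filter_value(user_dn))

# Constructed directory snapshot: dn -> attributes (values are lists).
DIRECTORY = {
    "cn=alice,ou=users,dc=company,dc=com": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "cn=bob,ou=users,dc=company,dc=com": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "cn=appmon-admins,ou=groups,dc=company,dc=com": {
        "objectClass": ["group"], "member": ["cn=alice,ou=users,dc=company,dc=com"]},
}

def find_user_dn(cfg, directory, login):
    """Search below the Base DN for an entry whose Account Attribute equals login."""
    for dn, attrs in directory.items():
        if dn.lower().endswith(cfg.base_dn.lower()) and login in attrs.get(cfg.account_attr, []):
            return dn
    return None

def groups_of(cfg, directory, user_dn):
    """Groups (by Group objectClass) whose Member Attribute lists the user's DN."""
    return {dn for dn, attrs in directory.items()
            if cfg.group_object_class in attrs.get("objectClass", [])
            and user_dn in attrs.get(cfg.member_attr, [])}

def may_log_in(cfg, directory, login, configured_groups):
    """Return (allowed, LDAP groups that are also configured in AppMon)."""
    user_dn = find_user_dn(cfg, directory, login)
    if user_dn is None:
        return False, set()          # no LDAP account: nothing is auto-created
    matched = groups_of(cfg, directory, user_dn) & set(configured_groups)
    if cfg.strict and not matched:
        return False, matched        # valid account, but no configured group
    return True, matched             # non-strict mode admits any valid account
```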

IBM Tivoli Directory Server

The following shows an example configuration with the corresponding attributes for an IBM TDS.

LDAP performance

The connection timeout to the LDAP server depends on the current network settings. By default, it is the network (TCP) timeout, which is usually a few minutes.

If the LDAP server is down completely, LDAP users cannot log in. However, successful user authentications are cached on the AppMon Server for 10 minutes by default. If the same user logs in within this time frame, no LDAP request is sent again and the user's authentication timeout is prolonged. The user's group membership is not verified or updated within this time frame.

You can configure the authentication timeout by changing the value of the following system property in the dtserver.ini file:

-Dcom.dynatrace.diagnostics.ldapAuthenticationTimeout=600