Users - LDAP tab

To support single sign-on solutions, configure AppMon to authenticate users according to credentials stored on an LDAP server.

If a user unknown to the AppMon Server logs in, a local user account is created automatically with the Use LDAP Authentication setting selected. The user information (name and email address) is retrieved from LDAP and is subsequently kept in sync. Credentials stored locally at the AppMon Server are ignored; only mappings to local user groups are used from the AppMon Server. User memberships in LDAP groups are verified and updated with current LDAP settings at login.

Note

Default LDAP integration with AppMon includes the LDAP primary group Domain Users, which is specific to the Microsoft Active Directory LDAP system. This may cause login problems with AppMon. To prevent these problems, <DT_HOME>/dtserver.ini must contain the following:

-Dcom.dynatrace.diagnostics.includePrimaryGroupForLDAPActiveDirectory=false

To be allowed to log in, a user with a valid LDAP account must be a member of at least one LDAP group that is configured in AppMon. Note that users must be able to read their own member attribute so that their membership can be confirmed.

However, to allow users to log in without verification of a group membership, add the following to <DT_HOME>/dtserver.ini:

-Dcom.dynatrace.diagnostics.strictLDAPAuthentication=false

Use the LDAP tab in the Dynatrace Server Settings dialog box to configure the LDAP connection and search attributes.

Figure: LDAP tab

Configuring the LDAP connection

To configure the LDAP connection:

  1. Enter the LDAP Host that runs the LDAP service and the LDAP Port (the non-SSL default is 389).
  2. If the LDAP server requires it, select Use SSL Connection (the default SSL port is 636).
  3. Specify a Bind DN (such as cn=dtd, ou=users, dc=company, dc=com) and a Bind Password if anonymous search for users is not supported. Anonymous search is used to find users if Bind DN and Bind Password are left blank.
  4. When you configure an SSL connection, the certificate from the LDAP server may need to be accepted once by the administrator. Click Test Connection: if the certificate is unknown, you are prompted to accept it.

Configuring LDAP search attributes

Use the LDAP Search Attributes area to map LDAP attributes to AppMon user accounts:

  • Base DN: The LDAP name of the root node to search for user credentials, such as ou=users,dc=company,dc=com.
  • Account Attribute: The user's login name, for example uid, or sAMAccountName for ActiveDirectory.
  • Name Attribute: The user's name.
  • Email Attribute: The user's email address.
  • Member Attribute: The group membership for the user account.
  • Group objectClass: The attribute used to identify groups in the LDAP system.
  • Description Attribute: The group's description.

These attributes may vary depending on the LDAP server being used. The default settings apply to Microsoft Active Directory.

Use the Test Connection button to verify the LDAP connection after you define the search attributes. This check does not verify whether the LDAP search attributes are valid.
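Because Test Connection only checks reachability and the bind, it is worth exercising the attribute mapping and the group-membership rule separately. The following is an added example, not AppMon's own code: it models the lookup the page describes (search below the Base DN for the Account Attribute, read name and email, intersect the Member Attribute with the groups configured in AppMon, and apply the strictLDAPAuthentication rule) against a constructed in-memory directory that stands in for the LDAP server. The attribute names, DNs, users and passwords are all constructed sample data.

```python
"""Added example (not AppMon's own code): models AppMon's LDAP user lookup and
group-membership check against a constructed in-memory directory."""
from dataclasses import dataclass

# Constructed sample directory (DN -> attributes), shaped like Active Directory:
# sAMAccountName is the login name, memberOf carries group membership.
# userPassword is only here so the simulated bind has something to compare.
DIRECTORY = {
    "cn=jdoe,ou=users,dc=company,dc=com": {
        "objectClass": ["person", "user"],
        "sAMAccountName": ["jdoe"],
        "displayName": ["Jane Doe"],
        "mail": ["jane.doe@company.com"],
        "memberOf": ["cn=appmon-admins,ou=groups,dc=company,dc=com"],
        "userPassword": ["s3cret"],
    },
    "cn=bsmith,ou=users,dc=company,dc=com": {
        "objectClass": ["person", "user"],
        "sAMAccountName": ["bsmith"],
        "displayName": ["Bob Smith"],
        "mail": ["bob.smith@company.com"],
        "memberOf": ["cn=finance,ou=groups,dc=company,dc=com"],
        "userPassword": ["hunter2"],
    },
    "cn=appmon-admins,ou=groups,dc=company,dc=com": {
        "objectClass": ["group"],
        "description": ["AppMon administrators"],
    },
}


@dataclass
class LdapSearchAttributes:
    """Mirrors the LDAP Search Attributes settings (defaults fit Active Directory)."""
    base_dn: str = "ou=users,dc=company,dc=com"
    account_attribute: str = "sAMAccountName"
    name_attribute: str = "displayName"
    email_attribute: str = "mail"
    member_attribute: str = "memberOf"
    group_object_class: str = "group"
    description_attribute: str = "description"


@dataclass
class AppMonLdapConfig:
    search: LdapSearchAttributes
    configured_groups: set            # LDAP groups mapped to local AppMon user groups
    strict_authentication: bool = True  # -Dcom.dynatrace.diagnostics.strictLDAPAuthentication


def find_user(directory, search, login):
    """Search the Base DN subtree for the entry whose Account Attribute equals login."""
    suffix = "," + search.base_dn.replace(" ", "").lower()
    for dn, attrs in directory.items():
        if dn.lower().endswith(suffix) and login in attrs.get(search.account_attribute, []):
            return dn, attrs
    return None


def missing_attributes(directory, search, login):
    """Names of configured user attributes the found entry does not carry.
    This is the check Test Connection does not perform."""
    hit = find_user(directory, search, login)
    if hit is None:
        return ["account_attribute"]
    _, attrs = hit
    wanted = {"name_attribute": search.name_attribute,
              "email_attribute": search.email_attribute,
              "member_attribute": search.member_attribute}
    return sorted(setting for setting, attr in wanted.items() if attr not in attrs)


def authenticate(directory, config, login, password):
    """Return the local account AppMon would create or sync, or raise
    PermissionError with the reason the login is refused."""
    hit = find_user(directory, config.search, login)
    if hit is None:
        raise PermissionError("user not found below Base DN")
    dn, attrs = hit
    # Simulated bind as the user; a real LDAP server verifies this itself.
    if password not in attrs.get("userPassword", []):
        raise PermissionError("bind failed: invalid credentials")
    member_of = {g.lower() for g in attrs.get(config.search.member_attribute, [])}
    mapped = {g for g in config.configured_groups if g.lower() in member_of}
    if config.strict_authentication and not mapped:
        raise PermissionError("user is not a member of any LDAP group configured in AppMon")
    return {
        "dn": dn,
        "name": attrs.get(config.search.name_attribute, [login])[0],
        "email": attrs.get(config.search.email_attribute, [""])[0],
        "groups": sorted(mapped),
        "use_ldap_authentication": True,
    }


def refused_reason(directory, config, login, password):
    """Convenience wrapper: the refusal message, or None when the login succeeds."""
    try:
        authenticate(directory, config, login, password)
        return None
    except PermissionError as exc:
        return str(exc)
```

With strict authentication on, bsmith has valid credentials but belongs to no configured group and is refused; setting strict_authentication to False (the effect of the dtserver.ini property above) lets him in with an empty group mapping. `missing_attributes` with a Name Attribute of `cn` instead of `displayName` reports the mismatch that Test Connection alone would not surface.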

IBM Tivoli Directory Server

The following shows an example configuration with the corresponding attributes for IBM Tivoli Directory Server (TDS).

LDAP performance

The connection timeout to the LDAP server depends on the current network settings. By default, it is the network (TCP) timeout, which is usually a few minutes.

If the LDAP server is completely unavailable, LDAP users cannot log in. However, successful user authentications are cached on the AppMon Server for 10 minutes by default. If the same user logs in again within this time frame, no LDAP request is sent and the user's authentication timeout is extended. The user's group membership is not verified or updated within this time frame.

You can configure the authentication timeout by changing the value of the following system property in the dtserver.ini file:

-Dcom.dynatrace.diagnostics.ldapAuthenticationTimeout=600
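To make the consequences of that cache concrete, here is an added example (not AppMon's own code) that models the behaviour the page describes: a successful login is remembered for the timeout period, a repeat login within that window sends no LDAP request and extends the window, and group changes made in LDAP are not seen until the entry expires. It assumes the property value is in seconds (600 = 10 minutes, consistent with the default shown). The backend, clock, user and password are constructed; only a salted hash of the password is kept in the cache.

```python
"""Added example (not AppMon's own code): a model of the LDAP authentication
cache with a configurable timeout, assumed to be in seconds."""
import hashlib
import hmac
import os
import time


class LdapAuthCache:
    def __init__(self, authenticate, timeout_seconds=600, clock=time.monotonic):
        self._authenticate = authenticate   # callable(login, password) -> groups, or raises
        self._timeout = timeout_seconds     # -Dcom.dynatrace.diagnostics.ldapAuthenticationTimeout
        self._clock = clock
        self._entries = {}                  # login -> (salt, pw_hash, groups, expires_at)
        self.ldap_requests = 0

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)

    def login(self, login, password):
        """Return (groups, source) where source is 'cached' or 'ldap'."""
        now = self._clock()
        entry = self._entries.get(login)
        if entry is not None:
            salt, pw_hash, groups, expires_at = entry
            if now < expires_at and hmac.compare_digest(pw_hash, self._hash(password, salt)):
                # Cache hit: no LDAP request, timeout prolonged, groups NOT re-verified.
                self._entries[login] = (salt, pw_hash, groups, now + self._timeout)
                return groups, "cached"
        # Miss, expired entry or different password: ask the LDAP server.
        groups = self._authenticate(login, password)   # raises if LDAP refuses or is down
        self.ldap_requests += 1
        salt = os.urandom(16)
        self._entries[login] = (salt, self._hash(password, salt), list(groups), now + self._timeout)
        return list(groups), "ldap"


class FakeLdap:
    """Constructed stand-in for the LDAP server; one user, groups editable, can be 'down'."""
    def __init__(self):
        self.groups = ["cn=appmon-admins,ou=groups,dc=company,dc=com"]
        self.down = False
        self.calls = 0

    def __call__(self, login, password):
        self.calls += 1
        if self.down:
            raise ConnectionError("LDAP server unreachable")
        if (login, password) != ("jdoe", "s3cret"):
            raise PermissionError("invalid credentials")
        return list(self.groups)


def scenario():
    """Walk through the page's statements with a controllable clock.
    Returns the list of (groups, source) results observed."""
    now = [0.0]
    ldap = FakeLdap()
    cache = LdapAuthCache(ldap, timeout_seconds=600, clock=lambda: now[0])
    results = [cache.login("jdoe", "s3cret")]          # t=0: goes to LDAP
    ldap.groups.append("cn=finance,ou=groups,dc=company,dc=com")
    ldap.down = True                                   # LDAP now unreachable
    now[0] = 300
    results.append(cache.login("jdoe", "s3cret"))      # cached, stale groups, no request
    now[0] = 899                                       # window was extended to 900 at t=300
    results.append(cache.login("jdoe", "s3cret"))      # still cached
    now[0] = 1500                                      # past 899+600: entry expired
    ldap.down = False
    results.append(cache.login("jdoe", "s3cret"))      # fresh LDAP lookup sees new group
    return results, ldap.calls
```

The two points a defender should take from the model: a group removal in LDAP does not lock a user out of AppMon until the cached authentication expires, and while the LDAP server is down only users who authenticated within the window can still log in. Lowering the timeout shortens both effects at the cost of more LDAP traffic.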