LDAP


To set up LDAP authentication, you need to configure Dynatrace to communicate with the LDAP server.

This procedure describes how to use the LDAP screen to enter basic information needed to connect to your LDAP server and test that you can find the users and groups that need access to Dynatrace. Use the Search settings to filter your user or group search to ease importing these users later.

Tip

We recommend using a free LDAP browser, such as Softerra 4.5, to view the attributes used in your organization's LDAP server. You will need some familiarity with these attributes to configure them for Dynatrace.

  1. In the NAM Console menu, select Authentication ► LDAP.
  2. Select LDAP enabled to activate the LDAP configuration fields.
  3. Select the LDAP server type.
    • MS Active Directory
      This is the default. Dynatrace is configured to use Microsoft Active Directory for LDAP authentication.
    • Other
      Select this to use Apache DS or another server type. You will need to use the Advanced settings to configure it to use Apache DS or another LDAP directory server. Click Load Defaults to populate configuration fields according to the LDAP server type selected.
  4. On the LDAP configuration tab, define how to connect to the LDAP server:
    • Host Name
      Enter the hostname of the LDAP server.
    • Encryption Method
      You can choose SSL or None. This selection determines the default port used. With None, the service account password sent in the BIND and every query cross the network in cleartext, so choose SSL unless the connection is confined to a network segment you trust.
    • Port
      The LDAP default SSL port is 636; the LDAP default clear port is 389. If needed, you can enter another value to communicate with the LDAP server.
    • Service account user name and Password
      Dynatrace makes queries to the LDAP server. The Service Account information tells Dynatrace the user name and password to use for these queries. A best practice is to use a dedicated service account (not a person's account) that has only search access, and a non-expiring password if security policies allow.
      • This value is passed directly to LDAP as the BIND's DN (Distinguished Name). Dynatrace does no processing on this field.
      • For non-Active Directory LDAP servers, this field must be a full DN, not an RDN (Relative DN) or a user name.
  5. Click the Connect button to test your connection settings.
    If the connection is successful, you will see a green Connected status message over the Connect button.
  6. Click Save to save your changes up to this point.
    The Connect button tests your connection, but the settings are only temporary until you save them.
  7. On the Search settings tab, review and test settings for LDAP users and groups:
    • Review Base DN and adjust it if needed.
      Dynatrace attempts to determine the Base Distinguished Name (Base DN) of your LDAP server if the server exposes it through its environment variable. You can choose a different Base DN if another one is better for your environment.
      Click Refresh Base DN to update this field if necessary.
      The Base DN setting is the root node that limits all subsequent searches. It needs to be high enough in the LDAP directory to contain all potential Dynatrace users. Dynatrace cannot find any user or group that is higher in the LDAP hierarchy than the Base DN.
    • Test group name
      Enter an LDAP group name, which can include the wildcard character *, and then click Search Group.
      If groups matching the search criteria are displayed, you have properly configured Dynatrace to find your LDAP groups. You can later "import" that group on the User Groups screen.
      If you don't see any matching groups, you need to use different search settings.
    • Test username
      If using Active Directory, enter the user ID (their sAMAccountName) of someone who will use Dynatrace and then click Search User. If that user's information is displayed, you have properly configured Dynatrace to find your LDAP users (but additional configuration is required). You can later "import" that user (and others) on the Users screen.
      For other LDAP servers, the Service Account User Name field must be a full DN (Distinguished Name), not an RDN (Relative DN) or a user name.
      If you don't see the required users, select a different Base DN from the list or use different search settings.
  8. Click Save to save your changes.
    A message confirming a successful save is displayed.

Fine-tuning your search filters

The Advanced LDAP attributes and Search settings tab settings tell Dynatrace how to find users and groups in your LDAP server. These settings also tell Dynatrace which attributes your LDAP server uses to store information such as a user's e-mail address and name. For instance, in Active Directory, the last name of each user is typically stored in an LDAP attribute named SN. Because Dynatrace needs to know a few things about each user (such as their e-mail address), it needs to know which of the user's attributes hold this information. Using an LDAP browser will help you determine how these attributes are defined in your organization's LDAP server.

The Search settings are used to define the search filters that Dynatrace uses to find users, groups, and the groups that a particular user is in. These are mostly LDAP filters written to return information about a user or group.

Some default filters may contain {0} and {1}. These two strings are placeholders that are replaced with an appropriate value (depending on the configuration) before an LDAP query is made. For instance, when performing a user search, the {0} placeholder is replaced by the value that you have configured for the name of the attribute that holds a user's LDAP ID (sAMAccountName for Active Directory). To search for a particular user, the {1} in the default user search is replaced by the user's LDAP ID. To search for all users, the {1} is replaced by a wildcard (*).

There are three search filters to be configured. Each of these searches has an associated search base that can be adjusted.

Each of these filter/base pairs must be set correctly for Dynatrace to be able to work with your LDAP server.

As mentioned earlier, all searches are narrowed to the Base DN setting. The three search base settings further narrow the scope of each of the three types of searches.

For example, the User search base further narrows the part of the LDAP hierarchy searched for users.

  • If you leave User search base empty, user searches will look under the sub-tree set by Base DN.
  • If you set a User search base value, user searches will look under the sub-tree defined by concatenating the value of the User search base with the Base DN. For example, if Base DN is set to DC=google, DC=com and User search base is OU=New York, then a search for users would be rooted at OU=New York,DC=google,DC=com and only users under that sub-tree would be found by searches.

This same principle applies to the two other searches. Their search bases are combined with Base DN to limit the portion of the LDAP tree that is searched.

Tuning your search filters:

  • Group search filter
    This is used with Group search base to find LDAP groups.
    • In the Group search filter, make sure that the LDAP filter is applicable to your LDAP server's schema.
    • In the Description field, enter the name of the LDAP attribute used to hold a group's description.
    • In the Test group name field, enter the name of a group (use wildcard characters – asterisks – if the exact name is unknown) and then click Search Group to make sure your settings are correct. If you see the desired group, you have configured Dynatrace properly for groups and can proceed to the User Settings section.
  • User search filter
    This is used with User search base to find LDAP users.
    • In the User search base field, enter the RDN of the node containing user accounts, relative to the Base DN setting. This value is optional but can be helpful in reducing the load on your LDAP server if the sub-tree search for users can be limited beyond the Base DN.
    • In the User search filter, check that the LDAP filter is applicable to your LDAP server's schema. Remember that the placeholders are replaced (within Dynatrace) before the query is submitted to the LDAP server: {0} is replaced with the name of the attribute that holds the user's LDAP ID, and {1} with the value entered into the Test username field.
    • In the Email address field, enter the name of the LDAP attribute used to hold a user's email address.
    • In the First name field, enter the name of the LDAP attribute used to hold a user's first name.
    • In the Last name field, enter the name of the LDAP attribute used to hold a user's last name.
    • In the User group search base field, enter the RDN of the node containing the groups that your user is a member of, relative to the Base DN setting. This value is optional but can be very helpful in reducing the load on your LDAP server if the sub-tree searched for a user's groups can be limited beyond Base DN.
    • In the Test Username field, enter the name of a user (use wildcard characters – asterisks – if the exact name is unknown) and then click Search User. If you see the desired users and groups, you have configured Dynatrace properly for finding your users.
  • User group search filter
    This is used with User group search base to find the LDAP groups that contain a particular LDAP user.

Be sure to Save your changes.
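The following script is an added example, not Dynatrace code, that models offline what the connection settings (steps 4 to 7 above) and the three filter/base pairs in this section produce. It composes each search base from Base DN as described, substitutes {0} and {1} into a filter, escapes the substituted value per RFC 4515 so a crafted user ID cannot widen the search (the page does not say whether Dynatrace escapes it), and renders each query as an ldapsearch command you can replay against the directory before saving the screen. The class, function names and the Active Directory style default filters are assumptions for illustration; the sample settings are constructed and nothing here contacts a server.

```python
"""Offline model of the LDAP queries Dynatrace builds from the settings on this
page. Added example, not Dynatrace code: class, function names and the default
filters are invented for illustration (Active Directory conventions); the
{0}/{1} placeholder meaning comes from the page text."""
from dataclasses import dataclass
from typing import List, Optional
import shlex


def escape_filter_value(value: str, wildcard: bool = False) -> str:
    """RFC 4515 escaping for a value interpolated into a filter ({1}).

    Without this, a user ID such as '*)(objectClass=*' widens the search.
    wildcard=True keeps '*' literal for the deliberate wildcard in the Test fields;
    every other special character is still escaped."""
    out = []
    for ch in value:
        if ch == "*" and wildcard:
            out.append(ch)
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def search_base(base_dn: str, relative_base: str) -> str:
    """Per-search base (RDNs relative to Base DN) prepended to Base DN; empty
    means the search is rooted at Base DN, as the page describes."""
    relative_base = relative_base.strip().rstrip(",")
    return f"{relative_base},{base_dn}" if relative_base else base_dn


def build_filter(template: str, attr: str, value: str, wildcard: bool = False) -> str:
    """{0} -> attribute name from the settings, {1} -> escaped search value."""
    return template.replace("{0}", attr).replace("{1}", escape_filter_value(value, wildcard))


@dataclass
class LdapSettings:
    host: str
    encryption: str = "SSL"            # "SSL" or "None", as on the LDAP configuration tab
    port: Optional[int] = None         # None -> default port for the encryption method
    bind_dn: str = ""                  # Service account user name, passed verbatim as BIND DN
    base_dn: str = ""
    user_search_base: str = ""         # RDNs relative to base_dn; empty = whole Base DN
    group_search_base: str = ""
    user_group_search_base: str = ""
    user_id_attr: str = "sAMAccountName"
    # Constructed AD-style filters, not Dynatrace's shipped defaults.
    user_filter: str = "(&(objectClass=user)({0}={1}))"
    group_filter: str = "(&(objectClass=group)(cn={1}))"
    user_group_filter: str = "(&(objectClass=group)(member={1}))"  # {1} = user's DN

    def effective_port(self) -> int:
        if self.port is not None:
            return self.port
        return 636 if self.encryption == "SSL" else 389

    def url(self) -> str:
        scheme = "ldaps" if self.encryption == "SSL" else "ldap"
        return f"{scheme}://{self.host}:{self.effective_port()}"

    def review(self) -> List[str]:
        """Checks a reviewer would make before clicking Save."""
        problems = []
        if self.encryption != "SSL":
            problems.append("Encryption Method is None: the BIND password and every "
                            "query cross the network in cleartext")
        if "=" not in self.bind_dn:
            problems.append("Service account user name is not a DN; non-AD servers "
                            "require a full DN for the BIND")
        if not self.base_dn:
            problems.append("Base DN is empty; searches would be unrooted")
        return problems


def ldapsearch_command(s: LdapSettings, base: str, ldap_filter: str, attrs: List[str]) -> str:
    """Same query as an ldapsearch invocation for replay outside Dynatrace.
    -W prompts for the password so the secret never lands in shell history."""
    parts = ["ldapsearch", "-LLL", "-H", s.url(), "-D", s.bind_dn, "-W",
             "-b", base, "-s", "sub", ldap_filter, *attrs]
    return " ".join(shlex.quote(p) for p in parts)


def plan_queries(s: LdapSettings, test_group: str, test_user: str, user_dn: str) -> dict:
    """The three filter/base pairs from the page with the Test field values filled in."""
    return {
        "group": ldapsearch_command(s, search_base(s.base_dn, s.group_search_base),
                                    build_filter(s.group_filter, "cn", test_group, wildcard=True),
                                    ["cn", "description"]),
        "user": ldapsearch_command(s, search_base(s.base_dn, s.user_search_base),
                                   build_filter(s.user_filter, s.user_id_attr, test_user, wildcard=True),
                                   [s.user_id_attr, "mail", "givenName", "sn"]),
        "user_groups": ldapsearch_command(s, search_base(s.base_dn, s.user_group_search_base),
                                          build_filter(s.user_group_filter, "member", user_dn),
                                          ["cn"]),
    }


if __name__ == "__main__":
    # Constructed sample settings; hostname and DNs are placeholders.
    cfg = LdapSettings(host="ldap.example.com",
                       bind_dn="CN=svc-dynatrace,OU=Service Accounts,DC=google,DC=com",
                       base_dn="DC=google,DC=com", user_search_base="OU=New York")
    for warning in cfg.review():
        print("WARNING:", warning)
    for name, cmd in plan_queries(cfg, "Dyna*", "jsmith",
                                  "CN=J Smith,OU=New York,DC=google,DC=com").items():
        print(f"{name}: {cmd}")
```

Run the script and paste each printed ldapsearch line into a shell on a host that can reach the directory; if ldapsearch returns the expected entries with the same base and filter, the Connect, Search Group and Search User tests in the console should succeed with the same values. The escaping in escape_filter_value is what to check for in any code that fills {1} from input a user controls, such as the login name at authentication time.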

Fine-tuning your other settings

On the Advanced LDAP attributes tab:

  • Connection timeout
    This specifies the maximum number of seconds allowed for the server to run search and bind operations.
    Default: 30
  • Follow referrals
    The LDAP server may return referrals when performing searches, in order to extend the search to include results from another LDAP server.
    Default: enabled
  • Referral limit
    The maximum number of referrals that can be chained together.
    Default: 10
  • Search pagination
    Many LDAP servers support an LDAP extension that allows search results to be returned in discrete pieces called pages. This is useful when an LDAP search returns a lot of results. Instead of trying to return 100,000 results all at once, the LDAP server (at the request of the LDAP client) can return one page at a time, where the page size is dictated by the LDAP client. When Search pagination is selected, Dynatrace acts as the LDAP client: it requests pagination, where the page size is defined in the LDAP properties file.
  • LDAP group association required for LDAP user auto import
    When LDAP is enabled, by default any LDAP user with valid LDAP credentials can access Dynatrace, even one that has never been imported; every account under the Base DN that matches the User search filter is therefore a Dynatrace login. Select LDAP Auto Import to disable this behavior. When it is disabled, only LDAP users that have been explicitly imported into Dynatrace are allowed access.

Be sure to Save your changes.