Manage users and groups via LDAP

You can connect your Dynatrace Server to an external authentication server to import the user groups or accounts that need access to your Dynatrace Managed environment. With LDAP integration, all user accounts are looked up in, and authenticated against, your external LDAP directory. You then assign user-group privileges and roles on the Groups page, as detailed below.

Connection setup

From the Cluster Management Console menu, select User authentication > User repository.

Choose External LDAP server from the list box.

Note:
Once you switch to LDAP authentication, local accounts stop working and are no longer available in the Dynatrace Server user interface.
The administrator account you created during installation continues to work regardless of the selected authentication provider. Keep its credentials safe: it is the account you fall back on if the LDAP connection breaks or the bind account is locked out.

Enter your LDAP Host address. Adjust the port number if your LDAP server doesn't listen on the default port 389 (LDAPS servers conventionally listen on 636).

Specify the Bind DN (Distinguished Name) of the LDAP account that Dynatrace uses to search the directory, for example in the format:
CN=UserName,OU=OU-name,DC=DomainName,DC=DomainExtension
or any other valid DN. Use a dedicated, least-privilege service account for this: it only needs permission to read the group and user subtrees you query below.

Enter the Password of the LDAP account specified in the Bind DN.

(Optional) Define extra connection parameters:

  • Enable encrypted communication with the LDAP server by enabling the Use SSL switch. Without it, the Bind DN password and the credentials of every user who logs in cross the network in cleartext.
  • If you've configured referrals on your LDAP server, set the Maximum referral hops.

Click Test connection to see if Dynatrace Managed is able to reach your LDAP server. During the connection test, we attempt to recognize the type of LDAP server that you're using. Based on this information, we then provide you with the default settings for group and user queries. Once the connection is successful, you're ready to query and import groups and users.

Groups query

Following a successful connection test, the Groups query step becomes active.

Type query strings into the appropriate fields to return the groups you want to integrate with Dynatrace.

  • The LDAP directory is organized as a tree. The Base DN for the groups query is the entry whose subtree contains your groups. Suppose, for example, there are two subtrees containing user groups: OU=Groups,DC=dynatrace,DC=org and OU=Lab,DC=dynatrace,DC=org

    If you want to assign users to groups in both subtrees, specify the parent entry DC=dynatrace,DC=org as the Base DN for the groups query. To only assign users to groups of the OU=Lab,DC=dynatrace,DC=org subtree, specify that subtree as the Base DN.

  • You can type an LDAP Filter string to narrow down the number of returned groups. The filter should contain information about which object class the group entries have. For example, for Active Directory, the default filter is:

    (objectClass=group)

    and for OpenLDAP the default filter is:

    (objectClass=groupOfNames)

    To narrow down the number of groups that are used, you can extend the filter with restrictions on the group name. For example, the filter below limits the groups used by the system to those that have group as an objectClass value and a CN (common name) beginning with PL_:

    (&(objectClass=group)(CN=PL_*))

    You can use any other valid LDAP filter here. Remember that attribute names and the values of cn, name, DNs and most other string attributes are matched case-insensitively (this depends on the attribute's matching rule on your server).

  • Configure the Group ID attribute. This attribute is used only in specific cases. To learn more, check the Matching users and groups section below. If not applicable, set this to the same value as Group name attribute.

  • Configure the Group name attribute. This is the attribute holding the name of a group, typically name (for Active Directory) or cn (for OpenLDAP). The Group name attribute values in your LDAP directory must match the LDAP group names on the User groups page. Remember that these values are matched case-insensitively.
    Note: The LDAP group name on the User groups page is by default set to the group name you provide during group creation.

  • Configure the Group members attribute. This attribute is covered in detail in the Matching users and groups section.

Click Test query to test your settings and verify that the query works.

Users query

After a successful connection test, the Users query step becomes active.

Type query strings into the appropriate fields to return the users you want to integrate with Dynatrace.

  • The LDAP directory is organized as a tree. The Base DN for the users query is the entry whose subtree contains your users. Suppose, for example, there are two subtrees holding users:

    OU=Functional,OU=Accounts,DC=dynatrace,DC=org and OU=Primary,OU=Accounts,DC=dynatrace,DC=org

    To authenticate users from both subtrees, specify the parent entry OU=Accounts,DC=dynatrace,DC=org as the Base DN for the users query. To authenticate only users from the OU=Primary,OU=Accounts,DC=dynatrace,DC=org subtree, specify that subtree as the Base DN. You can restrict system users further, for example to the OU=EU,OU=Primary,OU=Accounts,DC=dynatrace,DC=org subtree, by setting that subtree as the Base DN.

  • You can type an LDAP Filter string to narrow down the number of returned users. The filter should contain information about which object class the user entries have. For example, for both Active Directory and OpenLDAP the default filter is:

    (objectClass=person)

    To narrow down the set of users who can authenticate, you can extend the filter with any valid LDAP filter. Users outside the filter cannot log in at all. For example, the filter below limits authentication to users that have user as an objectClass value and a department attribute set to one of the specified values:

    (&(objectClass=user)(|(department=101)(department=102)(department=103)))

    Remember that attribute names and most string attribute values are matched case-insensitively.

  • Configure the Login attribute. This attribute is used to log in to the system.

  • Fine tune the First name attribute, Last name attribute and Email attribute if the provided attributes don't work for you.

  • Configure the Group membership attribute. This attribute is covered in detail in Matching users and groups below.

Click Test query to test your settings and verify that the query works.


Note:
The test query options (for both groups and users) test only the correctness of Base DNs, filters, and mandatory attributes—group name attribute for groups and login attribute for users. Test queries don't raise errors when non-mandatory attributes are configured improperly. Also, they don't check if users are assigned to groups properly.
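The filters in the Groups query and Users query steps are standard RFC 4515 search filters, so it pays to check what they select before pasting them into the console. The following is an added example, not Dynatrace code: a small offline evaluator for the filter subset used on this page (&, |, !, presence, equality and substring items) applied to a handful of constructed directory entries. The entries, the attribute values and the case-insensitive matching rule it assumes are all constructed for illustration; escaped values and extensible matching are not handled.

```python
import re

# Constructed sample entries, not taken from any real directory. Attribute
# names are stored lower-cased because LDAP attribute names are case-insensitive.
ENTRIES = [
    {"dn": "CN=PL_Admins,OU=Groups,DC=dynatrace,DC=org",
     "objectclass": ["top", "group"], "cn": ["PL_Admins"]},
    {"dn": "CN=pl_devs,OU=Lab,DC=dynatrace,DC=org",
     "objectclass": ["top", "group"], "cn": ["pl_devs"]},
    {"dn": "CN=US_Ops,OU=Groups,DC=dynatrace,DC=org",
     "objectclass": ["top", "group"], "cn": ["US_Ops"]},
    {"dn": "CN=alice,OU=Primary,OU=Accounts,DC=dynatrace,DC=org",
     "objectclass": ["person", "user"], "cn": ["alice"], "department": ["101"]},
    {"dn": "CN=bob,OU=Functional,OU=Accounts,DC=dynatrace,DC=org",
     "objectclass": ["person", "user"], "cn": ["bob"], "department": ["200"]},
]


def parse_filter(text):
    """Parse an RFC 4515 filter (subset: &, |, !, presence, equality, substring)
    into a tuple tree. Raises ValueError on unbalanced or malformed input.
    Escaped values (\\2a etc.) and extensible matching are not supported."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":          # (&(...)(...)) / (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses")
        return (op, kids), i + 1
    if i < len(s) and s[i] == "!":           # (!(...))
        kid, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses")
        return ("!", kid), i + 1
    end = s.find(")", i)                      # simple item: attr=value
    if end < 0:
        raise ValueError("unbalanced parentheses")
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"malformed item {s[i:end]!r}")
    return ("=", attr.lower(), value), end + 1


def is_valid_filter(text):
    """True if the filter parses; a quick syntax check before using it in the console."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                          # presence filter, e.g. (mail=*)
        return bool(values)
    # Equality and substring filters. '*' is a wildcard; the literal parts are
    # compared case-insensitively, as caseIgnoreMatch (used by cn, name and most
    # string attributes) does. Attributes with a case-exact matching rule would
    # behave differently on a real server.
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    rx = re.compile(f"^{pattern}$", re.IGNORECASE)
    return any(rx.match(v) for v in values)


def search(base_dn, filter_text, entries=ENTRIES):
    """Return the DNs under base_dn (subtree scope) that match filter_text.
    DN containment is a plain case-insensitive suffix check, which is enough
    for the normalized DNs used in this example."""
    node = parse_filter(filter_text)
    base = base_dn.lower()
    return [e["dn"] for e in entries
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and matches(node, e)]


if __name__ == "__main__":
    for base, flt in [("DC=dynatrace,DC=org", "(objectClass=group)"),
                      ("DC=dynatrace,DC=org", "(&(objectClass=group)(CN=PL_*))"),
                      ("OU=Accounts,DC=dynatrace,DC=org",
                       "(&(objectClass=user)(|(department=101)(department=102)(department=103)))")]:
        print(base, flt, "->", search(base, flt))
```

The same Base DN and filter strings can be handed to ldapsearch against the real server with the Bind DN from the connection step; if the offline result and the live result differ, the difference is usually a server-side matching rule or a DN spelling, not the filter logic.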

Matching users and groups

There are a few ways to match users with groups in LDAP directory servers. For example:

  1. The Group members attribute (for example, member or uniqueMember) in the LDAP group entry contains the user's DN.

    In this case, configuring the Group ID attribute isn't necessary. You may set it to the same value as the Group name attribute.

  2. The Group membership attribute (for example, memberOf or isMemberOf) in the user entry contains the group's DN.

    Here too the Group ID attribute isn't needed, because the group's DN is used for user-group matching. You may set the Group ID attribute to the same value as the Group name attribute.

  3. The Group membership attribute (for example, gid or group) in the user entry contains the group's ID. In this case, the Group ID attribute must be set to the group attribute that stores the referenced value.

    If, for example, the user entry's gid attribute holds the number stored in the group entry's gidNumber attribute, set the Group membership attribute in the users query to gid and the Group ID attribute in the groups query to gidNumber.

  4. In the example below, the user entry refers to the group by name: set the Group membership attribute in the users query to group and the Group ID attribute in the groups query to cn (the same as the Group name attribute in this case).

    dn: cn=user 3,ou=People,dc=example,dc=com
    objectClass: person
    cn: user 3
    group: test
    
    dn: cn=test,ou=Groups,dc=example,dc=com
    objectClass: groupOfUniqueNames
    cn: test
    
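The four matching methods above differ only in which attribute is compared with which. The following added example (not Dynatrace's implementation) models the three console settings involved, Group members attribute, Group membership attribute and Group ID attribute, and resolves group membership for constructed user and group entries that cover each method. The entries, the posix-style gid/gidNumber pairing assumed for method 3 and the non-standard group attribute from the LDIF above are all constructed for illustration. It also answers the question the test queries leave open: which users would end up in no group at all.

```python
# Constructed entries, not from any real directory, keyed by DN. Attribute
# names are lower-cased because LDAP attribute names are case-insensitive.
GROUPS = {
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "cn": ["admins"], "gidnumber": ["1000"],
        "member": ["cn=user 1,ou=People,dc=example,dc=com"]},
    "cn=test,ou=Groups,dc=example,dc=com": {
        "cn": ["test"], "gidnumber": ["1001"], "member": []},
}
USERS = {
    # method 1: referenced only from the group's member attribute
    "cn=user 1,ou=People,dc=example,dc=com": {"cn": ["user 1"]},
    # method 2: the user carries the group's DN
    "cn=user 2,ou=People,dc=example,dc=com": {
        "cn": ["user 2"], "memberof": ["cn=test,ou=Groups,dc=example,dc=com"]},
    # method 3: the user carries the group's numeric ID (gid -> gidNumber)
    "cn=user 3,ou=People,dc=example,dc=com": {"cn": ["user 3"], "gid": ["1000"]},
    # method 4: the user carries the group's name; note the different case
    "cn=user 4,ou=People,dc=example,dc=com": {"cn": ["user 4"], "group": ["TEST"]},
}


def _vals(entry, attr):
    """Case-insensitive lookup of an attribute; returns its values lower-cased."""
    return {v.lower() for v in entry.get(attr.lower(), [])} if attr else set()


def resolve_groups(user_dn, user, groups, group_members_attr=None,
                   group_membership_attr=None, group_id_attr=None):
    """Names of the groups the user belongs to under the given settings:
    group_members_attr    = Group members attribute    (groups query)
    group_membership_attr = Group membership attribute (users query)
    group_id_attr         = Group ID attribute         (groups query)
    """
    found = set()
    for group_dn, group in groups.items():
        name = group["cn"][0]
        # Method 1: the group entry lists the user's DN.
        if user_dn.lower() in _vals(group, group_members_attr):
            found.add(name)
        # Methods 2-4: the user entry references the group, either by DN or by
        # the value of the Group ID attribute (gidNumber, cn, ...).
        refs = _vals(user, group_membership_attr)
        if refs & ({group_dn.lower()} | _vals(group, group_id_attr)):
            found.add(name)
    return sorted(found)


def unmatched_users(users, groups, **mapping):
    """DNs of users that end up in no group. A test query in the console would
    not flag these (it checks Base DNs, filters and mandatory attributes only),
    so a check like this belongs in your rollout before users depend on it."""
    return sorted(dn for dn, user in users.items()
                  if not resolve_groups(dn, user, groups, **mapping))


if __name__ == "__main__":
    for dn, user in USERS.items():
        print(dn, "->", resolve_groups(dn, user, GROUPS, group_members_attr="member",
                                       group_membership_attr="memberof"))
    print("no group:", unmatched_users(USERS, GROUPS, group_members_attr="member",
                                       group_membership_attr="memberof"))
```

The last assertion-style check is the one worth keeping: a mapping that points Group ID attribute at cn while the users carry numeric IDs (or vice versa) passes both test queries and silently leaves every user without a group.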

Map Dynatrace Managed groups to LDAP groups

For information regarding the user group permissions that are available in Dynatrace Managed, see What roles and user groups are available?

After you've successfully configured groups and users from LDAP, you need to assign monitoring environment roles to the groups from your user directory. By default, no monitoring environment permissions are granted to imported groups.

Note:
Users won't be able to access a monitoring environment until you perform this step.

  1. From the navigation menu, select User authentication > User groups.
  2. From the list of groups imported from LDAP, select the group names you want to configure.
  3. You can assign cluster administrator rights to a specific group by enabling Grant global administrator permissions to this group. All user accounts within this group then have administrator rights. Grant this sparingly: once enabled, whoever can add members to that group in your LDAP directory can hand out full cluster administration, so the group should be tightly controlled on the directory side.
  4. In the Permissions section, manually set the permissions for each environment.

Note:
The list of users displayed by Dynatrace Managed shows only those accounts that are members of groups with assigned Dynatrace Managed roles.