Manage users and groups via LDAP

You can connect your Dynatrace Server to an external authentication server to import user groups or accounts that need access to your Dynatrace Managed environment. With LDAP integration, all users are accessed from your external LDAP resource. You then assign user-group privileges and roles by accessing the Groups page as detailed below.

Get started

  1. Select User authentication > User repository from the navigation menu.

  2. Select External LDAP server from the list.
    The LDAP configuration page is displayed.

    After you switch to LDAP authentication

    1. Local accounts (other than the administrator account) will stop working and will no longer be available from the Dynatrace Server user interface.
    2. The administrator account you created during installation will continue to work regardless of the selected authentication provider.
  3. The LDAP configuration page displays a three-step process for configuration

    1. Connection configuration
    2. Groups query
    3. Users query

    See below for configuration details.

Connection configuration

Enter your LDAP Host address. You may need to adjust the port number if your LDAP server doesn't use the default 389 port.

Specify the Bind DN (Distinguished Name) for the LDAP user account, for example, in the format of:
CN=UserName,OU=OU-name,DC=DomainName,DC=DomainExtension
or any other valid LDAP string.

Enter the Password used by the LDAP user specified in the Bind DN.

(Optional) Define extra connection parameters:

  • Enable encrypted communication with the LDAP server by enabling the Use SSL switch.
  • If you've configured referrals on your LDAP server, set the Maximum referral hops.

Click Test connection to see if Dynatrace Managed is able to reach your LDAP server. During the connection test, we attempt to recognize the type of LDAP server you're using. Based on this information, we then provide you with the default settings for group and user queries. When the connection is successful, you're ready to query and import groups and users.

Groups query

Following a successful connection test, the Groups query step becomes active.

Type query strings into the appropriate fields to return the groups you want to integrate with Dynatrace.

  • The LDAP directory is organized in a tree structure. Base DN for the groups query is the entry that contains the subtree in which your groups exist. In the example image below, there are two subtrees containing user groups OU=Groups,DC=dynatrace,DC=org and OU=Lab,DC=dynatrace,DC=org:

    If you want to assign users to groups in both subtrees, you should specify the Base DN for the groups query as DC=dynatrace,DC=org (the parent entry). To only assign users to groups of the OU=Lab,DC=dynatrace,DC=org subtree, specify this subtree as the Base DN.

  • You can type an LDAP Filter string to narrow down the number of returned groups. The filter should contain information about which object class the group entries have. For example, for Active Directory the default filter is:

    (objectClass=group)

    and for OpenLDAP the default filter is:

    (objectClass=groupOfNames)

    To narrow down the number of used groups, you can extend the filter with the group name restrictions. For example, the filter (&(objectClass=group)(CN=PL_*)) narrows down the groups used by the system to groups that have group as an objectClass attribute and the CN attribute (common name) beginning with phrase PL. You can insert here any other valid LDAP query. Remember that LDAP is case-insensitive.

  • Configure the Group ID attribute. This attribute is used only in specific cases. To learn more, check the Matching users and groups section below. If not applicable, set this to the same value as Group name attribute.

  • Configure the Group name attribute. This is the attribute holding the name of a group, typically called name (for example, for Active Directory) or cn (for example, for OpenLDAP). The Group name attribute values in your LDAP directory should match LDAP group names on the User groups page (see image below). Remember that LDAP is case-insensitive.
    Note: LDAP group name on the User groups page is by default set to the group name you provide during group creation.

  • Configure the Group members attribute. This attribute is covered in detail in the Matching users and groups section below.

Click Test query to test your settings and verify that the query works.

Users query

After a successful connection test, the Users query step becomes active.

Type query strings into the appropriate fields to return the users you want to integrate with Dynatrace.

  • The LDAP directory is organized in a tree structure. Base DN for the users query is the entry that contains the subtree in which your users exists. For example, in the image below there are two subtrees holding users:

    OU=Functional,OU=Accounts,DC=dynatrace,DC=org and OU=Primary,OU=Accounts,DC=dynatrace,DC=org

    Referring to the example tree above:

    • To authenticate users from both subtrees (OU=Functional and OU=Primary), set Base DN to the parent entry of those subtrees:
      OU=Accounts,DC=dynatrace,DC=org
    • To authenticate users only from the OU=Primary subtree of OU=Accounts, set Base DN to:
      OU=Primary,OU=Accounts,DC=dynatrace,DC=org
    • To further restrict system users to the OU=EU subtree of OU=Primary, set Base DN to:
      OU=EU,OU=Primary,OU=Accounts,DC=dynatrace,DC=org
  • You can type an LDAP Filter string to narrow down the number of returned users. The filter should contain information about which object class the group entries have. For example, for Active Directory and OpenLDAP the default filter is:

    (objectClass=person)

    To narrow down the number of authenticated users, you can extend the filter with any valid LDAP query. For example, the filter
    (&(objectClass=user)(|(department=101)(department=102)(department=103)))
    narrows the authenticated users to those having user as objectClass attribute and department attribute set to one of specified values.
    Remember that LDAP is case-insensitive.

  • Configure the Login attribute. This attribute is used to log in to the system.

  • Fine tune the First name attribute, Last name attribute, and Email attribute if the provided attributes don't work for you.

  • Configure the Group membership attribute. This attribute is covered in detail in Matching users and groups below.

Click Test query to test your settings and verify that the query works.


Note:
The test query options (for both groups and users) test only the correctness of Base DNs, filters, and mandatory attributes—group name attribute for groups and login attribute for users. Test queries don't raise errors when non-mandatory attributes are configured improperly. Also, they don't check if users are assigned to groups properly.

Matching users and groups

There are several ways to match users with groups in LDAP directory servers. review these examples to find the solution that works best for you.

Examples:

  1. The Group members attribute (for example, member or uniqueMember) in LDAP group entry contains user's DN. In this case, configuring Group ID attribute isn't necessary. You can configure it to the same value as Group name attribute:

  2. The Group membership attribute (for example, memberOf or isMemberOf) in user entry contains group's DN. In this case, configuring the Group ID attribute also isn't necessary, because the group's DN is used for user-group matching. You can configure Group ID attribute to the same value as Group name attribute:

  3. The Group membership attribute (for example, gid or group) in the user entry contains the group's ID. In this case, the Group ID attribute needs to be configured to the attribute that stores the referenced value. In this example:

    • Group membership attribute in users query should be configured to gid
    • Group ID attribute in groups query should be configured to gidNumber
  4. In the following example:

    • Group membership attribute in users query should be configured to group
    • Group ID attribute in groups query should be configured to cn (the same as the Group name attribute in this case)

Map Dynatrace Managed groups to LDAP groups

For information regarding the user group permissions that are available in Dynatrace Managed, see User groups and permissions.

After you've successfully configured groups and users from LDAP, you need to assign monitoring environment roles to the groups from your user directory. By default, no monitoring environment permissions are granted to imported groups.

Note:
Users won't be able to access a monitoring environment until you perform this step.

  1. From the navigation menu, select User authentication > User groups.
  2. From the list of groups imported from LDAP, select the group names you want to configure.
  3. You can assign cluster administrator rights to any specific group by enabling Grant global administrator permissions to this group. All user accounts within this group will then have administrator rights.
  4. In the Permissions section, manually set the permissions for each environment.

Note:
The list of users displayed by Dynatrace Managed shows only those accounts that are members of groups with assigned Dynatrace Managed roles.

Limitations

Dynatrace does not support multiple domains for LDAP user authentication.