I have a few questions about LDAP, if someone could answer them:
First of all, I'm not sure I understood the principle from the official documentation, so I'm just going to tell you what I know.
1- What we did is: we succeeded in connecting to the host, so connectivity is OK.
2- The groups query is also OK.
3- Here is my question:
Why do we need a users query?
What I thought at first was:
1- Create groups in Active Directory
2- Assign users to those groups in Active Directory (by the Active Directory team, not in Dynatrace)
3- Call out those groups in Dynatrace and assign rights to the groups (in Dynatrace), not to the users => So when I assign rights to a specific group => all the users in AD who are in that group will have those rights.
But then, when I found that I have to do a user query, I didn't really understand why?
Another question is: do the local accounts get deleted or just disabled when I enable LDAP? I want to enable it to test, but I'm not sure it will work, and I will need those local accounts back working.
Answer by Radoslaw S.
Why do we need the user query?
The user query is used to find a particular user in AD and get details like metadata or group membership. If a user exists in AD, then a password hash can be validated to authenticate the user. To authorize a user, group membership attributes are retrieved and mapped to groups configured in Dynatrace.
For example, a user "John" logs in. A user query is executed against AD and we receive:
In Dynatrace you have configured a group "Cluster admins" that is mapped to the AD group "working-group" and a group "Environment A viewers" that is mapped to "employees". The group query is executed to verify that both groups exist in AD and to create a mapping.
Then the user "John" is assigned to the Dynatrace group "Cluster admins" and the group "employees", as he's a member of both AD groups.
Why do we need the group query?
The group query is used to validate the correctness of the group configuration in Dynatrace (the mapping of a Dynatrace group to AD groups). From the query results, Dynatrace knows which of the configured AD groups exist in AD.
Do the local accounts get deleted or just disabled when I enable LDAP?
If you enable LDAP, you are no longer able to create internal users. All existing users will be overwritten by LDAP user accounts when they log in. There's a special "admin" account that will still be active, so you can log in and adjust the configuration. You can remove that user if you want, but then you are vulnerable to lock-in if your LDAP stops working. In that case the only rescue is to contact Dynatrace support.
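As an added example (not code from this thread or from Dynatrace), here is a small simulation of the flow the answer describes: the user query locates John and returns his memberOf attributes, the group query checks which configured AD groups actually exist, and only the intersection becomes Dynatrace group membership. The directory, DNs and mapping are constructed stand-ins; the filter-escaping helper is an extra check showing that the login name enters the search filter as data, not as filter syntax.

```python
GROUPS_OU = "OU=Groups,DC=example,DC=com"          # assumed base DN
WORKING_GROUP = f"CN=working-group,{GROUPS_OU}"
EMPLOYEES = f"CN=employees,{GROUPS_OU}"

# Constructed in-memory directory (DN -> attributes) standing in for AD.
DIRECTORY = {
    "CN=John,OU=Users,DC=example,DC=com": {
        "objectClass": "user", "sAMAccountName": "john",
        "memberOf": [WORKING_GROUP, EMPLOYEES, f"CN=contractors,{GROUPS_OU}"]},
    WORKING_GROUP: {"objectClass": "group"},
    EMPLOYEES: {"objectClass": "group"},
}

# Dynatrace-side configuration (Dynatrace group -> AD group DN); "Auditors"
# deliberately points at a group that does not exist in AD.
DYNATRACE_GROUP_MAPPING = {
    "Cluster admins": WORKING_GROUP,
    "Environment A viewers": EMPLOYEES,
    "Auditors": f"CN=auditors,{GROUPS_OU}",
}

def escape_filter_value(value):
    # RFC 4515 escaping: a login name must not be able to change the filter.
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def build_user_filter(username):
    # The search filter a real user query would send to AD for this login.
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"

def user_query(username):
    # User query: locate the user's entry and return its attributes (None = not in AD).
    for attrs in DIRECTORY.values():
        if attrs.get("objectClass") == "user" and attrs["sAMAccountName"] == username.lower():
            return attrs
    return None

def group_query(mapping):
    # Group query: which configured AD groups really exist? -> (valid, missing)
    valid = {dt: dn for dt, dn in mapping.items()
             if DIRECTORY.get(dn, {}).get("objectClass") == "group"}
    return valid, sorted(set(mapping) - set(valid))

def authorize(username, mapping=DYNATRACE_GROUP_MAPPING):
    # Grant only mapped AD groups that exist AND that the user belongs to; None = reject.
    attrs = user_query(username)
    if attrs is None:
        return None
    valid, _ = group_query(mapping)
    return sorted(dt for dt, dn in valid.items() if dn in set(attrs.get("memberOf", [])))
```

Membership of an AD group that is not mapped in Dynatrace (here "contractors") is simply ignored, and a mapped group that is missing in AD ("Auditors") is reported by the group query rather than silently granting anything.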