Service A. asked ·

LDAP DYNATRACE MANAGED

Hello,


I have a few questions about LDAP, if someone could answer them:

First of all, I'm not sure I understood the principle from the official documentation, so I'm just going to tell you what I know.


1- What we did: we succeeded in connecting to the host, so connectivity is OK.

2- The Groups query is also OK.

3- Here is my question: why do we need the Users query?

What I thought at first was:

1- Create groups in Active Directory.

2- Assign users to those groups in Active Directory (by the Active Directory team, not in Dynatrace).

3- Call out those groups in Dynatrace and assign rights to the groups (in Dynatrace), not the users => so when I assign rights to a specific group => all the users in AD who are in that group will have those rights.


But then, when I found that I have to do a User query, I didn't really understand why.

Another question is: do the local accounts get deleted or just disabled when I enable LDAP? I want to enable it to test, but I'm not sure it will work, and I will need those local accounts back working.


1 Answer

Radoslaw S. answered ·

I believe you refer to that page: https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-managed/users-and-groups-setup/manage-users-and-groups-with-ldap/#users-query


Why do we need the Users query?

The user query is used to find a particular user in AD and get details like metadata or group membership. If a user exists in AD, then a password hash can be validated to authenticate the user. To authorize a user, group membership attributes are retrieved and mapped to groups configured in Dynatrace.

For example, a user "John" logs in. The user query is executed against AD and we receive:

 "memberOf(working-group, employees)"

In Dynatrace you have configured a group "Cluster admins" that is mapped to the AD group "working-group" and a group "Environment A viewers" that is mapped to "employees". The group query is executed to verify that both groups exist in AD and to create a mapping.

Then the user "John" is assigned to the Dynatrace group "Cluster admins" and the group "employees", as he's a member of both AD groups.


Why do we need the Group query?

The group query is used to validate the correctness of the group configuration in Dynatrace (the mapping of a Dynatrace group to AD groups). From the query results, Dynatrace knows which of the configured AD groups exist in AD.


Do the local accounts get deleted or just disabled when I enable LDAP?

If you enable LDAP, you are no longer able to create internal users. All existing users will be overwritten by LDAP user accounts when they log in. There's a special "admin" account that will still be active, so you can log in and adjust the configuration. You can remove that user if you want, but then you are vulnerable to lock-out if your LDAP stops working. In that case the only rescue is to contact Dynatrace support.
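As an added illustration of the two lookups the answer describes (constructed example code, not Dynatrace's implementation or the answerer's; the directory contents, group names and the misconfigured "contractors" mapping are made up), the user query fetches the user's memberOf attribute, the group query checks which configured AD groups really exist, and only the intersection yields Dynatrace groups:

```python
# Toy model of the LDAP user query and group query flow described in the answer.
# Everything below is constructed sample data, not a real directory or Dynatrace code.

# Constructed AD contents: user entries with a bind secret and their memberOf DNs.
# (In a real setup AD verifies the password itself during the LDAP bind; the
# Dynatrace side never sees a hash. The plaintext here is only for the toy.)
AD_USERS = {
    "john": {
        "secret": "correct-horse",
        "memberOf": [
            "CN=working-group,OU=Groups,DC=example,DC=com",
            "CN=employees,OU=Groups,DC=example,DC=com",
        ],
    },
}
AD_GROUPS = {"working-group", "employees"}  # "contractors" deliberately absent

# Constructed Dynatrace-side mapping: Dynatrace group -> AD group CN.
GROUP_MAPPING = {
    "Cluster admins": "working-group",
    "Environment A viewers": "employees",
    "Environment B viewers": "contractors",  # misconfigured: no such AD group
}

def cn_of(dn):
    """Extract the CN value from a distinguished name such as 'CN=x,OU=y,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def group_query(mapping):
    """Group query: which configured AD groups really exist?
    Returns (usable_mappings, missing_ad_groups) so a misconfiguration is visible."""
    usable = {dt: ad for dt, ad in mapping.items() if ad in AD_GROUPS}
    missing = sorted(set(mapping.values()) - AD_GROUPS)
    return usable, missing

def user_query(username):
    """User query: find the user in AD and return the CNs from memberOf, or None."""
    entry = AD_USERS.get(username)
    return None if entry is None else {cn_of(dn) for dn in entry["memberOf"]}

def login(username, password, mapping=GROUP_MAPPING):
    """Authenticate (user exists and the bind succeeds), then authorize by matching
    the user's AD groups against the validated mapping.
    Returns the sorted Dynatrace groups, or None when authentication fails."""
    member_cns = user_query(username)
    if member_cns is None or AD_USERS[username]["secret"] != password:
        return None
    usable, _missing = group_query(mapping)
    return sorted(dt for dt, ad in usable.items() if ad in member_cns)
```

The missing "contractors" entry is what the group query is there to surface: a user who really is in that AD group would silently get no "Environment B viewers" rights.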


Thank you so much


I have another question, if you may:

I configured LDAP on one of our environments, and when the users try to connect I can see them being added to the users list, but they cannot access, so I do not know which password they should use.
I assumed that they would use their Active Directory password, but it is not working.

Yes - the AD password, of course. After successful configuration of LDAP you need to configure group mapping and assign permissions to environments. Please follow our guide:

https://www.dynatrace.com/support/help/shortlink/managed-ldap#map-dynatrace-managed-groups-to-ldap-groups


Thank you!
