This page provides instructions on how to integrate a Cisco AppDynamics on-premises Controller with Lightweight Directory Access Protocol (LDAP) directory servers.
LDAP Support
You can delegate Controller authentication and authorization to external directory servers that comply with LDAP version 3.
While a Controller should be able to work with any LDAPv3-compliant server, these LDAP products have been verified:
- Microsoft Active Directory for Windows Server 2008 >= SP2
- OpenLDAP >= 2.4
To configure LDAP authentication on a Cisco AppDynamics Controller, you must configure connection settings to the LDAP server and the queries that return user or group data. By mapping LDAP groups to roles, you can provision permissions in the Controller based on LDAP groups.
Possible Issues and Resolutions
| Issue | Resolution |
|---|---|
| The LDAP Server becomes unavailable | If the LDAP server configured for Controller authentication becomes unavailable for any reason, the Controller falls back to local user authentication. The best practice is to create a local user account with administrative rights that can access the Controller if the LDAP server becomes unavailable. |
| The user cannot be found in the LDAP directory | If a user cannot be found in the LDAP directory, the system logs an authentication failure event as a warning. The user can still authenticate through local authentication. |
Prepare the LDAP Directory for Cisco AppDynamics Integration
To use an LDAP authentication provider, your Controller must be able to connect to the external LDAP server. We recommend creating a user account in LDAP specifically for the Controller to authenticate itself to the server and run the queries. The Controller user only needs search privileges in LDAP.
You can map existing LDAP group definitions to roles in Cisco AppDynamics; however, your existing groups may not correspond directly to those roles. You can map LDAP groups to Controller roles by creating a group in LDAP for each role you want to map in Cisco AppDynamics. Creating an LDAP group for each role gives you a manageable, one-to-one correspondence between your LDAP groups and Cisco AppDynamics roles.
This is a possible LDAP group scheme for mapping in Cisco AppDynamics:
- AppDynamics-App1-ReadOnly
- AppDynamics-App1-Admins
- AppDynamics-App1-DashboardViewers
- AppDynamics-App2-ReadOnly
- AppDynamics-App2-Admins
- AppDynamics-App2-DashboardViewers
The sample group names imply having custom roles in Cisco AppDynamics that target specific applications, App1 and App2.
Naming the groups with a common prefix, such as the AppDynamics- prefix in the sample, allows you to use an LDAP group filter. A group filter for the sample groups could be:

```
(&(objectClass=group)(cn=AppDynamics-*))
```
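To show what the sample group filter actually selects, here is an added example (not part of the Cisco AppDynamics documentation or product) that evaluates the filter against a constructed set of directory entries and derives the application/role pair from each matching group name. The entries, the minimal filter parser and the `role_mapping` helper are all assumptions made for this illustration.

```python
import re

# Constructed sample entries shaped like LDAP search results (attribute -> list of values).
# Two are deliberately not Controller groups: one has the wrong prefix, one is a user entry.
SAMPLE_ENTRIES = [
    {"cn": ["AppDynamics-App1-ReadOnly"], "objectClass": ["top", "group"]},
    {"cn": ["AppDynamics-App1-Admins"], "objectClass": ["top", "group"]},
    {"cn": ["AppDynamics-App2-DashboardViewers"], "objectClass": ["top", "group"]},
    {"cn": ["Finance-Admins"], "objectClass": ["top", "group"]},
    {"cn": ["AppDynamics-App1-Admins"], "objectClass": ["top", "person"]},
]
GROUP_FILTER = "(&(objectClass=group)(cn=AppDynamics-*))"

def parse_filter(s, i=0):
    """Recursive-descent parser for a subset of RFC 4515 filters: &, |, ! and attr=value
    with '*' wildcards. Returns (node, index just past the closing parenthesis)."""
    i += 1  # skip the opening '('
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    # LDAP '*' wildcards become '.*'; every other character is matched literally
    rx = re.compile(".*".join(re.escape(p) for p in value.split("*")) + r"\Z", re.IGNORECASE)
    return ("=", attr.lower(), rx), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names are case-insensitive."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rx = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return any(rx.match(v) for v in values)

def search(entries, filter_text):
    # Return the entries a search with filter_text would hand back to the Controller
    node, _ = parse_filter(filter_text)
    return [e for e in entries if matches(node, e)]

def role_mapping(groups):
    """Split each 'AppDynamics-<App>-<Role>' CN into the (application, role) pair it stands for."""
    return {g: tuple(g.split("-", 2)[1:]) for g in groups}
```

Running `search(SAMPLE_ENTRIES, GROUP_FILTER)` returns only the three prefixed group entries: the `objectClass=group` clause drops the user entry that shares a group's name, and the prefix wildcard drops `Finance-Admins`.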
Use Paged Results for Large Result Sets
LDAP servers may have a configuration to limit the number of entries they can return in a query response. If the results of your user or group query exceed that limit, Cisco AppDynamics reports a max_results_exceeded error.
To avoid this error, refine your query filter to produce a smaller result set. The results must include the users who will need to access the Controller.
If your LDAP server supports it, you can enable paged results in the Controller LDAP configuration. With paged results, the LDAP server divides the result set into separately transmitted blocks.
The paged results feature applies to the behind-the-scenes interaction between the Cisco AppDynamics Controller and the backend LDAP server. It does not affect the view of the data in the Controller.