Configure On-Premises LDAP Authentication
This page provides information and instructions for configuring a Splunk AppDynamics Controller to authenticate using Lightweight Directory Access Protocol (LDAP).
Before You Begin
To perform LDAP configuration, you must have:
- An LDAP server. There is a one-to-one correspondence between a Splunk AppDynamics account and an LDAP server.
- An account on a Splunk AppDynamics on-premises Controller
- Account administrator privileges on the Splunk AppDynamics Controller. See Update the Root User Password.
- Network connectivity between your LDAP server and the Controller.
Configure LDAP Authentication
The high-level procedure to set up LDAP authentication includes:
- Configure the connection to the LDAP server.
- Configure and test the LDAP query that returns users to be provisioned in the Splunk AppDynamics Controller.
- Configure the LDAP query that returns the LDAP groups to be mapped to Splunk AppDynamics roles.
- Map the users or groups to roles in Splunk AppDynamics.
Configure the Connection to the LDAP Server
Use the following paged results configuration if the user or group query you need to use returns more entries than the LDAP server permits:
- Enable Paging: Check this option to have the Controller request paged results from the server when submitting user or group queries.
- Page Size: Enter the number of entries per round-trip from the Splunk AppDynamics Controller to the LDAP server. The default is 500.
The page size should equal the total number of entries to be returned divided by the tolerable number of round trips between the LDAP server and the Controller. For example, if you expect to receive 1200 results in a query and you can tolerate a maximum of two round trips, set the page size to 600 (1200/2). See Using Paged Results for Large Result Sets.
Configure the LDAP connection settings:
- Host: Address of the LDAP server. Required.
- Port: Port on which the LDAP server listens. The default is 636 for an SSL connection and 389 if not using SSL. Required.
- Use SSL: Enabled by default to use a secure connection to the LDAP server. Clear if not using SSL.
- Enable Referrals: Enabled by default to support LDAP referrals. A referral is when an LDAP server forwards an LDAP client request to another LDAP server. Each referral event is referred to as a hop.
- Maximum Referral Hops: The maximum number of referrals that Splunk AppDynamics follows in a sequence of referrals. The default is five.
- Bind DN: Distinguished Name of the user on the LDAP Server on whose behalf the Splunk AppDynamics application searches. Required.
- Password: Password of the user on the LDAP server. Required.
Configure Users
In the LDAP Configuration page, configure information to find LDAP users:
- Base DN: Location in the LDAP tree to begin recursively searching for users. Required.
- Filter: Optional LDAP search string that filters the items matched from the base DN. See RFC2254 for information about LDAP search filters.
- Login Attribute: The LDAP field that corresponds to the username users will enter when logging in to the Splunk AppDynamics Controller. The default is uid. For Active Directory, this would typically be sAMAccountName.
- Display Name Attribute: The LDAP field to use as the user's display name.
- Group Membership Attribute: Optional user group membership field. Recommended for faster retrieval.
- Email Attribute: Optional user email address.
Select Test Query to check the connection. If successful, a screen displays the first few users returned by the query. The test does not return the entire result set if the result set is large.
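To sanity-check a Filter and Login Attribute before entering them, here is an added Python example (not part of the Splunk AppDynamics documentation or product) that composes the per-user lookup filter with the login name escaped per RFC 4515, the successor to the RFC2254 cited above, and builds the equivalent ldapsearch command for checking the query outside the Controller. It assumes the Controller ANDs the configured Filter with an equality match on the Login Attribute; the host, DNs and names are constructed placeholders.

```python
import re

# RFC 4515 (successor to RFC 2254) escapes for characters that are special
# inside an LDAP filter value; escaping them makes the login name match literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for literal use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def filter_is_balanced(ldap_filter: str) -> bool:
    """Cheap syntax check for an admin-entered filter: parentheses must balance."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def user_lookup_filter(base_filter: str, login_attribute: str, username: str) -> str:
    """AND the configured Filter with an equality match on the Login Attribute.

    Assumption (not stated on the page): this is how the Controller narrows the
    user query to the single account that is logging in.
    """
    if base_filter and not filter_is_balanced(base_filter):
        raise ValueError(f"unbalanced parentheses in filter: {base_filter!r}")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", login_attribute):
        raise ValueError(f"invalid attribute name: {login_attribute!r}")
    match = f"({login_attribute}={escape_filter_value(username)})"
    if not base_filter:
        return match
    if not base_filter.startswith("("):
        base_filter = f"({base_filter})"
    return f"(&{base_filter}{match})"


def ldapsearch_command(host, port, use_ssl, bind_dn, base_dn, ldap_filter, attrs):
    """Equivalent OpenLDAP ldapsearch invocation for checking the query by hand.
    The bind password is not embedded: -W makes ldapsearch prompt for it."""
    scheme = "ldaps" if use_ssl else "ldap"
    return ["ldapsearch", "-H", f"{scheme}://{host}:{port}", "-D", bind_dn, "-W",
            "-b", base_dn, "-s", "sub", ldap_filter, *attrs]
```

Run the returned ldapsearch command with the same Bind DN, Base DN and Filter you plan to enter; if it returns the expected users, the Controller's Test Query should as well.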
Configure Groups
Optionally, you can map LDAP groups to user roles in the Splunk AppDynamics Controller. To do this, you must set up the LDAP query that returns the LDAP groups to map:
- Base DN: Location in the LDAP tree to begin recursively searching for groups. Required.
- Enable Nested Groups: Option to include nested LDAP groups to a depth of 10.
- Filter: Optional LDAP search string that filters the items matched from the base DN. See RFC2254 for information about LDAP search filters.
- Name Attribute: The LDAP field containing the name of the group. Default is cn. Required.
- Description Attribute: The LDAP field containing a description of the group. Optional.
- User Membership Attribute: Identifies members of the groups. Optional.
- Referenced User Attribute: Optional child attribute of the User Membership Attribute. Disabled if the parent is empty. Identifies the property of the user that the user membership attribute contains.
Select Test Query to check the connection. If successful, the first few groups the query returns are shown.
You can now assign permissions in the Splunk AppDynamics Controller to users or groups.
Assign Splunk AppDynamics Permissions to an LDAP User
- Navigate to Settings > Administration.
- Click Users. If LDAP is enabled with the correct configuration, the Splunk AppDynamics Controller fetches the user names from the LDAP server.
- Select the name of the user to whom you want to assign permissions.
- Add or delete the Roles that you want to assign to this user. You can assign multiple roles to a user.
- Click Save.
Assign Splunk AppDynamics Permissions to an LDAP Group
LDAP Group configuration is optional.
- Navigate to Settings > Administration
- Click Groups. If LDAP is enabled and correctly configured, Splunk AppDynamics fetches the group names in LDAP.
- Select the name of the group to which you want to assign permissions.
- Add or delete the Roles that you want to assign to this group. You can assign multiple roles to a group.
- Click Save.
Configure the LDAP Cache Synchronization Frequency
The Controller keeps the information about LDAP users and groups in a local cache. It regularly connects to the LDAP server to synchronize its cache with the LDAP server.
The Controller caches information about users and group membership. It does not cache user passwords. The Controller authenticates the user credentials against the LDAP server at the start of every user session.
If you remove a user account from LDAP, the change reflects immediately and the user cannot log in to the Controller. However, an existing session continues until the user logs out or the session expires.
With group membership access, if you remove the user from the group but keep the user's account on the LDAP server, the user can still log in to the Controller until the next LDAP synchronization. With the default synchronization frequency, that user can continue to access the Controller for up to an hour.
Configure the LDAP Synchronization Frequency
To modify the default synchronization frequency of one hour:
- Stop the Controller application server.
From Linux, run:
platform-admin.sh stop-controller-appserver
From Windows, run this command from an elevated command prompt (which you can open by right-clicking the Command Prompt in the Windows Start menu, and selecting Run as administrator):
platform-admin.exe cli stop-controller-appserver
- Open the <Controller-Installation-Directory>/appserver/glassfish/domains/domain1/config/domain.xml file for editing. In the <jvm-options> element, add a system property named appdynamics.ldap.sync.frequency with the desired synchronization frequency in milliseconds.
For example, to have the Controller synchronize to the LDAP server every 15 minutes (900000 milliseconds), add:
<jvm-options>-Dappdynamics.ldap.sync.frequency=900000</jvm-options>
The default is 3600000 milliseconds (1 hour).
- Save the file.
- Restart the Controller app server:
From Linux, run:
platform-admin.sh start-controller-appserver
From Windows, run this command from an elevated command prompt:
platform-admin.exe cli start-controller-appserver
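As an added example (not from the Splunk AppDynamics documentation or product), the following Python applies the domain.xml edit from the procedure above: it converts the interval from minutes to milliseconds and replaces any existing appdynamics.ldap.sync.frequency jvm-option rather than adding a duplicate, and it reads back the effective value, falling back to the documented one-hour default. The sample XML is a constructed, minimal stand-in; a real domain.xml contains far more.

```python
import xml.etree.ElementTree as ET

PROPERTY = "appdynamics.ldap.sync.frequency"
DEFAULT_MS = 3_600_000  # one hour, the Controller default stated on the page

# Constructed stand-in for the relevant part of a GlassFish domain.xml; the
# <java-config>/<jvm-options> shape is the same in the real file.
SAMPLE_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <java-config>
        <jvm-options>-Xmx4g</jvm-options>
        <jvm-options>-Dappdynamics.ldap.sync.frequency=3600000</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>
"""


def minutes_to_ms(minutes: int) -> int:
    """Convert the desired sync interval to the milliseconds the property expects."""
    if minutes <= 0:
        raise ValueError("synchronization interval must be positive")
    return minutes * 60 * 1000


def set_ldap_sync_frequency(domain_xml: str, frequency_ms: int) -> str:
    """Return domain.xml text with exactly one -D<PROPERTY>=<frequency_ms> option.
    An existing setting is replaced, not duplicated, so the edit is idempotent."""
    root = ET.fromstring(domain_xml)
    java_config = root.find(".//java-config")
    if java_config is None:
        raise ValueError("no <java-config> element found")
    option = f"-D{PROPERTY}={frequency_ms}"
    existing = [o for o in java_config.findall("jvm-options")
                if (o.text or "").startswith(f"-D{PROPERTY}=")]
    if existing:
        existing[0].text = option
        for dup in existing[1:]:       # drop stray duplicates from earlier edits
            java_config.remove(dup)
    else:
        ET.SubElement(java_config, "jvm-options").text = option
    return ET.tostring(root, encoding="unicode")


def current_sync_frequency_ms(domain_xml: str) -> int:
    """Read the configured interval, falling back to the documented default."""
    root = ET.fromstring(domain_xml)
    for o in root.iter("jvm-options"):
        text = o.text or ""
        if text.startswith(f"-D{PROPERTY}="):
            return int(text.split("=", 1)[1])
    return DEFAULT_MS
```

ElementTree discards XML comments and the declaration when it serializes, so back up domain.xml and review the diff before replacing the file, or use the functions only to compute and verify the option string you paste in by hand.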