This page provides instructions on how to integrate a Cisco AppDynamics SaaS Controller Tenant with LDAP directory servers. 

Some code examples refer to a Controller Tenant simply as Controller.

LDAP Support

You can delegate Controller Tenant UI authentication and authorization to external directory servers that comply with LDAP (Lightweight Directory Access Protocol) version 3.

While a Controller Tenant should be able to work with any LDAPv3-compliant server, these LDAP products have been verified:

  • Microsoft Active Directory for Windows Server 2008 >= SP2
  • OpenLDAP >= 2.4

To configure LDAP authentication on a Cisco AppDynamics Controller Tenant, you must configure connection settings to the LDAP server and the queries that return user or group data. By mapping LDAP groups to roles, you can provision permissions in the Controller Tenant based on LDAP groups.

Possible Issues and Resolutions

Issue: The LDAP server becomes unavailable

Resolution: If the LDAP server configured for Controller Tenant authentication becomes unavailable for any reason, the Controller Tenant falls back to local user authentication. Given this possibility, you should provision local user accounts in Cisco AppDynamics for the administrative users who will need access if the LDAP server becomes unavailable.

Issue: The user cannot be found in the LDAP directory

Resolution: If a user cannot be found in the LDAP directory, the authentication failure event is logged as a warning. The user, whether a regular Controller Tenant user or a REST client user, may still be authenticated through local authentication.

Prepare the LDAP Directory for Cisco AppDynamics Integration

To use an LDAP authentication provider, your Cisco AppDynamics Controller Tenant must be able to connect to the external LDAP server. We recommend creating a user account in LDAP specifically for the Controller Tenant to use to authenticate itself to the server and run the queries. The Controller Tenant user only needs to have search privileges in LDAP.

You can map existing LDAP group definitions to roles in Cisco AppDynamics; however, your existing groups may not correspond directly to those roles. You can map LDAP groups to Controller Tenant roles by creating a group in LDAP for each role you want to map in Cisco AppDynamics. LDAP groups for each role provide you with a manageable, one-to-one correspondence between your LDAP groups and Cisco AppDynamics roles.

This is a possible LDAP group scheme for mapping in Cisco AppDynamics:

  • AppDynamics-App1-ReadOnly
  • AppDynamics-App1-Admins
  • AppDynamics-App1-DashboardViewers
  • AppDynamics-App2-ReadOnly
  • AppDynamics-App2-Admins
  • AppDynamics-App2-DashboardViewers

The sample group names imply having custom roles in Cisco AppDynamics targeted to specific applications, App1 and App2.

Naming the groups with a common prefix, such as the AppDynamics- prefix in the sample, allows you to use an LDAP group filter. A group filter for the sample groups could be:

(&(objectClass=group)(cn=AppDynamics-*))

Use Paged Results for Large Result Sets

LDAP servers are sometimes configured to limit the number of entries they can return in a query response. If the results of your user or group query exceed that limit, Cisco AppDynamics reports a max_results_exceeded error.

To avoid this error, refine your query filter to produce a smaller result set. The results must include the users who will need to access the Controller Tenant UI. 

If your LDAP server supports it, you can enable paged results in the Controller Tenant LDAP configuration. With paged results, the LDAP server divides the result set into separately transmitted blocks.

The paged results feature applies to the behind-the-scenes interaction between the Cisco AppDynamics Controller Tenant and the backend LDAP server. It does not affect the view of the data in the Controller Tenant UI.
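The following is an added example, not code from the Cisco AppDynamics documentation or product. It evaluates the prefix group filter shown above against a constructed set of directory entries, derives the (application, role) pair from the AppDynamics-<App>-<Role> naming scheme, and simulates what a size-limited server does with and without paged results. The entries, the size limit and the page size are assumptions chosen for illustration.

```python
import re

# Constructed sample LDAP entries (not real directory data): attribute -> list of values.
ENTRIES = [
    {"objectClass": ["group"], "cn": ["AppDynamics-App1-ReadOnly"]},
    {"objectClass": ["group"], "cn": ["AppDynamics-App1-Admins"]},
    {"objectClass": ["group"], "cn": ["AppDynamics-App2-ReadOnly"]},
    {"objectClass": ["group"], "cn": ["AppDynamics-App2-DashboardViewers"]},
    {"objectClass": ["group"], "cn": ["Finance-Users"]},          # no prefix: excluded
    {"objectClass": ["person"], "cn": ["AppDynamics-Bind-Svc"]},  # the search-only bind account, not a group
]

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset used here: (&...), (|...) and attr=value with '*' wildcards."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; equality is case-insensitive, like LDAP caseIgnoreMatch."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, value = node
    regex = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))

def search(entries, ldap_filter, size_limit=None, page_size=None):
    """Return matches as a list of pages; unpaged results over size_limit raise max_results_exceeded."""
    tree, _ = parse_filter(ldap_filter)
    hits = [e for e in entries if matches(tree, e)]
    if page_size is None:
        if size_limit is not None and len(hits) > size_limit:
            raise RuntimeError("max_results_exceeded")
        return [hits]
    return [hits[i:i + page_size] for i in range(0, len(hits), page_size)]

def role_for_group(cn, prefix="AppDynamics-"):
    """Map a group named <prefix><App>-<Role> to (app, role) for the Controller role mapping."""
    m = re.fullmatch(re.escape(prefix) + r"([^-]+)-(.+)", cn)
    return (m.group(1), m.group(2)) if m else None
```

Running `search(ENTRIES, "(&(objectClass=group)(cn=AppDynamics-*))", size_limit=2)` reproduces the max_results_exceeded condition, while adding `page_size=2` returns the same four groups in two blocks.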