This page provides information and instructions for configuring a Cisco AppDynamics SaaS Controller Tenant to authenticate using Lightweight Directory Access Protocol (LDAP).

LDAP Authentication with a Controller Tenant

To use LDAP authentication with the Cisco AppDynamics SaaS Controller Tenant, your firewall must be open to permit the Controller Tenant access to your corporate LDAP server.

You must also permit access through the firewall for the Cisco AppDynamics IP ranges listed in Cisco AppDynamics SaaS Domains and IP Ranges. The firewall rule should allow incoming LDAP requests from the Controller Tenant at the LDAP port you configure.

Before You Begin

To perform LDAP configuration, you must have:

  • An LDAP server. There is a one-to-one correspondence between a Cisco AppDynamics account and an LDAP server.
  • An account on a Cisco AppDynamics SaaS Controller Tenant.
  • Account administrator privileges on the Cisco AppDynamics Controller Tenant. See Manage Controller Tenant Users and Groups.
  • Network connectivity between your LDAP server and the Controller Tenant. The LDAP server may not be accessible to the Controller Tenant without enabling access through your network firewall. See LDAP for SaaS Deployments.

Configure LDAP Authentication

The high-level procedure to set up LDAP authentication includes:

  • Configure the connection to the LDAP server.
  • Configure and test the LDAP query that returns users to be provisioned in the Cisco AppDynamics Controller Tenant.
  • Configure the LDAP query that returns the LDAP groups to be mapped to Cisco AppDynamics roles.
  • Map the users or groups to roles in Cisco AppDynamics.

Configure the Connection to the LDAP Server

You must be a Company Administrator or an Account Owner to perform these actions.
To configure LDAP authentication, navigate to Settings > Administration > Authentication Provider > LDAP.

Use the following paged results configuration if the user or group query you need to use returns more entries than the LDAP server permits:

  • Enable Paging: Check this option to have the Controller Tenant request paged results from the server when submitting user or group queries.
  • Page Size: Enter the number of entries per round-trip from the Controller Tenant to the LDAP server. The default is 500. 

The page size should equal the total number of entries to be returned divided by the tolerable number of round trips between the LDAP server and the Controller Tenant. For example, if you expect to receive 1200 results in a query and you can tolerate a maximum of two round trips, set the page size to 600 (1200/2). See Using Paged Results for Large Result Sets.

Configure the LDAP connection settings: 

  • Host: Address of the LDAP server. Required.
  • Port: Port on which the LDAP server listens. The default is 636 for an SSL connection and 389 if not using SSL. Required.
  • Use SSL: Enabled by default to use a secure connection to the LDAP server. Clear if not using SSL.
  • Enable Referrals: Enabled by default to support LDAP referrals. A referral is when an LDAP server forwards an LDAP client request to another LDAP server. Each referral event is referred to as a hop.
  • Maximum Referral Hops: The maximum number of referrals that Cisco AppDynamics follows in a sequence of referrals. The default is five.
  • Bind DN: Distinguished Name of the user on the LDAP Server on whose behalf the Cisco AppDynamics application searches. Required.
  • Password: Password of the user on the LDAP server. Required.   

Configure Users

In the LDAP Configuration page, configure information to find LDAP users:

  • Base DN: Location in the LDAP tree to begin recursively searching for users. Required.
  • Filter: Optional LDAP search string that filters the items matched from the base DN. See RFC2254 for information about LDAP search filters.
  • Login Attribute: The LDAP field that corresponds to the username users will enter when logging in to the Cisco AppDynamics UI. The default is uid. For Active Directory, this would typically be sAMAccountName.
  • Display Name Attribute: The LDAP field to use as the user's display name.
  • Group Membership Attribute: Optional user group membership field. Recommended for faster retrieval.
  • Email Attribute: Optional user email address. 

Select Test Query to check the connection. If successful, a screen displays the first few users returned by the query. The test does not return the entire result set if the result set is large.

Configure Groups

Optionally, you can map LDAP groups to user roles in the Cisco AppDynamics Controller Tenant. To do this, you must set up the LDAP query that returns the LDAP groups to map:

  • Base DN: Location in the LDAP tree to begin recursively searching for groups. Required.
  • Enable Nested Groups: Option to include nested LDAP groups to a depth of 10.
  • Filter: Optional LDAP search string that filters the items matched from the base DN. See RFC2254 for information about LDAP search filters.
  • Name Attribute: The LDAP field that contains the name of the group. Default is cn. Required.
  • Description Attribute: The LDAP field that contains a description of the group. Optional.
  • User Membership Attribute: Identifies members of the groups. Optional.
  • Referenced User Attribute: Optional child attribute of the User Membership Attribute. Disabled if the parent is empty. Identifies the property of the user that the user membership attribute contains. 

Select Test Query to check the connection. If successful, the first few groups returned by the query are shown.
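The Filter fields in both the Users and the Groups sections take an RFC 2254 search filter (RFC 4515 is the current revision of that syntax), and a filter that is not well-formed only shows up as a failed Test Query. The validator below is an added example, not part of this page or of the AppDynamics product: it parses a filter string into a small tree so you can check it offline before pasting it into the form, and it includes an escaping helper for embedding a literal value (for example an account name that contains `*`) so that the value cannot be read as a wildcard or terminate the filter early. The sample filters in the `__main__` block are constructed for illustration.

```python
"""Validate an LDAP search filter (RFC 4515 syntax) before entering it in a Filter field."""
import re

# Attribute description, optionally followed by matching-rule parts (attr:rule), then an operator.
_ITEM_RE = re.compile(r"^([A-Za-z0-9.;-]+(?::[A-Za-z0-9.-]+)*)(:=|~=|>=|<=|=)(.*)$", re.S)
_HEX_RE = re.compile(r"\\[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    """Raised when a filter string is not well-formed."""


def escape_filter_value(value: str) -> str:
    """Escape a literal value for embedding in a filter (RFC 4515 section 3).
    Special characters become \\XX hex escapes, so 'a*' stays a literal, not a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _check_value(value: str, op: str) -> None:
    """Reject values containing unescaped special characters (or '*' outside equality)."""
    j = 0
    while j < len(value):
        ch = value[j]
        if ch == "\\":
            if not _HEX_RE.match(value, j):
                raise FilterError(f"bad escape in value {value!r}; use the \\XX hex form")
            j += 3
            continue
        if ch in "()\x00" or (ch == "*" and op != "="):
            raise FilterError(f"unescaped {ch!r} in value {value!r}")
        j += 1


def _expect_close(text: str, i: int) -> int:
    if i >= len(text) or text[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def _parse(text: str, i: int):
    """Recursive-descent parser; returns (node, index just past the closing ')')."""
    if i >= len(text) or text[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(text):
        raise FilterError("unterminated filter")
    op = text[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        return (op, children), _expect_close(text, i)
    if op == "!":
        child, i = _parse(text, i + 1)
        return ("!", [child]), _expect_close(text, i)
    # Simple item: a ')' inside a value must be escaped as \29, so the next ')' ends the item.
    close = text.find(")", i)
    if close == -1:
        raise FilterError(f"missing ')' for item starting at offset {i}")
    m = _ITEM_RE.match(text[i:close])
    if not m:
        raise FilterError(f"malformed item {text[i:close]!r}")
    attr, op, value = m.groups()
    if op == "=" and value == "*":
        return ("present", attr), close + 1
    _check_value(value, op)
    return ("item", attr, op, value), close + 1


def parse_filter(text: str):
    """Parse a complete filter string into a tuple tree, or raise FilterError."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise FilterError(f"trailing characters at offset {end}: {text[end:]!r}")
    return node


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


if __name__ == "__main__":
    # Constructed filters of the kind entered in the Users and Groups forms (not from the page).
    samples = [
        "(&(objectClass=person)(memberOf=CN=AppD Users,OU=Groups,DC=example,DC=com))",
        "(&(objectCategory=group)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
        "(uid=jsmith",  # missing ')'
        "(sAMAccountName=" + escape_filter_value("j*smith") + ")",
    ]
    for f in samples:
        print(f, "->", "ok" if is_valid_filter(f) else "INVALID")
```

Run the script directly to check the constructed samples, or import `is_valid_filter` and call it on your own filter; `parse_filter` raises `FilterError` with the offset of the first problem, which is easier to act on than a generic failed test query.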

You can now assign permissions in the Cisco AppDynamics Controller Tenant to users or groups.

Assign Cisco AppDynamics Permissions to an LDAP User

  1. Navigate to Settings > Administration.
  2. Click Users. If LDAP is enabled and correctly configured, the Cisco AppDynamics Controller Tenant fetches the user names from the LDAP server.
  3. Select the name of the user to whom you want to assign permissions.
  4. Add or delete the Roles that you want to assign to this user. You can assign multiple roles to a user. 
  5. Click Save.

Assign Cisco AppDynamics Permissions to an LDAP Group

LDAP Group configuration is optional.

  1. Navigate to Settings > Administration.
  2. Click Groups. If LDAP is enabled and correctly configured, Cisco AppDynamics fetches the group names in LDAP.
  3. Select the name of the group to which you want to assign permissions.
  4. Add or delete the Roles that you want to assign to this group. You can assign multiple roles to a group.
  5. Click Save.

Configure the LDAP Cache Synchronization Frequency

The Controller Tenant keeps the information about LDAP users and groups in a local cache. It regularly connects to the LDAP server to synchronize its cache with the LDAP server.

The Controller Tenant caches information about users and group membership. It does not cache user passwords. The Controller Tenant authenticates the user credentials against the LDAP server at the start of every user session.

If you remove a user account from LDAP, the change reflects immediately and the user cannot log in to the Controller Tenant UI. However, an existing session continues until the user logs out or the session expires. 

With group membership access, if you remove the user from the group but keep the user's account on the LDAP server, the user can still log in to the Controller Tenant until the next LDAP server synchronization. With the default synchronization frequency, such a user can keep accessing the Controller Tenant UI for up to an hour.

Configure the LDAP Synchronization Frequency

To modify the default synchronization frequency of one hour:

  1. Stop the Controller Tenant application server.
    • From Linux, run:

      platform-admin.sh stop-controller-appserver
    • From Windows, run this command from an elevated command prompt (which you can open by right-clicking the Command Prompt in the Windows Start menu, and selecting Run as administrator):

      platform-admin.exe cli stop-controller-appserver
  2. Open the <Controller-Installation-Directory>/appserver/glassfish/domains/domain1/config/domain.xml file for editing.
  3. In the <jvm-options> element, add a system property named appdynamics.ldap.sync.frequency with the desired synchronization frequency in milliseconds.
    For example, to have the Controller Tenant synchronize to the LDAP server every 15 minutes (900000 milliseconds), add: 

    <jvm-options>-Dappdynamics.ldap.sync.frequency=900000</jvm-options>

    The default is 3600000 milliseconds (1 hour).

  4. Save the file.
  5. Restart the Controller Tenant app server:
    • From Linux, run: 

      platform-admin.sh start-controller-appserver
    • From Windows, run this command from an elevated command prompt:

      platform-admin.exe cli start-controller-appserver
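Because the synchronization frequency bounds how long a user removed from an LDAP group can keep logging in, you may want to set it consistently and confirm the value that is actually in effect. The script below is an added example, not part of this page or of the AppDynamics product: it reads or rewrites the `appdynamics.ldap.sync.frequency` system property in a domain.xml, converting a value in minutes to the milliseconds the property expects, and removes any earlier copy of the property so the file never ends up with two conflicting settings. It assumes the GlassFish layout in which `<jvm-options>` elements are children of `<java-config>`; the sample domain.xml is a constructed, minimal stand-in for the real file.

```python
"""Read or set appdynamics.ldap.sync.frequency in a GlassFish domain.xml."""
import xml.etree.ElementTree as ET

PROPERTY = "appdynamics.ldap.sync.frequency"
PREFIX = f"-D{PROPERTY}="
DEFAULT_MS = 3_600_000  # one hour, the default when the property is absent

# Constructed, minimal domain.xml (the real file is far larger). Assumes the
# GlassFish layout: <jvm-options> elements sit under <java-config>.
SAMPLE_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <java-config>
        <jvm-options>-Xmx2g</jvm-options>
        <jvm-options>-Dexample.placeholder.property=1</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>
"""


def minutes_to_ms(minutes: float) -> int:
    """Convert a frequency in minutes to the milliseconds the property expects."""
    if minutes <= 0:
        raise ValueError("synchronization frequency must be positive")
    return int(minutes * 60 * 1000)


def get_sync_frequency_ms(xml_text: str) -> int:
    """Return the configured frequency in ms, or DEFAULT_MS if the property is not set."""
    root = ET.fromstring(xml_text)
    for opt in root.iter("jvm-options"):
        text = (opt.text or "").strip()
        if text.startswith(PREFIX):
            return int(text[len(PREFIX):])
    return DEFAULT_MS


def set_sync_frequency(xml_text: str, minutes: float) -> str:
    """Return domain.xml text with the property set to `minutes`, replacing any old value."""
    ms = minutes_to_ms(minutes)
    root = ET.fromstring(xml_text)
    java_configs = root.findall(".//java-config")
    if not java_configs:
        raise ValueError("no <java-config> element found; is this a GlassFish domain.xml?")
    for jc in java_configs:
        # Drop every existing copy so the file carries exactly one setting.
        for opt in list(jc.findall("jvm-options")):
            if (opt.text or "").strip().startswith(PREFIX):
                jc.remove(opt)
        new_opt = ET.SubElement(jc, "jvm-options")
        new_opt.text = f"{PREFIX}{ms}"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("current:", get_sync_frequency_ms(SAMPLE_DOMAIN_XML), "ms")
    updated = set_sync_frequency(SAMPLE_DOMAIN_XML, 15)  # every 15 minutes
    print("updated:", get_sync_frequency_ms(updated), "ms")
    print(updated)
```

To apply it to a real installation, read `<Controller-Installation-Directory>/appserver/glassfish/domains/domain1/config/domain.xml` into `set_sync_frequency`, write the result back while the app server is stopped (as in the procedure above), and run `get_sync_frequency_ms` on the saved file to confirm the value before restarting.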