This page provides instructions on how to integrate the AppDynamics Controller with LDAP directory servers.
You can delegate Controller UI authentication and authorization to external directory servers that comply with LDAP (Lightweight Directory Access Protocol) version 3.
While the Controller should be able to work with any LDAPv3-compliant server, the Controller has been verified to work with these LDAP products:
To configure LDAP authentication in the Controller, you need to configure connection settings to the LDAP server and the queries that return user or group data. By mapping LDAP groups to roles, you can provision permissions in the AppDynamics Controller based on LDAP groups.
If the LDAP server configured for Controller authentication becomes unavailable for any reason, the Controller falls back to local user authentication. Given this possibility, you should provision local user accounts in AppDynamics for the administrative users who will need access if the LDAP server becomes unavailable.
If a user cannot be found in the LDAP directory, the authentication failure event is logged as a warning. The user, whether it is a regular controller user or a REST client user, may still be authenticated through local authentication.
To use an LDAP authentication provider, your AppDynamics Controller needs to be able to connect to the external LDAP server. A good practice is to create a user account in LDAP specifically for the Controller to use to authenticate itself to the server and run the queries. The Controller user only needs to have search privileges in LDAP.
While you can map existing LDAP group definitions to roles in AppDynamics, your existing groups may not correspond directly to roles in AppDynamics. The easiest way to map LDAP groups to Controller roles is to create a group in LDAP for each role you want to be mapped in AppDynamics. LDAP groups for each role provide you with a manageable, 1-to-1 correspondence between your LDAP groups and AppDynamics roles.
For example, a possible LDAP group scheme for mapping in AppDynamics would be:
The sample group names imply having custom roles in AppDynamics targeted to specific applications, AppA and AppB.
Naming the groups with a common prefix, as the
AppDynamics- prefix in our sample, allows you to use a relatively simple LDAP group filter. A group filter for the sample groups could be:
LDAP servers are sometimes configured to limit the number of entries it can return in a query response. If the results of your user or group query exceed that limit, AppDynamics reports a
To avoid this error, try to refine your query filter to produce a smaller result set. The results must include the users who will need to access the AppDynamics UI.
If your LDAP server supports it, you can also enable paged results in the Controller LDAP configuration. With paged results, the LDAP server divides the result set into separately transmitted blocks.
The paged results feature applies to the behind-the-scenes interaction between the AppDynamics Controller and the backend LDAP server. It does not affect the UI view of the data.
Depending on your organization's security policies, it may not be possible to use LDAP authentication with the SaaS AppDynamics Controller, since doing so requires opening your firewall to permit Controller access to your corporate LDAP server.
However, if you do want to enable LDAP authentication with SaaS AppDynamics Controller, you will need to permit access through the firewall for the IP range of 188.8.131.52/24, the IP address range assigned to AppDynamics SaaS Controllers. The firewall rule should allow incoming LDAP requests from the Controller at the LDAP port you configure.
To perform LDAP configuration, you must have:
At a high level, the steps for setting up LDAP authentication include:
As an Administrator or Account Owner in the Controller UI, you can configure LDAP authentication by navigating to Settings > Administration and selecting LDAP in the Authentication Provider tab.
If the user or group query that you need to use will return more entries than permitted by the LDAP server and the server support paged results, configure paged results as follows:
The page size should be the total number of entries to be returned divided by the number of round trips between the LDAP server and the Controller that are tolerable. For example, if you expect to receive 1200 results in a query and you can tolerate a maximum of two round trips, set the page size to 600 (1200 /2). See Using paged results for large result sets.
Configure the LDAP connection settings:
In the LDAP Configuration page, configure information to find LDAP users:
uid. For Active Directory, this would typically be
The Test Query button checks the connection. If successful, a screen displays the first few users returned by the query. The test does not return the entire result set if the result set is large.
Optionally, you can map LDAP groups to user roles in the AppDynamics Controller. To do this, you need to set up the LDAP query that returns the LDAP groups to map, as follows.
The Test Query button checks the connection. If successful, the first few groups returned by the query are shown.
You can now assign permissions in the AppDynamics Controller to users or groups.
LDAP Group configuration is optional.
The Controller keeps information about LDAP users and groups in a local cache. It regularly connects to the LDAP server to synchronize its cache with the LDAP server.
The Controller caches information about users and group membership. It does not cache user passwords. Accordingly, the Controller authenticates the user credentials against the LDAP server at the start of every user session.
If a user account is removed from LDAP, the change is reflected immediately; that is, the user will not be able to log in to the Controller UI from that point. However, if the user has an existing session in the Controller UI, that session continues until the user logs out or the session expires.
If the user's access to the Controller is based on group membership and the user is removed from the group but maintains an account in the LDAP server, the user will be able to log in to the Controller until the next time synchronization with the LDAP server occurs. By the default synchronization frequency setting, this ability to access the Controller UI could continue for up to an hour.
You can modify the default synchronization frequency of one hour as described in the following procedures.
On Linux, run:
On Windows, run this command from an elevated command prompt, which you can open by right-clicking the Command Prompt icon in the Windows Start menu and choosing Run as administrator:
platform-admin.exe cli stop-controller-appserver
<Controller-Installation-Directory>/appserver/glassfish/domains/domain1/config/domain.xmlfile for editing.
<jvm-options> element, add a system property named
appdynamics.ldap.sync.frequency with the desired synchronization frequency in milliseconds.
For example, to have the Controller synchronize to the LDAP server every 15 minutes (900000 milliseconds), add:
The default is 3600000 milliseconds (1 hour).
On Linux, run:
On Windows, run the following in an elevated command prompt:
platform-admin.exe cli start-controller-appserver