Can I manage users and groups with LDAP?

This topic applies to Dynatrace Managed installations only.

Does your organization use SAML for login?

You can connect your Dynatrace Server to an external authentication server to import user groups or accounts that need access to your Dynatrace Managed environment. With LDAP integration, all users are accessed from your external LDAP resource. You then assign user-group privileges and roles by accessing the Groups page, as detailed below.

Connection setup

From the menu bar, click Settings > User repository.

Change the default setting from Internal Dynatrace user database to External LDAP server.

Once you switch to LDAP authentication, local accounts stop working and are no longer available from the Dynatrace Server user interface.
The administrator account you created during installation will, however, continue to work regardless of the selected authentication provider.

LDAP configuration screen.

Enter your LDAP Host address and Password. You may need to adjust the port number if your LDAP server doesn’t use the default port 389.

Set Bind DN (Distinguished Name) attributes to synchronize directories.

(Optional) Define extra connection parameters:

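  • Enable encrypted communication with the LDAP server by enabling the Use SSL switch. Without it, the bind password and the directory data returned by queries travel to and from the LDAP server unencrypted.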
  • If you’ve configured referrals on your LDAP server, set the number of referral hops.

Click Test connection to see if Dynatrace Managed is able to reach your LDAP server. During the connection test we attempt to recognize the type of LDAP server that you’re using. Based on this information, we then provide you with the default settings for group and user queries. Once the connection is successful, you’re ready to query and import groups and users.

Groups query

Following a successful connection test, the Groups query step becomes active.

Type query strings into the appropriate fields to return the groups you want to integrate with Dynatrace.

Example of query for groups in Active Directory.

  • Type Base DN attributes to define how group Distinguished Names are queried.
  • Fine-tune the attributes for Group ID, Group name, and Group members if the provided attributes don’t work for you.
  • You can type an LDAP filter string to narrow down the number of returned groups—use the Filter field for this.

Click Test query to test your settings and verify that the query works.

Users query

After a successful connection test, the Users query step becomes active.

Type query strings into the appropriate fields to return the users you want to integrate with Dynatrace.

Example of query for users in Active Directory.

  • Type Base DN attributes to define how user Distinguished Names are queried.
  • Fine-tune the attributes for Login, First name, Last name, Email, and Group membership if the provided attributes don’t work for you.
  • You can type an LDAP filter string to narrow down the number of returned users—use the Filter field for this.

Click Test query to test your settings and verify that the query works.
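
The Filter fields in the Groups query and Users query steps take LDAP filter strings. As an added example (not Dynatrace code), the Python helper below builds filters that restrict the import to named groups and their direct members, escaping values per RFC 4515. The object classes `group` and `user`, the `memberOf` attribute, and all sample names are assumptions for an Active Directory-style schema.

```python
# Added example: build LDAP filter strings (RFC 4515) for the Filter fields.
# Attribute names and sample values are assumptions, not taken from the product.

# Characters with special meaning inside a filter value, and their escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _any_of(attr, values):
    """Return (attr=v) for one value, or an OR group for several."""
    if not values:
        raise ValueError("an empty allow-list would leave the import unscoped")
    terms = "".join(f"({attr}={escape_filter_value(v)})" for v in values)
    return terms if len(values) == 1 else f"(|{terms})"


def group_filter(group_names, object_class="group"):
    """Match only the listed groups by cn, not every group under the Base DN."""
    return f"(&(objectClass={object_class}){_any_of('cn', group_names)})"


def user_filter(group_dns, object_class="user", member_attr="memberOf"):
    """Match only users that are direct members of one of the listed group DNs."""
    return f"(&(objectClass={object_class}){_any_of(member_attr, group_dns)})"


if __name__ == "__main__":
    # Constructed sample values for illustration.
    groups = ["dynatrace-admins", "dynatrace-viewers"]
    dns = [f"CN={g},OU=Groups,DC=example,DC=com" for g in groups]
    print("Groups filter:", group_filter(groups))
    print("Users filter: ", user_filter(dns))
```

Paste the resulting strings into the respective Filter fields and confirm with Test query that only the intended groups and users are returned before assigning roles.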

LDAP configuration complete!

Map Dynatrace Managed and LDAP groups

For information regarding the user group permissions that are available in Dynatrace Managed, see What roles and user groups are available?

After you’ve successfully configured groups and users from LDAP, you need to assign monitoring environment roles to the groups from your user directory. By default, no monitoring environment permissions are granted to imported groups.

Users won’t be able to access a monitoring environment until you perform this step.

  1. From the menu bar, select Settings > User groups.
  2. From the list of groups imported from LDAP, select the group names you want to configure.
  3. You can assign Cluster admin rights to any specific group by enabling the Cluster admin permission toggle. All user accounts within this group will have administrator rights.
  4. In the Environments access rights section, manually assign access rights for each environment.
  5. In the Log analytics permissions section, select which environments should have log analytics enabled and viewable to the members of this group.

The list of users displayed by Dynatrace Managed shows only those accounts that are members of groups with assigned Dynatrace Managed roles.