Configure LDAP SaaS Authentication
This page provides information and procedures for configuring a Splunk AppDynamics SaaS Controller Tenant to authenticate users with the Lightweight Directory Access Protocol (LDAP).
LDAP Authentication with a Controller Tenant
To use LDAP authentication with the Splunk AppDynamics SaaS Controller Tenant, your firewall must permit the Controller Tenant to reach your corporate LDAP server.
Allow inbound connections from the Splunk AppDynamics IP ranges listed in Splunk AppDynamics SaaS Domains and IP Ranges to the LDAP port you configure. The Controller Tenant initiates these connections, so the rule should accept incoming LDAP requests from those source ranges on that port; scope it to those ranges and that single port rather than exposing the LDAP port more widely.
Before You Begin
To perform LDAP configuration, you must have:
- An LDAP server. There is a one-to-one correspondence between a Splunk AppDynamics account and an LDAP server.
- An account on a Splunk AppDynamics SaaS Controller Tenant.
- Account administrator privileges on the Splunk AppDynamics Controller Tenant. See Manage Controller Tenant Users and Groups.
- Network connectivity between your LDAP server and the Controller Tenant. The LDAP server may not be accessible to the Controller Tenant without enabling access through your network firewall. See LDAP for SaaS Deployments.
Configure LDAP Authentication
The high-level procedure to set up LDAP authentication includes:
- Configure the connection to the LDAP server.
- Configure and test the LDAP query that returns users to be provisioned in the Splunk AppDynamics Controller Tenant.
- Configure the LDAP query that returns the LDAP groups to be mapped to Splunk AppDynamics roles.
- Map the users or groups to roles in Splunk AppDynamics.
Configure the Connection to the LDAP Server
Use the following paged results configuration if the user or group query you need to use returns more entries than the LDAP server permits:
- Enable Paging: Check this option to have the Controller Tenant request paged results from the server when submitting user or group queries.
- Page Size: Enter the number of entries per round-trip from the Controller Tenant to the LDAP server. The default is 500.
The page size should equal the total number of entries to be returned divided by the tolerable number of round trips between the LDAP server and the Controller Tenant. For example, if you expect to receive 1200 results in a query and you can tolerate a maximum of two round trips, set the page size to 600 (1200/2). See Using Paged Results for Large Result Sets.
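The following Python block is an added example, not Splunk AppDynamics code, showing what "Enable Paging" and "Page Size" actually ask of the LDAP server and why the round-trip arithmetic above holds. The BER encoding of the paged-results control is the one RFC 2696 specifies; the in-memory server, its cookie format and the 1000-entry limit are constructed here for illustration and are not the Controller Tenant's implementation.

```python
"""Added example, not Splunk AppDynamics code: what 'Enable Paging' and 'Page Size' ask of the server.

With paging on, each search carries the RFC 2696 paged-results control (OID 1.2.840.113556.1.4.319),
whose value is the BER encoding of SEQUENCE { size INTEGER, cookie OCTET STRING }. The server answers
with at most 'size' entries and a cookie; the client repeats the search with that cookie until the
cookie comes back empty. The in-memory server below is constructed for the example; it refuses an
unpaged search that would exceed 1000 entries (Active Directory's default MaxPageSize).
"""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


def _ber_length(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps the sign bit clear when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _ber_length(len(body)) + body


def encode_paged_control(page_size: int, cookie: bytes = b"") -> bytes:
    """Control value for one search request: SEQUENCE { INTEGER size, OCTET STRING cookie }."""
    inner = _ber_integer(page_size) + b"\x04" + _ber_length(len(cookie)) + cookie
    return b"\x30" + _ber_length(len(inner)) + inner


class FakeLdapServer:
    """Constructed stand-in for a directory holding a flat list of entry DNs."""

    SIZE_LIMIT = 1000  # most entries a single unpaged search may return

    def __init__(self, entries):
        self._entries = list(entries)

    def search(self, page_size=None, cookie=b""):
        """Return (entries, next_cookie). Without paging the server size limit applies."""
        if page_size is None:
            if len(self._entries) > self.SIZE_LIMIT:
                raise RuntimeError("sizeLimitExceeded (LDAP result code 4)")
            return list(self._entries), b""
        start = int.from_bytes(cookie, "big") if cookie else 0   # this toy cookie is just an offset
        end = min(start + page_size, len(self._entries))
        next_cookie = b"" if end >= len(self._entries) else end.to_bytes(4, "big")
        return self._entries[start:end], next_cookie


def paged_search(server, page_size):
    """Client side of the paging loop: (all entries, round trips used, control values sent)."""
    results, wire, cookie = [], [], b""
    while True:
        wire.append(encode_paged_control(page_size, cookie))   # what goes on the wire each trip
        page, cookie = server.search(page_size, cookie)
        results.extend(page)
        if not cookie:                                          # empty cookie: no more pages
            return results, len(wire), wire


def round_trips_for(total_entries: int, page_size: int) -> int:
    """Round trips a result set of this size costs; the page-size rule in the text, inverted."""
    return -(-total_entries // page_size)


if __name__ == "__main__":
    users = [f"uid=user{i},ou=people,dc=example,dc=com" for i in range(1200)]   # constructed
    server = FakeLdapServer(users)
    try:
        server.search()
    except RuntimeError as exc:
        print("unpaged search:", exc)
    entries, trips, wire = paged_search(server, page_size=600)
    print(f"page size 600: {len(entries)} entries in {trips} round trips")
    print("first control value:", wire[0].hex())
```

With 1200 constructed entries the unpaged search fails at the server's limit, while a page size of 600 fetches everything in two round trips, matching the example in the text; the cookie is opaque to a real client, which is why the loop only ever tests it for emptiness and sends it back unchanged.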
Configure the LDAP connection settings:
- Host: Address of the LDAP server. Required.
- Port: Port on which the LDAP server listens. The default is 636 for an SSL connection and 389 if not using SSL. Required.
- Use SSL: Enabled by default to use a secure connection to the LDAP server. Clear it only if you are not using SSL; without it, the Bind DN password and every user's login credentials cross the network in cleartext between the Controller Tenant and your LDAP server.
- Enable Referrals: Enabled by default to support LDAP referrals. A referral is when an LDAP server forwards an LDAP client request to another LDAP server. Each referral event is referred to as a hop.
- Maximum Referral Hops: The maximum number of referrals that Splunk AppDynamics follows in a sequence of referrals. The default is five.
- Bind DN: Distinguished Name of the user on the LDAP server on whose behalf the Splunk AppDynamics application searches. Required. Use a dedicated account with read-only access to the user and group subtrees; it needs no other privileges.
- Password: Password of that user on the LDAP server. Required.
Configure Users
In the LDAP Configuration page, configure information to find LDAP users:
- Base DN: Location in the LDAP tree to begin recursively searching for users. Required.
- Filter: Optional LDAP search string that narrows the entries matched under the base DN, for example (objectClass=person). See RFC 2254 (since superseded by RFC 4515, which keeps the same string syntax) for information about LDAP search filters.
- Login Attribute: The LDAP field that corresponds to the username users enter when logging in to the Splunk AppDynamics UI. The default is uid. For Active Directory, this would typically be sAMAccountName.
- Display Name Attribute: The LDAP field to use as the user's display name.
- Group Membership Attribute: Optional user attribute that lists the groups the user belongs to (for example memberOf in Active Directory). Recommended for faster retrieval.
- Email Attribute: Optional user attribute holding the email address.
Select Test Query to check the connection. If successful, a screen displays the first few users returned by the query. The test does not return the entire result set if the result set is large.
Configure Groups
Optionally, you can map LDAP groups to user roles in the Splunk AppDynamics Controller Tenant. To do this, you must set up the LDAP query that returns the LDAP groups to map:
- Base DN: Location in the LDAP tree to begin recursively searching for groups. Required.
- Enable Nested Groups: Option to include nested LDAP groups to a depth of 10.
- Filter: Optional LDAP search string that narrows the entries matched under the base DN, for example (objectClass=groupOfNames). See RFC 2254 (superseded by RFC 4515) for information about LDAP search filters.
- Name Attribute: The LDAP field that contains the name of the group. Default is cn. Required.
- Description Attribute: The LDAP field that contains a description of the group. Optional.
- User Membership Attribute: The group attribute whose values identify the members of the group (for example member or uniqueMember). Optional.
- Referenced User Attribute: Optional child setting of the User Membership Attribute; disabled if the parent is empty. Identifies which user attribute the membership values contain, for example the user's DN or uid, so that the Controller Tenant can match them back to user entries.
Select Test Query to check the connection. If successful, the first few groups returned by the query are shown.
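The Filter fields in both the user and the group query take a raw LDAP search string, and Test Query only tells you whether the server returned something. The Python block below is an added example, not Splunk AppDynamics code: a parser for the RFC 4515 filter syntax that rejects an unbalanced, empty or mis-escaped filter before you save it, plus the value escaping needed whenever a login name or other untrusted string is interpolated into a filter. Attribute names, filters and the hostile input in the demonstration are constructed for the example.

```python
"""Added example, not Splunk AppDynamics code: check a User or Group Filter before saving it, and
escape any value you interpolate into a filter.

Implements the RFC 4515 string syntax (the successor of RFC 2254): and/or/not, equality, presence,
substring, approximate, ordering and extensible-match items, with \\XX hex escapes inside values.
"""

import re

# attribute description, optionally followed by the :dn / :matchingRule parts of an extensible match
_ATTR = re.compile(r"[A-Za-z0-9.;\-]+(?::[A-Za-z0-9.\-]+)*")
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    """Raised for a filter the LDAP server would reject (or silently read differently)."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 value escaping: '*', '(', ')', '\\' and NUL become \\XX so they stay literal."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def parse_filter(text: str):
    """Parse a complete filter into a nested tuple AST; raise FilterError on a syntax error."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    op = s[i]
    if op in "&|":                       # (&(...)(...)) / (|(...)(...)); RFC 4515 allows zero operands
        i, children = i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = ("and" if op == "&" else "or", children)
    elif op == "!":                      # (!(...)) takes exactly one operand
        child, i = _parse(s, i + 1)
        node = ("not", child)
    else:
        node, i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def _parse_item(s, i):
    m = _ATTR.match(s, i)
    if not m:
        raise FilterError(f"expected attribute name at offset {i}")
    attr, i = m.group(0), m.end()
    for tok, kind in ((":=", "extensible"), ("~=", "approx"), (">=", "ge"), ("<=", "le"), ("=", "eq")):
        if s.startswith(tok, i):
            i += len(tok)
            break
    else:
        raise FilterError(f"expected a comparison operator after {attr!r} at offset {i}")
    j = i
    while j < len(s) and s[j] != ")":    # scan the value; only \XX may carry syntax characters
        if s[j] == "(":
            raise FilterError(f"unescaped '(' inside a value at offset {j}")
        if s[j] == "\\":
            if not _HEX2.match(s, j + 1):
                raise FilterError(f"'\\' must be followed by two hex digits at offset {j}")
            j += 3
        else:
            j += 1
    value = s[i:j]
    if kind == "eq" and value == "*":
        return ("present", attr), j
    if kind == "eq" and "*" in value:
        return ("substring", attr, value.split("*")), j
    if value == "":
        raise FilterError(f"empty value for {attr!r} at offset {i}")
    if "*" in value:
        raise FilterError(f"unescaped '*' is only valid in an equality filter (offset {i})")
    return (kind, attr, value), j


def build_user_filter(login_attr: str, username: str, base_filter: str = "") -> str:
    """Combine the configured user Filter with a lookup of one login name, escaping the name."""
    lookup = f"({login_attr}={escape_filter_value(username)})"
    return f"(&{base_filter}{lookup})" if base_filter else lookup


if __name__ == "__main__":
    for f in ["(&(objectClass=person)(mail=*))", "(cn=dev*ops)",
              "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
              "(sAMAccountName=jdoe", "(uid=)"]:
        try:
            print(f, "->", parse_filter(f))
        except FilterError as exc:
            print(f, "-> rejected:", exc)
    hostile = "*)(uid=*"                 # constructed input that would widen an unescaped filter
    print(parse_filter(build_user_filter("uid", hostile, "(objectClass=person)")))
```

The third sample filter is the usual Active Directory "enabled accounts only" filter, which uses an extensible match; the last two are rejected for an unbalanced parenthesis and an empty value. The hostile string shows why escaping matters: interpolated raw, "(&(objectClass=person)(uid=*)(uid=*))" is a well-formed filter that matches every person, whereas the escaped form looks for a user literally named "*)(uid=*".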
You can now assign permissions in the Splunk AppDynamics Controller Tenant to users or groups.
Assign Splunk AppDynamics Permissions to an LDAP User
- Navigate to Settings > Administration.
- Click Users. If LDAP is enabled and correctly configured, the Splunk AppDynamics Controller Tenant fetches the user names from the LDAP server.
- Select the name of the user to whom you want to assign permissions.
- Add or delete the Roles that you want to assign to this user. You can assign multiple roles to a user.
- Click Save.
Assign Splunk AppDynamics Permissions to an LDAP Group
LDAP Group configuration is optional.
- Navigate to Settings > Administration.
- Click Groups. If LDAP is enabled and correctly configured, Splunk AppDynamics fetches the group names in LDAP.
- Select the name of the group to which you want to assign permissions.
- Add or delete the Roles that you want to assign to this group. You can assign multiple roles to a group.
- Click Save.
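To see how group-to-role assignment, the User Membership Attribute and Enable Nested Groups combine for one user, the Python block below is an added example, not Splunk AppDynamics code. The directory snapshot, the attribute names (member, cn, objectClass), the role names and the role assignments are all constructed here; the Controller Tenant's own query, cache and role engine are not shown, and the depth limit of 10 is the only value taken from the text.

```python
"""Added example, not Splunk AppDynamics code: how 'Enable Nested Groups', the User Membership
Attribute and the group-to-role mapping combine to give one LDAP user a set of roles.

The directory snapshot, attribute names and role names are constructed for the example. Group
entries list members in 'member' (the User Membership Attribute); each value is a member's DN (the
Referenced User Attribute), which can name a user or another group. With nesting enabled a user also
belongs to every group that, directly or through up to 10 hops, contains one of their groups.
"""

from collections import deque

MAX_NESTING_DEPTH = 10   # the depth the text gives for 'Enable Nested Groups'

PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"

# Constructed directory snapshot: DN -> attributes. all-staff and apm-admins form a cycle on purpose.
DIRECTORY = {
    f"uid=jdoe,{PEOPLE}": {"uid": ["jdoe"], "objectClass": ["person"]},
    f"uid=asmith,{PEOPLE}": {"uid": ["asmith"], "objectClass": ["person"]},
    f"cn=backend-devs,{GROUPS}": {"cn": ["backend-devs"], "objectClass": ["groupOfNames"],
                                  "member": [f"uid=jdoe,{PEOPLE}"]},
    f"cn=engineering,{GROUPS}": {"cn": ["engineering"], "objectClass": ["groupOfNames"],
                                 "member": [f"cn=backend-devs,{GROUPS}", f"uid=asmith,{PEOPLE}"]},
    f"cn=apm-admins,{GROUPS}": {"cn": ["apm-admins"], "objectClass": ["groupOfNames"],
                                "member": [f"cn=engineering,{GROUPS}", f"cn=all-staff,{GROUPS}"]},
    f"cn=all-staff,{GROUPS}": {"cn": ["all-staff"], "objectClass": ["groupOfNames"],
                               "member": [f"cn=apm-admins,{GROUPS}"]},
}

# Constructed role assignments, as an administrator would make under Settings > Administration > Groups.
GROUP_ROLES = {
    "backend-devs": {"Application Viewer"},
    "engineering": {"Dashboard Viewer"},
    "apm-admins": {"Account Owner"},
}


def groups_of(user_dn, directory=DIRECTORY, membership_attr="member",
              nested=False, max_depth=MAX_NESTING_DEPTH):
    """Map group name -> hops from the user (1 = listed directly), following nesting up to max_depth."""
    group_dns = [dn for dn, attrs in directory.items() if "groupOfNames" in attrs.get("objectClass", [])]
    found = {}                                 # group DN -> hop count at first discovery
    queue = deque([(user_dn, 1)])              # (DN to look for in member values, hops if found there)
    while queue:
        needle, hops = queue.popleft()
        for gdn in group_dns:
            if needle in directory[gdn].get(membership_attr, []) and gdn not in found:
                found[gdn] = hops              # breadth-first, so the first hit is the shortest path
                if nested and hops < max_depth:
                    queue.append((gdn, hops + 1))   # 'found' also stops the cycle from looping
    return {directory[gdn]["cn"][0]: hops for gdn, hops in found.items()}


def effective_roles(user_dn, nested=False, group_roles=GROUP_ROLES, **kwargs):
    """Union of the roles assigned to every group the user resolves to."""
    roles = set()
    for group in groups_of(user_dn, nested=nested, **kwargs):
        roles |= group_roles.get(group, set())
    return roles


if __name__ == "__main__":
    jdoe = f"uid=jdoe,{PEOPLE}"
    print("direct only:       ", groups_of(jdoe), effective_roles(jdoe))
    print("nested:            ", groups_of(jdoe, nested=True), effective_roles(jdoe, nested=True))
    print("nested, 2 hops max:", groups_of(jdoe, nested=True, max_depth=2))
```

The point to take from the run is that enabling nested groups changes what a role assignment means: jdoe is listed only in backend-devs, but with nesting on the Account Owner role assigned to apm-admins reaches jdoe three hops away, through engineering. Before turning nesting on, walk the groups you assign privileged roles to and check what they contain, and remember that membership is resolved from the cache, so a removal from a group is not seen until the next sync.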
Configure the LDAP Cache Sync Frequency
The Controller Tenant keeps information about LDAP users and groups in a local cache. It connects to the LDAP server periodically to synchronize the cache with the LDAP server.
The Controller Tenant caches information about users and group membership. It does not cache user passwords: it authenticates a user's login credentials against the LDAP server at the start of every user session.
If you delete a user account from LDAP, the change takes effect immediately and the user can no longer log in to the Controller Tenant UI. An existing session, however, continues until the user logs out or the session expires.
For access granted through group membership, a user who is removed from a group but whose account remains on the LDAP server can still log in to the Controller Tenant until the next synchronization with the LDAP server. With the default sync frequency, that user can keep access to the Controller Tenant UI for up to one hour. Because only the credential check goes to the LDAP server at login, removing the account in LDAP, or otherwise preventing it from binding, is the change that takes effect immediately; a group change takes effect only at the next sync.
Configure the LDAP Sync Frequency
To change the default sync frequency of one hour, perform the following steps.