
Configure Active Directory or LDAP

Updated August 1st, 2016

To use AD or LDAP user authentication in DPA:

  1. Gather the following information from your domain administrator:
    • Directory service type: AD or LDAP
    • Domain name
    • Port number: Used to connect to the directory service
    • User: The domain user DPA uses to query the directory for users and groups
    • Password: The password of the domain user, preferably one that does not expire
  2. Click Options > Administration > Configure AD/LDAP.
  3. Select the type of directory service you have: Active Directory or LDAP.
  4. Click Next.

Connection information

Domain name

Enter the domain name.

SolarWinds recommends using a domain name, not the name of a specific domain controller.

Do you have multiple domains?

If your domain users authenticate from a domain other than the one specified here, you must connect to a global catalog port: 3268 or 3269. The domain users must belong to a universal group, and that universal group must be added under Options > Administration > User Administration.

Port

Select the port number.

If you use a unique port, select Other non-standard port. Enter the port number, and select SSL if required.

User and Password

DPA uses this user to search the directory service for users and groups.

Active Directory user name

For the AD user name, use one of the following formats:

  • Distinguished Name (DN): cn=BobSmith,cn=Users,dc=domain,dc=local
  • User Principal Name (UPN): bsmith@domain.local

LDAP user name

For the LDAP user name, use the following format:

  • Distinguished Name (DN): cn=BobSmith,cn=Users,dc=domain,dc=local

Did the connection test fail?

If you use an SSL port and the verification fails, DPA must import its certificate. Click Yes on the confirmation window to try again.

Base search location

Base DN

Use the default

SolarWinds recommends selecting the default, so DPA uses the detected base DN from the previous step.

Example of default base DN: dc=east,dc=acme,dc=com

Use a custom value

You may use a value other than the default base DN. For example, you use a global catalog that supports multiple domains, and you want to broaden the scope of the search.

Example for multiple domains: dc=acme,dc=com
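The following pre-flight check is an added example, not part of DPA or of the original guide. It validates the values gathered for the wizard against the rules above: user name format per directory type, global catalog port for multiple domains, SSL selection, and a custom base DN that relates to the detected one. The function names and finding codes are hypothetical, and ports 389 and 636 are the standard LDAP and LDAPS ports, not values taken from this page.

```python
import re

# Standard directory ports -> (is_global_catalog, expects_ssl).
# 3268/3269 come from the guide; 389/636 are the usual LDAP/LDAPS ports.
KNOWN_PORTS = {389: (False, False), 636: (False, True),
               3268: (True, False), 3269: (True, True)}
ALLOWED_FORMATS = {"AD": {"DN", "UPN"}, "LDAP": {"DN"}}

def parse_dn(dn):
    """Split a simple DN (no escaped commas) into lowercase (attr, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"not a distinguished name: {dn!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def name_format(name):
    """Classify a bind user name as 'UPN', 'DN', or None."""
    if re.fullmatch(r"[^@\s,=]+@[^@\s,=]+", name):
        return "UPN"
    try:
        parse_dn(name)
        return "DN"
    except ValueError:
        return None

def is_within(dn, base):
    """True when dn equals base or sits below it in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def preflight(service, port, ssl, bind_user, detected_base, base_dn, multi_domain=False):
    """Return finding codes for the wizard values; an empty list means no issue found."""
    findings = []
    if name_format(bind_user) not in ALLOWED_FORMATS[service]:
        findings.append("user-format")            # LDAP accepts a DN only; AD accepts DN or UPN
    is_gc, expects_ssl = KNOWN_PORTS.get(port, (False, ssl))
    if multi_domain and not is_gc:
        findings.append("need-global-catalog-port")  # use 3268 or 3269
    if ssl != expects_ssl:
        findings.append("ssl-port-mismatch")      # SSL setting does not fit a standard port
    if not ssl:
        findings.append("no-ssl")                 # a simple bind is not encrypted in transit
    if not (is_within(detected_base, base_dn) or is_within(base_dn, detected_base)):
        findings.append("base-dn-unrelated")      # custom base is neither parent nor child
    return findings
```

An empty result for the guide's own multi-domain values (UPN bsmith@domain.local, port 3269 with SSL, custom base dc=acme,dc=com over detected dc=east,dc=acme,dc=com) confirms they are mutually consistent.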

Advanced settings

If this is your first time using this wizard, do not use the advanced settings.

Only use advanced settings if you completed this wizard and you experience slow domain user logins or group searches.

Are domain user logins slow?

Set the User Search Base value if domain user logins take a long time.

If your company has one domain, specify the location in the directory tree that contains all of the domain users that will use SolarWinds DPA.

If you do not know what to put here, ask the domain administrator of your company the following questions:

"What folder, or organizational unit (OU), in the directory tree of the domain contains all of the users? I must specify a search base for users. What is the distinguished name of the folder?"

Example: cn=users OR ou=users

Are domain group searches slow?

Set the Group Search Base value if domain group searches in User Administration take a long time.

Specify the location in the directory tree that contains all of the groups to which SolarWinds DPA users belong.

If your company has multiple domains, you can enter the group search bases individually. After you add groups to SolarWinds DPA using the group search base from one domain, update this wizard to specify a group search base in another domain.

If you do not know what to put here, ask the domain administrator of your company the following:

"What folder, or organizational unit (OU), in the directory tree of the domain contains all of the groups? I must specify a search base for groups. What is the distinguished name of the folder?"

Example: cn=groups OR ou=groups

Summary

Confirm the information for configuring DPA with your directory service, and click Finish.

You must restart the DPA server for the settings to take effect.

Configure authentication and permissions for groups of users

After you have set up DPA to use Active Directory or LDAP, do the following:

  1. In AD or LDAP, determine which groups contain the users that you want to grant access to DPA. You may need to create a group if a suitable group does not exist.
  2. In DPA, click Options > Administration > User Administration.
  3. Click Add Active Directory Group or Add LDAP Group.
  4. Click Search for a Group.
  5. Find and select the group you want and click Save.
  6. Assign privileges to the group, just as you would for a user. This assigns those permissions to the domain users who are members of the group.

    DPA does not support single sign-on (SSO) for individual accounts. It only supports AD or LDAP groups.

  7. Click Save.

    All domain users in the selected group can log in to DPA using their domain credentials. The users have the privileges you set up for the group in DPA.

You can add multiple AD or LDAP groups in DPA. If a domain user is a member of more than one group, DPA grants them the combined privileges from all of their groups.

Log in to DPA

When you enter the domain user name and password in the DPA login screen, DPA searches your directory service for a matching user name, and then authenticates using the password. If the domain user belongs to one of the groups that you configured as a DPA custom user, the login succeeds.

Name formats for AD login

DPA supports three types of login name formats for Active Directory:

User name for LDAP

The user name used by DPA is the LDAP user object uid attribute.

Last modified
10:58, 1 Mar 2017
