Ldap in Dynatrace Managed

I have a few questions about LDAP, if someone could answer them:

First of all, I'm not sure I understood the principle from the official documentation, so I'm just going to tell you what I know.

1. What we did: we succeeded in connecting to the host, so connectivity is OK.

2. The Groups query is also OK.

3. Here is my question: why do we need the Users query?

What I thought at first was:

1. Create groups in Active Directory.

2. Assign users to those groups in Active Directory (by the Active Directory team, not in Dynatrace).

3. Call out those groups in Dynatrace and assign rights to the groups (in Dynatrace), not to the users => so when I assign rights to a specific group => all the users in AD who are in that group will have those rights.

But then when I found that I have to do a User query, I didn't really understand why.

Another question is: do the local accounts get deleted or just disabled when I enable LDAP? I want to enable it to test, but I'm not sure it will work and I will need those local accounts back working.


Dynatrace Guru

I believe you refer to that page:

Why do we need the Users query?

The user query is used to find a particular user in AD and get details like metadata or group membership. If a user exists in AD, then a password hash can be validated to authenticate the user. To authorize a user, group membership attributes are retrieved and mapped to the groups configured in Dynatrace.

For example, a user "John" logs in. The user query is executed against AD and we receive:

 "memberOf(working-group, employees)"

In Dynatrace you have configured a group "Cluster admins" that is mapped to the AD group "working-group" and a group "Environment A viewers" that is mapped to "employees". The group query is executed to verify that both groups exist in AD and to create a mapping.

Then the user "John" is assigned to the Dynatrace group "Cluster admins" and the group "employees", as he's a member of both AD groups.

Why do we need the Group query?

The group query is used to validate the correctness of the group configuration in Dynatrace (the mapping between a Dynatrace group and AD groups). From the query results, Dynatrace knows which of the configured AD groups exist in AD.

Do the local accounts get deleted or just disabled when I enable LDAP?

If you enable LDAP, you are no longer able to create internal users. All existing users will be overwritten by LDAP user accounts when they log in. There's a special "admin" account that will still be active, so you can log in and adjust the configuration. You can remove that user if you want, but then you are vulnerable to being locked out if your LDAP stops working. In that case the only rescue is to contact Dynatrace support.

Senior Product Manager,
Dynatrace Managed expert
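The two-step logic described in the answer above (group query validates the configured mapping, user query returns the user's memberOf attribute, and the intersection decides Dynatrace group membership) as an added example, not Dynatrace's own code. The directory contents, group names and mapping are constructed; password verification against AD is assumed to have already happened and is outside this snippet.

```python
# Constructed result of the *group query*: AD groups that actually exist.
AD_GROUPS = {"working-group", "employees"}

# Constructed result of the *user query*, keyed by login name:
# the user's memberOf attribute as returned by AD.
AD_USERS = {
    "john": {"memberOf": ["working-group", "employees"]},
    "jane": {"memberOf": ["employees", "contractors"]},
}

# Constructed Dynatrace-side configuration: Dynatrace group -> AD group.
DT_GROUP_MAPPING = {
    "Cluster admins": "working-group",
    "Environment A viewers": "employees",
    "Stale mapping": "decommissioned-group",  # configured, but missing in AD
}


def validate_mapping(mapping, ad_groups):
    """Group query step.

    Returns (valid, invalid): Dynatrace groups whose mapped AD group exists,
    and those whose mapped AD group does not. An invalid mapping can never
    grant anything, so it is reported rather than silently dropped.
    AD group names are compared case-insensitively."""
    existing = {g.lower() for g in ad_groups}
    valid = {dt: ad for dt, ad in mapping.items() if ad.lower() in existing}
    invalid = {dt: ad for dt, ad in mapping.items() if dt not in valid}
    return valid, invalid


def resolve_user_groups(login, ad_users, mapping, ad_groups):
    """User query step (authorization only, after AD accepted the password).

    Returns the sorted Dynatrace groups the user is assigned to, or None when
    the user query finds no such user, in which case login must fail."""
    entry = ad_users.get(login.lower())
    if entry is None:
        return None
    valid, _ = validate_mapping(mapping, ad_groups)
    member_of = {g.lower() for g in entry.get("memberOf", [])}
    # Only mappings that passed the group query can match a memberOf value.
    return sorted(dt for dt, ad in valid.items() if ad.lower() in member_of)


if __name__ == "__main__":
    print(resolve_user_groups("John", AD_USERS, DT_GROUP_MAPPING, AD_GROUPS))
```

A user in an AD group that no Dynatrace group is mapped to (here "contractors") gets nothing from it, which is the behaviour to check first when LDAP users appear in the user list but cannot access anything.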

Thank you so much.

I have another question, if you may:

I configured LDAP on one of our environments, and when the users try to connect I can see them being added to the users list, but they cannot access, so I do not know which password they should use.
I assumed that they would use their Active Directory password, but it is not working.

Yes, the AD password of course. After successful configuration of LDAP you need to configure group mapping and assign permissions to environments. Please follow our guide:

Senior Product Manager,
Dynatrace Managed expert

Thank you!