Configuring LDAP

To configure LDAP, see the instructions in the following sections:

LDAP configuration

After SAML is activated for a tenant, you have no other way to log in to Instana. The SAML configuration can be deleted through API by using a token with enough permissions.

To configure an LDAP (Lightweight Directory Access Protocol) connection, follow these steps:

  1. Log in to the Instana user interface (UI).
  2. Click Settings from the sidebar on the UI.
  3. Click Authentication > LDAP and add the corresponding LDAP configuration values. See Supported authentication providers.
  4. To persist the LDAP configuration, you must add a username and password in the **LDAP user account" section on the form. This user is added as owner, and you can change that after the initial setup.

After you configure LDAP, other users who match the group query are added to Instana with the default role. You can set the roles for each user as described in Role-based access control.

Instana fetches the roles and subsequent permissions for the currently authenticated user from your LDAP server. Users can't log in with their previous username and password combination: they must use their LDAP credentials.

LDAP

Tips:

  • For Self-Hosted Classic Edition (Docker), when you configure LDAP with Instana, make sure to enable the debugging mode of the component "butler" because the debugging information is chatty and can help you.

  • LDAP is case-insensitive by default.

Supported authentication providers

Currently, Microsoft® Active Directory and OpenLDAP are supported.

Configuration parameters

Configuring LDAP can be challenging. To find the correct settings for LDAP in the Instana UI, see the following configuration parameters:

Table 1. LDAP configuration parameters
Parameter Description
Url LDAP Server URL (ldap://host:389 or ldaps://host:636).
Trust any certificate authorities whilst using ldaps When enabled, any certificate authority (CA) is trusted while you use LDAP. It's required for untrusted Authorities or self-signed certificates.
Read only user has anonymous access to LDAP Decides whether read-only access requires authentication. If it's disabled, a user and their password need to be specified.
User The LDAP read-only user. It needs to have sufficient rights to list groups by using group_query. It's only required if anonymous access is insufficient.
Password Password for read-only user. It's only required if anonymous access is insufficient.
Base The base for queries (dc=instana,dc=com).
Group Query The query to list a group or a set of groups with members who have access to Instana (ou=Instana).
Group Member Field Name of the field that contains DNs of users who are listed through group_query (uniqueMember).
User Query Template Template to query the user, for instance (uid=%s).
Email Field The name of the field where to find the email address (mail).
Username The user to be related in Instana as owner user. A login is tried as a test before the settings are saved.
Password The password of the Instana owner user.
User DN Mapping The field (such as distinguishedName) that contains the users dn. This parameter is optional.
User_Field The field where the users within the group are referenced by the value of this attribute (if no DN is used). This parameter is optional.

TLS

Connecting through Secure LDAP (LDAPS) can be as easy as providing ldaps://url:636. In case the server accepts only an encryption stronger than what is provided by your Java 8 installation, the cryptography extension needs to be used. You can download it from Oracle, and configure it as described on the JCE documentation page.

By default, a self-signed certificate for the LDAP is expected. Therefore, a CA is not validated.

You can turn on CA validation by clearing the Trust any certificate authorities whilst using ldaps checkbox in the Required Settings section.

Finding the correct configuration values

Starting with nearly no knowledge of the structure of the LDAP server, it is best to get an overview.

ldapsearch -H ldap://ldap.forumsys.com:389 -x -b "DC=example,DC=com" -D "cn=read-only-admin,dc=example,dc=com" -w "password"

See the following description of the parameters:

  • -H: LDAP server URL.
  • -x: Use simple authentication (most LDAP servers use this authentication).
  • -b: The base query.
  • -D: The LDAP read-only user.
  • -w: The password of the LDAP read-only user.

Important: LDAP paths are read from right to left. The LDAP search query returns a list of entries that start from the root.

Now that you have the output, you want the correct settings.

Group Query

First, search for the matching group where the wanted users are members. In the following case, take the mathematicians as an example:

    mathematicians, example.com
    dn: ou=mathematicians,dc=example,dc=com
    uniqueMember: uid=euclid,dc=example,dc=com
    uniqueMember: uid=riemann,dc=example,dc=com
    uniqueMember: uid=euler,dc=example,dc=com
    uniqueMember: uid=gauss,dc=example,dc=com
    uniqueMember: uid=test,dc=example,dc=com
    ou: mathematicians
    cn: Mathematicians
    objectClass: groupOfUniqueNames
    objectClass: top

To find this group, use either cn=Mathematicians or ou=mathematicians.

User DN Mapping

Within the output, you can see the attribute uniqueMember. It is the distinguished name as it leads you to the users that are members of this group.

User Query Template

Now, you need to find the actual user. Look at a user from the output from the first query.

    euler, example.com
    dn: uid=euler,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    uid: euler
    sn: Euler
    cn: Leonhard Euler
    mail: euler@ldap.forumsys.com

The unique ID of the user is euler, so the user_query_template is (uid=%s). (The %s in the user_query_template is used as a placeholder for the provided user login.)

Email Field

In the snippet that you see before, the email field is named mail, which is also the value of the Email Field setting.

Verifying your configuration

To verify your configuration, replace the values from the placeholders by using the ones from the LDAP configuration in the Instana UI, and run the group search and user search.

It is important to run them with the exact values from the input and without extra parameters. Both of them can work if the LDAP is correctly configured and the values are correct.

If one of the commands does not return the correct values, Instana LDAP does not work.

If the following commands return the values, it means that the LDAP server is configured and has the corresponding data. Otherwise, the LDAP configuration and data must be checked.

  • Group search

    ldapsearch -H {url} -x -D "{ro_user}" -w "{ro_password}" -b "{base}" "{group_query}"
    

    It returns the groups with Instana access right. Without it, even if the user is present, it is not possible for Instana to check the user membership.

  • User search

    ldapsearch -H {url} -x -D "{ro_user}" -w "{ro_password}" -b "{base}" "{user_query_template=login}"
    

    Where login is the provided username that replaces %s within the user_query_template. It returns the specific user.

    The user also needs to have the email field attribute.

Accessing Instana UI

LDAP authentication is configured at the tenant level.

To log on to Instana with LDAP authentication, go to the login page or any other page on a tenant unit.

Note: If you access any page other than the login page on a tenant unit, you are redirected to the tenant login page.

The URL to log in is the following format: https://<unit name>-<tenant name>.<Instana domain>/

For example, if the unit is unit0, the tenant is tenant0, and the Instana domain is example.com, then the URL to log in would be https://unit0-tenant0.example.com/.

Glossary

  • cn: Common Name
  • ou: Organization Unit
  • dc: Domain Component
  • dn: Distinguished Name

A path name (dn) is written from the last to the first element from right to left: cn=Christian Kellner,ou=dev,ou=employee,dc=instana,dc=com

LDAP query syntax

Sometimes it is necessary to specify a bit more complex queries to get the wanted result. The query language is straight forward.

  • Equals

    (name=John)
    

    It returns everything where the name is equal John. Parentheses are included to emphasize the beginning and end of the LDAP statement.

  • AND

    (&(name=Christian)(l=Solingen))
    

    Use this syntax when you have more than one condition and you want all conditions in the series to be true. For example, if you want to find all of the people that have the given name of Christian and live in Solingen, you might use this query.

    Each argument is in its own set of parentheses. The entire LDAP statement must be encompassed in a main set of parentheses. The & operator means that each argument must be true for this filter to apply to your object in question.

  • NOT

    (!name=John)
    

    This is the opposite of the first example.

  • Wildcard

    (title=*)
    

Use the wildcard to search for anything:

  • Combination

    (&(name=Christian)(|(l=Solingen)(l=Duesseldorf)))
    

    It returns every user where the name is christian and who live in either Duesseldorf or Solingen.