LDAP Synthetic extension

Latest Dynatrace
Extension

Run Synthetic tests against your LDAP server to monitor availability and response time, validate search results, and support multiple authentication methods including SASL Kerberos.

Get started

Overview

This extension validates LDAP health by running Synthetic tests against your LDAP server. Filters that match are flagged as successful, and response time is recorded.

Requirements

Communication ports between ActiveGate and LDAP server must be open on whichever port the LDAP server runs on.
Optional If you are using a Linux ActiveGate and you would like to use the ldapsearch feature, ldapsearch must be installed on your Linux ActiveGate.
Optional If you are using a Linux ActiveGate and you would like to use SASL Kerberos authentication via GSSAPI, you need an MIT Kerberos package installed on your Linux ActiveGate. For more information, see SASL Kerberos authentication via GSSAPI.

SASL Kerberos authentication via GSSAPI

To authenticate via GSSAPI, you need the following packages and configuration file:

On Ubuntu systems, ensure that krb5-user and libsasl2-modules-gssapi-mit are installed.
On RHEL systems, ensure that krb5-workstation and cyrus-sasl-gssapi are installed.
A system-wide krb5.conf (typically located at /etc/krb5.conf) configuration file, so that the extension can authenticate your principal defined in the monitoring configuration with a specified realm. This file can be set up in a variety of ways and your package manager may create the file automatically. For examples, see MIT Kerberos Documentation.

DNS resolution for Kerberos realm
Your Linux ActiveGate needs to be able to resolve the domain name (realm) defined for the principal in the extension monitoring configuration.

Minimal example of a krb5.conf file:
```
[libdefaults]
    default_realm = EXAMPLE.ORG
# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false

[realms]
    EXAMPLE.ORG = {
            kdc = server1.example.org
            admin_server = server1.deb.example.org
    }
```

Activation and setup

Find the extension in Dynatrace Hub and add it to your environment.
Add a monitoring configuration.
- LDAP Server:
  
  Hostname or IP of your LDAP server.
- LDAP Port:
  
  389 is the default for LDAP. If using SSL, make sure you also change this port number to reflect the correct SSL port.
- Test name:
  
  The name for this Synthetic test.
- Test location:
  
  Enter the name of the location this test runs from. The default is "ActiveGate".
- Authentication Method:
  
  A dropdown of different authentication methods:
  - Anonymous Bind
  - Simple
  - SASL Kerberos (GSSAPI) (Linux ActiveGate only)
- Use credential vault:
  
  Use this feature if you would like to use a pre-stored username/password from your Dynatrace credential vault.
- Username:
  - The username depends on the selected authentication method:
    Anonymous Bind: No username is supplied with this method.
    Simple authentication: The username used to log into the LDAP server.
    SASL Kerberos (GSSAPI) authentication: The Kerberos principal.
- Password:
  
  Password for the username above.
- LDAP Base DN:
  
  Entry DN from where to start the search.
- Use ldapsearch:
  
  This is in case you would like to use an ldapsearch command expression instead. This is due to some LDAP tools having different format and custom properties and fields that the normal LDAP searches cannot see. An ldapsearch might return or provide more hidden fields. You will rarely need to use this feature and it requires you have ldapsearch installed on your ActiveGates.
- LDAP filters:
  
  Add filters to better focus your search and speed it up.
- LDAP attributes:
  
  Which attributes to return.
- LDAP matcher:
  
  The exact text to match in the result (case sensitive). If a matcher is entered, your test will be flagged as successful if the text is found, otherwise, marked as failed if not found.
- LDAP timeout:
  
  Number of seconds for the request to wait before timing out if no response.
- Dynatrace token:
  
  Because data is pushed as a third party synthetic test using the API, you must enter an API token with "Create and read synthetic monitors, locations and nodes" scope.
- Polling frequency:
  
  The interval at which this synthetic test runs. By default, it runs every minute.

Details

Licensing and costs

This extension runs a synthetic test once per minute, by default. This can be changed in the monitoring configuration when setting up the extension.

License consumption is incurred in the form of a Third Party Synthetic.

DPS licensing

For DPS licensing, see this Calculate your consumption of Third-Party Synthetic API Integration (DPS) for more details.

The formula for DPS consumption per minute is shown below (with polling frequency = 1 minute). One extension execution ingests one test result.

number of LDAP Connections x (polling frequency x 1 third-party synthetic test result) = DPS Consumption

Classic licensing

For Dynatrace classic licensing, see DEM units for more details on calculating consumption.

For example, a single Third-party synthetic API ingestion consumes 0.1 DEM.

The formula for DEM consumption per minute can be seen below, where the polling frequency = 1 minute.

number of LDAP Connections x (polling frequency x 1 third-party synthetic test result) = DEM Consumption

Feature sets

When activating your extension using a monitoring configuration, you can limit monitoring to one of the feature sets. To work properly, the extension has to collect at least one metric after the activation.

In highly segmented networks, feature sets can reflect the segments of your environment. Then, when you create a monitoring configuration, you can select a feature set and a corresponding ActiveGate group that can connect to this particular segment.

All metrics that aren't categorized into any feature set are considered to be the default and are always reported.

A metric inherits the feature set of a subgroup, which in turn inherits the feature set of a group. Also, the feature set defined on the metric level overrides the feature set defined on the subgroup level, which in turn overrides the feature set defined on the group level.

Explore in Dynatrace Hub

Run Synthetic tests against your LDAP server to monitor availability and response time, validate search results, and support multiple authentication methods including SASL Kerberos.

LDAP Synthetic extension

Latest Dynatrace
Extension

Run Synthetic tests against your LDAP server to monitor availability and response time, validate search results, and support multiple authentication methods including SASL Kerberos.

Get started

Overview

This extension validates LDAP health by running Synthetic tests against your LDAP server. Filters that match are flagged as successful, and response time is recorded.

Requirements

Communication ports between ActiveGate and LDAP server must be open on whichever port the LDAP server runs on.
Optional If you are using a Linux ActiveGate and you would like to use the ldapsearch feature, ldapsearch must be installed on your Linux ActiveGate.
Optional If you are using a Linux ActiveGate and you would like to use SASL Kerberos authentication via GSSAPI, you need an MIT Kerberos package installed on your Linux ActiveGate. For more information, see SASL Kerberos authentication via GSSAPI.

SASL Kerberos authentication via GSSAPI

To authenticate via GSSAPI, you need the following packages and configuration file:

On Ubuntu systems, ensure that krb5-user and libsasl2-modules-gssapi-mit are installed.
On RHEL systems, ensure that krb5-workstation and cyrus-sasl-gssapi are installed.
A system-wide krb5.conf (typically located at /etc/krb5.conf) configuration file, so that the extension can authenticate your principal defined in the monitoring configuration with a specified realm. This file can be set up in a variety of ways and your package manager may create the file automatically. For examples, see MIT Kerberos Documentation.

DNS resolution for Kerberos realm
Your Linux ActiveGate needs to be able to resolve the domain name (realm) defined for the principal in the extension monitoring configuration.

Minimal example of a krb5.conf file:
```
[libdefaults]
    default_realm = EXAMPLE.ORG
# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false

[realms]
    EXAMPLE.ORG = {
            kdc = server1.example.org
            admin_server = server1.deb.example.org
    }
```

Activation and setup

Find the extension in Dynatrace Hub and add it to your environment.
Add a monitoring configuration.
- LDAP Server:
  
  Hostname or IP of your LDAP server.
- LDAP Port:
  
  389 is the default for LDAP. If using SSL, make sure you also change this port number to reflect the correct SSL port.
- Test name:
  
  The name for this Synthetic test.
- Test location:
  
  Enter the name of the location this test runs from. The default is "ActiveGate".
- Authentication Method:
  
  A dropdown of different authentication methods:
  - Anonymous Bind
  - Simple
  - SASL Kerberos (GSSAPI) (Linux ActiveGate only)
- Use credential vault:
  
  Use this feature if you would like to use a pre-stored username/password from your Dynatrace credential vault.
- Username:
  - The username depends on the selected authentication method:
    Anonymous Bind: No username is supplied with this method.
    Simple authentication: The username used to log into the LDAP server.
    SASL Kerberos (GSSAPI) authentication: The Kerberos principal.
- Password:
  
  Password for the username above.
- LDAP Base DN:
  
  Entry DN from where to start the search.
- Use ldapsearch:
  
  This is in case you would like to use an ldapsearch command expression instead. This is due to some LDAP tools having different format and custom properties and fields that the normal LDAP searches cannot see. An ldapsearch might return or provide more hidden fields. You will rarely need to use this feature and it requires you have ldapsearch installed on your ActiveGates.
- LDAP filters:
  
  Add filters to better focus your search and speed it up.
- LDAP attributes:
  
  Which attributes to return.
- LDAP matcher:
  
  The exact text to match in the result (case sensitive). If a matcher is entered, your test will be flagged as successful if the text is found, otherwise, marked as failed if not found.
- LDAP timeout:
  
  Number of seconds for the request to wait before timing out if no response.
- Dynatrace token:
  
  Because data is pushed as a third party synthetic test using the API, you must enter an API token with "Create and read synthetic monitors, locations and nodes" scope.
- Polling frequency:
  
  The interval at which this synthetic test runs. By default, it runs every minute.

Details

Licensing and costs

This extension runs a synthetic test once per minute, by default. This can be changed in the monitoring configuration when setting up the extension.

License consumption is incurred in the form of a Third Party Synthetic.

DPS licensing

For DPS licensing, see this Calculate your consumption of Third-Party Synthetic API Integration (DPS) for more details.

The formula for DPS consumption per minute is shown below (with polling frequency = 1 minute). One extension execution ingests one test result.

number of LDAP Connections x (polling frequency x 1 third-party synthetic test result) = DPS Consumption

Classic licensing

For Dynatrace classic licensing, see DEM units for more details on calculating consumption.

For example, a single Third-party synthetic API ingestion consumes 0.1 DEM.

The formula for DEM consumption per minute can be seen below, where the polling frequency = 1 minute.

number of LDAP Connections x (polling frequency x 1 third-party synthetic test result) = DEM Consumption

Feature sets

All metrics that aren't categorized into any feature set are considered to be the default and are always reported.

Explore in Dynatrace Hub

Run Synthetic tests against your LDAP server to monitor availability and response time, validate search results, and support multiple authentication methods including SASL Kerberos.