Configure DPA to use Active Directory or LDAP
To use AD or LDAP user authentication in DPA:
- Gather the following information from your domain administrator:
  - Directory service type: AD or LDAP
  - Domain name
  - Port number: Used to connect to the directory service
  - If DPA is configured to use credentials stored in CyberArk, the CyberArk credentials query
  - If DPA is not configured to use credentials stored in CyberArk:
    - User: The domain user DPA uses to query the directory for users and groups
    - Password: The password of the domain user, preferably one that does not expire
- From the DPA menu in the upper-right corner, click Options.
- Under Administration > Users & Contacts, click Configure AD/LDAP.
- Select the type of directory service you have: Active Directory or LDAP.
- Click Next.
Enter the domain name.
SolarWinds recommends using a domain name, not the name of a specific domain controller.
Do you have multiple domains?
If your domain users authenticate from a domain other than the one specified here, you must connect to one of the global catalog ports, 3268 or 3269. The domain users must belong to a universal group, and that universal group must be added under Options > Administration > Users & Contacts > User Administration.
Select the port number.
If you use a unique port, select Other non-standard port. Enter the port number, and select SSL if required.
User and Password
If DPA is configured to use credentials stored in CyberArk, the User and Password fields are not displayed. The Credential query field is displayed instead.
DPA uses this user to search the directory service for users and groups.
Active Directory user name
For the AD user name, use one of the following formats:
- Distinguished Name (DN):
- User Principal Name (UPN):
See this article for information about valid characters for Active Directory user names.
LDAP user name
For the LDAP user name, use the following format:
- Distinguished Name (DN):
If DPA is configured to use credentials stored in CyberArk, enter the CyberArk credentials query.
Did the connection test fail?
If you use an SSL port and the verification fails, DPA must import its certificate. Click Yes on the confirmation window to try again.
Base search location
Use the default
SolarWinds recommends selecting the default, so DPA uses the detected base DN from the previous step.
Example of default base DN:
Use a custom value
You may use a value other than the default base DN. For example, you use a global catalog that supports multiple domains and you want to broaden the scope of the search.
Example for multiple domains:
If this is your first time using this wizard, do not use the advanced settings.
Only use advanced settings if you completed this wizard and you experience slow domain user logins or group searches.
Are domain user logins slow?
Set the User Search Base value if domain user logins take a long time.
If your company has one domain, specify the location in the directory tree that contains all of the domain users that will use DPA.
If you do not know what to put here, ask the domain administrator of your company the following questions:
"What folder, or organizational unit (OU), in the directory tree of the domain contains all of the users? I must specify a search base for users. What is the distinguished name of the folder?"
cn=users OR ou=users
Are domain group searches slow?
Set the Group Search Base value if domain group searches in User Administration take a long time.
Specify the location in the directory tree that contains all of the groups to which DPA users belong.
If your company has multiple domains, you can enter the group search bases individually. After you add groups to DPA using the group search base from one domain, update this wizard to specify a group search base in another domain.
If you do not know what to put here, ask the domain administrator of your company the following:
"What folder, or organizational unit (OU), in the directory tree of the domain contains all of the groups? I must specify a search base for groups. What is the distinguished name of the folder?"
cn=groups OR ou=groups
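Before narrowing the User Search Base or Group Search Base, confirm that the chosen container holds every account or group DPA needs, because a directory search does not return entries located outside its base. The following Python code is an added example, not part of the SolarWinds documentation or product: it reports which entries fall outside a candidate base and computes the deepest container common to all of them. The DNs are constructed samples, the function names are hypothetical, and DN comparison is simplified to case-insensitive matching of each RDN.

```python
def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes kept intact)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # escaped character, e.g. "\,"
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).lstrip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).lstrip())
    return [r for r in rdns if r]

def is_under(dn, base):
    """True if dn sits at or below base in the directory tree."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def outside_base(entry_dns, base):
    """Entries a search rooted at base would miss."""
    return [dn for dn in entry_dns if not is_under(dn, base)]

def narrowest_common_base(entry_dns):
    """Deepest container DN that holds every entry (full DN, root last)."""
    parents = [split_dn(dn)[1:] for dn in entry_dns]   # drop each entry's own RDN
    common = []
    for column in zip(*(reversed(p) for p in parents)):
        if len({rdn.lower() for rdn in column}) != 1:
            break
        common.append(column[0])
    return ",".join(reversed(common))

# Constructed sample: DNs of the domain users who must be able to log in.
USERS = [
    "CN=Ana Ruiz,OU=DBA,OU=Staff,DC=example,DC=com",
    "CN=Lee\\, Sam,OU=Dev,OU=Staff,DC=example,DC=com",
    "CN=svc-report,OU=Service Accounts,DC=example,DC=com",
]

if __name__ == "__main__":
    candidate = "OU=Staff,DC=example,DC=com"
    print("Missed by", candidate, "->", outside_base(USERS, candidate))
    print("Narrowest base covering all users:", narrowest_common_base(USERS))
```
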
Confirm the information for configuring DPA with your directory service, and click Finish.
You must restart DPA for the settings to take effect.
Configure authentication and permissions for groups of users
After you have set up DPA to use Active Directory or LDAP, do the following:
- In AD or LDAP, determine which groups contain the users that you want to grant access to DPA. You may need to create a group if a suitable group does not exist.
- From the DPA menu in the upper-right corner, click Options.
- Under Administration > Users & Contacts, click User Administration.
- Click Add Active Directory Group or Add LDAP Group.
- Click Search for a Group.
- Find and select the group you want and click Save.
- Assign privileges to the group, just as you would for a user. This assigns those permissions to the domain users who are members of the group.
DPA does not support single sign-on (SSO) for individual accounts. It only supports AD or LDAP groups.
All domain users in the selected group can log in to DPA using their domain credentials. The users have the privileges you set up for the group in DPA.
You can add multiple AD or LDAP groups in DPA. If a domain user is a member of more than one group, DPA grants them the combined privileges from all of their groups.
Log in to DPA
When you enter the domain user name and password in the DPA login screen, DPA searches your directory service for a matching user name, and then authenticates using the password. If the domain user belongs to one of the groups that you configured as a DPA custom user, the login succeeds.
Name formats for AD login
DPA supports three types of login name formats for Active Directory:
- SAM account name:
- User principal name:
User name for LDAP
The user name used by DPA is the LDAP user object