Ldap authentication & role Authenticated

10-15-2007, 05:20 AM
I have configured ldap to authenticate against our Microsoft AD server.
I configured pentaho.xml as follows:

These acls are used when publishing from the file system. Every folder
gets these ACLS. Authenticated is a "default" role that everyone
gets when they're authenticated (be sure to setup your bean xml properly
for this to work).
<acl-entry role="GG Pentaho administrators (BE)" acl="ADMIN_ALL"/> <!-- Admin users get all authorities -->

<!-- <acl-entry role="Admin" acl="ADMIN_ALL" /> Admin users get all authorities -->
<!-- <acl-entry role="cto" acl="ADMIN_ALL" /> CTO gets everything -->
<!-- <acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" /> Dev gets execute/subscribe -->
<!-- <acl-entry role="Authenticated" acl="EXECUTE" /> Authenticated users get execute only -->
<acl-entry role="GG Pentaho users (BE)" acl="EXECUTE"/> <!-- Authenticated users get execute only -->

I replaced the role names with the roles defined in AD. This is logical for the first role ADMIN_ALL.
Initially I left the default role as is (Authenticated), but I did receive access denied messages when trying to open the index.jsp and later on the main page.
To fix this behaviour, I changed the role to "GG Pentaho users (BE)". The bad thing about this is that you have to assign this default role to the user. If you forget to do so, the user will be authenticated, and then get an ugly "access denied" screen. The comment "be sure to setup your bean xml properly for this to work" led me to suspect I am doing something wrong. Probably there is another way to get rid of this "access denied" screen. Can someone point me to the solution?

10-15-2007, 10:25 AM
I'm not sure I fully understand your setup. But let me list some possible problems.

You mention a "default role." Are you talking about the defaultRole property in DefaultLdapAuthoritiesPopulator? By default, the platform defines no defaultRole in DefaultLdapAuthoritiesPopulator.
When you edit default-acls, you must update the solution repository (http://wiki.pentaho.org/display/PentahoDoc/Re-Applying+Default+ACL).
When you want to introduce your organization-specific roles, you must add them to both pentaho.xml and applicationContext-acegi-security.xml. The former addresses domain object authorization while the latter addresses web resource authorization.

10-15-2007, 11:19 AM
I was referring to the role="Authenticated" in pentaho.xml

In applicationContext-acegi-security.xml you define:

<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->

<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref local="authenticationManager" />
  </property>
  <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager" />
  </property>
  <property name="objectDefinitionSource">
    <!-- other pattern lines omitted; only the catch-all line quoted below is shown -->
    <value>
      \A/.*\Z=Authenticated
    </value>
  </property>
</bean>
Where "\A/.*\Z=Authenticated" gives you access to http://localhost/pentaho/login.jsp or http://localhost/pentaho/home
To get it working I replaced "Authenticated" with a role "pentaho_user" I defined in Active Directory. This is not convenient. All users defined in AD will pass the authentication phase, but will get an ugly "access denied" error because they are not a member of the role "pentaho_user". So I thought there might be a relation between the fact that the users are authenticated and the role definition "Authenticated" as specified above. In other words, if you are authenticated by LDAP, you have the role "Authenticated" assigned.

10-15-2007, 02:19 PM
I believe what you are requesting can be accomplished using the defaultRole property of DefaultLdapAuthoritiesPopulator, which is defined in applicationContext-acegi-security-ldap.xml. The defaultRole property "will be assigned to all authenticated users."

<bean id="populator" class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <!-- omitted -->
  <property name="defaultRole" value="Authenticated" />
  <!-- omitted -->
</bean>

The default role needs to exist in the LDAP directory if you plan on using the Permissions UI to assign permissions that reference the default role. If you're not going to use the Permissions UI, and instead just use the default-acls in pentaho.xml, you can safely define a default role that does not exist in the LDAP directory.
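An added illustration (not from the thread, nor Acegi or Pentaho code) of the two mechanisms the posts above describe: the defaultRole that DefaultLdapAuthoritiesPopulator adds for every authenticated user, and the first-match ordering of the objectDefinitionSource patterns in the FilterSecurityInterceptor. The rule lines, role names and URLs are constructed samples in the posted "regex=role" format; treating a URL that matches no pattern as unprotected is an assumption of this model.

```python
import re

# Added model of the two mechanisms discussed in the thread, not Acegi/Pentaho code.
# Rule lines use the posted "regex=role1,role2" form; lines without "=" (Acegi
# directives) are skipped. re.fullmatch mirrors Java's matches() for \A ... \Z patterns.

def parse_object_definition_source(text):
    rules = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        pattern, roles = line.strip().split("=", 1)
        rules.append((re.compile(pattern), {r.strip() for r in roles.split(",")}))
    return rules

def granted_authorities(ldap_groups, default_role=None):
    """DefaultLdapAuthoritiesPopulator: each AD group becomes an authority and
    defaultRole, when set, is added for every authenticated user, even one in no group."""
    authorities = set(ldap_groups)
    if default_role:
        authorities.add(default_role)
    return authorities

def decide(rules, url, authorities):
    """FilterSecurityInterceptor: the FIRST rule whose regex matches the URL decides.
    Assumption: a URL that matches no rule is treated as unprotected."""
    for regex, required in rules:
        if regex.fullmatch(url):
            return "granted" if authorities & required else "denied"
    return "granted"

# Constructed sample objectDefinitionSource values, most specific pattern first.
SPECIFIC_FIRST = r"""
\A/pentaho/admin.*\Z=GG Pentaho administrators (BE)
\A/.*\Z=Authenticated
"""
# Same rules in the wrong order: the catch-all now shadows the admin rule.
CATCH_ALL_FIRST = r"""
\A/.*\Z=Authenticated
\A/pentaho/admin.*\Z=GG Pentaho administrators (BE)
"""

def demo(source, ldap_groups, default_role, url):
    return decide(parse_object_definition_source(source), url,
                  granted_authorities(ldap_groups, default_role))

if __name__ == "__main__":
    # Same group-less AD user on an admin URL: denied with the correct order, granted with the wrong one.
    for src in (SPECIFIC_FIRST, CATCH_ALL_FIRST):
        print(demo(src, [], "Authenticated", "/pentaho/admin/index.jsp"))
```

Without a defaultRole, an AD user who is in no Pentaho group ends up with no authorities at all and hits the catch-all rule as "denied", which is the "access denied" screen described above.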

10-15-2007, 02:22 PM
The last post in this thread (http://forums.pentaho.org/showthread.php?t=54689) might also help you.