LDAP Auth not working

ozwolverine
05-29-2008, 09:18 AM
Hello Everybody,

I'm new to Pentaho; our company wants to use it to generate reports for our business processes, which run under jBPM.
I have installed a version of Pentaho for testing and I now know how to generate reports, but as I don't need memory authentication, I want to bind Pentaho to our LDAP directory. I made some changes, but when I try to log in it says "Bad Credentials" or something like that. Below are the changes I made: are they enough, and what did I miss?

WEB.XML file

I just changed this:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml /WEB-INF/applicationContext-common-authorization.xml /WEB-INF/applicationContext-acegi-security-memory.xml /WEB-INF/applicationContext-pentaho-security-memory.xml</param-value>
</context-param>


from memory to LDAP, just two words:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml /WEB-INF/applicationContext-common-authorization.xml /WEB-INF/applicationContext-acegi-security-ldap.xml /WEB-INF/applicationContext-pentaho-security-ldap.xml</param-value>
</context-param>

FILE: ./tomcat/webapps/pentaho/WEB-INF/applicationContext-pentaho-security-ldap.xml

changed the body of <bean id="allUsernamesSearch"> to point to my LDAP users base DN:

<bean class="com.pentaho.security.ldap.search.LdapSearchParamsFactoryImpl">
    <constructor-arg index="0"
        value="ou=People, o=usuarios,o=mycompany.gov.co" />
    <constructor-arg index="1" value="objectClass=Person" />
</bean>

Our users are in that leaf of the LDAP tree, so I guessed that is the entry I had to put there (index 0); I find them there as uid=<login>, the login I want them to use to log into Pentaho.

File
./tomcat/webapps/pentaho/WEB-INF/applicationContext-acegi-security-ldap.xml

<bean id="initialDirContextFactory"
    class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg index="0"
        value="ldap://ldap.mycompany.gov.co:389/" />
    <property name="managerDn" value="uid=admin,ou=system" />
    <property name="managerPassword" value="secret" />
</bean>


There I just changed the index 0 value to my LDAP server URL and port: ldap://ldap.mycompany.gov.co:389/

Are there any other changes mandatory to do? What did I miss? What did I do wrong?

Thanks in advance,
:)

zach
05-29-2008, 04:46 PM
You may need to change the roles that have access to the different objects in Pentaho to match what is returned from your LDAP service.

What does your server log say?

I would look at the file:
applicationContext-acegi-security.xml

The section of xml you may need to modify is:

<property name="objectDefinitionSource">
<value>
<![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/login.*\Z=Anonymous,Authenticated
\A/j_acegi_security_check.*\Z=Anonymous,Authenticated
\A/getmondrianmodel.*\Z=Anonymous,Authenticated
\A/getimage.*\Z=Anonymous,Authenticated
\A/getresource.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
\A/auditreport.*\Z=Admin
\A/auditreportlist.*\Z=Admin
\A/versioncontrol.*\Z=Admin
\A/propertieseditor.*\Z=Admin
\A/propertiespanel.*\Z=Admin
\A/subscriptionadmin.*\Z=Admin
\A/resetrepository.*\Z=Admin
\A/viewaction.*solution.admin.*\Z=Admin
\A/scheduleradmin.*\Z=Admin
\A/publish.*\Z=Admin
\A/logout.*\Z=Anonymous
\A/.*\Z=Authenticated
]]>
</value>
</property>

mlowery
06-02-2008, 12:55 PM
If the error is "Bad credentials," then the authentication is failing and no authorization checks have occurred yet. While zach is correct that the roles granted to the users in your LDAP server will need to agree with the roles used in authorization rules within Pentaho, I don't believe you're even getting to the authorization rules yet.

I would focus on getting the userSearch bean in applicationContext-acegi-security-ldap.xml correct. Do this by executing your queries in a tool such as Apache Directory Studio first. Once you're satisfied, copy them over and run Pentaho. Turn on security logging too.
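An offline stand-in for the check mlowery recommends, added here as an example (not code from the thread or from Pentaho): it reads the search base and filter out of a constructed userSearch bean (modelled on the allUsernamesSearch snippet above, with the {0} username placeholder that Acegi's FilterBasedLdapUserSearch is assumed to substitute), runs the search against a constructed in-memory directory, and reports whether a login resolves to exactly one DN. SAMPLE_XML, SAMPLE_DIRECTORY and the bean id userSearch are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bean (hypothetical id "userSearch"), modelled on the thread's config
SAMPLE_XML = """<beans>
  <bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0" value="ou=People, o=usuarios,o=mycompany.gov.co" />
    <constructor-arg index="1" value="(uid={0})" />
  </bean>
</beans>"""

# Constructed in-memory stand-in for the directory at ldap.mycompany.gov.co
SAMPLE_DIRECTORY = {
    "uid=jdoe,ou=People,o=usuarios,o=mycompany.gov.co": {"objectClass": {"Person"}, "uid": {"jdoe"}},
    "uid=asmith,ou=People,o=usuarios,o=mycompany.gov.co": {"objectClass": {"Person"}, "uid": {"asmith"}},
    "uid=jdoe,ou=Service,o=mycompany.gov.co": {"objectClass": {"Person"}, "uid": {"jdoe"}},
}

def normalize_dn(dn):
    # RFC 2253 allows spaces around the comma separator; drop them so DNs compare equal
    return ",".join(part.strip() for part in dn.split(",")).lower()

def search_params(xml_text, bean_id):
    # Pull (search base, filter) out of the bean's indexed constructor-args
    bean = ET.fromstring(xml_text).find(f".//bean[@id='{bean_id}']")
    args = {a.get("index"): a.get("value") for a in bean.findall("constructor-arg")}
    return normalize_dn(args["0"]), args["1"]

def escape_filter_value(value):
    # RFC 4515 escaping: a typed username is substituted as a literal, never as filter syntax
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def matches(entry, filt):
    # Equality filters only, with or without outer parentheses; attribute names are case-insensitive
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=([^()]*)\)?", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.groups()
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), set())
    return value.lower() in {v.lower() for v in values}

def find_user(directory, base, filt, username):
    # Subtree search under base, then apply the filter with {0} replaced by the escaped username
    filt = filt.replace("{0}", escape_filter_value(username))
    in_scope = lambda dn: normalize_dn(dn) == base or normalize_dn(dn).endswith("," + base)
    return [dn for dn, attrs in directory.items() if in_scope(dn) and matches(attrs, filt)]

def check_login(username, xml_text=SAMPLE_XML, directory=SAMPLE_DIRECTORY):
    # Pentaho can only bind as the user when the search yields exactly one DN
    hits = find_user(directory, *search_params(xml_text, "userSearch"), username)
    return "ok" if len(hits) == 1 else ("not found" if not hits else "ambiguous")
```

Widening the base to o=mycompany.gov.co makes jdoe ambiguous in the sample directory, which is the kind of result to look for in Apache Directory Studio before copying the parameters into Pentaho.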