Hitachi Vantara Pentaho Community Forums

Thread: LDAP configuration migration to Pentaho 5.0.1 CE

  1. #1
    Join Date
    Nov 2013
    Posts
    4

    LDAP configuration migration to Pentaho 5.0.1 CE

    Hi,

    I'm trying to migrate a working Pentaho 4.8 LDAP configuration to Pentaho 5.0.1 CE.

    The results so far are proper authentication of users, but the ACL settings seem to have a problem.

    Neither users nor admins can create anything (reports/analysis/schedules/folders/etc.).

    Datasource management and Tools menus are also invisible for admins.

    Recreating the ACL lists (removing the pentaho-solutions/system/jackrabbit/repository/ subfolders) doesn't help.

    Below are some pieces of my configuration.

    repository.spring.properties (where myadmin, PentahoAdmins, all_users are LDAP based)

    Code:
    singleTenantAdminDefaultUserName=myadmin
    singleTenantAdminUserName=myadmin
    singleTenantAdminDefaultAuthorityName=PentahoAdmins
    singleTenantAdminAuthorityName=PentahoAdmins
    repositoryAdminUsername=myadmin
    singleTenantAuthenticatedAuthorityName=all_users
    singleTenantAnonymousAuthorityName=Anonymous
    superAdminAuthorityName=PentahoAdmins
    superAdminUserName=myadmin
    systemTenantAdminUserName=myadmin
    systemTenantAdminPassword=mypassword
    security.properties

    Code:
    provider=ldap
    applicationContext-security-ldap.properties which is working on 4.8 (the only difference is adminRole and adminUser added in 5.0)

    Code:
    contextSource.providerUrl=ldap\://myldap\:389/o\=myorganization,o\=eu
    contextSource.userDn=uid\=ldapread,ou\=generic,o\=myusers,o\=myorganization,o\=eu
    contextSource.password=mypassword
    
    userSearch.searchBase=o\=myusers
    userSearch.searchFilter=(uid\={0})
    
    populator.convertToUpperCase=false
    populator.groupRoleAttribute=cn
    populator.groupSearchBase=ou\=mygroups
    populator.groupSearchFilter=(uniqueMember\={0})
    populator.rolePrefix=
    populator.searchSubtree=true
    
    allAuthoritiesSearch.roleAttribute=cn
    allAuthoritiesSearch.searchBase=ou\=mygroups
    allAuthoritiesSearch.searchFilter=(objectClass\=mygroup)
    
    allUsernamesSearch.usernameAttribute=uid
    allUsernamesSearch.searchBase=o\=myusers
    allUsernamesSearch.searchFilter=(memberOf\=cn\=all_users,ou\=mygroups,o\=myorganization,o\=eu)
    
    adminRole=cn\=PentahoAdmins,ou\=mygroups,o\=myorganization,o\=eu
    adminUser=uid\=myuser,o\=myusers
    data-access/settings.xml

    Code:
    ...
      <!-- roles with data access permissions -->
      <data-access-roles>PentahoAdmins</data-access-roles>
      <!-- users with data access permissions -->
      <!-- <data-access-users></data-access-users> -->
      <!-- roles with datasource view permissions -->
      <data-access-view-roles>all_users,PentahoAdmins</data-access-view-roles>
      <!-- users with datasource view permissions -->
      <!-- <data-access-view-users>suzy</data-access-view-users> -->
      <!-- default view acls for user or role -->
      <data-access-default-view-acls>31</data-access-default-view-acls>
      <data-access-staging-jndi>Hibernate</data-access-staging-jndi>
      <data-access-datasource-solution-storage>admin</data-access-datasource-solution-storage>
    ...

    defaultUser.spring.xml - commented out the content of the defaultUserRoleMappings tag, which contained mappings for suzy, pat, tiffany, etc.

    pentaho.xml - I was trying to add <acl-publisher>, <default-acls>, <acl-voter> and <acl-files> (working for me on Pentaho 4.8) but there was no difference if the config was with or without it.

    applicationContext-spring-security.xml - replaced Admin and Authenticated roles with LDAP based all_users and PentahoAdmins roles inside filterInvocationInterceptor and filterInvocationInterceptorForWS beans but left unchanged inside defaultRole bean.

    While trying to create a folder I get this exception:

    Code:
    org.pentaho.platform.api.repository2.unified.UnifiedRepositoryAccessDeniedException: access denied while creating folder with name "test"
    The strange thing I've noticed while debugging security is that when I log in with the LDAP administrator user account, AbstractSecurityInterceptor shows all the Granted Authorities except for the PentahoAdmins LDAP role, while DefaultLdapAuthoritiesPopulator finds all the LDAP roles.

    URL patterns added based on the content of applicationContext-spring-security.xml

    Code:
    11:01:46,224 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/admin.*\Z; attributes: [PentahoAdmins]
    11:01:46,224 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/auditreport.*\Z; attributes: [PentahoAdmins]
    11:01:46,224 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/auditreportlist.*\Z; attributes: [PentahoAdmins]
    11:01:46,224 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/versioncontrol.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/propertieseditor.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/propertiespanel.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/subscriptionadmin.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/resetrepository.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/viewaction.*solution.admin.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/scheduleradmin.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/publish.*\Z; attributes: [PentahoAdmins]
    11:01:46,153 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/unifiedrepository\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,153 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/userrolelistservice\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/userroleservice\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/authorizationpolicy\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/rolebindingdao\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/scheduler\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/repositorysync\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/datasourcemgmtservice\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,155 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/.*\Z; attributes: [all_users]
    11:01:46,155 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/api/.*require-js-cfg.js\Z; attributes: [Anonymous, all_users]
    11:01:46,155 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/api/.*\Z; attributes: [all_users]
    11:01:46,155 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/plugin/.*\Z; attributes: [all_users]
    Any idea of a possible solution? Am I missing something in my config?

    Best Regards,
    Marcin

  2. #2
    Join Date
    Nov 2013
    Posts
    4


    Quote Originally Posted by mpiatek View Post
    ...
    The strange thing I've noticed while debugging security is that when I log in with the LDAP administrator user account, AbstractSecurityInterceptor shows all the Granted Authorities except for the PentahoAdmins LDAP role, while DefaultLdapAuthoritiesPopulator finds all the LDAP roles.
    ...
    Further investigation shows that after InteractiveAuthenticationSuccessEvent the PentahoAdmins LDAP role on the list of Granted Authorities is replaced by the Administrator role (which is not coming from my LDAP).


    I've tried to modify the repository.spring.properties and applicationContext-spring-security.xml files and replace my LDAP groups with Administrator (despite the documentation, which says to put LDAP group names there) - and everything works fine!


    Is it intended behaviour? Documentation inconsistency or a bug?

  3. #3

    Not working correctly

    Hi,

    I'm trying to run the newest Pentaho 5 CE with LDAP authentication, but I'm not sure it's running OK.
    When you say .... "I've tried to modify repository.spring.properties and applicationContext-spring-security.xml ..." could you post the content of both files to help me? I'm very confused about LDAP groups with the Administrator role!!!

    Best regards
    Jordi


    Quote Originally Posted by mpiatek View Post
    Further investigation shows that after InteractiveAuthenticationSuccessEvent the PentahoAdmins LDAP role on the list of Granted Authorities is replaced by the Administrator role (which is not coming from my LDAP).


    I've tried to modify the repository.spring.properties and applicationContext-spring-security.xml files and replace my LDAP groups with Administrator (despite the documentation, which says to put LDAP group names there) - and everything works fine!


    Is it intended behaviour? Documentation inconsistency or a bug?

  4. #4
    Join Date
    Nov 2013
    Posts
    4


    Quote Originally Posted by jcarreras@biton.es View Post
    Hi,

    I'm trying to run the newest Pentaho 5 CE with LDAP authentication, but I'm not sure it's running OK.
    When you say .... "I've tried to modify repository.spring.properties and applicationContext-spring-security.xml ..." could you post the content of both files to help me? I'm very confused about LDAP groups with the Administrator role!!!

    Best regards
    Jordi
    Yes, it is confusing... I've just replaced every occurrence of the LDAP group used to identify Pentaho administrators (PentahoAdmins) with Administrator (a Pentaho built-in group?) in the files mentioned above.

    Hope this helps. It's working for me but I'm still confused if it is a bug or documentation inconsistency?

    applicationContext-spring-security.xml - replaced roles: Admin with Administrator (NOT LDAP based!) and Authenticated with LDAP based all_users

    Code:
    ...
      <bean id="filterInvocationInterceptor"
            class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
          <ref local="authenticationManager" />
        </property>
        <property name="accessDecisionManager">
          <ref local="httpRequestAccessDecisionManager" />
        </property>
        <property name="objectDefinitionSource">
          <value>
            <!--
                Note - the "=Nobody" below is saying that resource URLs with those
                patterns not be available through a web call.
            -->
            <![CDATA[
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/.*require-js-cfg.js\Z=Anonymous,all_users
    \A/js/require.js\Z=Anonymous,all_users
    \A/js/require-cfg.js\Z=Anonymous,all_users
    \A/content/data-access/resources/gwt/.*css\Z=Anonymous,all_users
    \A/webcontext.js.*\Z=Anonymous,all_users
    \A/content/common-ui/resources/web/cache/cache-service.js.*\Z=Anonymous,all_users
    \A/cacheexpirationservice.*\Z=Anonymous,all_users
    \A/js/theme.*\Z=Anonymous,all_users
    \A/content/common-ui/resources/themes/.*\Z=Anonymous,all_users
    \A/content/common-ui/resources/web/dojo/djconfig.js.*\Z=Anonymous,all_users
    \A/content/pentaho-mobile/resources/.*\Z=Anonymous,all_users
    \A/docs/.*\Z=Anonymous,all_users
    \A/mantlelogin/.*\Z=Anonymous,all_users
    \A/mantle/mantleloginservice/*\Z=Anonymous,all_users
    \A/mantle/.*\Z=all_users
    \A/welcome/.*\Z=Anonymous,all_users
    \A/public/.*\Z=Anonymous,all_users
    \A/login.*\Z=Anonymous,all_users
    \A/ping/alive.gif.*\Z=Anonymous,all_users
    \A/j_spring_security_check.*\Z=Anonymous,all_users
    \A/getimage.*\Z=Anonymous,all_users
    \A/getresource.*\Z=Anonymous,all_users
    \A/admin.*\Z=Administrator
    \A/auditreport.*\Z=Administrator
    \A/auditreportlist.*\Z=Administrator
    \A/versioncontrol.*\Z=Administrator
    \A/propertieseditor.*\Z=Administrator
    \A/propertiespanel.*\Z=Administrator
    \A/subscriptionadmin.*\Z=Administrator
    \A/resetrepository.*\Z=Administrator
    \A/viewaction.*solution.admin.*\Z=Administrator
    \A/scheduleradmin.*\Z=Administrator
    \A/publish.*\Z=Administrator
    \A/logout.*\Z=Anonymous
    \A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
    \A/solutionrepositoryservice.*solution=system.*component=delete.*\Z=Nobody
    .*system.*pentaho.xml.*=Nobody
    .*system.*applicationcontext.*.xml.*=Nobody
    .*system.*pentahoobjects.spring.xml.*=Nobody
    .*system.*pentahosystemconfig.xml.*=Nobody
    .*system.*adminplugins.xml.*=Nobody
    .*system.*plugin.properties.*=Nobody
    .*system.*sessionstartupactions.xml.*=Nobody
    .*system.*systemlisteners.xml.*=Nobody
    .*system.*hibernate.*=Nobody
    .*system.*birt/.*=Nobody
    .*system.*dialects/.*=Nobody
    .*system.*google/.*=Nobody
    .*system.*jasperreports/.*=Nobody
    .*system.*kettle/.*=Nobody
    .*system.*logs/.*=Nobody
    .*system.*mondrian/.*=Nobody
    .*system.*quartz/.*=Nobody
    .*system.*simple-jndi/.*=Nobody
    .*system.*smtp-email/.*=Nobody
    .*system.*ui/.*=Nobody
    .*system.*\.\./.*=Nobody
    \A/.*\Z=all_users
            ]]>
          </value>
        </property>
      </bean>
    
    
      <bean id="filterInvocationInterceptorForWS" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
          <ref local="authenticationManager" />
        </property>
        <property name="accessDecisionManager">
          <ref local="httpRequestAccessDecisionManager" />
        </property>
        <!-- allow anyone to see the wsdl of various services -->
        <property name="objectDefinitionSource">
          <value>
            <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/webservices/unifiedrepository\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/userrolelistservice\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/userroleservice\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/authorizationpolicy\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/rolebindingdao\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/scheduler\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/repositorysync\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/datasourcemgmtservice\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/.*\Z=all_users
    \A/api/.*require-js-cfg.js\Z=Anonymous,all_users
    \A/api/.*\Z=all_users
    \A/plugin/.*\Z=all_users
          ]]>
          </value>
        </property>
      </bean>
    
    
      <bean id="defaultRole" class="java.lang.String">
        <constructor-arg value="Authenticated" />
      </bean>
    
    
      <bean id="anonymousRole" class="java.lang.String">
        <constructor-arg value="Anonymous" />
      </bean>
    
    
    ...
    repository.spring.properties

    Code:
    singleTenantAdminDefaultUserName=myadmin
    singleTenantAdminUserName=myadmin
    singleTenantAdminDefaultAuthorityName=Administrator
    singleTenantAdminAuthorityName=Administrator
    repositoryAdminUsername=myadmin
    singleTenantAuthenticatedAuthorityName=all_users
    singleTenantAnonymousAuthorityName=Anonymous
    superAdminAuthorityName=Administrator
    superAdminUserName=myadmin
    systemTenantAdminUserName=myadmin
    systemTenantAdminPassword=mypassword
    Also be aware that the content of applicationContext-security-ldap.properties is strictly related to your LDAP server configuration and should be tested with some LDAP client tool in the first place.
    Last edited by mpiatek; 01-12-2014 at 07:57 AM.

  5. #5
    Join Date
    Mar 2013
    Posts
    22


    Can you post your full configuration? I'm trying to migrate just like you from 4.8 to 5.0.1, and when I configure all the LDAP parameters I just get Error 404 in Tomcat. I would appreciate it.

    Edit: I finished configuring it like you did, but I just get this error when I launch the platform; checking logs right now...:
    [attached screenshot: pentaho error.jpg]
    Last edited by alucard1626; 02-04-2014 at 05:07 PM.

  6. #6
    Join Date
    Dec 2013
    Posts
    1


    Quote Originally Posted by alucard1626 View Post
    Can you post your full configuration? I'm trying to migrate just like you from 4.8 to 5.0.1, and when I configure all the LDAP parameters I just get Error 404 in Tomcat. I would appreciate it.

    Edit: I finished configuring it like you did, but I just get this error when I launch the platform; checking logs right now...
    I ran into that same error today when I modified the repositoryAdminUsername setting in repository.spring.properties. I had to set it back to the default pentahoRepoAdmin in order for the application to initialize.


    With regards to this thread, from what I can tell the Pentaho 'Administrator' role is mapped to the ldap.adminRole in applicationContext-spring-security-ldap.xml (note: ldap.adminRole is specified in applicationContext-security-ldap.properties). So that could explain why everything started working once you replaced your LDAP PentahoAdmins role with Pentaho's Administrator role. I'm currently configuring LDAP myself and this part was very confusing; however, I'm not even sure if I am correct or not.

  7. #7
    Join Date
    Mar 2013
    Posts
    22


    Quote Originally Posted by DanLake View Post
    I ran into that same error today when I modified the repositoryAdminUsername setting in repository.spring.properties. I had to set it back to the default pentahoRepoAdmin in order for the application to initialize.


    With regards to this thread, from what I can tell the Pentaho 'Administrator' role is mapped to the ldap.adminRole in applicationContext-spring-security-ldap.xml (note: ldap.adminRole is specified in applicationContext-security-ldap.properties). So that could explain why everything started working once you replaced your LDAP PentahoAdmins role with Pentaho's Administrator role. I'm currently configuring LDAP myself and this part was very confusing; however, I'm not even sure if I am correct or not.
    Well... yeah, that solved it, but now I get the HTTP 404 status from before... As you said, Pentaho "Administrator" seems to be mapped to the repository.

    EDIT: Checking logs, I found this error in my catalina logs:

    Code:
    feb 10, 2014 9:11:24 AM org.apache.catalina.startup.ContextConfig validateSecurityRoles
    Información: ATENCIÓN: El nombre de papel de seguridad PENTAHO-ADMIN es usado en un <auth-constraint> sin haber sido definido en <security-role>
    feb 10, 2014 9:11:59 AM org.apache.catalina.core.StandardContext start
    Grave: Error listenerStart
    I don't really understand what I'm missing, can someone help me??
    Last edited by alucard1626; 02-10-2014 at 11:26 AM.

  8. #8
    Join Date
    Jan 2013
    Posts
    101


    Hi,

    I'm trying to implement LDAP for users to login. I don't see the option described in the security_guide.pdf

    From User Console Home menu, click Administration, then select Authentication from the left.

    I only see Users and Roles, Mail Server and Settings. What am I missing?

    Mike

  9. #9
    Join Date
    Mar 2013
    Posts
    22


    Quote Originally Posted by arcelio1023 View Post
    Hi,

    I'm trying to implement LDAP for users to login. I don't see the option described in the security_guide.pdf

    From User Console Home menu, click Administration, then select Authentication from the left.

    I only see Users and Roles, Mail Server and Settings. What am I missing?

    Mike
    Are you deploying Pentaho EE?? Because the security guide is for the Enterprise version, not the Community version.

  10. #10
    Join Date
    Jan 2013
    Posts
    101


    I wish EE. I'm using community. Do I have to use the manual method?

    Mike

  11. #11
    Join Date
    Mar 2013
    Posts
    22


    Quote Originally Posted by arcelio1023 View Post
    I wish EE. I'm using community. Do I have to use the manual method?

    Mike
    Yes, you have to use the manual method, because the CE version doesn't have those options for LDAP authentication in the web interface. If you make it work, share it with us please.

    UPDATE: My Pentaho 5 is now working with Active Directory authentication, but I can't make it assign the roles; I have no access to administration, nor to create new analyses. I will post my configuration later.
    Last edited by alucard1626; 02-14-2014 at 04:51 PM.

  12. #12
    Join Date
    Jan 2013
    Posts
    101


    Thanks look forward to it.

  13. #13
    Join Date
    Mar 2013
    Posts
    22


    First let me tell you some details of my deployment: I have Active Directory as my LDAP, and there I have some Distribution Groups that act as roles for my Pentaho. In the following code, "Pentaho-*" are the roles, "pentaho.admin" is my LDAP user that can access the directory to read it, "Pentaho-Admin" is my LDAP group where all the administrators for Pentaho are added, and "Pentaho-User" is my LDAP group that filters the AD users that can access the Pentaho platform; also, the "Pentaho-*"-like groups in my AD are supposed to be for ACLs on the folders, so people in each group can have access only to their specific folder to save reports. Now, here are the files:


    applicationContext-security-ldap.properties
    Code:
    contextSource.providerUrl=ldap://pentaho_server:389/dc=domain,dc=local
    contextSource.userDn=CN=Pentaho Admin,OU=Usuarios,DC=domain,DC=local
    contextSource.password=*omitted*
    userSearch.searchBase=
    userSearch.searchFilter=(&(sAMAccountName={0})(memberOf=CN=Pentaho-User,OU=Grupos,DC=domain,DC=local))
    
    
    populator.convertToUpperCase=false
    populator.groupRoleAttribute=cn
    populator.groupSearchBase=ou=grupos
    populator.groupSearchFilter=(member={0})
    populator.rolePrefix=
    populator.searchSubtree=yes
    
    
    allAuthoritiesSearch.roleAttribute=cn
    allAuthoritiesSearch.searchBase=ou=grupos
    allAuthoritiesSearch.searchFilter=(cn=Pentaho-*)
    
    
    allUsernamesSearch.usernameAttribute=sAMAccountName
    allUsernamesSearch.searchBase=ou=empresa
    allUsernamesSearch.searchFilter=(objectClass=person)
    
    
    adminRole=cn=Pentaho-Admin,ou=grupos,dc=domain,dc=local
    adminUser=cn=pentaho admin,ou=usuarios,dc=domain,dc=local

    applicationContext-spring-security-ldap.xml
    Code:
    *omitted*
        <!-- map ldap role to pentaho security role -->
        <util:map id="ldapRoleMap">
            <entry key="${ldap.adminRole}" value="Pentaho-Admin"/>
        </util:map>
        <bean id="ldapRoleMapper"
              class="org.pentaho.platform.engine.security.DefaultLdapRoleMapper">
            <constructor-arg>
                <ref local="ldapRoleMap"/>
            </constructor-arg>
        </bean>
      <!--
        LDAP is different from JDBC and others in that its authenticationProvider does not delegate to a
        userDetailsService. While the others use org.springframework.security.providers.dao.DaoAuthenticationProvider which
        does the password check, LDAP binds as the user to check the password.  Because userDetailsService isn't used by
        authenticationProvider, defaultRole property of populator bean must be supplied to automatically inject a default
        role. This bean is actually not used in this file but instead in applicationContext-pentaho-security-ldap.xml.
        In that file, userRoleListService uses this bean for fetching roles for a user (e.g. during scheduled jobs).
      -->
      <bean id="ldapUserDetailsService" class="org.pentaho.platform.engine.security.DefaultRoleUserDetailsServiceDecorator">
        <property name="userDetailsService" ref="ldapUserDetailsService0" />
        <property name="defaultRole" ref="defaultRole" />
        <property name="roleMapper" ref="ldapRoleMapper" />
        <pen:publish as-type="INTERFACES">
          <pen:attributes>
            <pen:attr key="providerName" value="ldap"/>
          </pen:attributes>
        </pen:publish>
      </bean>
      <bean class="org.pentaho.platform.config.SolutionPropertiesFileConfiguration">
        <constructor-arg value="ldap"/>
        <constructor-arg value="applicationContext-security-ldap.properties"/>
        <pen:publish as-type="INTERFACES"/>
      </bean>
    </beans>

    applicationContext-spring-security.xml
    Code:
    *omitted*
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/.*require-js-cfg.js\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/js/require.js\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/js/require-cfg.js\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/content/data-access/resources/gwt/.*css\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/webcontext.js.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/content/common-ui/resources/web/cache/cache-service.js.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/cacheexpirationservice.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/js/theme.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/content/common-ui/resources/themes/.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/content/common-ui/resources/web/dojo/djconfig.js.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/content/pentaho-mobile/resources/.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/docs/.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/mantlelogin/.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/mantle/mantleloginservice/*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/mantle/.*\Z=Authenticated,PENTAHO-USER
    \A/welcome/.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/public/.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/login.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/ping/alive.gif.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/j_spring_security_check.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/getimage.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/getresource.*\Z=Anonymous,Authenticated,PENTAHO-USER
    \A/admin.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/auditreport.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/auditreportlist.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/versioncontrol.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/propertieseditor.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/propertiespanel.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/subscriptionadmin.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/resetrepository.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/viewaction.*solution.admin.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/scheduleradmin.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/publish.*\Z=Administrator,Admin,PENTAHO-ADMIN
    \A/logout.*\Z=Anonymous
    \A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
    \A/solutionrepositoryservice.*solution=system.*component=delete.*\Z=Nobody
    .*system.*pentaho.xml.*=Nobody
    .*system.*applicationcontext.*.xml.*=Nobody
    .*system.*pentahoobjects.spring.xml.*=Nobody
    .*system.*pentahosystemconfig.xml.*=Nobody
    .*system.*adminplugins.xml.*=Nobody
    .*system.*plugin.properties.*=Nobody
    .*system.*sessionstartupactions.xml.*=Nobody
    .*system.*systemlisteners.xml.*=Nobody
    .*system.*hibernate.*=Nobody
    .*system.*birt/.*=Nobody
    .*system.*dialects/.*=Nobody
    .*system.*google/.*=Nobody
    .*system.*jasperreports/.*=Nobody
    .*system.*kettle/.*=Nobody
    .*system.*logs/.*=Nobody
    .*system.*mondrian/.*=Nobody
    .*system.*quartz/.*=Nobody
    .*system.*simple-jndi/.*=Nobody
    .*system.*smtp-email/.*=Nobody
    .*system.*ui/.*=Nobody
    .*system.*\.\./.*=Nobody
    \A/.*\Z=Authenticated,PENTAHO-USER
           ]]>
    *omitted*

    pentahoObjects.spring.xml
    Code:
    *omitted*    
      <bean id="Mondrian-UserRoleMapper"
            name="Mondrian-One-To-One-UserRoleMapper"
            class="org.pentaho.platform.plugin.action.mondrian.mapper.MondrianOneToOneUserRoleListMapper"
            scope="singleton" />
      <!--
     This sample mapper assumes that a translator is needed (in the form of a Map) to map a platform role to a mondrian role
     Note- Key = platform role, value = mondrian role
     <bean id="Mondrian-UserRoleMapper"
           name="Mondrian-SampleLookupMap-UserRoleMapper"
           class="org.pentaho.platform.plugin.action.mondrian.mapper.MondrianLookupMapUserRoleListMapper"
           scope="singleton">
       <property name="lookupMap">
         <map>
           <entry key="ceo" value="M_CEO" />
           <entry key="cto" value="M_CTO" />
           <entry key="dev" value="M_DEV" />
         </map>
       </property>
     </bean>
      -->
      <!--
      This sample mapper assumes that every user has their mondrian roles in their session under then named session variable
      <bean id="Mondrian-UserRoleMapper"
            name="Mondrian-SampleUserSession-UserRoleMapper"
            class="org.pentaho.platform.plugin.action.mondrian.mapper.MondrianUserSessionUserRoleListMapper"
            scope="singleton">
        <property name="sessionProperty" value="MondrianUserRoles" />
      </bean>
      -->
    *omitted*

    repository.spring.properties
    Code:
    singleTenantAdminDefaultUserName=pentaho.admin
    singleTenantAdminUserName=pentaho.admin
    singleTenantAdminDefaultAuthorityName=Administrator
    singleTenantAdminAuthorityName=Administrator
    repositoryAdminUsername=pentahoRepoAdmin
    singleTenantAuthenticatedAuthorityName=Pentaho-User
    singleTenantAnonymousAuthorityName=Anonymous
    superAdminAuthorityName=Pentaho-Admin
    superAdminUserName=pentaho.admin
    systemTenantAdminUserName=system
    systemTenantAdminPassword=cGFzc3dvcmQ=

    security.properties
    Code:
    provider=ldap

    pentaho-solutions/system/marketplace/settings.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <settings>
        <marketplace-site>http://marketplace.pentaho.com/marketplace-plugins.xml</marketplace-site>
       <telemetry-site>http://marketplace.pentaho.com/telemetry-servlet/telemetry</telemetry-site>
       <marketplace-roles>Administrator,Admin,Pentaho-Admin</marketplace-roles>
    </settings>

    With this configuration I can authenticate with all the AD users that are in the "Pentaho-User" group in my AD, enter administration with only the members of the "Pentaho-Admin" AD group, create new analyses, jpivot, and install plugins from the marketplace. The only problem I've seen so far is that I can't assign roles to the folders (the roles are mapped with my Pentaho-*-like AD groups); maybe someone can help me resolve that. The error I get is this:
    [attached screenshot: error_p.jpg]
    I'll keep testing this configurations, any update i will post it.
    Last edited by alucard1626; 02-21-2014 at 12:45 PM.
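The role substitution reported in post #2 (PentahoAdmins becoming Administrator after login), the ldapRoleMap entry keyed on ${ldap.adminRole} that post #6 and post #13 point at, and the URL-pattern block from post #4 can be checked together offline. The script below is an added example, not Pentaho's code: it models the mapping, parses a constructed subset of the objectDefinitionSource block, and reports which URLs an LDAP admin can still reach before and after post #4's fix. Assumptions: the map is keyed on the cn of the adminRole DN (because populator.groupRoleAttribute=cn), which simplifies DefaultLdapRoleMapper's real matching; the first matching pattern wins and the line is split on its last '='; pass pentaho_admin_role="Pentaho-Admin" to model post #13's map instead of the stock Administrator value.

```python
import re

# Constructed sample: the two properties from post #1's
# applicationContext-security-ldap.properties that the mapping depends on.
LDAP_PROPERTIES = {
    "adminRole": "cn=PentahoAdmins,ou=mygroups,o=myorganization,o=eu",
    "populator.groupRoleAttribute": "cn",
}

# Constructed sample: a subset of post #4's objectDefinitionSource block, with
# the admin URL still keyed on the LDAP group name as it was in post #1.
OBJECT_DEFINITION_SOURCE = r"""CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/mantle/.*\Z=all_users
\A/admin.*\Z=PentahoAdmins
\A/publish.*\Z=Administrator
\A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
.*system.*pentaho.xml.*=Nobody
\A/.*\Z=all_users
"""

def rdn_value(dn, attr):
    """Value of the first RDN in `dn` whose attribute is `attr` (case-insensitive)."""
    for rdn in dn.split(","):
        name, _, value = rdn.partition("=")
        if name.strip().lower() == attr.lower():
            return value.strip()
    return None

def build_role_map(ldap_properties, pentaho_admin_role="Administrator"):
    """Model of the ldapRoleMap entry {${ldap.adminRole}: Administrator}.
    Assumption: with populator.groupRoleAttribute=cn the populator grants the
    group's cn, so the map is keyed on that cn rather than the full DN.  This is
    a simplification, not DefaultLdapRoleMapper's actual matching logic."""
    attr = ldap_properties["populator.groupRoleAttribute"]
    return {rdn_value(ldap_properties["adminRole"], attr): pentaho_admin_role}

def map_roles(granted, role_map):
    """The substitution post #2 observed: PentahoAdmins becomes Administrator."""
    return [role_map.get(role, role) for role in granted]

def parse_object_definition_source(text):
    """Parse 'pattern=attr1,attr2' lines.  The split is on the LAST '=' so that
    patterns containing '=' (the solutionrepositoryservice rules) stay intact."""
    lowercase, rules = False, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
            continue
        pattern, _, attrs = line.rpartition("=")
        rules.append((re.compile(pattern), [a.strip() for a in attrs.split(",")]))
    return lowercase, rules

def attributes_for(url, lowercase, rules):
    """First matching rule wins, which is why the block ends with the catch-all."""
    if lowercase:
        url = url.lower()
    for regex, attrs in rules:
        if regex.fullmatch(url):
            return attrs
    return None

def is_allowed(url, roles, lowercase, rules):
    """Access requires at least one granted role among the rule's attributes."""
    attrs = attributes_for(url, lowercase, rules)
    return attrs is not None and any(role in attrs for role in roles)

def apply_role_map_to_source(text, role_map):
    """Post #4's fix done mechanically: name the mapped Pentaho role
    (Administrator) in the URL rules instead of the raw LDAP group name."""
    out = []
    for line in text.splitlines():
        if "=" not in line:
            out.append(line)
            continue
        pattern, _, attrs = line.rpartition("=")
        out.append(pattern + "=" + ",".join(role_map.get(a.strip(), a.strip()) for a in attrs.split(",")))
    return "\n".join(out)

if __name__ == "__main__":
    role_map = build_role_map(LDAP_PROPERTIES)
    effective = map_roles(["PentahoAdmins", "all_users"], role_map)  # -> ['Administrator', 'all_users']
    fixed = apply_role_map_to_source(OBJECT_DEFINITION_SOURCE, role_map)
    for label, src in (("as configured", OBJECT_DEFINITION_SOURCE), ("after the fix", fixed)):
        lowercase, rules = parse_object_definition_source(src)
        for url in ("/admin", "/publish", "/Mantle/home", "/pentaho-solutions/system/pentaho.xml"):
            verdict = "allowed" if is_allowed(url, effective, lowercase, rules) else "DENIED"
            print(f"{label:14s} {url:40s} requires {attributes_for(url, lowercase, rules)} -> {verdict}")
```

Run as is, /admin is DENIED for the mapped admin while /publish is allowed, which is exactly the asymmetry post #1 saw; after the fix both are allowed and the Nobody rules still block the system files.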

  14. #14
    Join Date
    Feb 2014
    Posts
    5


    Together with our sysadmin I've been working on getting Pentaho BI Server running with Active Directory based LDAP authentication. In the end, it all came down to adapting only 3 files:
    • biserver-ce/pentaho-solutions/system/applicationContext-security-ldap.properties
    • biserver-ce/pentaho-solutions/system/security.properties
    • biserver-ce/pentaho-solutions/system/repository.spring.properties


    Full details can be found on http://tech.sid3windr.be/2014/02/lin...ive-directory/

  15. #15
    Join Date
    Jan 2013
    Posts
    101

    Default

    Great work and information. I wish there were more contributions like this.

    One question/request can you highlight which parts of the 3 files have to be changed/added to from the original to work for a particular AD domain.

    Mike

  16. #16
    Join Date
    Apr 2014
    Posts
    12

    Default

    Hi all,


    I've been trying to set up my BI server (biserver-ce-5.0.1) to work with our existing Active Directory server and thanks to all the hard work and investigations by users in this thread I'm now able to authenticate users successfully.


    The problem I now face is that when I go to the admin screens, I have none of my AD roles available to assign to the directories / reports. Has anybody managed to get this version working with the AD roles as I see it was an issue a few posts back?


    Also, do people know which of the properties from applicationContext-security-ldap.properties is actually used to populate the roles window in the admin console as this may simply be my issue?


    Thanks.

  17. #17
    Join Date
    Mar 2013
    Posts
    22

    Default

    Quote Originally Posted by nathanb View Post
    Hi all, I've been trying to set up my BI server (biserver-ce-5.0.1) to work with our existing Active Directory server and thanks to all the hard work and investigations by users in this thread I'm now able to authenticate users successfully. The problem I now face is that when I go to the admin screens, I have none of my AD roles available to assign to the directories / reports. Has anybody managed to get this version working with the AD roles as I see it was an issue a few posts back? Also, do people know which of the properties from applicationContext-security-ldap.properties is actually used to populate the roles window in the admin console as this may simply be my issue? Thanks.
    Well, with the configurations I previously posted, my roles list gets populated with my AD groups, but I have the problem that I can't assign them because they give me some error when applying changes; haven't resolved it yet.

  18. #18
    Join Date
    Apr 2014
    Posts
    7

    Default

    Hello,
    I have a problem. I was able to configure Pentaho and authenticate my userID against LDAP to enter the console in Pentaho 5.0, but I do not have the Administration role. My userID was given Administrator privileges before.

    Also I would like to know, keeping the LDAP configuration working with my userID, can I keep my previous 'admin' user working as well?

    Please help me out with this issue.
    Last edited by reviliant; 04-30-2014 at 06:10 PM.

  19. #19
    Join Date
    Apr 2014
    Posts
    12

    Default

    Hi,

    I finally got around to looking at this again today. I now finally have everything working correctly in my setup. I spent a lot of time using the Microsoft tool ldp.exe to refine my LDAP queries. Once I got them just right, the Pentaho set-up worked just fine.

    alucard1626 - With regard to your error of not being able to assign permissions to the folders, I had the exact same issue today. The pop-up saying "Sorry. You cannot do that right now". The AD roles I was trying to assign were of the format "Pentaho-<company>-reports". For some reason Pentaho was getting upset by the role having 2 minus signs in it. I changed the names to "Pentaho_<company>_reports" and the problem went away after a restart. (I changed the minus signs to underscores). Hope that helps.

  20. #20
    Join Date
    Jun 2009
    Posts
    22

    Default

    Thanks for this post Nathan. I've been having trouble with assigning permissions for a while and I also had AD groups with a hyphen like "Pentaho - Users". I changed these today to remove the hyphens and it now works like I was expecting it to. Never would have guessed that was the problem.

  21. #21
    Join Date
    Apr 2014
    Posts
    12

    Default

    Hi again,

    I've now come across another error that didn't exist before I moved the security to ldap/AD roles.

    None of my "users" can create anything in their home directories. The "admin users" can create content quite happily though.

    For example, when a standard user tries to create a folder a popup appears saying "You do not have permission to create this folder". An error also appears in the catalina.log:

    Code:
    15-May-2014 15:59:40 com.sun.jersey.spi.container.ContainerResponse mapMappableContainerException
    SEVERE: The RuntimeException could not be mapped to a response, re-throwing to the HTTP container
    org.pentaho.platform.api.repository2.unified.UnifiedRepositoryAccessDeniedException: access denied while creating folder with name "Test"

    Reference number: f4bf7ec2-379c-4f6a-ae61-22713bd064e7
    I've tried everything I can think of to fix this but no luck. Has anyone else come across this problem since moving security to LDAP and have a solution?

    Thanks.

  22. #22
    Join Date
    Apr 2014
    Posts
    12

    Default

    I fixed my above issue. It was very simple! I just needed to go into the Administration pages in the PUC as my admin user and tick the "Create Content" option against the AD user role!

    Attachment 13321

  23. #23
    Join Date
    Mar 2009
    Posts
    205

    Default

    Hello !

    I have been successful implementing LDAP with Pentaho 5, following you advices.

    I have only one thing not working.

    When users that are not admin (but members of my "all_users" group) log in for the first time, their /home directory is not created. Even if I create it manually and give them the rights to use it, they can't see it.

    Do you have any ideas where I should look?

    My repository.spring.properties looks exactly like yours (except for my admin user and all_user group):

    Thanks!

    ** Addendum: The Home folder is being created, with the correct owner and security, but the user still cannot see it.

    Code:
    #Tue Mar 26 17:50:44 EDT 2013
    singleTenantAdminDefaultUserName=iconcerttask
    singleTenantAdminUserName=iconcerttask
    singleTenantAdminDefaultAuthorityName=Administrator
    singleTenantAdminAuthorityName=Administrator
    repositoryAdminUsername=pentahoRepoAdmin
    singleTenantAuthenticatedAuthorityName=pentaho_user
    singleTenantAnonymousAuthorityName=Anonymous
    superAdminAuthorityName=SysAdmin
    superAdminUserName=super
    systemTenantAdminUserName=system
    systemTenantAdminPassword=cGFzc3dvcmQ=
    Last edited by haubuchon; 05-20-2014 at 06:55 PM.

  24. #24
    Join Date
    Apr 2014
    Posts
    12

    Default

    Hi haubuchon

    Have you logged in to the Pentaho user console as your admin user and gone to the admin pages and made sure your "all_users" group has the "Read Content" and "Create Content" options ticked as in my screenshot above? I spent ages looking at config files and all I needed to do was tick these 2 boxes!

  25. #25
    Join Date
    Mar 2009
    Posts
    205

    Default

    Thanks for the advice! I did not even see this post.

    Unfortunately, Read and Create were already checked. But one thing is different. My pentaho_Users is listed under "System Roles" and not "Manage Roles".

    The user cannot even see the /home folder.

    The log shows:

    Code:
    SEVERE: The RuntimeException could not be mapped to a response, re-throwing to the HTTP container
    java.lang.NullPointerException
    	at org.pentaho.platform.plugin.services.metadata.PentahoMetadataDomainRepository.internalReloadDomains(PentahoMetadataDomainRepository.java:432)
    	at org.pentaho.platform.plugin.services.metadata.PentahoMetadataDomainRepository.getDomainIds(PentahoMetadataDomainRepository.java:329)
    	at org.pentaho.platform.plugin.services.metadata.SessionCachingMetadataDomainRepository.getDomainIds(SessionCachingMetadataDomainRepository.java:356)
    	at org.pentaho.platform.dataaccess.datasource.wizard.service.impl.DatasourceResource.getMetadataDatasourceIds(DatasourceResource.java:120)
    BTW, I figured out how to list the roles recursively. If you are still looking for a way, I'll post my solution (nothing to do with MS AD special LDAP codes).

    Hugues

  26. #26
    Join Date
    Mar 2009
    Posts
    205

    Default

    Got it!

    For some reason, the /Home folder had the group "Authenticated" as the allowed read group. It should have been my "pentaho_user" group.

    I think it's probably because I had not changed singleTenantAuthenticatedAuthorityName in my property file the first time I fired up pentaho.

    I think we should publish a book on this subject ;-)

    As for the recursive listing of users and groups, you need to modify the file:
    system\applicationContext-pentaho-security-ldap.xml

    and add some info in those two beans (the whole block beginning with <constructor-arg index="2">):

    In the end, you should have (note, I did not include the whole XML, only the beginning part):

    HTML Code:
    <bean id="allUsernamesSearch" class="org.pentaho.platfor...>
        <constructor-arg index="0" ref="contextSource" />
        <constructor-arg index="1">
          <bean class="org.pentaho.platform.plugin….">
            <constructor-arg index="0" value="${allUsernamesSearch.searchBase}" />
            <constructor-arg index="1" value="${allUsernamesSearch.searchFilter}" />
            <constructor-arg index="2">
              <bean class="javax.naming.directory.SearchControls">
                <property name="searchScope" value="2" />
              </bean>
            </constructor-arg>
          </bean>
    ...
    and

    HTML Code:
    <bean id="allAuthoritiesSearch" class="org.pentaho.platform.plugin...">
       <constructor-arg index="0" ref="contextSource" />
       <constructor-arg index="1">
        <bean class="org.pentaho.platform.plug...">
          <constructor-arg index="0" value="${allAuthoritiesSearch.searchBase}" />
          <constructor-arg index="1" value="${allAuthoritiesSearch.searchFilter}" />
          <constructor-arg index="2">
            <bean class="javax.naming.directory.SearchControls">
            <property name="searchScope" value="2" />
            </bean>
          </constructor-arg>
        </bean>
      </constructor-arg>
    ...

  27. #27
    Join Date
    Jan 2013
    Posts
    18

    Default Using PUC Version 5.4.0.1.130

    After following all the suggestions in here I was still unable to even load the login page. Scanning through the logs I saw several jackrabbit errors. It seems that the admin ID in Security/LoginModule in "pentaho-solutions/system/jackrabbit/repository.xml" needs to be the same as the repository admin username in "pentaho-solutions/system/repository.spring.properties". There's nothing about this in the official Pentaho documentation that I've seen (https://help.pentaho.com/Documentati...P0/150/010/030) but it works for me.

    pentaho-solutions/system/jackrabbit/repository.xml

    HTML Code:
    <LoginModule class="org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityLoginModule">      
      <!--        
        anonymous user name ('anonymous' is the default value)      
      -->     
     <param name="anonymousId" value="anonymous"/>      
     <!--        
       administrator user id (default value if param is missing is 'admin')      
      -->     
     <param name="adminId" value="john.cobley"/> <!-- << This is the entry you need to check -->
     
      <param name="principalProvider"                          
          value="org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityPrincipalProvider"/>      
      <!-- 
        comma separated list of pre-authentication tokens, one per application 
      -->      
      <param name="preAuthenticationTokens" value="ZchBOvP8q9FQ"/>      
      <!-- 
        must match PentahoSessionCredentialsStrategy.ATTR_PRE_AUTHENTICATION_TOKEN 
      -->      
      <param name="trust_credentials_attribute" value="pre_authentication_token"/>
    </LoginModule>
    pentaho-solutions/system/repository.spring.properties
    Code:
    #Tue Mar 26 17:50:44 EDT 2013
    singleTenantAdminDefaultUserName=john.cobley
    singleTenantAdminUserName=john.cobley
    singleTenantAdminDefaultAuthorityName=IT
    singleTenantAdminAuthorityName=IT
    # << This is the entry you need to check (a '#' only starts a comment at line start in a .properties file)
    repositoryAdminUsername=john.cobley
    singleTenantAuthenticatedAuthorityName=uk_users
    singleTenantAnonymousAuthorityName=Anonymous
    superAdminAuthorityName=IT
    superAdminUserName=john.cobley
    systemTenantAdminUserName=john.cobley
    systemTenantAdminPassword=Test1234
    cache-size=100
    cache-ttl=300
    # This is the property to enable/disable multi byte encoding in the repository
    # This property can only be changed to "true" if you are installing it fresh. For upgrades,
    # this must be set to false.
    useMultiByteEncoding=false
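    A small consistency check for the two pitfalls this thread settles on: posts #19/#20 (AD group names containing a hyphen could not be assigned to folders) and post #27 (the Jackrabbit adminId must equal repositoryAdminUsername). This is an added example in Python, not Pentaho's own code; the file contents are constructed samples modelled on the ones quoted above, and the checker assumes the files keep the formats shown in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the files quoted in this thread (not real deployment data).
REPOSITORY_XML = """<Security appName="Jackrabbit">
  <LoginModule class="org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityLoginModule">
    <param name="anonymousId" value="anonymous"/>
    <param name="adminId" value="john.cobley"/>
  </LoginModule>
</Security>"""
BAD_PROPS = """#Tue Mar 26 17:50:44 EDT 2013
repositoryAdminUsername=pentahoRepoAdmin
singleTenantAuthenticatedAuthorityName=Pentaho-User
superAdminAuthorityName=Pentaho-Admin
"""
GOOD_PROPS = BAD_PROPS.replace("pentahoRepoAdmin", "john.cobley").replace("-", "_")
ROLE_KEYS = ("singleTenantAdminAuthorityName", "singleTenantAuthenticatedAuthorityName", "superAdminAuthorityName")

def parse_properties(text):
    # Minimal Java .properties reader: '#' or '!' starts a comment only at line start,
    # so a trailing "# note" after a value would become part of the value.
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def jackrabbit_admin_id(xml_text):
    # adminId of the Jackrabbit LoginModule; Jackrabbit falls back to 'admin' when absent.
    for param in ET.fromstring(xml_text).iter("param"):
        if param.get("name") == "adminId":
            return param.get("value")
    return "admin"

def check_config(xml_text, props_text, extra_roles=()):
    # Returns a list of findings; an empty list means both pitfalls from the thread are avoided.
    props = parse_properties(props_text)
    problems = []
    admin_id, repo_admin = jackrabbit_admin_id(xml_text), props.get("repositoryAdminUsername")
    if admin_id != repo_admin:
        problems.append(f"adminId {admin_id!r} != repositoryAdminUsername {repo_admin!r}")
    # Posts #19/#20: roles whose names contain '-' could not be assigned to folders.
    for name in [props[k] for k in ROLE_KEYS if k in props] + list(extra_roles):
        if "-" in name:
            problems.append(f"role {name!r} contains a hyphen; try {name.replace('-', '_')!r}")
    return problems
```

    Pass the group names returned by your own directory search as extra_roles to catch hyphenated AD groups that are not referenced in the properties file.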
