Hitachi Vantara Pentaho Community Forums

Thread: BI 5.1 CE: LDAP Demystified

  1. #1 (Join Date: Apr 2012, Posts: 253)

    BI 5.1 CE: LDAP Demystified

    Situation:

    Untouched 5.1.0.752 BI-SERVER CE Installation
    AD running on Windows 2008 server
    Windows 7 Pro (bi-server)

    Caveat: This is just what I experienced. Different situations will doubtlessly create different problems.

    Caveat #2: This is for admins who want to keep their repository on Jackrabbit and perform authorization with LDAP.

    Steps:

    1. Log in to the server as admin/password.
    2. Create a user which duplicates the sAMAccountName user on the AD server who is part of the Pentaho admin group you've presumably set up. Give them full administrator privileges. For the rest of the post I'll refer to them as newAdmin.
    3. Log out.
    4. Shut down the server.
    5. Modify the first two lines of /bi-server/pentaho-solutions/system/repository-spring.properties as so:

    singleTenantAdminDefaultUserName=newAdmin
    singleTenantAdminUserName=newAdmin

    6. Restart the server. Log in as newAdmin and see that things work.
    7. OPTIONAL: Delete the admin, suzy, tiffany, etc. users. This ensures less confusion.
    8. Shut down the server.
    9. Edit /bi-server/pentaho-solutions/system/applicationContext-security-ldap.properties
    10. This is the hard part; you need to ensure everything is good. Here is my config:

    Code:
    contextSource.providerUrl=ldap\://<servername>\:389
    contextSource.userDn=newadmin@<subdomain>.<domain, usually local>
    # bind password for the service account, stored in clear text: restrict this file's permissions
    contextSource.password=password
    
    userSearch.searchBase=DC=<subdomain>,DC=<domain, usually local>
    userSearch.searchFilter=(sAMAccountName={0})
    
    populator.convertToUpperCase=false
    populator.groupRoleAttribute=cn
    populator.groupSearchBase=ou=Reporting,ou=Security Groups,DC=<subdomain>,DC=<domain, usually local>
    # {0} in the group filter is the authenticated user's full DN (Spring's populator), not the login name
    populator.groupSearchFilter=(member=\{0\})
    populator.rolePrefix=
    populator.searchSubtree=true
    
    allAuthoritiesSearch.roleAttribute=cn
    allAuthoritiesSearch.searchBase=ou=Reporting,ou=Security Groups,DC=<subdomain>,DC=<domain, usually local>
    allAuthoritiesSearch.searchFilter=(objectClass=group)
    
    allUsernamesSearch.usernameAttribute=sAMAccountName
    allUsernamesSearch.searchBase=dc=<subdomain>,dc=<domain, usually local>
    # 805306368 (0x30000000) is SAM_NORMAL_USER_ACCOUNT: matches user objects only, not computers or groups
    allUsernamesSearch.searchFilter=(samAccountType=805306368)
    
    adminRole=cn=RPT_ADMIN,ou=Reporting,ou=Security Groups,dc=<subdomain>,dc=<domain, usually local>
    adminUser=cn=newAdmin,cn=Users,dc=<subdomain>,dc=<domain, usually local>

    Guaranteed, this is not going to work for you. I suggest getting an LDAP tool to explore your network AD repository,
    and you can refer to these:

    http://www.selfadsi.org/extended-ad/...r-accounts.htm some info on AD
    https://confluence.atlassian.com/dis...search+filters about Atlassian, but good stuff
    http://www.ldapadministrator.com/ a good Windows-based LDAP explorer.
    http://www.joeware.net/freetools/tools/adfind/index.htm Windows command-line explorer; accepts the filters you'll need to use with applicationContext-security-ldap.properties above

    FINALLY: Edit /bi-server/pentaho-solutions/system/security.properties such that it looks like this:

    #provider=jackrabbit
    provider=ldap

    That's literally all you have to do. If your LDAP properties file is set up properly, you should be able to restart the server and log in as newAdmin.
    If it doesn't work, you are going to have to get a deeper understanding of LDAP or ask one of your IT guys for help.

    So the big change is that you don't have to modify applicationContext-spring-security.xml unless you want to add some differing basic security options.

    ADDITION:

    You will have to change applicationContext-pentaho-security-ldap.xml. Thanks to haubuchon.

    Code:
    <bean id="allUsernamesSearch"
          class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
      <constructor-arg index="0" ref="contextSource" />
      <constructor-arg index="1">
        <bean
            class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.LdapSearchParamsFactoryImpl">
          <constructor-arg index="0" value="${ldap.allUsernamesSearch.searchBase}" />
          <constructor-arg index="1" value="${ldap.allUsernamesSearch.searchFilter}" />
          <!-- start FIX 8/14/2014 -->
          <constructor-arg index="2">
            <bean class="javax.naming.directory.SearchControls">
              <!-- 2 = SearchControls.SUBTREE_SCOPE: search the whole subtree under searchBase,
                   not just its immediate children (1 = ONELEVEL_SCOPE, 0 = OBJECT_SCOPE) -->
              <property name="searchScope" value="2" />
            </bean>
          </constructor-arg>
          <!-- end FIX 8/14/2014 -->
        </bean>
      </constructor-arg>
      <constructor-arg index="2">
        <bean
            class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.SearchResultToAttrValueList">
          <constructor-arg index="0" value="${ldap.allUsernamesSearch.usernameAttribute}" />
        </bean>
      </constructor-arg>
    </bean>

    Note the FIX comments; those contain the lines to change. This enables you to view LDAP users and assign them security when controlling properties.
    Last edited by flamierd; 08-14-2014 at 12:38 PM.

  2. #2 (Join Date: Apr 2014, Posts: 12)

    Very clear and useful thread. Thank you.

    I had LDAP working with Jackrabbit, but after deleting my repository I was unable to start the BI server with LDAP enabled. Your thread explained why.

  3. #3 (Join Date: Jun 2007, Posts: 103)

    Hi flamierd

    I won't say that I agree with the word "demystified"; however, you made this as clear as LDAP/AD can be. Thank you for this post - it kept me moving in what was ultimately the right direction. With my lack of LDAP/AD skills I was able to take your steps and work them for my office. I'm pleasantly surprised how few files needed to be modified to get this going.

    Now my next question is this: if the user has already logged on to LDAP/AD (i.e. they've logged into our network), how do I bypass the Pentaho login dialog?

    Thanks again
    - rlm
    Last edited by rlmagidson; 10-22-2014 at 02:26 PM.

  4. #4 (Join Date: Apr 2012, Posts: 253)

    My best guess is that you'll have to find and dissect the login JSP, examine the function calls, and duplicate them. I know what you are looking for: the same functionality that exists with SSRS and other Microsoft-based systems. The login JSP should be in the webapps/pentaho directory somewhere.

    Get the username and auth automatically, as they should already be logged into AD. Not sure if this is a good idea, as it probably can produce a security hole or force users to use IE, which isn't my favorite browser.

    BTW, I am still working on fixing the fact that they can log in with camel case and create a second user directory, i.e. it validates fine with User, uSer and usEr and creates 3 different user directories.
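The camel-case problem described in the post above, reproduced and fixed as an added example (not code from the poster or from Pentaho). The block models the AD users container with a constructed in-memory list and evaluates the post's `(sAMAccountName={0})` filter the way AD does, with a case-insensitive match, so it runs offline; entry names and DNs are hypothetical. It shows why User, uSer and usEr all authenticate, why keying the repository folder by the typed name yields three folders, and the fix of keying it by the sAMAccountName value the directory returns. Because a login name is substituted into a filter, the block also shows the RFC 4515 escaping a proper {0} substitution applies, against what a naive string replace (for instance in a home-grown login page) would allow.

```python
"""Why 'User', 'uSer' and 'usEr' all authenticate yet produce three repository
folders, and how to collapse them. Added example, not code from the post or from
Pentaho: a tiny in-memory stand-in for the AD users container and a single-assertion
evaluator for filters of the form (attr={0}), so the behaviour can be run offline.
Entries, DNs and names are constructed and hypothetical."""
import re

# Constructed directory; only the attributes the post's user filter touches are modelled.
DIRECTORY = [
    {"dn": "cn=newAdmin,cn=Users,dc=corp,dc=example,dc=local", "sAMAccountName": "newAdmin"},
    {"dn": "cn=User,cn=Users,dc=corp,dc=example,dc=local", "sAMAccountName": "User"},
]
USER_FILTER = "(sAMAccountName={0})"     # the post's userSearch.searchFilter


def escape_filter_value(value):
    """RFC 4515 escaping of a value substituted into a filter: * ( ) \\ and NUL become \\xx,
    so a login name can neither widen the match nor alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def value_to_regex(assertion):
    """Filter assertion value -> regex: an unescaped '*' is a wildcard, '\\xx' is a literal."""
    parts, i = [], 0
    while i < len(assertion):
        c = assertion[i]
        if c == "\\" and i + 2 < len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(".*" if c == "*" else re.escape(c))
            i += 1
    return "".join(parts)


def search(template, username, escape=True):
    """Substitute {0} (escaped, as a proper substitution does, or raw, as a naive string
    replace would) and evaluate the single (attr=value) filter. Matching is case-insensitive,
    as AD's sAMAccountName matching is; that is why the three spellings all succeed."""
    flt = template.replace("{0}", escape_filter_value(username) if escape else username)
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if m is None:
        raise ValueError("only single (attr=value) filters are modelled: " + flt)
    attr, rx = m.group(1), value_to_regex(m.group(2))
    return [e for e in DIRECTORY
            if isinstance(e.get(attr), str) and re.fullmatch(rx, e[attr], re.IGNORECASE)]


def home_folder_as_typed(username):
    """What the post reports: the name as typed at login becomes the folder name."""
    return username if search(USER_FILTER, username) else None


def home_folder_canonical(username):
    """Fix: key the folder by the sAMAccountName value AD returns, not the typed one."""
    hits = search(USER_FILTER, username)
    return hits[0]["sAMAccountName"] if hits else None


def folders_created(folder_fn, logins):
    """Distinct folder names a sequence of logins would create under folder_fn."""
    return sorted({f for f in map(folder_fn, logins) if f})


if __name__ == "__main__":
    logins = ["User", "uSer", "usEr"]
    print("as typed :", folders_created(home_folder_as_typed, logins))    # three folders
    print("canonical:", folders_created(home_folder_canonical, logins))   # one folder
    print("raw '*'  :", len(search(USER_FILTER, "*", escape=False)), "entries match")
    print("escaped  :", len(search(USER_FILTER, "*")), "entries match")
```

The canonical variant is the same idea as mapping the authenticated principal to the directory's stored attribute before the platform creates the user's home folder; lower-casing the typed name would also merge the folders, but only the directory's value is guaranteed to be the one spelling the account actually has.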

  5. #5 (Join Date: Apr 2008, Posts: 4,696)

    Quote Originally Posted by flamierd:
        force users to use IE, which isn't my favorite browser.
    You can configure Firefox to pass NTLM information to the server. (See here)
    I'm not sure how you configure the server to understand it.

    Short answer: I can get you one step closer, but not all the way there.
    Last edited by gutlez; 10-22-2014 at 05:34 PM.


Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.