Hitachi Vantara Pentaho Community Forums

Thread: BI 5.1 CE: LDAP Demystified

  1. #1
    Join Date
    Apr 2012

    Default BI 5.1 CE: LDAP Demystified


    Untouched BI-SERVER CE Installation
    AD running on Windows 2008 server
    Windows 7 Pro (bi-server)

    Caveat: This is just what I experienced. Different situations will doubtlessly create different problems.

    Caveat#2: This is for admins who want to keep their repository on jackrabbit and perform authorization with ldap.


    1. Login to the server as admin/password.
    2. Create a user which duplicates the sAMAccountName user on the AD server who is part of the Pentaho admin group you've presumably set up. Give them full administrator privileges. For the rest of the post I'll refer to them as newAdmin.
    3. Logout.
    4. Shutdown the server.
    5. Modify the first two lines of /bi-server/pentaho-solutions/system/ as so:


    6. Restart the server. Log in as newAdmin and see that things work.
    7. OPTIONAL: Delete the admin, suzy, tiffany, etc users. This ensures less confusion.
    8. Shutdown the server.
    9. Edit /bi-server/pentaho-solutions/system/
    10. This is the hard part: you need to ensure everything is good. Here is my config:

    contextSource.userDn=newadmin@<subdomain>.<domain, usually local>
    userSearch.searchBase=DC=<subdomain>,DC=<domain, usually local>
    populator.groupSearchBase=ou=Reporting,ou=Security Groups,DC=cortera,DC=local
    allAuthoritiesSearch.searchBase=ou=Reporting,ou=Security Groups,DC=<subdomain>,DC=<domain, usually local>
    allUsernamesSearch.searchBase=dc=<subdomain>,dc=<domain usually local>
    adminRole=cn=RPT_ADMIN,ou=Reporting,ou=Security Groups,dc=<subdomain>,dc=<domain, usually local>
    adminUser=cn=newAdmin,cn=Users,dc=<subdomain>,dc=<domain, usually local>
    Guaranteed this is not going to work for you. I suggest getting an LDAP tool to explore your network's AD repository,
    and you can refer to these:
      - some info on AD (about Atlassian, but good stuff)
      - a good Windows-based LDAP explorer
      - a Windows command-line explorer that accepts the filters you'll need to use with the above

    FINALLY: Edit /bi-server/pentaho-solutions/system/ such that it looks like this:


    That's literally all you have to do. If your LDAP properties file is set up properly, you should be able to restart the server and log in as newAdmin.
    If it doesn't work, you are going to have to get a deeper understanding of ldap or ask one of your IT guys for help.

    So the big change is that you don't have to modify applicationContext-spring-security.xml unless you want to add some differing basic security options.


    You will have to change applicationContext-pentaho-security-ldap.xml. Thanks to haubuchon.

     <bean id="allUsernamesSearch">  <!-- class attribute not preserved in the post -->
        <constructor-arg index="0" ref="contextSource" />
        <constructor-arg index="1">
            <!-- enclosing bean element not preserved in the post -->
            <constructor-arg index="0" value="${ldap.allUsernamesSearch.searchBase}" />
            <constructor-arg index="1" value="${ldap.allUsernamesSearch.searchFilter}" />
            <!-- start FIX 8/14/2014 -->
            <constructor-arg index="2">
              <bean class="">  <!-- class attribute blank in the post; 2 = javax.naming.directory.SearchControls.SUBTREE_SCOPE -->
                <property name="searchScope" value="2" />
              </bean>
            </constructor-arg>
            <!-- end FIX 8/14/2014 -->
        </constructor-arg>
        <constructor-arg index="2">
            <!-- enclosing bean element not preserved in the post -->
            <constructor-arg index="0" value="${ldap.allUsernamesSearch.usernameAttribute}" />
        </constructor-arg>
     </bean>
    Note the FIX comments; those contain the lines to change. This enables you to view LDAP users and assign them security when controlling properties.
    Last edited by flamierd; 08-14-2014 at 12:38 PM.
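A consistency check for the step-10 properties, as an added example; it is not code from this thread or from Pentaho. It assumes only the property names quoted in the post (plus allUsernamesSearch.searchFilter and allUsernamesSearch.usernameAttribute, which the XML fix references) and the fact that Active Directory compares DN components and sAMAccountName case-insensitively. The sample properties are constructed, with corp.local standing in for the <subdomain>.<domain> placeholders; the real file carries further keys (provider URL, bind password) that the checker ignores. It verifies that adminUser lies under both user search bases and adminRole under both group search bases, using the subtree reach that searchScope 2 gives, and canonical_username shows the case folding that the camel-case login problem raised later in this thread calls for.

```python
"""Sanity-check the DNs in applicationContext-security-ldap.properties before
restarting the BI server.

Added example, not code from the thread or from Pentaho. Property names are
the ones quoted in the thread; 'corp.local' is a constructed stand-in for the
<subdomain>.<domain> placeholders.
"""
import re

# Constructed sample modelled on the thread's step-10 config.
SAMPLE_PROPERTIES = """\
# bind account (UPN form, which AD accepts without a full DN)
contextSource.userDn=newadmin@corp.local
userSearch.searchBase=DC=corp,DC=local
populator.groupSearchBase=ou=Reporting,ou=Security Groups,DC=corp,DC=local
allAuthoritiesSearch.searchBase=ou=Reporting,ou=Security Groups,DC=corp,DC=local
allUsernamesSearch.searchBase=dc=corp,dc=local
allUsernamesSearch.searchFilter=(objectClass=user)
allUsernamesSearch.usernameAttribute=sAMAccountName
adminRole=cn=RPT_ADMIN,ou=Reporting,ou=Security Groups,dc=corp,dc=local
adminUser=cn=newAdmin,cn=Users,dc=corp,dc=local
"""

_RDN_SPLIT = re.compile(r'(?<!\\),')   # comma not escaped by a backslash
_WS = re.compile(r'\s+')


def parse_properties(text):
    """Parse key=value lines; '#'/'!' comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#!':
            continue
        key, _, value = line.partition('=')
        props[key.strip()] = value.strip()
    return props


def parse_dn(dn):
    """Leaf-first list of (type, value) pairs, normalised the way AD matches
    them: types and values case-insensitive, whitespace runs collapsed."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError('malformed RDN %r in %r' % (part, dn))
        rdns.append((attr.strip().lower(), _WS.sub(' ', value.strip()).lower()))
    return rdns


def is_under(dn, base):
    """True if dn equals base or lies anywhere below it, i.e. what a search
    with searchScope 2 (SearchControls.SUBTREE_SCOPE) would reach."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def canonical_username(name):
    """AD matches sAMAccountName case-insensitively, so fold the login name
    before using it as a key (home folder, cache, ...): User, uSer and usEr
    must map to one identity."""
    return name.strip().lower()


def check_ldap_properties(props):
    """Return human-readable findings; an empty list means the DNs agree."""
    findings = []

    def need(key):
        value = props.get(key, '')
        if not value:
            findings.append('missing %s' % key)
        return value

    bind = need('contextSource.userDn')
    if bind and '@' not in bind and '=' not in bind:
        findings.append('contextSource.userDn must be a UPN (user@domain) or a full DN')

    user_base = need('userSearch.searchBase')
    names_base = need('allUsernamesSearch.searchBase')
    group_base = need('populator.groupSearchBase')
    auth_base = need('allAuthoritiesSearch.searchBase')
    admin_user = need('adminUser')
    admin_role = need('adminRole')

    if admin_user and user_base and not is_under(admin_user, user_base):
        findings.append('adminUser is outside userSearch.searchBase: login as that user fails')
    if admin_user and names_base and not is_under(admin_user, names_base):
        findings.append('adminUser is outside allUsernamesSearch.searchBase: not listed in the admin UI')
    if admin_role and group_base and not is_under(admin_role, group_base):
        findings.append('adminRole is outside populator.groupSearchBase: role never granted')
    if admin_role and auth_base and not is_under(admin_role, auth_base):
        findings.append('adminRole is outside allAuthoritiesSearch.searchBase: role not listed')
    if group_base and auth_base and parse_dn(group_base) != parse_dn(auth_base):
        findings.append('populator.groupSearchBase and allAuthoritiesSearch.searchBase differ')
    return findings


if __name__ == '__main__':
    for finding in check_ldap_properties(parse_properties(SAMPLE_PROPERTIES)) or ['OK']:
        print(finding)
```

Run it against your own properties file (read the file instead of SAMPLE_PROPERTIES) before each restart; a finding about adminUser or adminRole is exactly the class of mistake that otherwise only shows up as a failed login after the server is back up.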

  2. #2
    Join Date
    Apr 2014


    Very clear and useful thread. Thank you.

    I had LDAP working with Jackrabbit, but after deleting my repository I was unable to start the BI server with LDAP enabled. Your thread explained why.

  3. #3
    Join Date
    Jun 2007


    Hi flamierd

    I won't say that I agree with the word "demystified," however you made this as clear as LDAP/AD can be. Thank you for this post; it kept me moving in what was ultimately the right direction. With my lack of LDAP/AD skills I was able to take your steps and work them for my office. I'm pleasantly surprised at how few files needed to be modified to get this going.

    Now my next question is this: if the user has already logged on to ldap/ad (aka They've logged into our network), how do I bypass the Pentaho login dialog?

    Thanks again
    - rlm
    Last edited by rlmagidson; 10-22-2014 at 02:26 PM.

  4. #4
    Join Date
    Apr 2012


    My best guess is that you'll have to find and dissect the login JSP, examine the function calls and duplicate them. I know what you are looking for: the same functionality that exists with SSRS and other Microsoft-based systems. The login JSP should be in the webapps/pentaho directory somewhere.

    Get the username and auth automatically, as they should already be logged into AD. Not sure if this is a good idea, as it probably can produce a security hole or force users to use IE, which isn't my favorite browser.

    By the way, I'm still working on fixing the fact that they can log in with camel case and create a second user directory, i.e. it validates fine with User, uSer and usEr and creates three different user directories.

  5. #5
    Join Date
    Apr 2008


    Quote, originally posted by flamierd:
        force users to use IE, which isn't my favorite browser.
    You can configure Firefox to pass NTLM information to the server. (See here)
    I'm not sure how you configure the server to understand it.

    Short answer: I can get you one step closer, but not all the way there.
    Last edited by gutlez; 10-22-2014 at 05:34 PM.

Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.