By default, the Pentaho BI Platform comes with Hibernate-based security data access object (DAO) enabled. Often, enterprises have an existing directory server accessible by LDAP. This page shows you how to switch to the "LDAP" DAO. The instructions below describe a sample LDAP directory using ApacheDS. LDAP browsers such as Apache Directory Studio or JXplorer can be used to browse the objects in your directory.
- Edit pentaho-spring-beans.xml
Change the Spring XML files to use the LDAP DAOs instead of the Hibernate ones. Open pentaho-solutions/system/pentaho-spring-beans.xml and look for the following section (shown here with the LDAP imports in place):

pentaho-spring-beans.xml:
<beans>
  <!-- some lines omitted -->
  <import resource="applicationContext-spring-security.xml" />
  <import resource="applicationContext-common-authorization.xml" />
  <import resource="applicationContext-spring-security-ldap.xml" />
  <import resource="applicationContext-pentaho-security-ldap.xml" />
</beans>
- Start the directory
In Windows, just start the Apacheds service in the Services dialog. In Linux, the command might be as simple as service apacheds start.
- Import the LDIF
The sample Spring XML files applicationContext-spring-security-ldap.xml and applicationContext-pentaho-security-ldap.xml assume the records below. If you already have an existing directory, or you wish to alter the sample LDIF files, you'll need to adjust the LDAP queries in the aforementioned Spring XML files. To make use of the sample LDIF file, use an LDAP browser, such as Apache Directory Studio or JXplorer, to import it. Note: You may or may not have success importing the LDIF file below. If you run into errors, manually create the records.

Sample LDIF:
version: 1

dn: uid=joe,ou=users,ou=system
mail: joe.pentaho@pentaho.org
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
uid: joe
cn: joe
businesscategory: cn=ceo,ou=roles,ou=system
businesscategory: cn=Admin,ou=roles,ou=system
userpassword:: cGFzc3dvcmQ=
sn: Pentaho

dn: uid=suzy,ou=users,ou=system
mail: suzy.pentaho@pentaho.org
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
uid: suzy
cn: suzy
userpassword:: cGFzc3dvcmQ=
businesscategory: cn=cto,ou=roles,ou=system
businesscategory: cn=is,ou=roles,ou=system
sn: Pentaho

dn: uid=tiffany,ou=users,ou=system
mail: tiffany.pentaho@pentaho.org
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
uid: tiffany
cn: tiffany
businesscategory: cn=devmgr,ou=roles,ou=system
businesscategory: cn=dev,ou=roles,ou=system
userpassword:: cGFzc3dvcmQ=
sn: Pentaho

dn: uid=pat,ou=users,ou=system
mail: pat.pentaho@pentaho.org
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
uid: pat
cn: pat
businesscategory: cn=dev,ou=roles,ou=system
userpassword:: cGFzc3dvcmQ=
sn: Pentaho

dn: cn=Sales,ou=groups,ou=system
cn: Sales
objectclass: groupofuniquenames
objectclass: top
uniquemember: uid=joe,ou=users,ou=system

dn: cn=Marketing,ou=groups,ou=system
cn: Marketing
objectclass: groupofuniquenames
objectclass: top
uniquemember: uid=suzy,ou=users,ou=system

dn: cn=Development,ou=groups,ou=system
cn: Development
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=pat,ou=users,ou=system
uniquemember: uid=tiffany,ou=users,ou=system

dn: ou=roles,ou=system
ou: roles
objectclass: organizationalUnit
objectclass: top

dn: cn=devmgr,ou=roles,ou=system
l: Orlando
objectclass: organizationalRole
objectclass: top
description: Development Manager
roleoccupant: uid=tiffany,ou=users,ou=system
cn: devmgr

dn: cn=cto,ou=roles,ou=system
cn: cto
description: CTO Role
objectclass: organizationalRole
objectclass: top
roleoccupant: uid=suzy,ou=users,ou=system
l: Orlando
st: Florida

dn: cn=ceo,ou=roles,ou=system
cn: ceo
description: CEO Role
objectclass: organizationalRole
objectclass: top
roleoccupant: uid=joe,ou=users,ou=system
l: Orlando
st: Florida

dn: cn=is,ou=roles,ou=system
cn: is
description: Information Systems
objectclass: organizationalRole
objectclass: top
roleoccupant: uid=suzy,ou=users,ou=system
l: Orlando
st: Florida

dn: cn=dev,ou=roles,ou=system
objectclass: organizationalRole
objectclass: top
roleoccupant: uid=pat,ou=users,ou=system
roleoccupant: uid=tiffany,ou=users,ou=system
cn: dev

dn: cn=Admin,ou=roles,ou=system
objectclass: organizationalRole
objectclass: top
roleoccupant: uid=joe,ou=users,ou=system
roleoccupant: uid=admin,ou=system
cn: Admin

dn: cn=Authenticated,ou=roles,ou=system
objectclass: organizationalRole
objectclass: top
roleoccupant: uid=joe,ou=users,ou=system
roleoccupant: uid=suzy,ou=users,ou=system
roleoccupant: uid=pat,ou=users,ou=system
roleoccupant: uid=tiffany,ou=users,ou=system
cn: Authenticated

dn: cn=Anonymous,ou=roles,ou=system
cn: Anonymous
objectclass: organizationalRole
objectclass: top

Note: The userpassword values in the LDIF above ('cGFzc3dvcmQ=') are the base64 encoding of the word 'password' (the '::' LDIF syntax marks a base64-encoded value, not a hash). Therefore, for authentication purposes, all the users above share the same password: 'password'.
Note: Be sure to leave a blank line at the end of this file. Otherwise, the last entry may not import correctly.
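To catch the problems that typically make a sample import like the one above fail, here is an added example (not code from the Pentaho page or from the ApacheDS project): a small Python checker that parses LDIF, decodes '::' base64 values, and reports attribute values repeated within one entry, entries whose parent container is neither pre-existing nor defined earlier in the file, and userPassword values stored without a {SCHEME} hash prefix. The embedded SAMPLE_LDIF is a constructed cut-down copy of the sample with one roleoccupant value deliberately repeated; PREEXISTING_DNS lists the containers ApacheDS creates in its default ou=system partition and is an assumption to adjust for another server.

```python
"""Pre-import checks for an LDIF file (added example; not from the Pentaho page
or ApacheDS). Finds duplicate attribute values within an entry, entries whose
parent is undefined, and userPassword values stored without a {SCHEME} prefix."""
import base64
from collections import Counter

# Constructed sample: a cut-down copy of the page's LDIF that deliberately
# repeats one roleoccupant value, as the Authenticated role in the sample did.
SAMPLE_LDIF = """version: 1

dn: uid=suzy,ou=users,ou=system
objectclass: inetOrgPerson
objectclass: top
uid: suzy
cn: suzy
sn: Pentaho
userpassword:: cGFzc3dvcmQ=

dn: ou=roles,ou=system
ou: roles
objectclass: organizationalUnit

dn: cn=Authenticated,ou=roles,ou=system
objectclass: organizationalRole
roleoccupant: uid=suzy,ou=users,ou=system
roleoccupant: uid=suzy,ou=users,ou=system
cn: Authenticated
"""

# Assumption: containers that already exist before the import. ApacheDS
# creates these in its default ou=system partition; adjust for other servers.
PREEXISTING_DNS = {"ou=system", "ou=users,ou=system", "ou=groups,ou=system"}


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])], decoding '::' base64 values and
    joining folded lines (leading space); '#' comments and 'version:' are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:             # sentinel flushes the last record
        if line.strip() == "":
            if current:
                entries.append(_build_entry(current))
                current = []
        elif not (line.startswith("#") or line.lower().startswith("version:")):
            current.append(line)
    return entries


def _build_entry(lines):
    attrs = []
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.append((name.strip().lower(), value))
    dn = next(v for a, v in attrs if a == "dn")
    return dn, [(a, v) for a, v in attrs if a != "dn"]


def normalize_dn(dn):
    """Case- and space-insensitive DN form (does not handle escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def duplicate_values(entries):
    """(dn, attr, value) for each value listed more than once in one entry;
    servers reject such entries with an attribute-or-value-exists error."""
    found = []
    for dn, attrs in entries:
        for (a, v), n in Counter((a, v.lower()) for a, v in attrs).items():
            if n > 1:
                found.append((dn, a, v))
    return found


def missing_parents(entries, preexisting=PREEXISTING_DNS):
    """DNs whose parent is neither pre-existing nor defined earlier in the file."""
    known = {normalize_dn(d) for d in preexisting}
    found = []
    for dn, _ in entries:
        parent = normalize_dn(dn).partition(",")[2]
        if parent and parent not in known:
            found.append(dn)
        known.add(normalize_dn(dn))
    return found


def plaintext_passwords(entries):
    """(dn, clear text) for userPassword values with no {SCHEME} hash prefix."""
    return [(dn, v) for dn, attrs in entries for a, v in attrs
            if a == "userpassword" and not v.startswith("{")]


def check_ldif(text, preexisting=PREEXISTING_DNS):
    """Run every check; empty lists mean the file looks safe to import."""
    entries = parse_ldif(text)
    return {"duplicates": duplicate_values(entries),
            "missing_parents": missing_parents(entries, preexisting),
            "plaintext_passwords": plaintext_passwords(entries)}


if __name__ == "__main__":
    for kind, items in check_ldif(SAMPLE_LDIF).items():
        print(f"{kind}: {items}")
```

Run it as a script to print the findings for the embedded sample, or call check_ldif() on the contents of your own file. Because '::' in LDIF only marks base64 encoding, the userpassword values in the sample decode to the clear text 'password'; whether the server hashes them on storage depends on its configuration, so the sample accounts are suitable for a test directory only.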
- Start the application server
Now that the directory is running and the LDIF has been imported, start the application server.
- Stop the directory
In Windows, just stop the Apacheds service in the Services dialog. In Linux, run service apacheds stop.
Troubleshooting
Having problems? Check out the troubleshooting section.
Comments (1)
Feb 04, 2010
Champion Louis says:
For the LDIF import you should add the two organizationalUnit entries at the beginning of the import:

dn: ou=users,ou=system
ou: users
objectclass: organizationalUnit
objectclass: top

dn: ou=groups,ou=system
ou: groups
objectclass: organizationalUnit
objectclass: top

Finally, the Authenticated role failed to import because the roleoccupant values for suzy, pat and tiffany were present twice.