Hitachi Vantara Pentaho Community Wiki

Using LDAP and JDBC Simultaneously

Note: There are related HOWTOs: Changing to the LDAP Security DAO and Changing to the JDBC Security DAO.

Overview

Is it possible to authenticate via LDAP then fetch roles from a relational database? Yes! To accomplish this, make the following changes.

Steps

  1. Edit pentaho-spring-beans.xml to use a combination of LDAP and JDBC configuration files.
    pentaho-spring-beans.xml
    <beans>
      <!-- some lines omitted -->
      <import resource="applicationContext-spring-security.xml" />
      <import resource="applicationContext-common-authorization.xml" />
      <import resource="applicationContext-spring-security-ldap.xml" />
      <import resource="applicationContext-pentaho-security-jdbc.xml" />
    </beans>
    
  2. Open applicationContext-spring-security-ldap.xml. Replace the populator bean definition with the one below.
    applicationContext-spring-security-ldap.xml
    <bean id="populator" class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
      <constructor-arg ref="userDetailsService" />
    </bean>
    
  3. Staying in the same file, remove the userDetailsService bean. (We're removing it to replace it later with the JDBC-based UserDetailsService implementation: JdbcDaoImpl.)
    applicationContext-spring-security-ldap.xml
    <!-- removed userDetailsService bean -->
    
  4. Open applicationContext-pentaho-security-jdbc.xml. Add the following two bean definitions. Both of these bean definitions were copied from applicationContext-spring-security-jdbc.xml. (One is the JDBC-based UserDetailsService implementation; the other is a bean required by that implementation.)
    applicationContext-pentaho-security-jdbc.xml
    <!-- Connection settings as copied: HSQLDB on localhost, user "sa", empty password.
         Change these to match your own database. -->
    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
      <property name="driverClassName" value="org.hsqldb.jdbcDriver" />
      <property name="url" value="jdbc:hsqldb:hsql://localhost:9002/userdb" />
      <property name="username" value="sa" />
      <property name="password" value="" />
    </bean>
    
    <!-- JDBC-based UserDetailsService; the populator bean from step 2 refers to it by this id. -->
    <bean id="userDetailsService" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
      <property name="dataSource">
        <ref local="dataSource" />
      </property>
      <!-- Roles for the LDAP-authenticated user are fetched with this query. -->
      <property name="authoritiesByUsernameQuery">
        <value>
          <![CDATA[SELECT username, authority FROM granted_authorities WHERE username = ?]]>
        </value>
      </property>
      <property name="usersByUsernameQuery">
        <value>
          <![CDATA[SELECT username, password, enabled FROM users WHERE username = ?]]>
        </value>
      </property>
    </bean>
    
  5. If you followed Changing to the JDBC Security DAO and Changing to the LDAP Security DAO, the default configuration should work without any changes. If you want to change the database host, the LDAP server host, or anything else about the configuration, see Security Data Access Objects.
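
A configuration check for steps 2 to 4, as an added example (not part of the original wiki page or of Pentaho): it parses the edited Spring files and reports a userDetailsService bean that is not defined exactly once, a populator that does not point at it, and a dataSource left with an empty password. The sample XML and the class name com.example.OldLdapUserDetailsService are constructed for illustration.

```python
import xml.etree.ElementTree as ET

POPULATOR = ("org.springframework.security.ldap.populator."
             "UserDetailsServiceLdapAuthoritiesPopulator")
JDBC_DAO = "org.springframework.security.userdetails.jdbc.JdbcDaoImpl"

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without XML namespace

def lint(files):
    """files maps file name -> XML text; returns a list of findings."""
    found, issues = {}, []
    for name, text in files.items():
        for el in ET.fromstring(text).iter():
            if local(el) == "bean" and el.get("id"):
                found.setdefault(el.get("id"), []).append((name, el))
    uds = found.get("userDetailsService", [])
    if len(uds) != 1:  # step 3 skipped, or step 4 not done
        where = ", ".join(n for n, _ in uds) or "no file"
        issues.append(f"userDetailsService defined {len(uds)} times ({where})")
    elif uds[0][1].get("class") != JDBC_DAO:
        issues.append("userDetailsService is not JdbcDaoImpl")
    pop = [el for _, el in found.get("populator", [])]
    refs = [c.get("ref") for el in pop for c in el if local(c) == "constructor-arg"]
    if len(pop) != 1 or pop[0].get("class") != POPULATOR:
        issues.append("populator is not UserDetailsServiceLdapAuthoritiesPopulator")
    elif refs != ["userDetailsService"]:
        issues.append("populator does not reference userDetailsService")
    for _, el in found.get("dataSource", []):
        for p in el:
            if (local(p), p.get("name"), p.get("value")) == ("property", "password", ""):
                issues.append("dataSource has an empty password")
    return issues

# Constructed sample: step 2 applied, step 3 forgotten (old bean still present).
# com.example.OldLdapUserDetailsService is a placeholder class name.
SAMPLE = {
    "applicationContext-spring-security-ldap.xml": """<beans>
      <bean id="populator" class="%s"><constructor-arg ref="userDetailsService"/></bean>
      <bean id="userDetailsService" class="com.example.OldLdapUserDetailsService"/>
    </beans>""" % POPULATOR,
    "applicationContext-pentaho-security-jdbc.xml": """<beans>
      <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="password" value=""/></bean>
      <bean id="userDetailsService" class="%s"/>
    </beans>""" % JDBC_DAO,
}
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "configuration matches steps 2-4")
```

To check a real installation, read the two edited files from the Pentaho configuration directory and pass their contents to lint() in place of SAMPLE.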

  1. Nov 29, 2012

    Pablo Quiroga says:

    Hi Mat,

    Thanks for this information.  We're trying to achieve something similar > Using Windows Authentication and JDBC simultaneously.

    Let me describe what we're trying to achieve:

    Authentication: Managed by IIS and Windows (local or domain account) - IIS/Windows take care of authentication (based on local or domain credentials) and then redirect to tomcat/pentaho.

    See reference here: http://infocenter.pentaho.com/help/index.jsp?topic=%2Fsecurity_guide%2Fconcept_active_directory_tips.html

    Authorization: Roles managed in our own Database (JDBC) - Once authentication happens, query database to get role and ACLs.

    Is this possible? Could you please point me to some documentation/information.

    Thank you,

    ~Pablo