Hitachi Vantara Pentaho Community Wiki

Active Directory/LDAP example configuration (BI Server Community Edition 3.0RC1)

Active Directory is an LDAP server with some unusual properties. Therefore, we can use the LDAP method of Spring/Acegi Security with a few changes. We also need to change the Pentaho BI Server configuration so that it uses the groups defined in the directory.

Obtain the following data first:

  • The root of your Active Directory. This is probably your domain name in the form DC=domain,DC=tld.
  • The name of your Active Directory server. (You should be able to ping it, e.g. adsrv.domain.tld.)
  • Your domain name that you use for login into Windows. E.g. COMPANY.
  • The path of users and groups in your directory. This could be something like OU=Company.
  • User name and password of an Active Directory user. A low-privileged user works best; you'll need to enter the clear-text password in the configuration, so don't use the credentials of a real person if possible. Set this user to "password never expires". In this example, the user is called pentahoaduser with password changeme.
  • At least two groups for fine-grained access control: one for regular users who can use the BI Server (example: CompanyUsers) and one for BI Server administrators (example: BIServerAdmins). Of course, the users who will be using the BI Server will have to be in the right user group (admins in both groups).

Then you can go on editing the configuration files.

  • pentaho-solutions/system/pentaho-spring-beans.xml

In this file, we configure the authentication source (instead of *-security-hibernate.xml we insert *-security-ldap.xml).

<!-- <import resource="applicationContext-acegi-security-hibernate.xml" />
     <import resource="applicationContext-pentaho-security-hibernate.xml" /> -->
<import resource="applicationContext-acegi-security-ldap.xml" />
<import resource="applicationContext-pentaho-security-ldap.xml" />
  • pentaho-solutions/system/applicationContext-acegi-security.xml

This is where access to individual pages or directories on the Pentaho server is configured. Search for "Admin" and "Authenticated" and replace them with your admin and normal user group names IN CAPITALS:

<property name="objectDefinitionSource">
  <value>
    <![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/docs/pentaho_ce_user_guide.*\Z=Anonymous,COMPANYUSERS
\A/mantlelogin/.*\Z=Anonymous,COMPANYUSERS
\A/mantle/mantleloginservice/*\Z=Anonymous,COMPANYUSERS
\A/mantle/.*\Z=COMPANYUSERS
...
\A/admin.*\Z=BISERVERADMINS
\A/auditreport.*\Z=BISERVERADMINS
\A/auditreportlist.*\Z=BISERVERADMINS
\A/versioncontrol.*\Z=BISERVERADMINS
...
\A/logout.*\Z=Anonymous
\A/.*\Z=COMPANYUSERS
    ]]>
  </value>
</property>
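To sanity-check the mapping above before deploying it, here is an added Python model of how the list is evaluated (example code written for this page, not part of the wiki page, Pentaho or Acegi): the request URL is lowercased because of the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON directive, patterns are tried in order and the first match decides the required roles, and a role name must match a granted role exactly, so the casing of COMPANYUSERS and BISERVERADMINS matters. The rule excerpt is the page's own list with the elided "..." lines left out; the URLs and role sets in the usage are constructed for the example.

```python
import re

# Excerpt of the objectDefinitionSource rules from the configuration above
# (constructed for this example; the "..." lines of the page are omitted).
OBJECT_DEFINITION_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/docs/pentaho_ce_user_guide.*\Z=Anonymous,COMPANYUSERS
\A/mantlelogin/.*\Z=Anonymous,COMPANYUSERS
\A/mantle/mantleloginservice/*\Z=Anonymous,COMPANYUSERS
\A/mantle/.*\Z=COMPANYUSERS
\A/admin.*\Z=BISERVERADMINS
\A/auditreport.*\Z=BISERVERADMINS
\A/logout.*\Z=Anonymous
\A/.*\Z=COMPANYUSERS
"""


def parse_definition_source(text):
    """Return (lowercase_first, rules).

    rules is an ordered list of (compiled regex, frozenset of role names);
    order is preserved because the first matching pattern wins.
    """
    lowercase_first = False
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase_first = True
            continue
        # Everything before the first '=' is the regex, the rest the role list.
        pattern, roles = line.split("=", 1)
        rules.append((re.compile(pattern),
                      frozenset(r.strip() for r in roles.split(","))))
    return lowercase_first, rules


def required_roles(definition, url):
    """Roles that grant access to url; empty set if no pattern matches."""
    lowercase_first, rules = definition
    path = url.lower() if lowercase_first else url
    for regex, roles in rules:
        if regex.search(path):
            return roles
    return frozenset()


def is_allowed(definition, url, granted_roles):
    """Access is granted when any granted role equals a required role.

    Comparison is exact string equality, so "BiServerAdmins" does not
    satisfy a rule that requires "BISERVERADMINS".
    """
    return bool(required_roles(definition, url) & set(granted_roles))


DEFINITION = parse_definition_source(OBJECT_DEFINITION_SOURCE)

if __name__ == "__main__":
    # Constructed sample requests: an anonymous visitor and an admin.
    for url, roles in [("/mantlelogin/", {"Anonymous"}),
                       ("/mantle/Home", {"Anonymous"}),
                       ("/admin", {"BISERVERADMINS", "COMPANYUSERS"})]:
        print(url, sorted(required_roles(DEFINITION, url)),
              "allowed" if is_allowed(DEFINITION, url, roles) else "denied")
```

Because the first match wins, the catch-all `\A/.*\Z=COMPANYUSERS` has to stay last; moving it up would hide every more specific rule below it, and anonymous access to the login pages would break.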
  • pentaho-solutions/system/applicationContext-acegi-security-ldap.xml

This file contains the connection parameters and search areas for the Spring/Acegi security LDAP module.

<bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
  <constructor-arg index="0" value="ldap://adsrv.domain.tld:389" />
  <property name="managerDn" value="pentahoaduser@COMPANY" />
  <property name="managerPassword" value="changeme" />
  <property name="extraEnvVars">
    <map>
      <entry>
        <key><value>java.naming.referral</value></key>
        <value>follow</value>
      </entry>
    </map>
  </property>
</bean>

<bean id="userSearch"
      class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
  <constructor-arg index="0" value="OU=Company,DC=domain,DC=tld" />
  <constructor-arg index="1" value="(sAMAccountName={0})" />
  <constructor-arg index="2">
    <ref local="initialDirContextFactory" />
  </constructor-arg>
  <property name="searchSubtree">
    <value>true</value>
  </property>
</bean>

<bean id="populator"
      class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0">
    <ref local="initialDirContextFactory" />
  </constructor-arg>
  <constructor-arg index="1" value="OU=Company,DC=domain,DC=tld" />
  <property name="groupRoleAttribute" value="cn" />
  <!-- {0} will be replaced with user DN; {1} will be replaced with username -->
  <property name="groupSearchFilter" value="member={0}" />
  <property name="rolePrefix" value="" />
  <property name="convertToUpperCase" value="true" />
  <property name="searchSubtree" value="true" />
</bean>
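The userSearch and populator beans above perform two lookups at login: first the user's DN is found under the search base with `(sAMAccountName={0})`, then every group under the same base whose `member` attribute lists that DN is turned into a role using its `cn`, the empty `rolePrefix` and `convertToUpperCase`. The following Python model is an added example written for this page, not Pentaho's or Acegi's code; it reproduces those semantics against a constructed in-memory directory so the effect of each setting can be checked offline. It also shows the RFC 4515 escaping that must be applied to the value substituted for `{0}`, and how `searchSubtree` decides whether users one level below the base are found. All DNs, account and group names are invented.

```python
"""Offline model of the two lookups configured above: FilterBasedLdapUserSearch
(find the user's DN) and DefaultLdapAuthoritiesPopulator (find the groups that
list that DN and turn them into roles)."""

# Constructed sample directory; every DN and name here is invented.
DIRECTORY = [
    {"dn": "CN=John Doe,OU=Users,OU=Company,DC=domain,DC=tld",
     "objectClass": "user", "sAMAccountName": "jdoe"},
    {"dn": "CN=Ann Smith,OU=Users,OU=Company,DC=domain,DC=tld",
     "objectClass": "user", "sAMAccountName": "asmith"},
    {"dn": "CN=CompanyUsers,OU=Groups,OU=Company,DC=domain,DC=tld",
     "objectClass": "group", "cn": "CompanyUsers",
     "member": ["CN=John Doe,OU=Users,OU=Company,DC=domain,DC=tld",
                "CN=Ann Smith,OU=Users,OU=Company,DC=domain,DC=tld"]},
    {"dn": "CN=BIServerAdmins,OU=Groups,OU=Company,DC=domain,DC=tld",
     "objectClass": "group", "cn": "BIServerAdmins",
     "member": ["CN=John Doe,OU=Users,OU=Company,DC=domain,DC=tld"]},
    # A group outside the configured search base: it must never become a role.
    {"dn": "CN=Domain Users,CN=Users,DC=domain,DC=tld",
     "objectClass": "group", "cn": "Domain Users",
     "member": ["CN=John Doe,OU=Users,OU=Company,DC=domain,DC=tld",
                "CN=Ann Smith,OU=Users,OU=Company,DC=domain,DC=tld"]},
]

SEARCH_BASE = "OU=Company,DC=domain,DC=tld"  # constructor-arg index="0" above


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. ')' -> '\29', '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(template, username):
    """The (sAMAccountName={0}) template with {0} replaced by the escaped name."""
    return template.replace("{0}", escape_filter_value(username))


def in_scope(dn, base, subtree):
    """searchSubtree=true covers the whole tree below base; false only one level."""
    dn_l, base_l = dn.lower(), base.lower()   # DN components compare case-insensitively
    if subtree:
        return dn_l.endswith("," + base_l)
    parts = dn_l.split(",", 1)
    return len(parts) == 2 and parts[1] == base_l


def find_user_dn(directory, base, username, subtree=True):
    """Mirror FilterBasedLdapUserSearch: exactly one entry must match."""
    hits = [e["dn"] for e in directory
            if in_scope(e["dn"], base, subtree)
            and e.get("sAMAccountName", "").lower() == username.lower()]
    if len(hits) != 1:
        raise LookupError("expected exactly one user for %r, got %d"
                          % (username, len(hits)))
    return hits[0]


def resolve_roles(directory, base, user_dn, role_attr="cn", role_prefix="",
                  to_upper=True, subtree=True):
    """Mirror DefaultLdapAuthoritiesPopulator with groupSearchFilter member={0}."""
    roles = set()
    for entry in directory:
        if not in_scope(entry["dn"], base, subtree):
            continue
        if user_dn.lower() in (m.lower() for m in entry.get("member", [])):
            role = role_prefix + entry[role_attr]      # groupRoleAttribute=cn
            roles.add(role.upper() if to_upper else role)  # convertToUpperCase
    return sorted(roles)


if __name__ == "__main__":
    dn = find_user_dn(DIRECTORY, SEARCH_BASE, "jdoe")
    print(build_user_filter("(sAMAccountName={0})", "jdoe"))
    print(dn, resolve_roles(DIRECTORY, SEARCH_BASE, dn))
```

Two things the model makes visible: with `searchSubtree` set to false the users in OU=Users are not found at all, because they sit one level below OU=Company, and the roles that reach the access lists are the upper-cased group names, which is why the role names in applicationContext-acegi-security.xml and pentaho.xml have to be written in capitals (or `convertToUpperCase` switched off consistently, as the comment at the end of the page notes).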
  • pentaho-solutions/system/applicationContext-pentaho-security-ldap.xml

The BI Server fetches additional user data using these parameters:

<bean id="allUsernamesSearch"
      class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
  <constructor-arg index="0" ref="initialDirContextFactory" />
  <constructor-arg index="1">
    <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.LdapSearchParamsFactoryImpl">
      <constructor-arg index="0" value="OU=Company,DC=domain,DC=tld" />
      <constructor-arg index="1" value="(samAccountType=805306368)" />
      <constructor-arg index="2">
        <bean class="javax.naming.directory.SearchControls">
          <property name="searchScope" value="2" />
        </bean>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg index="2">
    <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.SearchResultToAttrValueList">
      <constructor-arg index="0" value="sAMAccountName" />
    </bean>
  </constructor-arg>
</bean>

<bean id="allAuthoritiesSearch"
      class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
  <constructor-arg index="0" ref="initialDirContextFactory" />
  <constructor-arg index="1">
    <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.LdapSearchParamsFactoryImpl">
      <constructor-arg index="0" value="OU=Company,DC=domain,DC=tld" />
      <constructor-arg index="1" value="(objectClass=group)" />
      <constructor-arg index="2">
        <bean class="javax.naming.directory.SearchControls">
          <property name="searchScope" value="2" />
        </bean>
      </constructor-arg>
    </bean>
  </constructor-arg>
  <constructor-arg index="2">
    <bean class="org.apache.commons.collections.functors.ChainedTransformer">
      <constructor-arg index="0">
        <list>
          <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.SearchResultToAttrValueList">
            <constructor-arg index="0" value="cn" />
          </bean>
          <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.StringToGrantedAuthority">
            <property name="rolePrefix" value="" />
            <property name="convertToUpperCase" value="true" />
          </bean>
        </list>
      </constructor-arg>
    </bean>
  </constructor-arg>
</bean>
  • pentaho-solutions/system/pentaho.xml

In this configuration file, you switch off the demo user list on the login page and change the role names in the default ACLs and the admin role to your upper-cased group names.

<login-show-users-list>false</login-show-users-list>

<default-acls>
  <acl-entry role="BISERVERADMINS" acl="FULL_CONTROL" />   <!-- Admin users get all authorities -->
  <acl-entry role="COMPANYUSERS" acl="EXECUTE" />         <!-- Authenticated users get execute only -->
</default-acls>

<overrides>
  <file path="/pentaho-solutions/admin">
    <acl-entry role="BISERVERADMINS" acl="FULL_CONTROL" />
  </file>
</overrides>

<acl-voter>
  <!-- What role must someone be in to be an ADMIN of Pentaho -->
  <admin-role>BISERVERADMINS</admin-role>
</acl-voter>

1 Comment

  1. In my testing, it also works without capitalizing the role names if implemented carefully. (The roles are case sensitive.)

    You must change the

    <property name="convertToUpperCase" value="true" />

    parts into false instead of true and then the access lists accordingly.
    If you already have some XActions or other resources, they will have the old ACLs. See "Changing the Admin Role" and "Re-Applying Default ACL" for information on changing them.