These are the files I have modified to integrate OpenLDAP with Pentaho:
- <PENTAHO_HOME>/pentaho-solutions/system/pentaho.xml: In this file I set the values in the tags <login-show-users-list> and <login-show-sample-user-hint> to false. This is so the login page doesn't show the default users that come with the Pentaho installation (admin, suzy).
- <PENTAHO_HOME>/pentaho-solutions/system/security.properties: change the value of provider to ldap instead of jackrabbit.
- <PENTAHO_HOME>/pentaho-solutions/system/applicationContext-security-ldap.properties: This file defines how to search LDAP. We used this document (I suppose there's a similar document in the Pentaho 7 documentation; we configured it the same way in Pentaho 6.1, Pentaho 7.1 and Pentaho 8.0, so I don't think there have been changes) to learn what each property means, and we tested the correct values for the queries against LDAP from a terminal.
# LDAP server and user for queries, if necessary. In our case the anonymous user can query LDAP, so the userDn and password properties are empty.
contextSource.providerUrl=ldap://host:port
contextSource.userDn=QueryUser
contextSource.password=QueryUserPassword
# These properties determine how the user typed in the login screen is searched. The token {0} is substituted by the user in the login screen.
# It is equivalent to perform this search in a terminal window:
# $ ldapsearch -x -h ldaphost -b "userSearch.searchBase.value" 'userSearch.searchFilter.value (with the token substituted)'
# With my examples, the search would be: $ ldapsearch -x -h ldaphost -b "ou=people,dc=company,dc=com" '(uid=myuser)'
# In a .properties file a '#' after the value is part of the value, not a comment, so the remarks go on their own lines.
# in our case, we perform this search with the base: ou=people,dc=company,dc=com
userSearch.searchBase=yourvalue
# in our case, we have (uid={0})
userSearch.searchFilter=yourvalue
# These properties define the queries that look up the user's group membership. Token {0} is the user DN and token {1} is the name of the user in the Pentaho login screen. Our users are stored with their uid in the memberUid of the group, but there is more than one way to organize this in LDAP, so you have to determine how to do these queries in your LDAP server.
# $ ldapsearch -x -h ldaphost -b "populator.groupSearchBase.value" 'populator.groupSearchFilter.value' populator.groupRoleAttribute.value
# With my examples, the search would be: $ ldapsearch -x -h ldaphost -b "ou=groups,dc=mycompany,dc=com" '(memberUid=myuser)' uid
populator.convertToUpperCase=false
populator.groupSearchBase=ou=groups,dc=mycompany,dc=com
populator.groupSearchFilter=(memberUid={1})
populator.groupRoleAttribute=uid
populator.rolePrefix=
populator.searchSubtree=false
# How to get the names of all groups. We have personalized this search so we only get groups with at least one memberUid.
# $ ldapsearch -x -h ldaphost -b "ou=groups,dc=mycompany,dc=com" '(&(objectClass=posixGroup)(memberUid=*))' uid
allAuthoritiesSearch.searchBase=ou=groups,dc=mycompany,dc=com
allAuthoritiesSearch.searchFilter=(&(objectClass=posixGroup)(memberUid=*))
allAuthoritiesSearch.roleAttribute=uid
# How to get all usernames. In Pentaho we needed the searchFilter parameter to be set or we got an error, although it is not necessary in the terminal search.
# $ ldapsearch -x -h myhost -b "ou=people,dc=mycompany,dc=com" uid
allUsernamesSearch.searchBase=ou=people,dc=mycompany,dc=com
allUsernamesSearch.searchFilter=objectClass=inetOrgPerson
allUsernamesSearch.usernameAttribute=uid
# These two properties define which user and group in LDAP are administrators in Pentaho.
adminRole=uid=AdminPentahoGroup,ou=groups,dc=mycompany,dc=com
adminUser=uid=AdminPentahoUser,ou=people,dc=mycompany,dc=com
- <PENTAHO_HOME>/pentaho-solutions/system/data-access/settings.xml: Change the description of the role Administrator to the adminRole uid from the previous file (AdminPentahoGroup in my example).
- <PENTAHO_HOME>/pentaho-solutions/system/applicationContext-spring-security-ldap.xml: change Administrator to the adminRole uid in <entry key="${ldap.adminRole}" value="Administrator"/>.
- <PENTAHO_HOME>/pentaho-solutions/system/repository.spring.properties: I found this blog entry about how to avoid the message "User admin not found in directory" in the log. Change these:
singleTenantAdminDefaultUserName=AdminPentahoUser
singleTenantAdminUserName=AdminPentahoUser
singleTenantAdminDefaultAuthorityName=AdminPentahoGroup
singleTenantAdminAuthorityName=AdminPentahoGroup
- <PENTAHO_HOME>/pentaho-solutions/system/applicationContext-spring-security.xml: I found some blog entries talking about changes in this file, but in my case it wasn't necessary.
Hope this helps. Regards
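As an added check that is not part of the original post, the following Python script parses a constructed copy of applicationContext-security-ldap.properties, rebuilds the ldapsearch commands described above for the user and group queries, and flags mistakes such as a trailing `#` remark that becomes part of a value. The host name, DNs and user names in the sample are placeholder assumptions.

```python
import shlex
# Constructed sample of the properties file discussed above (hypothetical values).
SAMPLE = """\
contextSource.providerUrl=ldap://ldaphost:389
contextSource.userDn=
contextSource.password=
userSearch.searchBase=ou=people,dc=company,dc=com # this text becomes part of the value
userSearch.searchFilter=(uid={0})
populator.groupSearchBase=ou=groups,dc=mycompany,dc=com
populator.groupSearchFilter=(memberUid={1})
populator.groupRoleAttribute=uid
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: '#' starts a comment only at line start."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def ldapsearch_cmd(props, base_key, filter_key, tokens, attr_key=None):
    """ldapsearch equivalent of one query section; tokens maps {0}/{1} to
    the values Pentaho substitutes at login time."""
    host = props["contextSource.providerUrl"].split("//", 1)[-1].split(":")[0]
    flt = props[filter_key]
    for tok, val in tokens.items():
        flt = flt.replace(tok, val)
    cmd = ["ldapsearch", "-x", "-h", host, "-b", props[base_key], flt]
    if attr_key:
        cmd.append(props[attr_key])
    return " ".join(shlex.quote(c) for c in cmd)

def lint(props):
    """Flag settings that make the searches silently wrong."""
    warnings = []
    for key, value in props.items():
        if " #" in value:
            warnings.append(f"{key}: text after '#' is part of the value, not a comment")
    if "{0}" not in props.get("userSearch.searchFilter", ""):
        warnings.append("userSearch.searchFilter: missing the {0} login-name token")
    if not any(t in props.get("populator.groupSearchFilter", "") for t in ("{0}", "{1}")):
        warnings.append("populator.groupSearchFilter: needs {0} (user DN) or {1} (login name)")
    if props.get("contextSource.userDn") and not props.get("contextSource.password"):
        warnings.append("contextSource.userDn is set but contextSource.password is empty")
    return warnings
```

Run `lint(parse_properties(open(path).read()))` on the real file before restarting Pentaho; the quoted base DN in the generated user-search command shows how the stray remark would reach the server.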