Pentaho 7.0 CE + openldap
MIREYA MARTINEZ SAIZ posted 04-10-2018 15:12

Hi,

I am trying to configure Pentaho 7.0 CE with LDAP authentication (OpenLDAP). I've followed the instructions in the Pentaho Business Analytics Cookbook, which look so easy, but it doesn't work in my environment.

I've modified the following files with my ldap configuration:

applicationContext-security-ldap.properties

security.properties

and when I try to open Pentaho, only the admin user can log in, but it loses access to the Administration tab functionality... If I try to log in with the rest of the LDAP users it gives me an error message.

I've found that some people change as well these files:

applicationContext-spring-security.xml

repository.spring.properties

pentaho.xml

Can anyone suggest which configuration is the best to follow?

How can I test that my applicationContext-security-ldap.properties is well defined?

Thanks,


Ana Gonzalez

These are the files I have modified to integrate OpenLDAP with Pentaho:

  • <PENTAHO_HOME>/pentaho-solutions/system/pentaho.xml: In this file I set to false the values in the <login-show-users-list> and <login-show-sample-user-hint> tags. This is so the login page doesn't show the default users that come with the Pentaho installation (admin, suzy).
  • <PENTAHO_HOME>/pentaho-solutions/system/security.properties: change the value of provider to ldap instead of jackrabbit.
  • <PENTAHO_HOME>/pentaho-solutions/system/applicationContext-security-ldap.properties: This file defines how to search LDAP. We used this document (I suppose there's a similar document in the Pentaho 7 documentation; we configured it the same way in Pentaho 6.1, Pentaho 7.1 and Pentaho 8.0, so I don't think there have been changes) to learn what each property means, and we tested the correct values for the queries against LDAP from a terminal.

# LDAP server and the user for queries, if necessary. In our case the anonymous user can query LDAP, so the userDn and password properties are empty.
contextSource.providerUrl=ldap://host:port
contextSource.userDn=QueryUser
contextSource.password=QueryUserPassword

# These properties determine how the user typed in the login screen is searched. The token {0} is substituted by the user from the login screen.
# It is equivalent to performing this search in a terminal window:
# $ ldapsearch -x -h ldaphost -b "userSearch.searchBase.value" 'userSearch.searchFilter.value (with the token substituted)'
# With my examples, the search would be: $ ldapsearch -x -h ldaphost -b "ou=people,dc=company,dc=com" '(uid=myuser)'
# (Notes are on their own lines because a '#' after a value is not a comment in a .properties file; it becomes part of the value.)
# userSearch.searchBase: in our case, ou=people,dc=company,dc=com
userSearch.searchBase=yourvalue
# userSearch.searchFilter: in our case, (uid={0})
userSearch.searchFilter=yourvalue

# These properties define the queries that look up the user's group membership. Token {0} is the user DN and token {1} is the name of the user in the Pentaho login screen. Our users are stored with the uid in the memberUid of the group, but there is more than one way to organize this in LDAP, so you have to determine how to do these queries in your LDAP server.
# $ ldapsearch -x -h ldaphost -b "populator.groupSearchBase.value" 'populator.groupSearchFilter.value' populator.groupRoleAttribute.value
# With my examples, the search would be: $ ldapsearch -x -h ldaphost -b "ou=groups,dc=mycompany,dc=com" '(memberUid=myuser)' uid
populator.convertToUpperCase=false
populator.groupSearchBase=ou=groups,dc=mycompany,dc=com
populator.groupSearchFilter=(memberUid={1})
populator.groupRoleAttribute=uid
populator.rolePrefix=
populator.searchSubtree=false

# How to get the names of all groups. We have personalized this search so we only get groups with at least one memberUid.
# $ ldapsearch -x -h ldaphost -b "ou=groups,dc=mycompany,dc=com" '(&(objectClass=posixGroup)(memberUid=*))' uid
allAuthoritiesSearch.searchBase=ou=groups,dc=mycompany,dc=com
allAuthoritiesSearch.searchFilter=(&(objectClass=posixGroup)(memberUid=*))
allAuthoritiesSearch.roleAttribute=uid

# How to get all usernames. In Pentaho we needed the searchFilter parameter set or we got an error, although it is not necessary in the terminal search.
# $ ldapsearch -x -h myhost -b "ou=people,dc=mycompany,dc=com" uid
allUsernamesSearch.searchBase=ou=people,dc=mycompany,dc=com
allUsernamesSearch.searchFilter=objectClass=inetOrgPerson
allUsernamesSearch.usernameAttribute=uid

# These two properties define which user and group in LDAP are administrators in Pentaho.
adminRole=uid=AdminPentahoGroup,ou=groups,dc=mycompany,dc=com
adminUser=uid=AdminPentahoUser,ou=people,dc=mycompany,dc=com

  • <PENTAHO_HOME>/pentaho-solutions/system/data-access/settings.xml: Change the description of the Administrator role to the adminRole uid from the previous file, AdminPentahoGroup in my example.
  • <PENTAHO_HOME>/pentaho-solutions/system/applicationContext-spring-security-ldap.xml: change Administrator to the adminRole uid in <entry key="${ldap.adminRole}" value="Administrator"/>.
  • <PENTAHO_HOME>/pentaho-solutions/system/repository.spring.properties: I found this blog entry about how to avoid the "User admin not found in directory" messages in the log; change this:

singleTenantAdminDefaultUserName=AdminPentahoUser
singleTenantAdminUserName=AdminPentahoUser
singleTenantAdminDefaultAuthorityName=AdminPentahoGroup
singleTenantAdminAuthorityName=AdminPentahoGroup

  • <PENTAHO_HOME>/pentaho-solutions/system/applicationContext-spring-security.xml: I found some blog entries talking about changes in this file, but in my case it wasn't necessary.

Hope this helps. Regards.
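As an added example that is not part of the thread or of Pentaho itself, this Python script answers the "how can I test my applicationContext-security-ldap.properties" question the way the answer above suggests: it reads the properties, prints the ldapsearch commands equivalent to the user and group queries (with the {0}/{1} tokens substituted), and flags the pitfalls the answer mentions (empty allUsernamesSearch.searchFilter, adminRole outside the group search base) plus a bind password sent over plain ldap://. The sample properties are constructed here and use the property names from the answer.

```python
import re

# Constructed sample (not from the thread); property names are those used in the answer above.
SAMPLE = """\
contextSource.providerUrl=ldap://ldaphost:389
contextSource.password=
userSearch.searchBase=ou=people,dc=mycompany,dc=com
userSearch.searchFilter=(uid={0})
populator.groupSearchBase=ou=groups,dc=mycompany,dc=com
populator.groupSearchFilter=(memberUid={1})
populator.groupRoleAttribute=uid
allUsernamesSearch.searchBase=ou=people,dc=mycompany,dc=com
allUsernamesSearch.searchFilter=
adminRole=uid=AdminPentahoGroup,ou=groups,dc=mycompany,dc=com
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def ldapsearch_commands(props, login_name, user_dn):
    """Terminal equivalents of the user and group queries (values assumed to contain no quotes)."""
    host = re.sub(r"^ldaps?://", "", props["contextSource.providerUrl"]).split(":")[0]
    def cmd(base, filt, attrs=""):
        return f'ldapsearch -x -h {host} -b "{base}" \'{filt}\' {attrs}'.strip()
    user_filter = props["userSearch.searchFilter"].replace("{0}", login_name)  # {0} = login name here
    group_filter = (props["populator.groupSearchFilter"]                         # {0} = user DN,
                    .replace("{0}", user_dn).replace("{1}", login_name))          # {1} = login name
    return {"user": cmd(props["userSearch.searchBase"], user_filter),
            "groups": cmd(props["populator.groupSearchBase"], group_filter,
                          props["populator.groupRoleAttribute"])}

def lint(props):
    """Problems worth catching before restarting Pentaho; returns a list of messages."""
    problems = []
    if not props.get("allUsernamesSearch.searchFilter"):
        problems.append("allUsernamesSearch.searchFilter is empty; Pentaho errors without it")
    if "{0}" not in props.get("userSearch.searchFilter", ""):
        problems.append("userSearch.searchFilter must contain the {0} login token")
    if not props.get("adminRole", "").endswith(props.get("populator.groupSearchBase", "")):
        problems.append("adminRole DN lies outside populator.groupSearchBase")
    if props.get("contextSource.password") and props["contextSource.providerUrl"].startswith("ldap://"):
        problems.append("bind password set over plain ldap://; it crosses the wire unencrypted")
    return problems
```

Run the printed commands against the real server before restarting Pentaho; a query that returns nothing in the terminal will not work from Pentaho either.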

MIREYA MARTINEZ SAIZ

Hi Ana,

Thanks a lot for the reply. I finally managed to configure my installation.

Do you know the reason for the modification of these two files? I didn't change them and my LDAP configuration works.

  • <PENTAHO_HOME>/pentaho-solutions/system/data-access/settings.xml
  • <PENTAHO_HOME>/pentaho-solutions/system/applicationContext-spring-security-ldap.xml
Ana Gonzalez

The <PENTAHO_HOME>/pentaho-solutions/system/data-access/settings.xml file is modified to adapt to your adminRole in LDAP, but it might not be necessary in modern versions of Pentaho. I have modified it in Pentaho 8, but I haven't tried without modifying it.

As for the <PENTAHO_HOME>/pentaho-solutions/system/applicationContext-spring-security-ldap.xml file, I don't remember what was supposed to be changed. I have it in my notes in case something came up later, to look for more information, but I haven't changed it either.

Regards