Pentaho Documentation

Create LDAP/JDBC Hybrid Configuration for the DI Server

Overview

Explains how to create an LDAP/JDBC Hybrid configuration on the DI Server.

You must have a working directory server with an established configuration, and a database containing your user roles before continuing.

It is possible to use a directory server for user authentication and a JDBC security table for role definitions. This is common in situations where LDAP roles cannot be redefined for DI Server use. Follow the instructions below to switch the BA Server's authentication backend from the Pentaho data access object to an LDAP/JDBC hybrid.

Note: Replace the pentahoAdmins and pentahoUsers references in the examples below with the appropriate roles from your LDAP configuration.
  1. Stop the DI Server and Spoon.
  2. Open /pentaho-solutions/system/security.properties with a text editor, then change the value of the property provider to ldap.
  3. Open /pentaho-solutions/system/pentahoObjects.spring.xml with a text editor, then find this code block and change the providerName value to jdbc.
      <!-- Reference to a bean in one of the applicationContext-pentaho-security-*.xml; selected by configured provider -->
      <pen:bean id="activeUserRoleListService" class="org.pentaho.platform.api.engine.IUserRoleListService">
        <pen:attributes>
          <pen:attr key="providerName" value="${security.provider}"/>
        </pen:attributes>
        <pen:publish as-type="INTERFACES">
          <pen:attributes>
            <pen:attr key="priority" value="50"/>
          </pen:attributes>
        </pen:publish>
      </pen:bean>
  4. Edit the /pentaho-solutions/system/applicationContext-pentaho-security-jdbc.xml file and add the following two bean definitions, changing the connection and JDBC details to match your security database.
     <!-- Connection to the database that holds the role definitions -->
     <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="org.hsqldb.jdbcDriver" />
        <property name="url" value="jdbc:hsqldb:hsql://localhost:9002/userdb" />
        <property name="username" value="sa" />
        <property name="password" value="" />
     </bean>
     <!-- Loads users and their authorities from the security database.
          The id must match the ref used by the populator bean in step 7. -->
     <bean id="jdbcUserDetailsService" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource">
           <ref local="dataSource" />
        </property>
        <!-- JdbcDaoImpl reads these columns by position: username, authority -->
        <property name="authoritiesByUsernameQuery">
           <value><![CDATA[SELECT username, authority FROM granted_authorities WHERE username = ?]]></value>
        </property>
        <!-- JdbcDaoImpl reads these columns by position: username, password, enabled -->
        <property name="usersByUsernameQuery">
           <value><![CDATA[SELECT username, password, enabled FROM users WHERE username = ?]]></value>
        </property>
     </bean>
  5. Save and close the file, then open /pentaho-solutions/system/applicationContext-pentaho-security-jdbc.xml. Find this code block and change Admin to the appropriate administrator role in your JDBC authentication database.
     <!-- map JDBC role to Pentaho security role -->
     <util:map id="jdbcRoleMap">
        <entry key="Admin" value="Administrator"/>
     </util:map>
  6. Close applicationContext-pentaho-security-jdbc.xml.
  7. Open the /pentaho-solutions/system/applicationContext-springsecurity-ldap.xml file and replace the populator bean definition with this one.
     <!-- Authorities come from the JDBC user details service defined in step 4, not from LDAP group membership -->
     <bean id="populator" class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
        <constructor-arg ref="jdbcUserDetailsService" />
     </bean>
  8. Delete the /tomcat/work/ and /tomcat/temp/ directories.
  9. If needed, configure the Pentaho LDAP connection as explained in LDAP Properties.
  10. Start the DI Server and Spoon, then log into Spoon.

The DI Server is now configured to authenticate users against your directory server and to read their roles from the JDBC security table.
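The most common way this hybrid setup fails silently is a wiring mistake in the edited Spring files: the populator's constructor-arg points at a bean id that nothing defines, a CDATA block is left unterminated so the file no longer parses, or a JdbcDaoImpl query selects columns in an order the class does not expect. The script below is an added example, not a Pentaho tool, that checks those points before the server is restarted. The file contents embedded in it are constructed stand-ins that mirror the snippets from steps 2, 4 and 7 (in practice you would read the real files from pentaho-solutions/system/); the function and constant names are this example's own.

```python
"""Sanity-check the LDAP/JDBC hybrid wiring from the procedure above.

Added example, not Pentaho's own tooling. Reports when provider is not ldap,
when a bean ref (populator constructor-arg, <ref local=...>) resolves to no
defined bean, and when a JdbcDaoImpl query does not select the columns that
JdbcDaoImpl reads by position. An ill-formed file (e.g. unterminated CDATA)
raises a ParseError, which is itself the finding.
"""
import re
import xml.etree.ElementTree as ET

NS = {"beans": "http://www.springframework.org/schema/beans"}  # standard Spring schema
BEAN = "{%s}bean" % NS["beans"]
REF = "{%s}ref" % NS["beans"]

SECURITY_PROPERTIES = "provider=ldap\n"  # constructed stand-in for security.properties

# Constructed stand-in for applicationContext-pentaho-security-jdbc.xml after step 4.
JDBC_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
  </bean>
  <bean id="jdbcUserDetailsService" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource"><ref local="dataSource"/></property>
    <property name="authoritiesByUsernameQuery">
      <value><![CDATA[SELECT username, authority FROM granted_authorities WHERE username = ?]]></value>
    </property>
    <property name="usersByUsernameQuery">
      <value><![CDATA[SELECT username, password, enabled FROM users WHERE username = ?]]></value>
    </property>
  </bean>
  <util:map id="jdbcRoleMap"><entry key="Admin" value="Administrator"/></util:map>
</beans>
"""

# Constructed stand-in for the populator bean in applicationContext-springsecurity-ldap.xml after step 7.
LDAP_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="populator" class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
    <constructor-arg ref="jdbcUserDetailsService"/>
  </bean>
</beans>
"""

# Same JDBC file with the bean left under a generic id: the populator's ref then dangles.
BROKEN_JDBC_CONTEXT = JDBC_CONTEXT.replace('id="jdbcUserDetailsService"', 'id="userDetailsService"')

# Column order JdbcDaoImpl reads by position from each query's result set.
EXPECTED_COLUMNS = {
    "usersByUsernameQuery": ["username", "password", "enabled"],
    "authoritiesByUsernameQuery": ["username", "authority"],
}

def provider(properties_text):
    """Value of the provider key in security.properties, or None."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "provider":
            return value.strip()
    return None

def bean_ids(xml_text):
    """Every id attribute defined in a Spring bean file (beans, util:map, ...)."""
    return {el.get("id") for el in ET.fromstring(xml_text).iter() if el.get("id")}

def bean_refs(xml_text):
    """Every bean id referenced via ref="..." or <ref local="..."/> / <ref bean="..."/>."""
    refs = set()
    for el in ET.fromstring(xml_text).iter():
        if el.get("ref"):
            refs.add(el.get("ref"))
        if el.tag == REF:
            refs.update(v for v in (el.get("local"), el.get("bean")) if v)
    return refs

def populator_service(ldap_xml):
    """Bean id handed to the populator's constructor, or None if absent."""
    for bean in ET.fromstring(ldap_xml).iter(BEAN):
        if bean.get("id") == "populator":
            arg = bean.find("beans:constructor-arg", NS)
            return arg.get("ref") if arg is not None else None
    return None

def query_columns(xml_text, bean_id, prop_name):
    """Lower-cased select list of the SQL stored in <value> on the given bean property."""
    for bean in ET.fromstring(xml_text).iter(BEAN):
        if bean.get("id") != bean_id:
            continue
        for prop in bean.findall("beans:property", NS):
            if prop.get("name") == prop_name:
                value = prop.find("beans:value", NS)
                sql = (value.text or "") if value is not None else ""
                m = re.match(r"\s*select\s+(.*?)\s+from\s", sql, re.I | re.S)
                return [c.strip().lower() for c in m.group(1).split(",")] if m else []
    return []

def check_hybrid_config(properties_text, jdbc_xml, ldap_xml):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if provider(properties_text) != "ldap":
        problems.append("security.properties: provider is not ldap")
    defined = bean_ids(jdbc_xml) | bean_ids(ldap_xml)
    for ref in sorted(bean_refs(jdbc_xml) | bean_refs(ldap_xml)):
        if ref not in defined:
            problems.append("unresolved bean reference: %s" % ref)
    svc = populator_service(ldap_xml)
    if svc is None:
        problems.append("populator bean has no constructor-arg ref")
    elif svc in defined:  # only inspect queries on a bean that actually exists
        for prop, cols in EXPECTED_COLUMNS.items():
            if query_columns(jdbc_xml, svc, prop) != cols:
                problems.append("%s on %s must select %s" % (prop, svc, ", ".join(cols)))
    return problems

if __name__ == "__main__":
    print("valid config:", check_hybrid_config(SECURITY_PROPERTIES, JDBC_CONTEXT, LDAP_CONTEXT) or "OK")
    print("dangling ref:", check_hybrid_config(SECURITY_PROPERTIES, BROKEN_JDBC_CONTEXT, LDAP_CONTEXT))
```

Running the script reports no problems for the wiring shown in the steps and flags `unresolved bean reference: jdbcUserDetailsService` for the variant where the JdbcDaoImpl bean was left under a different id, which is exactly the mistake that leaves every LDAP-authenticated user with no roles after restart. Point the three constants at the real files to check a live installation.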