Skip to main content
Pentaho Documentation

LDAP Properties

You can configure LDAP values by editing the /pentaho-solutions/system/applicationContext-security-ldap.properties file in your BA Server or DI Server directory, or through the User Console for the BA Server (the LDAP options in the console apply only to the BA Server, not the DI Server).

Connection Information (Context)

These entries define connections involving LDAP users (typically administrators) that can execute directory searches.

LDAP Property Purpose Example
contextSource.providerUrl LDAP connection URL contextSource.providerUrl=ldap://holly:389/DC=Valyant,DC=local
contextSource.userDn Distinguished name of a user with read access to directory contextSource.userDn=CN= Administrator, CN=Users,DC=Valyant,DC=local
contextSource.password Password for the specified user contextSource.password=secret

Users

These options control how the LDAP server is searched for user names that are entered in the Pentaho login dialog box.

Note: The {0} token will be replaced by the user name from the login dialogue.
Note: The example above defines DC=Valyant,DC=local in contextSource.providerURL. Given that definition, you would not need to repeat that in userSearch.searchBase below because it will be appended automatically to the defined value here.
LDAP Property Purpose Example
userSearch.searchBase Base (by user name) for user searches userSearch.searchBase=CN=Users
userSearch.searchFilter Filter (by user name) for user searches. The attribute you specify here must contain the value that you want your users to log into Pentaho with. Active Directory user names are represented bysAMAccountName ; full names are represented by displayName. userSearch.searchFilter= (sAMAccountName={0})

Populator

The populator matches fully distinguished user names from userSearch to distinguished role names for roles those users belong to.

Note: The {0} token will be replaced with the user DN found during a user search; the {1} token is replaced with the user name entered in the login screen.
LDAP Property Purpose Example
populator.convertToUpperCase Indicates whether or not retrieved role names are converted to uppercase populator.convertToUpperCase=false
populator.groupRoleAttribute The attribute to get role names from populator.groupRoleAttribute=cn
populator.groupSearchBase Base (by user DN or user name) for role searches. populator.groupSearchBase=ou= Pentaho
populator.groupSearchFilter The special nested group filter for Active Directory is shown in the example; this will not work with non-MSAD directory servers. populator.groupSearchFilter= (memberof:1.2.840.113556.1.4.1941: =({0}))
populator.rolePrefix A prefix to add to the beginning of the role name found in the group role attribute; the value can be an empty string. populator.rolePrefix=
populator.searchSubtree Indicates whether or not the search must include the current object and all children. If set to false, the search must include the current object only. populator.searchSubtree=true

All Authorities Search

These entries populate the BA Server Access Control List (ACL) roles. These should be similar or identical to the Populator entries.

LDAP Property Purpose Example
allAuthoritiesSearch.roleAttribute The attribute used for role values allAuthoritiesSearch.roleAttribute=cn
allAuthoritiesSearch.searchBase Base for "all roles" searches allAuthoritiesSearch.searchBase=ou= Pentaho
allAuthoritiesSearch.searchFilter Filter for "all roles" searches. Active Directory requires that the objectClass value be set to group. allAuthoritiesSearch.searchFilter= (objectClass=group)

All user name search

These entries populate the BA Server ACL users.

LDAP Property Purpose Example
allUsernamesSearch.username Attribute The attribute used for user values allUsernamesSearch.username Attribute= sAMAccountName
allUsernamesSearch.searchBase Base for "all users" searches allUsernamesSearch.searchBase= CN=users
allUsernamesSearch.searchFilter Filter for "all users" searches allUsernamesSearch.searchFilter= objectClass=person