Pentaho Documentation

Use Nested Roles in LDAP

It is possible to nest user roles so that one role includes all of the users of another role. Resolving the nesting in the BA Server, outside the core LDAP structure, avoids recursive directory queries to find all parents of a given child role. Follow the directions below to modify the BA Server to support nested roles for the LDAP and MSAD authentication types.

  1. Stop the BA Server or service.
    sh /usr/local/pentaho/server/biserver-ee/stop-pentaho.sh
    
  2. Open the /pentaho/server/biserver-ee/pentaho-solutions/system/applicationContext-spring-security-ldap.xml file with a text editor.
  3. In the bean definition with id="populator", replace DefaultLdapAuthoritiesPopulator with NestedLdapAuthoritiesPopulator, leaving the rest of the bean unchanged.
    <bean id="populator" class="org.pentaho.platform.plugin.services.security.userrole.ldap.NestedLdapAuthoritiesPopulator">
    
  4. Save the file, then edit /pentaho/server/biserver-ee/pentaho-solutions/system/applicationContext-pentaho-security-ldap.xml. This and the next step are only necessary if the roles that serve as "parents" to nested roles cannot be returned by the normal all-authorities search (the allAuthoritiesSearch bean).
  5. Add an ExtraRoles bean to the list of transformers inside the ChainedTransformer bean, between the SearchResultToAttrValueList and StringToGrantedAuthority beans, and list each parent role as a value of its extraRoles property (represented by example_role below).
    <bean id="allAuthoritiesSearch" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
        <!-- omitted -->
        <constructor-arg index="2">
            <bean class="org.apache.commons.collections.functors.ChainedTransformer">
                <constructor-arg index="0">
                    <list>
                        <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.SearchResultToAttrValueList">
                            <!-- omitted -->
                        </bean>
                        <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.ExtraRoles">
                            <property name="extraRoles">
                                <set>
                                    <value>example_role</value>
                                </set>
                            </property>
                        </bean>
                        <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.StringToGrantedAuthority">
                            <!-- omitted -->
                        </bean>
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>
    
  6. Save the file, close your text editor, and start the BA Server.
    sh /usr/local/pentaho/server/biserver-ee/start-pentaho.sh
    
The BA Server can now efficiently handle nested roles with LDAP or Active Directory authentication.
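The following shell script is an added example for steps 1 through 3 and 6; it is not part of the Pentaho documentation or product. It assumes the install path /usr/local/pentaho/server/biserver-ee (override it with PENTAHO_HOME), matches the populator bean by its id so that the Default populator is replaced whichever package it is declared in, keeps a .bak copy of the file, refuses to touch a file that does not contain the expected bean, and checks the edited file with xmllint when that tool is installed. Steps 4 and 5 remain a manual edit. The embedded sample context is constructed so the script can be rehearsed offline; it is not the file Pentaho ships.

```shell
#!/bin/sh
# Added example (not Pentaho's own tooling): apply the populator swap from
# step 3 to applicationContext-spring-security-ldap.xml and verify it before
# the server is started again. The install path is an assumption.

PENTAHO_HOME="${PENTAHO_HOME:-/usr/local/pentaho/server/biserver-ee}"
LDAP_CTX="$PENTAHO_HOME/pentaho-solutions/system/applicationContext-spring-security-ldap.xml"
NEW_CLASS='org.pentaho.platform.plugin.services.security.userrole.ldap.NestedLdapAuthoritiesPopulator'

# switch_populator FILE
# Backs FILE up to FILE.bak, then on the line that declares the bean with
# id="populator" replaces whatever ...DefaultLdapAuthoritiesPopulator class is
# there with NestedLdapAuthoritiesPopulator. Other beans are left alone.
# Returns 1 (and changes nothing) if the expected bean is not present.
switch_populator() {
  file="$1"
  grep -q 'id="populator" class="[^"]*DefaultLdapAuthoritiesPopulator"' "$file" || return 1
  cp -p "$file" "$file.bak"
  sed "/id=\"populator\"/ s|class=\"[^\"]*DefaultLdapAuthoritiesPopulator\"|class=\"$NEW_CLASS\"|" \
      "$file.bak" > "$file"
}

# check_populator FILE
# Returns 0 only if exactly one populator bean exists, it uses the nested
# class, and (when xmllint is installed) the file is still well-formed XML.
check_populator() {
  file="$1"
  [ "$(grep -c 'id="populator"' "$file")" -eq 1 ] || return 1
  grep -q "id=\"populator\" class=\"$NEW_CLASS\"" "$file" || return 1
  if command -v xmllint >/dev/null 2>&1; then
    xmllint --noout "$file" || return 1
  fi
  return 0
}

# make_sample FILE
# Writes a constructed, cut-down Spring context so the script can be
# exercised offline. It is an assumption for the demo, not Pentaho's file.
make_sample() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <constructor-arg value="ldap://localhost:389/dc=example,dc=com"/>
  </bean>
  <bean id="populator" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
    <constructor-arg index="0"><ref bean="contextSource"/></constructor-arg>
    <constructor-arg index="1" value="ou=groups"/>
  </bean>
</beans>
EOF
}

# Stand-alone run: rehearse on a constructed copy by default; only with
# --apply touch the real file, between stopping and starting the server.
case "${1:-}" in
  --apply)
    sh "$PENTAHO_HOME/stop-pentaho.sh"
    if switch_populator "$LDAP_CTX" && check_populator "$LDAP_CTX"; then
      sh "$PENTAHO_HOME/start-pentaho.sh"
    else
      echo "populator swap failed; restore from $LDAP_CTX.bak before starting" >&2
      exit 1
    fi
    ;;
  *)
    tmp=$(mktemp)
    make_sample "$tmp"
    if switch_populator "$tmp" && check_populator "$tmp"; then
      echo "rehearsal ok: $tmp (backup in $tmp.bak)"
    else
      echo "rehearsal failed on $tmp" >&2
    fi
    ;;
esac
```

Run it with no arguments first to see the edit applied to the constructed sample, then with --apply on the server host. The grep and sed patterns key on id="populator" rather than on the class name alone, so a second bean that happens to reference DefaultLdapAuthoritiesPopulator elsewhere in the context is not rewritten, and the .bak copy is what you restore from if the server refuses to start after the change.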