Pentaho Documentation

Manual LDAP/JDBC Hybrid Configuration

You might need to use a directory server for user authentication and a JDBC security table for role definitions. This is common in situations where LDAP roles can't be redefined for BA Server use. These instructions help you switch the BA Server's authentication back-end from the Pentaho data access object to an LDAP/JDBC hybrid.

Before You Begin

Before you begin configuring LDAP and JDBC for the BA Server, you'll need to verify a couple of things. 

Task | Description
Check For Functional Directory Server | Make sure that you have a working directory server with an established configuration.
Verify Database with User Roles | Verify that you have a database containing your user roles.
Verify that Server Has Been Configured for LDAP | Make sure that your server has been properly configured with LDAP.

Preparing the BA Server for Hybrid LDAP/JDBC 

After you finish the prerequisite tasks above, there are a few things that you need to do in order to set up a hybrid LDAP/JDBC configuration successfully.

These sections will guide you through the remaining steps of this process:

  • Add JDBC as Role Provider
  • Change Provider Name
  • Enter Connection Information and Map Admin Role
  • Update LDAP Populator Bean
  • Configure LDAP Connection through PUC

Make sure that you replace the pentahoAdmins and pentahoUsers references in the examples below with the appropriate roles from your LDAP configuration.

Step 1: Add JDBC as Role Provider

  1. Stop the User Console and BA Server.
  2. Locate the pentaho-solutions/system directory and open the security.properties file with any text editor.
  3. Find the provider=ldap line and add this value below it:
    role.provider=jdbc
  4. Save and close the file.

Step 2: Change Provider Name

  1. In the same directory, open the pentahoObjects.spring.xml with any text editor.
  2. Find this code block and change the providerName to jdbc.
<!-- Reference to a bean in one of the applicationContext-pentaho-security-*.xml; selected by configured provider-->
  <pen:bean id="activeUserRoleListService" class="org.pentaho.platform.api.engine.IUserRoleListService">
    <pen:attributes>
      <pen:attr key="providerName" value="${security.provider}"/>
    </pen:attributes>
  </pen:bean> 
  3. Save and close the file.

Step 3: Enter Connection Information and Map Admin Role

  1. In the pentaho-solutions/system directory, open the applicationContext-spring-security-jdbc.properties file with any text editor.
  2. Find and edit the dataSource bean to show your database connection information.
  3. Find this code block and change Admin to an appropriate administrator role for your JDBC authentication database.
    <!-- map ldap role to pentaho security role -->
    <util:map id="jdbcRoleMap">
       <entry key="Admin" value="Administrator"/>
    </util:map>
    
  4. Save and close the file.

Step 4: Update LDAP Populator Bean

  1. In the pentaho-solutions/system directory, open the applicationContext-spring-security-ldap.xml file.
  2. Find the populator bean and replace that definition as shown here:

Remove Old Bean

<bean id="populator" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
    <constructor-arg index="0">
      <ref local="contextSource" />
    </constructor-arg>
    ...
  </bean>

Add New Bean

<bean id="populator" class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
  <constructor-arg ref="jdbcUserDetailsService" />
</bean>

  3. Save and close the file.
  4. Delete the tomcat/work/ and tomcat/temp/ directories.
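
Before restarting the server in Step 5, the edits from Steps 1 and 4 can be checked mechanically, since a populator bean left on the old class means roles are still resolved from LDAP rather than from the JDBC table. The following is an added example, not part of the Pentaho documentation or code base: the function names are hypothetical and the sample file contents are constructed to match the snippets shown above.

```python
import xml.etree.ElementTree as ET

NEW_POPULATOR = ("org.springframework.security.ldap.populator."
                 "UserDetailsServiceLdapAuthoritiesPopulator")
# Constructed sample file contents in the state Steps 1 and 4 should leave them.
SAMPLE_PROPS = "provider=ldap\nrole.provider=jdbc\n"
SAMPLE_LDAP_XML = f"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="populator" class="{NEW_POPULATOR}">
    <constructor-arg ref="jdbcUserDetailsService" />
  </bean>
</beans>"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def check_hybrid(security_properties, ldap_xml):
    """Return a list of problems; empty means Steps 1 and 4 look applied."""
    problems = []
    props = parse_properties(security_properties)
    for key, want in (("provider", "ldap"), ("role.provider", "jdbc")):
        if props.get(key) != want:
            problems.append(f"security.properties: {key} should be {want}")
    beans = [e for e in ET.fromstring(ldap_xml).iter()
             if local(e.tag) == "bean" and e.get("id") == "populator"]
    if len(beans) != 1:
        return problems + [f"expected one populator bean, found {len(beans)}"]
    bean = beans[0]
    # The old class, or a class name broken across lines, both fail this check.
    if bean.get("class") != NEW_POPULATOR:
        problems.append(f"populator bean has class {bean.get('class')!r}")
    refs = [c.get("ref") for c in bean if local(c.tag) == "constructor-arg"]
    if refs != ["jdbcUserDetailsService"]:
        problems.append("populator constructor-arg must ref jdbcUserDetailsService")
    return problems

if __name__ == "__main__":
    print(check_hybrid(SAMPLE_PROPS, SAMPLE_LDAP_XML) or "hybrid LDAP/JDBC settings look consistent")
```

To run it against a real installation, pass the text of security.properties and of the LDAP Spring context file from pentaho-solutions/system to check_hybrid.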

Step 5: Configure LDAP Connection through PUC

  1. Start the BA Server and User Console.
  2. Log into the User Console.
  3. Configure the Pentaho LDAP connection as explained in LDAP Properties.

The BA Server is configured to authenticate users against your directory server.