Some LDAP implementations, most notably Microsoft Active Directory, treat user names case-insensitively. If the user name typed into the login screen does not exactly match the letter case of that user's ID in the directory, the server will authenticate it anyway, and the resulting session may have improper access to parts of the BA Server. For example, if Bill is the valid user ID and someone types bILL at the User Console login screen, the incorrectly cased name will authenticate, but that session may have improper access to parts of the BA Server.
Follow these instructions to force case-sensitivity and fix this potential security risk.
- Stop the BA Server.
- Edit the /pentaho/server/biserver-ee/pentaho-solutions/system/applicationContext-spring-security-ldap.xml file.
- Find the daoAuthenticationProvider bean and, below the last </constructor-arg> in it, add the <property> definition shown in the example:
  <property name="userDetailsContextMapper">
    <ref local="ldapContextMapper" />
  </property>
- After the </bean> tag for daoAuthenticationProvider, add the following bean definition, changing the ldapUsernameAttribute from samAccountName to the value that matches your environment:
  <bean id="ldapContextMapper" class="org.pentaho.platform.engine.security.UseridAttributeLdapContextMapper">
    <property name="ldapUsernameAttribute" value="samAccountName" />
  </bean>
- Start the BA Server.
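The following simulation is an added example, not Pentaho or Spring Security code, showing why the case of the authenticated name matters and what the context mapper above achieves. It models a directory that binds case-insensitively (as Active Directory does) next to an application whose access-control table is keyed by the exact user-name string; the directory entry, password and ACL table are constructed for the demonstration. The "before" login keeps the name as typed, so bILL authenticates but its ACL lookup misses; the "after" login replaces the typed name with the value of the directory attribute (the role the ldapUsernameAttribute setting plays), so the session always carries the canonical spelling.

```python
"""Constructed model of case-insensitive LDAP binds versus case-sensitive ACLs.

Nothing here is the BA Server's own code. The directory, the password and
the ACL table are made up for the demonstration.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed directory: entries keyed by DN, each carrying the attribute the
# bean definition above refers to (samAccountName) and a password digest.
DIRECTORY = {
    "CN=Bill,OU=Users,DC=example,DC=com": {
        "samAccountName": "Bill",
        "password_sha256": hashlib.sha256(b"correct horse").hexdigest(),
    },
}

# Constructed application ACL table, keyed case-SENSITIVELY by user name.
# This is what makes the letter case of the authenticated principal matter.
ACL = {
    "Bill": {"Authenticated", "Report Author"},
}


@dataclass
class Principal:
    username: str
    roles: set = field(default_factory=set)


def ldap_bind(username, password):
    """Case-insensitive bind, returning the matching entry or None.

    Mirrors an AD-style directory that accepts 'bILL' for the account 'Bill'
    as long as the password is correct.
    """
    digest = hashlib.sha256(password.encode()).hexdigest()
    for entry in DIRECTORY.values():
        if entry["samAccountName"].lower() == username.lower():
            if hmac.compare_digest(digest, entry["password_sha256"]):
                return entry
            return None
    return None


def login_without_mapper(username, password):
    """Before the fix: the string the user typed becomes the principal name,
    so the ACL lookup is done with whatever case the user happened to use."""
    entry = ldap_bind(username, password)
    if entry is None:
        return None
    return Principal(username, set(ACL.get(username, set())))


def login_with_mapper(username, password):
    """After the fix: the principal name is taken from the directory
    attribute, so ACL lookups always use the canonical spelling."""
    entry = ldap_bind(username, password)
    if entry is None:
        return None
    canonical = entry["samAccountName"]
    return Principal(canonical, set(ACL.get(canonical, set())))


if __name__ == "__main__":
    for typed in ("Bill", "bILL"):
        before = login_without_mapper(typed, "correct horse")
        after = login_with_mapper(typed, "correct horse")
        print(f"typed {typed!r}: without mapper -> {before}; with mapper -> {after}")
```

Run as a script to see the two outcomes side by side: without the mapper, bILL authenticates as a principal named bILL with no matching ACL entry, while with the mapper both spellings resolve to the single principal Bill. In a deployment the equivalent check is to log in with a deliberately mis-cased name after applying the configuration above and confirm that the session's user name matches the directory's spelling.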