Skip to main content
Pentaho Documentation

LDAP security

Parent article

To use Lightweight Directory Access Protocol (LDAP) for user security, you must switch from the default Pentaho security to LDAP, then you must configure LDAP.

Switch to LDAP

To connect to your LDAP server, you must import the certificate into the JRE's truststore/keystore used by the Pentaho Server (java/lib/security/cacerts).

Procedure

  1. From the User Console Home menu, click Administration, then select Authentication from the left.

    The Authentication interface appears. Local - Use basic Pentaho Authentication is selected by default.
  2. Select the External - Use LDAP / Active Directory server option.

    User console authentication set to external The LDAP Server Connection fields populate with a default URL, user name, and password.
  3. Change the Server URL, User Name, and Password as needed.

  4. Click Test Server Connection to verify the connection to your LDAP server and to complete the set up.

  5. Click the node to select the Pentaho System Administrator user and role to match your LDAP configuration, then click OK.

    NoteThe Admin user is required for all system-related operations, including the creation of user folders. The Administrator Role is required for mapping a third-party admin role to the Pentaho admin role (Administrator). This is required for all ABS functionality to work properly.
  6. Select your LDAP Provider from the drop-down menu.

  7. Configure the LDAP connection as explained in LDAP properties.

  8. Stop the Pentaho server.

  9. You may be using monitoring functions on your server, such as SNMP. Whether you are using monitoring or not, you will need to perform the following configuration file changes:

    • If you are using monitoring, do the following:
      1. In a text editor, open the pentaho.jms.cfg file in the server/pentaho-server/pentaho-solutions/system/karaf/etc folder.
      2. Change the username and password to match the values defined previously in this task.
      3. Save and close the file.
    • If you are not using monitoring, do the following:
      1. In a text editor, open the org.apache.karaf.features.cfg file located in the server/pentaho-server/pentaho-solutions/system/karaf/etc folder.
      2. Remove the following line: pentaho-monitoring-to-snmp
      3. Save and close the file.
      4. Delete the contents of all the sub-folders in the server/pentaho-server/pentaho-solutions/system/karaf/caches/default/ folder
  10. Restart the Pentaho Server and test the LDAP functionality..

Results

The Pentaho Server is now configured to authenticate users against your LDAP directory server.

Manual configuration

You must have a working LDAP server with an established configuration before continuing. Follow the instructions below to manually switch from Pentaho default security to LDAP security.

Procedure

  1. Stop the Pentaho Server.

  2. Edit the securities.properties file located in the /pentaho-solutions/system folder.

    1. Change provider=jackrabbit to provider=ldap

    2. Save and close the file.

  3. Edit the /pentaho-solutions/system/applicationContext-security-ldap.properties file.

    1. Modify the settings to match your LDAP configuration.

      userSearch.searchBase=OU\=YourDomainCustomerCareUsers,DC\=YourDomainCustomerCare,DC\=com
      allAuthoritiesSearch.roleAttribute=cn
      allAuthoritiesSearch.searchBase=OU\=YourDomainCustomerCareGroups,DC\=YourDomainCustomerCare,DC\=com
      userSearch.searchFilter=(sAMAccountName\={0})
      allUsernamesSearch.searchFilter=objectClass\=Person
      allAuthoritiesSearch.searchFilter= (objectClass\=group)
      providerType=ldapCustomConfiguration
      contextSource.userDn=youradminUser@YourDomaincustomercare.com
      populator.rolePrefix=
      allUsernamesSearch.searchBase=OU\=YourDomainCustomerCareUsers,DC\=YourDomainCustomerCare,DC\=com
      adminUser=CN\=YourAdminUserDN,OU\=OrlandoFL,OU\=NAMER,OU\=Support,OU\=YourDomainCustomerCareUsers,DC\=YourDomainCustomerCare,DC\=com
      adminRole=CN\=YourAdminRole,OU\=YourDomainCustomerCareGroups,DC\=YourDomainCustomerCare,DC\=com
      populator.groupSearchBase=OU\=YourDomainCustomerCareGroups,DC\=YourDomainCustomerCare,DC\=com
      populator.convertToUpperCase=false
      populator.searchSubtree=false
      allUsernamesSearch.usernameAttribute=sAMAccountName
      populator.groupRoleAttribute=cn
      contextSource.providerUrl=ldap\://10.100.7.17\:389
      contextSource.password=********
      populator.groupSearchFilter=(member\={0})
      
    2. Save and close the file.

  4. Edit the /pentaho/server/pentaho-server/pentaho-solutions/system/repository.spring.properties file.

    1. Replace admin in the following line: singleTenanatAdminUserName=admin with the value of the adminUser’ssAMAccountName as defined in the applicationContext-security-ldap.properties file.

    2. Save and close the file.

  5. Delete the following directory: /pentaho/server/pentaho-server/pentaho-solutions/system/jackrabbit/repository

    CautionDo not delete the repository.xml file, which is also located in the following directory: /pentaho-server/pentaho-solutions/system/jackrabbit
  6. You may be using monitoring functions on your Pentaho Server, such as SNMP. Whether you are using monitoring or not, you will need to perform the following configuration file changes:

    • If you are using monitoring, do the following:
      1. Open the /pentaho-server/pentaho-solutions/system/karaf/etc/pentaho.jms.cfg file and change the userName and password to match the values defined in Step 4.
    • If you are not using monitoring, do the following:
      1. Open the pentaho-solutions/system/karaf/etc/org.apache.karaf.features.cfg, and
      2. Find and remove the following line:
        pentaho-monitoring-to-snmp,pentaho-monitoring-jms-broker,
        
      3. Save and close the file.
      4. Delete the contents of the pentaho-solutions/system/karaf/caches/default/* folder/folders.
  7. Restart the Pentaho Server and test the LDAP functionality.

Results

The Pentaho Server is now configured to authenticate users against your directory server. The LDAP properties reference article contains supplemental information for LDAP values.

Use nested roles

It is possible to nest user roles such that one role includes all of the users of another role. Doing this external to the core LDAP structure prevents recursive directory queries to find all parents of a given child role. Follow the directions below to modify the Pentaho Server to support nested roles for LDAP and MSAD authentication types.

Procedure

  1. Stop the Pentaho Server or service.

    sh /usr/local/pentaho/server/pentaho-server/stop-pentaho.sh
  2. Open the /pentaho/server/pentaho-server/pentaho-solutions/system/applicationContext-spring-security-ldap.xml file with a text editor.

  3. In the populator bean definition, replace DefaultLdapAuthoritiesPopulator with: NestedLdapAuthoritiesPopulator

    <bean id="populator" class="org.pentaho.platform.plugin.services.security.userrole.ldap.NestedLdapAuthoritiesPopulator">
  4. Save the file, then edit /pentaho/server/pentaho-server/pentaho-solutions/system/applicationContext-pentaho-security-ldap.xml.

    This and the next step are only necessary if the roles that serve as "parents" to nested roles cannot be returned by a traditional all authorities search.
  5. Add an extraRoles bean to the list of transformers in the ChainedTransformers bean, and set properties for each parent role (represented by example_role below).

    <bean id="allAuthoritiesSearch" class="org.pentaho.platform.plugin.services​.security.userrole.ldap.search.GenericLdapSearch">
        <!-- omitted -->
        <constructor-arg index="2">
            <bean class="org.apache.commons.collections.functors.ChainedTransformer">
                <constructor-arg index="0">
                    <list>
                        <bean class="org.pentaho.platform.plugin.services.security.​userrole.ldap.transform.SearchResultToAttrValueList">
                            <!-- omitted -->
                        </bean>
                        <bean class="org.pentaho.platform.plugin.services.security.userrole.​ldap.transform.ExtraRoles">
                            <property name="extraRoles">
                                <set>
                                    <value>example_role</value>
                                </set>
                            </property>
                        </bean>
                        <bean class="org.pentaho.platform.plugin.services.security.​userrole.ldap.transform.StringToGrantedAuthority">
                            <!-- omitted -->
                        </bean>
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>
  6. Save the file, close your text editor, and start the Pentaho Server.

    sh /usr/local/pentaho/server/pentaho-server/start-pentaho.sh

Results

The Pentaho Server can now handle nested roles with LDAP or Active Directory authentication.

LDAP properties

You can configure LDAP values by editing the /pentaho-solutions/system/applicationContext-security-ldap.properties file in your Pentaho Server folder.

Connection information (context)

These entries define connections involving LDAP users (typically administrators) that can execute folder searches.
LDAP PropertyPurposeExample
context.Source.providerUrlLDAP connection URLcontextSource.providerUrl=ldap://holly:389/DC=Valyant,DC=local
contextSource.userDnDistinguished name of a user with read access to directorycontextSource.userDn=CN= Administrator, CN=Users,DC=Valyant,DC=local
contextSource.passwordPassword for the specified usercontextSource.password=secret

Users

These options control how the LDAP server is searched for user names that are entered in the Pentaho login dialog box.
NoteThe {0} token will be replaced by the user name from the login dialog box.
NoteThe example above defines DC=Valyant,DC=local in contextSource.providerURL. Given that definition, you would not need to repeat that in userSearch.searchBase below because it will be appended automatically to the defined value here.
LDAP PropertyPurposeExample
userSearch.searchBaseBase (by user name) for user searchesuserSearch.searchBase=CN=Users
userSearch.searchFilterFilter (by user name) for user searches. The attribute you specify here must contain the value that you want your users to log into Pentaho with. Active Directory user names are represented by sAMAccountName; full names are represented by displayName.userSearch.searchFilter=(sAMAccountName={0})

Populator

The populator matches fully distinguished user names from userSearch to distinguished role names for roles those users belong to.
NoteThe {0} token will be replaced with the user DN found during a user search; the {1} token is replaced with the user name entered in the login screen.
LDAP PropertyPurposeExample
populator.convertToUpperCaseIndicates whether or not retrieved role names are converted to uppercasepopulator.convertToUpperCase=false
populator.groupRoleAttributeThe attribute to get role names frompopulator.groupRoleAttribute=cn
populator.groupSearchBaseBase (by user DN or user name) for role searches.populator.groupSearchBase=ou= Pentaho
populator.groupSearchFilterThe special nested group filter for Active Directory is shown in the example; this will not work with non-MSAD directory servers.populator.groupSearchFilter= (memberof:1.2.840.113556.1.4.1941: =({0}))
populator.rolePrefixA prefix to add to the beginning of the role name found in the group role attribute; the value can be an empty string.populator.rolePrefix=
populator.searchSubtreeIndicates whether or not the search must include the current object and all children. If set to false, the search must include the current object only.populator.searchSubtree=true

All authorities search

These entries populate the Pentaho Server Access Control List (ACL) roles. These should be similar or identical to the populator entries.
LDAP PropertyPurposeExample
allAuthoritiesSearch.roleAttributeThe attribute used for role valuesallAuthoritiesSearch.roleAttribute=cn
allAuthoritiesSearch.searchBaseBase for "all roles" searchesallAuthoritiesSearch.searchBase=ou= Pentaho
allAuthoritiesSearch.searchFilterFilter for "all roles" searches. Active Directory requires that the objectClass value be set to group.allAuthoritiesSearch.searchFilter= (objectClass=group)

All user name search

These entries populate the Pentaho Server ACL users.
LDAP PropertyPurposeExample
allUsernamesSearch.username AttributeThe attribute used for user valuesallUsernamesSearch.username Attribute= sAMAccountName
allUsernamesSearch.searchBaseBase for "all users" searchesallUsernamesSearch.searchBase= CN=users
allUsernamesSearch.searchFilterFilter for "all users" searchesallUsernamesSearch.searchFilter= objectClass=person