MSAD security
To use Microsoft Active Directory (MSAD) for user security, you must switch from the default Pentaho security to MSAD, then you must configure MSAD.
Switch to MS Active Directory
Procedure
From the User Console Home menu, click Administration, then select Authentication from the left. The Authentication interface appears.
Local - Use basic Pentaho Authentication is selected by default. Select the External - Use LDAP / Active Directory server option.
The LDAP Server Connection fields populate with a default URL, user name, and password. Change the Server URL, User Name, and Password to match your domain controller and the account Pentaho will bind with.
Click Test Server Connection to verify the connection to your server and to complete the setup.
Click the Browse buttons to select the Pentaho System Administrator user and role to match your configuration. Click OK.
The text box auto-populates with the selected values. Select Custom Configuration.
For Users:
For Search Base, enter the DN of the container where your users are located.
CN=Users,DC=MyDomain,DC=com
For Search Filter, enter a filter on the attribute that users log in with. {0} is replaced with the user name typed at login.
(sAMAccountName={0})
For Roles:
For Role Attributes, enter the attribute whose value is used as the role name.
CN
For Role Search Filter, enter a filter on the objectClass that identifies an entry as a role or group.
(objectClass=group)
For Role Search Base, enter the DN of the container where your roles or groups are located.
OU=groups,DC=MyDomain,DC=com
For Populator:
For Group Role Attribute, enter the attribute whose value is used as the group name.
CN
For Group Search Base, enter the DN of the container where your groups are located.
OU=groups,DC=MyDomain,DC=com
For Group Search Filter, enter the filter that finds the groups a user belongs to. {0} is replaced with the DN of the authenticated user, so this filter matches only groups that list that DN directly in their member attribute.
(member={0})
Note: The following filter works only with Microsoft Active Directory. To search down the entire tree and also return nested MSAD groups, enter the following Group Search Filter instead:
(member:1.2.840.113556.1.4.1941:={0})
The same setting in applicationContext-security-ldap.properties is populator.groupSearchFilter=(member:1.2.840.113556.1.4.1941:={0}).
Click Test.
The LDAP Populator Test dialog box opens. Enter the LDAP/MSAD User Name and User DN, then click OK.
The groups and roles that the user is a member of in Microsoft Active Directory are listed. Click Close to close the results window, and then click Save.
Delete the server/pentaho-server/pentaho-solutions/system/karaf/caches folder.
Restart the Pentaho Server.
Manual configuration
After you have switched Pentaho to authenticate against Active Directory, you can refine the MSAD configuration with the settings below, which are made in applicationContext-security-ldap.properties and, for referrals, in the Spring bean definition.
Binding
MSAD lets you identify the bind user in two ways (Kerberos notation or Windows domain notation) in addition to the standard Distinguished Name (DN) method. If the standard DN is not working, try one of the following methods. Each of the following examples is shown in the context of the userDn property of the Spring Security DefaultSpringSecurityContextSource bean. You may need to use the same notation (Kerberos or Windows domain) in all your DN patterns.
With a simple bind, the value of contextSource.password is sent to the server as-is, so use an ldaps:// URL (or an otherwise encrypted connection) rather than plain ldap:// on port 389 where possible, and restrict read access to the properties file, which stores the bind password in cleartext.
The following code block is an example of the Kerberos notation for pentahoadmin@mycompany.com:
File: applicationContext-security-ldap.properties
contextSource.providerUrl=ldap\://mycompany\:389
contextSource.userDn=pentahoadmin@mycompany.com
contextSource.password=omitted
The following code block is an example of the Windows domain notation for MYCOMPANY\pentahoadmin. In a .properties file the backslash is an escape character, and a backslash before an ordinary letter is silently dropped when the file is loaded, so the domain separator must be written as \\ for the value to load as MYCOMPANY\pentahoadmin:
File: applicationContext-security-ldap.properties
contextSource.providerUrl=ldap\://mycompany\:389
contextSource.userDn=MYCOMPANY\\pentahoadmin
contextSource.password=omitted
Referrals
If more than one Active Directory instance serves the directory information, it may be necessary to enable referral following, as shown in the following code block. This is accomplished by adding the referral property to the DefaultSpringSecurityContextSource bean. With referral following enabled, the client connects to whatever server a referral names and binds there with the same credentials, so enable it only when every domain controller that can be referred to is trusted and reachable from the Pentaho Server.
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <constructor-arg value="${contextSource.providerUrl}"/>
  <property name="userDn" value="${contextSource.userDn}"/>
  <property name="password" value="${contextSource.password}"/>
  <property name="referral" value="follow"/>
</bean>
Nested groups
In the Populator Group Search Filter (populator.groupSearchFilter in applicationContext-security-ldap.properties), enter the following filter to resolve MSAD nested groups:
populator.groupSearchFilter=(member:1.2.840.113556.1.4.1941:={0})
This filter uses the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), which makes the server follow the member attribute transitively, so a user who belongs to a group that is itself a member of another group receives both groups as roles, whereas (member={0}) returns only groups that list the user's DN directly. The walk is done server-side and can be slow on large directories, and the matching rule is not supported by LDAP servers other than Active Directory.
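The following is an added example, not Pentaho's or Spring Security's code, serving both the Populator step of the procedure above and this Nested groups section: a toy in-memory Active Directory (all entries constructed) that evaluates the three filters configured on this page, (sAMAccountName={0}), (member={0}) and (member:1.2.840.113556.1.4.1941:={0}), against the page's search bases. It shows the difference between direct and nested group resolution for the same user, and why the value substituted for {0} must be filter-escaped so that a login name such as * cannot widen the user search. The escaping and wildcard rules follow RFC 4515; the directory contents, group names and the simplified matching are assumptions of the example.

```python
# Added example (not Pentaho's or Spring Security's code): a toy in-memory AD that
# evaluates the page's filters so (member={0}) versus the in-chain filter, and the
# effect of escaping {0}, can be checked offline. Every entry is constructed.
import re
from typing import Dict, List

DIRECTORY: Dict[str, Dict[str, List[str]]] = {   # DN -> lowercase attribute names
    "CN=jdoe,CN=Users,DC=MyDomain,DC=com": {
        "objectclass": ["user"], "samaccountname": ["jdoe"]},
    "CN=asmith,CN=Users,DC=MyDomain,DC=com": {
        "objectclass": ["user"], "samaccountname": ["asmith"]},
    "CN=Analysts,OU=groups,DC=MyDomain,DC=com": {
        "objectclass": ["group"], "cn": ["Analysts"],
        "member": ["CN=jdoe,CN=Users,DC=MyDomain,DC=com"]},
    # ReportConsumers does not list jdoe; it contains the Analysts group.
    "CN=ReportConsumers,OU=groups,DC=MyDomain,DC=com": {
        "objectclass": ["group"], "cn": ["ReportConsumers"],
        "member": ["CN=Analysts,OU=groups,DC=MyDomain,DC=com"]},
    "CN=Administrators,OU=groups,DC=MyDomain,DC=com": {
        "objectclass": ["group"], "cn": ["Administrators"],
        "member": ["CN=asmith,CN=Users,DC=MyDomain,DC=com"]},
}
USER_SEARCH_BASE = "CN=Users,DC=MyDomain,DC=com"     # the page's Search Base
GROUP_SEARCH_BASE = "OU=groups,DC=MyDomain,DC=com"   # the page's Group Search Base
ROLE_ATTRIBUTE = "cn"                                # the page's Group Role Attribute

def filter_escape(value: str) -> str:
    """RFC 4515 escaping of a value substituted for {0}: '*', '(', ')', '\\' and NUL
    become \\XX so a login name can never act as a wildcard or close the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(segment: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)

def value_matches(assertion: str, value: str) -> bool:
    """Equality/substring assertion as a server evaluates it: an unescaped '*' is a
    wildcard, '\\XX' is a literal; AD compares these attributes case-insensitively."""
    parts = [_unescape(p).lower() for p in assertion.split("*")]
    v = value.lower()
    if len(parts) == 1:
        return v == parts[0]
    if not (v.startswith(parts[0]) and v.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = v.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(v) - len(parts[-1])

def _in_base(dn: str, base: str) -> bool:
    return dn.lower().endswith("," + base.lower())

def search_user(login: str, escape: bool = True) -> List[str]:
    """(sAMAccountName={0}) below the user Search Base. escape=False substitutes the
    raw login, which is exactly the mistake the escaping exists to prevent."""
    assertion = filter_escape(login) if escape else login
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_base(dn, USER_SEARCH_BASE)
            and any(value_matches(assertion, v) for v in attrs.get("samaccountname", []))]

def groups_direct(user_dn: str) -> List[str]:
    """(member={0}) with (objectClass=group) below the Group Search Base."""
    return sorted(attrs[ROLE_ATTRIBUTE][0] for dn, attrs in DIRECTORY.items()
                  if _in_base(dn, GROUP_SEARCH_BASE) and "group" in attrs["objectclass"]
                  and any(m.lower() == user_dn.lower() for m in attrs.get("member", [])))

def groups_in_chain(user_dn: str) -> List[str]:
    """(member:1.2.840.113556.1.4.1941:={0}): LDAP_MATCHING_RULE_IN_CHAIN follows
    member transitively; only entries under the Group Search Base are returned."""
    found: List[str] = []
    frontier = [user_dn.lower()]
    while frontier:                      # breadth-first walk; 'found' breaks cycles
        nxt = []
        for dn, attrs in DIRECTORY.items():
            if "group" in attrs["objectclass"] and dn not in found and \
               any(m.lower() in frontier for m in attrs.get("member", [])):
                found.append(dn)
                nxt.append(dn.lower())
        frontier = nxt
    return sorted(DIRECTORY[dn][ROLE_ATTRIBUTE][0] for dn in found
                  if _in_base(dn, GROUP_SEARCH_BASE))

def roles_for_login(login: str, nested: bool) -> List[str]:
    """What the populator ends up with: exactly one user DN, then its groups."""
    matches = search_user(login)
    if len(matches) != 1:                # the user search must be unambiguous
        raise ValueError(f"expected exactly one user for {login!r}, got {len(matches)}")
    return (groups_in_chain if nested else groups_direct)(matches[0])

if __name__ == "__main__":
    print(roles_for_login("jdoe", nested=False))   # ['Analysts']
    print(roles_for_login("jdoe", nested=True))    # ['Analysts', 'ReportConsumers']
    print(search_user("*"), search_user("*", escape=False))
```

The last print shows the escaping at work: with the login escaped, * matches no account, while substituted raw it matches every user under the search base, which is why the user search must never be built from an unescaped login name.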
See also
The LDAP Properties reference article contains supplemental information for LDAP values.
Manage users and roles in the Pentaho User Console (PUC).