LDAP Properties
You can configure LDAP values by editing the /pentaho-solutions/system/applicationContext-security-ldap.properties file in your BA Server or DI Server directory, or through the User Console for the BA Server (the LDAP options in the console apply only to the BA Server, not the DI Server).
Connection Information (Context)
These entries define connections involving LDAP users (typically administrators) that can execute directory searches.
| LDAP Property | Purpose | Example |
|---|---|---|
| contextSource.providerUrl | LDAP connection URL | contextSource.providerUrl=ldap://holly:389/DC=Valyant,DC=local |
| contextSource.userDn | Distinguished name of a user with read access to directory | contextSource.userDn=CN= Administrator, CN=Users,DC=Valyant,DC=local |
| contextSource.password | Password for the specified user | contextSource.password=secret |
Users
These options control how the LDAP server is searched for user names that are entered in the Pentaho login dialog box.
| LDAP Property | Purpose | Example |
|---|---|---|
| userSearch.searchBase | Base (by user name) for user searches | userSearch.searchBase=CN=Users |
| userSearch.searchFilter | Filter (by user name) for user searches. The attribute you specify here must contain the value that you want your users to log into Pentaho with. Active Directory user names are represented bysAMAccountName ; full names are represented by displayName. | userSearch.searchFilter= (sAMAccountName={0}) |
Populator
The populator matches fully distinguished user names from userSearch to distinguished role names for roles those users belong to.
| LDAP Property | Purpose | Example |
|---|---|---|
| populator.convertToUpperCase | Indicates whether or not retrieved role names are converted to uppercase | populator.convertToUpperCase=false |
| populator.groupRoleAttribute | The attribute to get role names from | populator.groupRoleAttribute=cn |
| populator.groupSearchBase | Base (by user DN or user name) for role searches. | populator.groupSearchBase=ou= Pentaho |
| populator.groupSearchFilter | The special nested group filter for Active Directory is shown in the example; this will not work with non-MSAD directory servers. | populator.groupSearchFilter= (memberof:1.2.840.113556.1.4.1941: =({0})) |
| populator.rolePrefix | A prefix to add to the beginning of the role name found in the group role attribute; the value can be an empty string. | populator.rolePrefix= |
| populator.searchSubtree | Indicates whether or not the search must include the current object and all children. If set to false, the search must include the current object only. | populator.searchSubtree=true |
All Authorities Search
These entries populate the BA Server Access Control List (ACL) roles. These should be similar or identical to the Populator entries.
| LDAP Property | Purpose | Example |
|---|---|---|
| allAuthoritiesSearch.roleAttribute | The attribute used for role values | allAuthoritiesSearch.roleAttribute=cn |
| allAuthoritiesSearch.searchBase | Base for "all roles" searches | allAuthoritiesSearch.searchBase=ou= Pentaho |
| allAuthoritiesSearch.searchFilter | Filter for "all roles" searches. Active Directory requires that the objectClass value be set to group. | allAuthoritiesSearch.searchFilter= (objectClass=group) |
All user name search
These entries populate the BA Server ACL users.
| LDAP Property | Purpose | Example |
|---|---|---|
| allUsernamesSearch.username Attribute | The attribute used for user values | allUsernamesSearch.username Attribute= sAMAccountName |
| allUsernamesSearch.searchBase | Base for "all users" searches | allUsernamesSearch.searchBase= CN=users |
| allUsernamesSearch.searchFilter | Filter for "all users" searches | allUsernamesSearch.searchFilter= objectClass=person |