LDAP Properties
Connection Information (Context)
These entries define the connection to the LDAP server and the user/password used to perform directory searches against it.
| LDAP Property | Purpose | Example |
|---|---|---|
| contextSource.providerUrl | LDAP connection URL | contextSource.providerUrl=ldap://holly:389/DC=Valyant,DC=local |
| contextSource.userDn | Distinguished name of a user with read access to directory | contextSource.userDn=CN=Administrator,CN=Users,DC= Valyant,DC=local |
| contextSource.password | Password for the specified user | contextSource.password=secret |
Users
These options control how the LDAP server is searched for usernames that are entered in the Pentaho login dialog box.
The {0} token is replaced by the username from the login dialog.
The example above defines DC=Valyant,DC=local in contextSource.providerURL. Given that definition, you would not need to repeat that in userSearch.searchBase below because it is appended automatically to the defined value here.
| LDAP Property | Purpose | Example |
|---|---|---|
| userSearch.searchBase | Base (by username) for user searches | userSearch.searchBase=CN=Users |
| userSearch.searchFilter | Filter (by username) for user searches. The attribute you specify here must contain the value that you want your users to log into Pentaho with. Active Directory usernames are represented by sAMAccountName; full names are represented by displayName. | userSearch.searchFilter= (sAMAccountName={0}) |
Populator
The populator matches fully distinguished user names from userSearch to distinguished role names for roles those users belong to.
The {0} token will be replaced with the user DN found during a user search; the {1} token is replaced with the username entered in the login screen.
| LDAP Property | Purpose | Example |
|---|---|---|
| populator.convertToUpperCase | Indicates whether or not retrieved role names are converted to uppercase | populator.convertToUpperCase=false |
| populator.groupRoleAttribute | The attribute to get role names from | populator.groupRoleAttribute=cn |
| populator.groupSearchBase | Base (by user DN or username) for role searches. | populator.groupSearchBase=ou= Pentaho |
| populator.groupSearchFilter | The special nested group filter for Active Directory is shown in the example; this will not work with non-MSAD directory servers. | populator.groupSearchFilter= (memberof:1.2.840.113556.1.4.1941:= ({0})) |
| populator.rolePrefix | A prefix to add to the beginning of the role name found in the group role attribute; the value can be an empty string. | populator.rolePrefix= |
| populator.searchSubtree | Indicates whether or not the search must include the current object and all children. If set to false, the search must include the current object only. | populator.searchSubtree=true |
All Authorites Search
These entries populate roles that appear in the Admin tab . These should be similar or identical to the Populator entries.
| LDAP Property | Purpose | Example |
|---|---|---|
| allAuthoritiesSearch.roleAttribute | The attribute used for role values | allAuthoritiesSearch.roleAttribute=cn |
| allAuthoritiesSearch.searchBase | Base for all roles searches | allAuthoritiesSearch.searchBase=ou= Pentaho |
| allAuthoritiesSearch.searchFilter | Filter for all roles searches. Active Directory requires that the objectClass value be set to group. | allAuthoritiesSearch.searchFilter= (objectClass=group) |
All User Name Search
These entries populate the users that appear on the Admin tab and can only be set manually in the /pentaho-solutions/system/applicationContext-security-ldap.properties file. These entities are not made available in the User Console.
| LDAP Property | Purpose | Example |
|---|---|---|
| allUsernamesSearch.usernameAttribute | The attribute used for user values | allUsernamesSearch. usernameAttribute=sAMAccountName |
| allUsernamesSearch.searchBase | Base for "all users" searches | allUsernamesSearch.searchBase= CN=users |
| allUsernamesSearch.searchFilter | Filter for "all users" searches | allUsernamesSearch.searchFilter= objectClass=person |