Skip to main content
Hitachi Vantara Lumada and Pentaho Documentation

Manual MSAD Configuration

Before you can manually make changes to the Microsoft Active Directory (MSAD) configuration; you must configure Pentaho to authenticate against Active Directory as described here.  


MSAD allows you to uniquely specify users in two ways (Kerberos notation or Windows domain notation), in addition to the standard Distinguished Name (DN) method. If the standard DN is not working, try one of the following methods. Each of the following examples is shown in the context of the userDn property of the Spring Security DefaultSpringSecurityContextSource bean.

The examples in this section use DefaultSpringSecurityContextSource. You may need to use the same notation (Kerberos or Windows domain) in all your DN patterns.

The following code block is an example of the Kerberos notation for



The following code block is an example of the Windows domain notation for MYCOMPANY\pentahoadmin:




If more than one Active Directory instance is serving folder information, it may be necessary to enable referral, shown in the following code block. This is accomplished by modifying the DefaultSpringSecurityContextSource bean:

<bean id="contextSource" class="">
    <constructor-arg value="${contextSource.providerUrl}"/>
    <property name="userDn" value="${contextSource.userDn}"/>
    <property name="password" value="${contextSource.password}"/>
    <property name="referral" value="follow" />

Nested Groups

You can pull nested groups for Pentaho within Microsoft Active Directory.

In the populator group search filter, enter the following filter for MSAD nested groups:


This filter will search down the entire tree of nested groups. Please note that this attribute only works for Microsoft Active Directory configurations.

See Also

The LDAP Properties reference article contains supplemental information for LDAP values. 

Learn more

Manage users and roles in the Pentaho User Console (PUC).

Learn more