LDAP Properties
You can configure LDAP values by editing the /pentaho-solutions/system/applicationContext-security-ldap.properties file in your Pentaho Server folder.
Connection Information (Context)
These entries define connections involving LDAP users (typically administrators) that can execute folder searches.
LDAP Property | Purpose | Example |
---|---|---|
contextSource.providerUrl | LDAP connection URL | contextSource.providerUrl=ldap://holly:389/DC=Valyant,DC=local |
contextSource.userDn | Distinguished name of a user with read access to the directory | contextSource.userDn=CN=Administrator,CN=Users,DC=Valyant,DC=local |
contextSource.password | Password for the specified user | contextSource.password=secret |
Users
These options control how the LDAP server is searched for user names that are entered in the Pentaho login dialog box.
The {0} token will be replaced by the user name from the login dialog box.
The example above defines DC=Valyant,DC=local in contextSource.providerUrl. Given that definition, you do not need to repeat it in userSearch.searchBase below, because it is appended automatically to the value defined there.
LDAP Property | Purpose | Example |
---|---|---|
userSearch.searchBase | Base (by user name) for user searches | userSearch.searchBase=CN=Users |
userSearch.searchFilter | Filter (by user name) for user searches. The attribute you specify here must contain the value that you want your users to log into Pentaho with. Active Directory user names are represented by sAMAccountName; full names are represented by displayName. | userSearch.searchFilter=(sAMAccountName={0}) |
Populator
The populator matches fully distinguished user names from userSearch
to distinguished role names for roles those users belong to.
The {0} token will be replaced with the user DN found during a user search; the {1} token is replaced with the user name entered in the login screen.
LDAP Property | Purpose | Example |
---|---|---|
populator.convertToUpperCase | Indicates whether or not retrieved role names are converted to uppercase | populator.convertToUpperCase=false |
populator.groupRoleAttribute | The attribute to get role names from | populator.groupRoleAttribute=cn |
populator.groupSearchBase | Base (by user DN or user name) for role searches. | populator.groupSearchBase=ou=Pentaho |
populator.groupSearchFilter | The special nested group filter for Active Directory is shown in the example; this will not work with non-MSAD directory servers. | populator.groupSearchFilter=(memberof:1.2.840.113556.1.4.1941:=({0})) |
populator.rolePrefix | A prefix to add to the beginning of the role name found in the group role attribute; the value can be an empty string. | populator.rolePrefix= |
populator.searchSubtree | Indicates whether or not the search must include the current object and all children. If set to false , the search must include the current object only. | populator.searchSubtree=true |
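The Users and Populator sections above describe two things the server does with these properties: it appends the base DN from contextSource.providerUrl to the relative search bases, and it substitutes the {0}/{1} tokens into the search filters. The following Python script is an added example (not Pentaho's code) that reads a constructed properties fragment, resolves the search bases the same way, and fills the tokens; the RFC 4515 escaping of the substituted login name is an assumption added here as the defensive behaviour a practitioner would expect, not something the page states Pentaho does.

```python
import re
from urllib.parse import urlparse

# Constructed sample of applicationContext-security-ldap.properties (values from this page)
SAMPLE_PROPERTIES = """\
contextSource.providerUrl=ldap://holly:389/DC=Valyant,DC=local
contextSource.userDn=CN=Administrator,CN=Users,DC=Valyant,DC=local
userSearch.searchBase=CN=Users
userSearch.searchFilter=(sAMAccountName={0})
populator.groupSearchBase=ou=Pentaho
populator.groupSearchFilter=(memberof:1.2.840.113556.1.4.1941:=({0}))
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def base_dn(provider_url):
    """Base DN carried in the providerUrl path, e.g. 'DC=Valyant,DC=local'."""
    return urlparse(provider_url).path.lstrip("/")

def full_search_base(props, key):
    """Relative search base with the providerUrl base DN appended, as the page describes."""
    base = props[key]
    root = base_dn(props["contextSource.providerUrl"])
    if base.lower().endswith(root.lower()):  # already absolute: do not append it twice
        return base
    return f"{base},{root}" if base else root

def filter_escape(value):
    """RFC 4515 escaping (assumed defensive step): a login name cannot change filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def render_filter(template, *args):
    """Replace the {0}, {1}, ... tokens with escaped values."""
    return template.format(*(filter_escape(a) for a in args))

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(full_search_base(props, "userSearch.searchBase"))
    print(render_filter(props["userSearch.searchFilter"], "jdoe"))
```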
All Authorities Search
These entries populate the Pentaho Server Access Control List (ACL) roles. These should be similar or identical to the Populator entries.
LDAP Property | Purpose | Example |
---|---|---|
allAuthoritiesSearch.roleAttribute | The attribute used for role values | allAuthoritiesSearch.roleAttribute=cn |
allAuthoritiesSearch.searchBase | Base for "all roles" searches | allAuthoritiesSearch.searchBase=ou=Pentaho |
allAuthoritiesSearch.searchFilter | Filter for "all roles" searches. Active Directory requires that the objectClass value be set to group. | allAuthoritiesSearch.searchFilter=(objectClass=group) |
All User Name Search
These entries populate the Pentaho Server ACL users.
LDAP Property | Purpose | Example |
---|---|---|
allUsernamesSearch.usernameAttribute | The attribute used for user values | allUsernamesSearch.usernameAttribute=sAMAccountName |
allUsernamesSearch.searchBase | Base for "all users" searches | allUsernamesSearch.searchBase=CN=users |
allUsernamesSearch.searchFilter | Filter for "all users" searches | allUsernamesSearch.searchFilter=objectClass=person |