Note: There are related HOWTOs: Changing to the LDAP Security DAO and Changing to the JDBC Security DAO.
Overview
Is it possible to authenticate via LDAP then fetch roles from a relational database? Yes! To accomplish this, make the following changes.
Steps
- Edit pentaho-spring-beans.xml to use a combination of LDAP and JDBC configuration files.

  pentaho-spring-beans.xml
  ```xml
  <beans>
    <!-- some lines omitted -->
    <import resource="applicationContext-spring-security.xml" />
    <import resource="applicationContext-common-authorization.xml" />
    <import resource="applicationContext-spring-security-ldap.xml" />
    <import resource="applicationContext-pentaho-security-jdbc.xml" />
  </beans>
  ```
- Open applicationContext-spring-security-ldap.xml. Replace the populator bean definition with the one below.

  applicationContext-spring-security-ldap.xml
  ```xml
  <bean id="populator"
        class="org.springframework.security.ldap.populator.UserDetailsServiceLdapAuthoritiesPopulator">
    <constructor-arg ref="userDetailsService" />
  </bean>
  ```
- Staying in the same file, remove the userDetailsService bean. (We're removing it to replace it later with the JDBC-based UserDetailsService implementation: JdbcDaoImpl.)

  applicationContext-spring-security-ldap.xml
  ```xml
  <!-- removed userDetailsService bean -->
  ```
- Open applicationContext-pentaho-security-jdbc.xml. Add the following two bean definitions. Both of these bean definitions were copied from applicationContext-spring-security-jdbc.xml. (One is the JDBC-based UserDetailsService implementation; the other is a bean required by that implementation.)

  applicationContext-pentaho-security-jdbc.xml
  ```xml
  <!-- Connection to the database that holds the role tables; required by userDetailsService -->
  <bean id="dataSource"
        class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="org.hsqldb.jdbcDriver" />
    <property name="url" value="jdbc:hsqldb:hsql://localhost:9002/userdb" />
    <property name="username" value="sa" />
    <property name="password" value="" />
  </bean>

  <!-- JDBC-based UserDetailsService; the populator bean in the LDAP file refers to it by this id -->
  <bean id="userDetailsService"
        class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
    <property name="dataSource">
      <ref local="dataSource" />
    </property>
    <property name="authoritiesByUsernameQuery">
      <value>
        <![CDATA[SELECT username, authority FROM granted_authorities WHERE username = ?]]>
      </value>
    </property>
    <property name="usersByUsernameQuery">
      <value>
        <![CDATA[SELECT username, password, enabled FROM users WHERE username = ?]]>
      </value>
    </property>
  </bean>
  ```
- If you followed Changing to the JDBC Security DAO and Changing to the LDAP Security DAO, the default configuration should work without any changes. If you want to change the database host, the LDAP server host, or anything else about the configuration, see Security Data Access Objects.
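
Added example (not from the original page or the Pentaho project): a small Python/sqlite3 model of the role lookup this configuration performs once LDAP has accepted the credentials, running the page's two queries against constructed rows. It assumes the Spring Security 2.x behaviour in which JdbcDaoImpl rejects a username that has no row in users or no row in granted_authorities, so every LDAP account needs matching database rows. The table layout, sample users, role names and the helper names are constructed for illustration.

```python
import sqlite3

# The two queries from applicationContext-pentaho-security-jdbc.xml, unchanged.
USERS_BY_USERNAME = "SELECT username, password, enabled FROM users WHERE username = ?"
AUTHORITIES_BY_USERNAME = (
    "SELECT username, authority FROM granted_authorities WHERE username = ?"
)


class UsernameNotFound(Exception):
    """Stand-in for Spring Security's UsernameNotFoundException."""


def build_sample_db():
    """In-memory stand-in for the HSQLDB userdb; all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, enabled INTEGER);
        CREATE TABLE granted_authorities (username TEXT, authority TEXT);
        INSERT INTO users VALUES ('alice', 'unused-after-ldap-bind', 1);
        INSERT INTO users VALUES ('bob', 'unused-after-ldap-bind', 1);
        INSERT INTO granted_authorities VALUES ('alice', 'Authenticated');
        INSERT INTO granted_authorities VALUES ('alice', 'Admin');
    """)
    return conn


def roles_for_ldap_user(conn, ldap_username):
    """Model of populator -> userDetailsService.loadUserByUsername(name).getAuthorities().

    Called only after LDAP has accepted the credentials, so the database
    password column is selected by the query but never compared here.
    """
    if not conn.execute(USERS_BY_USERNAME, (ldap_username,)).fetchall():
        raise UsernameNotFound(f"{ldap_username}: no row in users")
    rows = conn.execute(AUTHORITIES_BY_USERNAME, (ldap_username,)).fetchall()
    if not rows:
        raise UsernameNotFound(f"{ldap_username}: no granted authority")
    return sorted(authority for _, authority in rows)


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("alice", "bob", "carol"):  # carol exists only in LDAP
        try:
            print(name, roles_for_ldap_user(db, name))
        except UsernameNotFound as exc:
            print("rejected:", exc)
```

In this model bob (no authority rows) and carol (known to LDAP only) are both refused roles even though their LDAP credentials were valid, which is the provisioning gap to check for when a login fails after switching to the hybrid setup.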