Changing to the LDAP Security DAO 2.x-3.0.x

By default, the Pentaho BI Platform comes with Hibernate-based security data access object (DAO) enabled. Often, enterprises have an existing directory server accessible by LDAP. This page shows you how to switch to the "LDAP" DAO. The instructions below describe a sample LDAP directory using ApacheDS. LDAP browsers such as Apache Directory Studio or JXplorer can be used to browse the objects in your directory.

1. Edit pentaho-spring-beans.xml
   Change the Spring XML files to use the LDAP DAOs instead of the Hibernate ones. Open pentaho-solutions/system/pentaho-spring-beans.xml and look for the following section:
   pentaho-spring-beans.xml

   <beans>
     <!-- some lines omitted -->
     <import resource="applicationContext-acegi-security.xml" />
     <import resource="applicationContext-common-authorization.xml" />
     <import resource="applicationContext-acegi-security-ldap.xml" />
     <import resource="applicationContext-pentaho-security-ldap.xml" />
   </beans>
   

2. Start the directory
   In Windows, just start the Apacheds service in the Services dialog. In Linux, the command might be as simple as service apacheds start.
3. Import the LDIF
   The sample Spring XML files applicationContext-acegi-security-ldap.xml and applicationContext-pentaho-security-ldap.xml assume the records below. If you already have an existing directory, or you wish to alter the sample LDIF files, you'll need to adjust the LDAP queries in the aforementioned Spring XML files. To make use of the sample LDIF file, use an LDAP browser, such as Apache Directory Studio or JXplorer, to import it. Note: You may or may not have success importing the LDIF file below. If you run into errors, manually create the records
   Sample LDIF

   version: 1
   
   dn: uid=joe,ou=users,ou=system
   mail: joe.pentaho@pentaho.org
   objectclass: inetOrgPerson
   objectclass: organizationalPerson
   objectclass: person
   objectclass: top
   uid: joe
   cn: joe
   businesscategory: cn=ceo,ou=roles,ou=system
   businesscategory: cn=Admin,ou=roles,ou=system
   userpassword:: cGFzc3dvcmQ=
   sn: Pentaho
   
   dn: uid=suzy,ou=users,ou=system
   mail: suzy.pentaho@pentaho.org
   objectclass: inetOrgPerson
   objectclass: organizationalPerson
   objectclass: person
   objectclass: top
   uid: suzy
   cn: suzy
   userpassword:: cGFzc3dvcmQ=
   businesscategory: cn=cto,ou=roles,ou=system
   businesscategory: cn=is,ou=roles,ou=system
   sn: Pentaho
   
   dn: uid=tiffany,ou=users,ou=system
   mail: tiffany.pentaho@pentaho.org
   objectclass: inetOrgPerson
   objectclass: organizationalPerson
   objectclass: person
   objectclass: top
   uid: tiffany
   cn: tiffany
   businesscategory: cn=devmgr,ou=roles,ou=system
   businesscategory: cn=dev,ou=roles,ou=system
   userpassword:: cGFzc3dvcmQ=
   sn: Pentaho
   
   dn: uid=pat,ou=users,ou=system
   mail: pat.pentaho@pentaho.org
   objectclass: inetOrgPerson
   objectclass: organizationalPerson
   objectclass: person
   objectclass: top
   uid: pat
   cn: pat
   businesscategory: cn=dev,ou=roles,ou=system
   userpassword:: cGFzc3dvcmQ=
   sn: Pentaho
   
   dn: cn=Sales,ou=groups,ou=system
   cn: Sales
   objectclass: groupofuniquenames
   objectclass: top
   uniquemember: uid=joe,ou=users,ou=system
   
   dn: cn=Marketing,ou=groups,ou=system
   cn: Marketing
   objectclass: groupofuniquenames
   objectclass: top
   uniquemember: uid=suzy,ou=users,ou=system
   
   dn: cn=Development,ou=groups,ou=system
   cn: Development
   objectclass: groupOfUniqueNames
   objectclass: top
   uniquemember: uid=pat,ou=users,ou=system
   uniquemember: uid=tiffany,ou=users,ou=system
   
   dn: ou=roles,ou=system
   ou: roles
   objectclass: organizationalUnit
   objectclass: top
   
   dn: cn=devmgr,ou=roles,ou=system
   l: Orlando
   objectclass: organizationalRole
   objectclass: top
   description: Development Manager
   roleoccupant: uid=tiffany,ou=users,ou=system
   cn: devmgr
   
   dn: cn=cto,ou=roles,ou=system
   cn: cto
   description: CTO Role
   objectclass: organizationalRole
   objectclass: top
   roleoccupant: uid=suzy,ou=users,ou=system
   l: Orlando
   st: Florida
   
   dn: cn=ceo,ou=roles,ou=system
   cn: ceo
   description: CEO Role
   objectclass: organizationalRole
   objectclass: top
   roleoccupant: uid=joe,ou=users,ou=system
   l: Orlando
   st: Florida
   
   dn: cn=is,ou=roles,ou=system
   cn: is
   description: Information Systems
   objectclass: organizationalRole
   objectclass: top
   roleoccupant: uid=suzy,ou=users,ou=system
   l: Orlando
   st: Florida
   
   dn: cn=dev,ou=roles,ou=system
   objectclass: organizationalRole
   objectclass: top
   roleoccupant: uid=pat,ou=users,ou=system
   roleoccupant: uid=tiffany,ou=users,ou=system
   cn: dev
   
   dn: cn=Admin,ou=roles,ou=system
   objectclass: organizationalRole
   objectclass: top
   roleoccupant: uid=joe,ou=users,ou=system
   roleoccupant: uid=admin,ou=system
   cn: Admin
   
   dn: cn=Authenticated,ou=roles,ou=system
   objectclass: organizationalRole
   objectclass: top
   roleoccupant: uid=joe,ou=users,ou=system
   roleoccupant: uid=suzy,ou=users,ou=system
   roleoccupant: uid=suzy,ou=users,ou=system
   roleoccupant: uid=pat,ou=users,ou=system
   roleoccupant: uid=pat,ou=users,ou=system
   roleoccupant: uid=tiffany,ou=users,ou=system
   roleoccupant: uid=tiffany,ou=users,ou=system
   cn: Authenticated
   
   dn: cn=Anonymous,ou=roles,ou=system
   cn: Anonymous
   objectclass: organizationalRole
   objectclass: top

   Note: The passwords in the LDIF above ('cGFzc3dvcmQ=') are equivalent to a hash of the word 'password.'  Therefore, for authentication purposes, all the users above share the same password: 'password'.

4. Start the application server
   Now that the directory is running and the LDIF has been imported, start the application server.
5. Stop the directory
   In Windows, just stop the Apacheds in the Services dialog. In Linux, run service apacheds stop.

Troubleshooting

Having problems? Check out the troubleshooting section.