Changing to the LDAP Security DAO

By default, the Pentaho BI Platform ships with a Hibernate-based security data access object (DAO) enabled. Enterprises often already have a directory server reachable over LDAP. This page shows you how to switch to the "LDAP" DAO. The instructions below use a sample LDAP directory running on ApacheDS. An LDAP browser such as Apache Directory Studio or JXplorer can be used to inspect the objects in your directory.

  1. Edit pentaho-spring-beans.xml
    Change the Spring XML files to use the LDAP DAOs instead of the Hibernate ones. Open pentaho-solutions/system/pentaho-spring-beans.xml and look for the following section:
    pentaho-spring-beans.xml
    <beans>
      <!-- some lines omitted -->
      <import resource="applicationContext-spring-security.xml" />
      <import resource="applicationContext-common-authorization.xml" />
      <import resource="applicationContext-spring-security-ldap.xml" />
      <import resource="applicationContext-pentaho-security-ldap.xml" />
    </beans>
    
  2. Start the directory
    In Windows, start the ApacheDS service in the Services dialog. In Linux, the command might be as simple as service apacheds start.
  3. Import the LDIF
    The sample Spring XML files applicationContext-spring-security-ldap.xml and applicationContext-pentaho-security-ldap.xml assume the records below. If you already have an existing directory, or you wish to alter the sample LDIF files, you'll need to adjust the LDAP queries in the aforementioned Spring XML files. To make use of the sample LDIF file, use an LDAP browser, such as Apache Directory Studio or JXplorer, to import it. Note: You may or may not have success importing the LDIF file below. If you run into errors, manually create the records.
    Sample LDIF

    version: 1

    dn: uid=joe,ou=users,ou=system
    mail: joe.pentaho@pentaho.org
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    uid: joe
    cn: joe
    businesscategory: cn=ceo,ou=roles,ou=system
    businesscategory: cn=Admin,ou=roles,ou=system
    userpassword:: cGFzc3dvcmQ=
    sn: Pentaho

    dn: uid=suzy,ou=users,ou=system
    mail: suzy.pentaho@pentaho.org
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    uid: suzy
    cn: suzy
    userpassword:: cGFzc3dvcmQ=
    businesscategory: cn=cto,ou=roles,ou=system
    businesscategory: cn=is,ou=roles,ou=system
    sn: Pentaho

    dn: uid=tiffany,ou=users,ou=system
    mail: tiffany.pentaho@pentaho.org
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    uid: tiffany
    cn: tiffany
    businesscategory: cn=devmgr,ou=roles,ou=system
    businesscategory: cn=dev,ou=roles,ou=system
    userpassword:: cGFzc3dvcmQ=
    sn: Pentaho

    dn: uid=pat,ou=users,ou=system
    mail: pat.pentaho@pentaho.org
    objectclass: inetOrgPerson
    objectclass: organizationalPerson
    objectclass: person
    objectclass: top
    uid: pat
    cn: pat
    businesscategory: cn=dev,ou=roles,ou=system
    userpassword:: cGFzc3dvcmQ=
    sn: Pentaho

    dn: cn=Sales,ou=groups,ou=system
    cn: Sales
    objectclass: groupofuniquenames
    objectclass: top
    uniquemember: uid=joe,ou=users,ou=system

    dn: cn=Marketing,ou=groups,ou=system
    cn: Marketing
    objectclass: groupofuniquenames
    objectclass: top
    uniquemember: uid=suzy,ou=users,ou=system

    dn: cn=Development,ou=groups,ou=system
    cn: Development
    objectclass: groupOfUniqueNames
    objectclass: top
    uniquemember: uid=pat,ou=users,ou=system
    uniquemember: uid=tiffany,ou=users,ou=system

    dn: ou=roles,ou=system
    ou: roles
    objectclass: organizationalUnit
    objectclass: top

    dn: cn=devmgr,ou=roles,ou=system
    l: Orlando
    objectclass: organizationalRole
    objectclass: top
    description: Development Manager
    roleoccupant: uid=tiffany,ou=users,ou=system
    cn: devmgr

    dn: cn=cto,ou=roles,ou=system
    cn: cto
    description: CTO Role
    objectclass: organizationalRole
    objectclass: top
    roleoccupant: uid=suzy,ou=users,ou=system
    l: Orlando
    st: Florida

    dn: cn=ceo,ou=roles,ou=system
    cn: ceo
    description: CEO Role
    objectclass: organizationalRole
    objectclass: top
    roleoccupant: uid=joe,ou=users,ou=system
    l: Orlando
    st: Florida

    dn: cn=is,ou=roles,ou=system
    cn: is
    description: Information Systems
    objectclass: organizationalRole
    objectclass: top
    roleoccupant: uid=suzy,ou=users,ou=system
    l: Orlando
    st: Florida

    dn: cn=dev,ou=roles,ou=system
    objectclass: organizationalRole
    objectclass: top
    roleoccupant: uid=pat,ou=users,ou=system
    roleoccupant: uid=tiffany,ou=users,ou=system
    cn: dev

    dn: cn=Admin,ou=roles,ou=system
    objectclass: organizationalRole
    objectclass: top
    roleoccupant: uid=joe,ou=users,ou=system
    roleoccupant: uid=admin,ou=system
    cn: Admin

    dn: cn=Authenticated,ou=roles,ou=system
    objectclass: organizationalRole
    objectclass: top
    roleoccupant: uid=joe,ou=users,ou=system
    roleoccupant: uid=suzy,ou=users,ou=system
    roleoccupant: uid=pat,ou=users,ou=system
    roleoccupant: uid=tiffany,ou=users,ou=system
    cn: Authenticated

    dn: cn=Anonymous,ou=roles,ou=system
    cn: Anonymous
    objectclass: organizationalRole
    objectclass: top
    Note: The double colon in userpassword:: means the value is base64-encoded, and 'cGFzc3dvcmQ=' is the base64 encoding (not a hash) of the word 'password'. Therefore, for authentication purposes, all the users above share the same password: 'password'.

    Note: Be sure to leave a blank line at the end of this file. Otherwise, the last entry may not import correctly.

    Note: The above LDIF assumes the following nodes already exist (as is the case with ApacheDS):
    dn: ou=users,ou=system
    ou: users
    objectclass: organizationalUnit
    objectclass: top

    dn: ou=groups,ou=system
    ou: groups
    objectclass: organizationalUnit
    objectclass: top
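    Before importing an LDIF like the one above into a directory the platform will authenticate against, it is worth checking what it actually contains. The script below is an added example (not from the Pentaho wiki or the ApacheDS project): it parses LDIF with only the Python standard library, decodes the '::' base64 values, lists accounts whose userPassword has no {SCHEME} prefix (and so will be stored as cleartext) together with any accounts that share a password, and compares the two places the sample keeps role membership, businessCategory on the user entry versus roleOccupant on the role entry. The embedded LDIF is a trimmed, constructed excerpt of the page's sample (joe, suzy and four of their roles). Which of the two attributes the Spring XML files actually query is not stated on this page; the consistency check only reports where the two disagree, as they do for cn=Authenticated in the sample.

```python
import base64
from collections import defaultdict

# Constructed excerpt of the page's sample LDIF (objectclass lines dropped).
SAMPLE_LDIF = """\
version: 1

dn: uid=joe,ou=users,ou=system
uid: joe
businesscategory: cn=ceo,ou=roles,ou=system
businesscategory: cn=Admin,ou=roles,ou=system
userpassword:: cGFzc3dvcmQ=

dn: uid=suzy,ou=users,ou=system
uid: suzy
userpassword:: cGFzc3dvcmQ=
businesscategory: cn=cto,ou=roles,ou=system

dn: cn=ceo,ou=roles,ou=system
roleoccupant: uid=joe,ou=users,ou=system

dn: cn=Admin,ou=roles,ou=system
roleoccupant: uid=joe,ou=users,ou=system
roleoccupant: uid=admin,ou=system

dn: cn=cto,ou=roles,ou=system
roleoccupant: uid=suzy,ou=users,ou=system

dn: cn=Authenticated,ou=roles,ou=system
roleoccupant: uid=joe,ou=users,ou=system
roleoccupant: uid=suzy,ou=users,ou=system
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] with lowercased attribute names.
    Folded lines (leading space) are joined; 'attr::' values are base64-decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, None
    for line in unfolded:
        if not line.strip():                   # blank line terminates an entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        if rest.startswith(":"):               # '::' marks a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    if dn is not None:                         # tolerate a missing final blank line
        entries.append((dn, dict(attrs)))
    return entries


def cleartext_passwords(entries):
    """uid -> password for every userPassword lacking a {SCHEME} prefix."""
    found = {}
    for dn, attrs in entries:
        for pw in attrs.get("userpassword", []):
            if not pw.startswith("{"):
                found[attrs.get("uid", [dn])[0]] = pw
    return found


def shared_passwords(entries):
    """password -> sorted uids, for passwords used by more than one account."""
    by_pw = defaultdict(list)
    for uid, pw in cleartext_passwords(entries).items():
        by_pw[pw].append(uid)
    return {pw: sorted(u) for pw, u in by_pw.items() if len(u) > 1}


def role_mismatches(entries):
    """(user_dn, role_dn, problem) for every one-sided role reference."""
    users = {dn: set(a.get("businesscategory", []))
             for dn, a in entries if "uid" in a}
    occupied = defaultdict(set)
    for role_dn, a in entries:
        for member in a.get("roleoccupant", []):
            occupied[member].add(role_dn)
    problems = []
    for user in sorted(users):
        for role in sorted(users[user] - occupied[user]):
            problems.append((user, role, "businessCategory without roleOccupant"))
        for role in sorted(occupied[user] - users[user]):
            problems.append((user, role, "roleOccupant without businessCategory"))
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("cleartext passwords:", cleartext_passwords(entries))
    print("shared passwords:", shared_passwords(entries))
    for user, role, problem in role_mismatches(entries):
        print(f"{problem}: {user} -> {role}")
```

    Run against the full sample file by reading it into parse_ldif instead of SAMPLE_LDIF; on the page's LDIF it reports all four accounts sharing the cleartext value 'password', which is fine for a throwaway test directory but is exactly what should not reach a production one.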

  4. The default LDAP configuration should work with the above LDIF. If you want to change the LDAP server host or anything else about the configuration, see Security Data Access Objects.
  5. Start the application server
    Now that the directory is running and the LDIF has been imported, start the application server.
  6. Stop the directory
    In Windows, stop the ApacheDS service in the Services dialog. In Linux, run service apacheds stop.

Troubleshooting

Having problems? Check out the troubleshooting section.