Ricky


Integrating SpagoBI with LDAP

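Ricky posted @ March 20, 2017 16:36 in Other, 300 views

Integrating SpagoBI 5.2 with AD

The official manual is really too old; it took me a whole day to get this working.

1. As before, three parameters need to be changed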

SPAGOBI.SECURITY.PORTAL-SECURITY-CLASS.className=it.eng.spagobi.security.LdapSecurityProviderImpl 
SPAGOBI.SECURITY.USER-PROFILE-FACTORY-CLASS.className=it.eng.spagobi.security.LdapUserProfileFactoryImpl 
SPAGOBI.SECURITY.PORTAL-SECURITY-INIT-CLASS.className=it.eng.spagobi.security.init.LdapSecurityProviderInit

2. ldap_authorizations.xml

 

<?xml version="1.0" encoding="UTF-8"?> 
<LDAP_AUTHORIZATIONS default="FALSE"> 
<CONFIG> 

<!-- SERVER --> 
<HOST>10.16.10.98</HOST> 
<PORT>389</PORT> 
<ADMIN_USER>ldapadmin@tfsad.com</ADMIN_USER> <!-- THIS IS KEY --> 
<ADMIN_PSW>password</ADMIN_PSW> <!-- password in clear text --> 
<BASE_DN>DC=tfsad,DC=com</BASE_DN> <!-- base domain, if any --> 

<!-- USERS --> 
<USER_SEARCH_PATH>ou=XXX</USER_SEARCH_PATH> <!-- SpagoBI will look for users under this node - Our user OU is STAFF --> 
<USER_OBJECT_CLASS>user</USER_OBJECT_CLASS> <!-- class for users' objects --> 
<USER_ID_ATTRIBUTE_NAME>sAMAccountName</USER_ID_ATTRIBUTE_NAME> <!-- name of the attribute containing the user identifier --> 
<USER_NAME_ATTRIBUTE_NAME>name</USER_NAME_ATTRIBUTE_NAME> <!-- name of the attribute(*) containing the user name --> 
<SUPER_ADMIN_ATTRIBUTE_NAME>superAdmin</SUPER_ADMIN_ATTRIBUTE_NAME> <!-- name of the attribute(*) containing the super admin flag --> 
<!-- (*) SPAGOBI attribute, not LDAP attribute!!! It must match the "name" attribute of one USER_ATTRIBUTE tag below --> 
<USER_MEMBEROF_ATTRIBUTE_NAME>memberOf</USER_MEMBEROF_ATTRIBUTE_NAME> <!-- this attribute has to contain the list of groups the user belongs to --> 

<!-- list of the users' attributes to be loaded when querying the LDAP --> 
<USER_ATTRIBUTE name="id">sAMAccountName</USER_ATTRIBUTE> <!-- LDAP attribute to be considered as SpagoBI attribute --> 
<USER_ATTRIBUTE name="name">name</USER_ATTRIBUTE> 
<USER_ATTRIBUTE name="mail">mail</USER_ATTRIBUTE> 
<USER_ATTRIBUTE name="memberOf">memberOf</USER_ATTRIBUTE> 
<USER_ATTRIBUTE name="superAdmin">superAdmin</USER_ATTRIBUTE> 

<!-- GROUPS --> 
<GROUP_SEARCH_PATH>OU=XXX</GROUP_SEARCH_PATH> <!-- SpagoBI will look for groups under this node --> 
<GROUP_OBJECT_CLASS>group</GROUP_OBJECT_CLASS> <!-- class for groups' objects --> 
<GROUP_ID_ATTRIBUTE_NAME>cn</GROUP_ID_ATTRIBUTE_NAME> <!-- the attribute containing the name of the group --> 

<!-- list of the groups' attributes to be loaded when querying the LDAP --> 
<!-- <GROUP_ATTRIBUTE>ou</GROUP_ATTRIBUTE> --> 
<GROUP_ATTRIBUTE>cn</GROUP_ATTRIBUTE> 

<ACCESS_GROUP_NAME></ACCESS_GROUP_NAME> <!-- Access group name: if specified, users must belong to this group in order to enter SpagoBI --> 
<GROUP_MEMBERS_ATTRIBUTE_NAME></GROUP_MEMBERS_ATTRIBUTE_NAME> <!-- this attribute has to contain the list of users belonging to this group, in case the ACCESS_GROUP_NAME is specified --> 

</CONFIG> 
</LDAP_AUTHORIZATIONS> 

Note that the password is in plain text, not encrypted.
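A small audit of the settings shown above, added here as an example (it is not SpagoBI's code and not from the original post): it flags the plain LDAP port, a cleartext bind password in a file readable beyond its owner, an empty ACCESS_GROUP_NAME, and starred settings that do not match the name of a USER_ATTRIBUTE entry. The function names, finding codes and sample values are constructed for this illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample shaped like the configuration above (values are placeholders).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<LDAP_AUTHORIZATIONS default="FALSE">
<CONFIG>
<PORT>389</PORT>
<ADMIN_PSW>placeholder</ADMIN_PSW>
<USER_NAME_ATTRIBUTE_NAME>name</USER_NAME_ATTRIBUTE_NAME>
<SUPER_ADMIN_ATTRIBUTE_NAME>superAdmin</SUPER_ADMIN_ATTRIBUTE_NAME>
<USER_ATTRIBUTE name="id">sAMAccountName</USER_ATTRIBUTE>
<USER_ATTRIBUTE name="name">name</USER_ATTRIBUTE>
<ACCESS_GROUP_NAME></ACCESS_GROUP_NAME>
</CONFIG>
</LDAP_AUTHORIZATIONS>"""


def audit_config(xml_text, file_mode=None):
    """Return sorted finding codes (hypothetical names) for the XML text."""
    cfg = ET.fromstring(xml_text.encode("utf-8")).find("CONFIG")
    if cfg is None:
        return ["NO_CONFIG_ELEMENT"]

    def text(tag):
        return (cfg.findtext(tag) or "").strip()

    findings = []
    # 389 is the standard non-TLS LDAP port; unless the session is upgraded
    # with StartTLS, the bind password is sent unencrypted.
    if text("PORT") == "389":
        findings.append("PLAIN_LDAP_PORT")
    # The bind password sits in this file in clear text, so group/other read
    # permission exposes it to other local accounts.
    if text("ADMIN_PSW") and file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("PASSWORD_FILE_READABLE_BY_OTHERS")
    # Empty ACCESS_GROUP_NAME: no group membership is required to enter SpagoBI.
    if not text("ACCESS_GROUP_NAME"):
        findings.append("NO_ACCESS_GROUP")
    # The starred settings must match the "name" of a USER_ATTRIBUTE entry.
    declared = {a.get("name") for a in cfg.findall("USER_ATTRIBUTE")}
    for tag in ("USER_NAME_ATTRIBUTE_NAME", "SUPER_ADMIN_ATTRIBUTE_NAME"):
        if text(tag) and text(tag) not in declared:
            findings.append("UNMAPPED_" + tag)
    return sorted(findings)


def audit_file(path):
    """Audit a file on disk, including its POSIX permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(fh.read(), stat.S_IMODE(os.stat(path).st_mode))
```

Run `audit_file` against the deployed configuration file; an empty list means none of the four conditions was found.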

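3. Add a custom superAdmin attribute in AD

Adding it requires the permissions of the Enterprise Admin and Schema Admin groups; in addition, confirm in the registry that Update Schema Allowed is set to 1.

After adding it, the AD service must be restarted. See http://www.morgantechspace.com/2013/08/how-to-create-custom-attribute-in.html

4. Add the role mapping

See https://www.spagoworld.org/jforum/posts/list/3600.page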

 


