What is new in MicroStrategy Intelligence Server 7i - 7.2.2 for Lightweight Directory Access Protocol (LDAP)?

The following document discusses the Lightweight Directory Access Protocol (LDAP) and its integration with the MicroStrategy Intelligence Server, some of which has been available since MicroStrategy Intelligence Server 7i - 7.2.0, along with the new features introduced in MicroStrategy Intelligence Server 7i - 7.2.2 as they relate to LDAP.

Terminology:

Lightweight Directory Access Protocol (LDAP): a directory-structured way to store data. LDAP is most commonly used to store user information across the organization or customer base. Rather than creating a new set of users for use in MicroStrategy Intelligence Server, users wish to be able to use their existing user base stored in LDAP servers to perform authentication and other access checks. LDAP allows the authentication of users so that they only need to remember one ID and one password (PWD) to use applications such as MicroStrategy across all enterprise resources. In some cases, users with a Secure Socket Layer (SSL) connection will use certificates instead of a user ID and PWD.

LDAP Attributes: Each entry in an LDAP directory has one or more pieces of data associated with it, which are called attributes. For example, for an entry representing a person, one can think of that person's name, e-mail, address, position, location, telephone, etc. as attributes of that entry. Each attribute of an entry can have one or more data values.

Object Classes (type): Each entry has a type that specifies the object class of the attributes that can be stored in that entry. For example, if one needs to represent a person with an entry, one can select an object class that allows the attributes that help identify this entry better. When an entry is created, the object class to which it belongs must be specified, as every entry must belong to an object class.

Distinguished Names: Entries have several characteristics. Each entry is uniquely identified by a name called the Distinguished Name, or DN. An entry's DN is composed of its RDN (relative distinguished name) combined with the RDN of its parent, its parent's parent, and so on up to the root of the tree.

Secure Socket Layer (SSL): A public-domain protocol for authenticating and encrypting sensitive information over the Internet. The most popular implementation of the SSL protocol (by Netscape) uses RSA public key cryptography, an implementation of a concept called 'public key encryption': a technique that uses a pair of keys (a public and a private key) to authenticate and encrypt clients and data in the communication between the server and its client. Public key encryption employs the idea of a 'certificate' to ensure that the exchange of public keys between the client and the server occurs in a trustworthy way.

LDAP Authentication:

Figure 1: MicroStrategy LDAP Authentication with Novell eDirectory

1. At startup, MicroStrategy Intelligence Server opens a connection to the LDAP server using the LDAP Server Host and Port information provided in the MicroStrategy Intelligence Server configuration. If SSL is enabled, the LDAP server certificate is also used in the initialization. The connection is opened using the LDAP v3 API, which is part of each vendor's SDK. The vendor's DLLs containing the API must be listed in the MicroStrategy Intelligence Server configuration, and their path must be part of the system PATH variable on the MicroStrategy Intelligence Server machine.

2. Once a session is initialized, MicroStrategy Intelligence Server issues the LDAP API call ldap_simple_bind_s to bind to the LDAP server using the authentication user distinguished name (DN) and password provided in the MicroStrategy Intelligence Server configuration. Once bound to the LDAP server, MicroStrategy Intelligence Server waits for a user to attempt to log in using LDAP authentication mode. In Figure 1 above, the authentication user DN is cn=Admin, o=administration. NOTE: The LDAP authentication user must have appropriate read and search access rights on the directory being searched.

3. When a user logs in using the LDAP authentication option, they provide their LDAP login and password in the dialog presented by MicroStrategy Desktop or MicroStrategy Web. This login and password are the same set that may have been entered previously to authenticate to some other application.

4. Using the login, MicroStrategy Intelligence Server issues the LDAP API call ldap_search_s to search the directory for the given user. MicroStrategy Intelligence Server starts its user search at the search root distinguished name provided in the configuration. The search filter used in the search is the one entered in the User search filter box in the configuration. Examples of search filters are provided below.

Example User Search Filters:

Vendor | Search Filter
Novell | (&(objectClass=person)(cn=#LDAP_LOGIN#))
ADS | (&(objectClass=person)(sAMAccount=#LDAP_LOGIN#))
Sun/iPlanet | (&(objectClass=person)(uid=#LDAP_LOGIN#))

NOTE: In the search filters above, the #LDAP_LOGIN# value is a placeholder for the login entered by the user.

5. Once the user has been found in the directory, the user's DN (resulting from the user search) and password (entered at login) are verified against the LDAP server with the same bind operation used for the authentication user when MicroStrategy Intelligence Server first started.

6. Using the user's DN, MicroStrategy Intelligence Server issues another LDAP API search call to find the groups of which the user is a member. The group search filter is the one entered in the Group search filter box in the configuration. Some examples are provided below.

Example Group Search Filters:

Vendor | Search Filter
Novell | (&(objectClass=groupOfNames)(member=#LDAP_DN#))
ADS | (&(objectClass=group)(member=#LDAP_DN#))
iPlanet | (&(objectClass=groupOfUniqueNames)(uniquemember=#LDAP_DN#))

NOTE: Search filters may be enhanced to change the results of the search. In the example below (for iPlanet), the group search filter returns only groups whose description contains the string mstr:

(&(objectClass=groupOfUniqueNames)(uniquemember=#LDAP_DN#)(description=*mstr*))

7. Having all of the necessary user and group information, MicroStrategy Intelligence Server determines whether it needs to import the user and/or group information into the metadata. Details about user and group import options are discussed below under the headings Import Users and Import Groups.

8. Once the import is complete, a runtime user is created on MicroStrategy Intelligence Server with the access rights and privileges of the user groups of which the user is a member. Once the runtime user has been created, the appropriate session object is passed back to the client.

Anonymous LDAP Authentication:

When using anonymous LDAP authentication, users may log in with any user name and an empty password. Anonymous LDAP users are able to access the project, browse objects, and run and manipulate reports, but they are not able to create their own objects or schedule report executions. All anonymous LDAP users share a single History List.

NOTE: Anonymous LDAP users inherit their privileges from the LDAP Public and the Public / Guest groups; they are not part of the 'Everyone' group. LDAP Public users will not have permission to save application objects or schedule requests regardless of the permissions assigned to these groups.

Import Users:

If the Import Users checkbox is selected, when the user logs in and is authenticated, the user is imported if this was not previously done. Specifically, a matching MicroStrategy user is created in the MicroStrategy metadata and automatically mapped to the LDAP user logging in, using the DN (the unique identifier in LDAP) as the link. That user can then be placed in a user group or assigned privileges like any MicroStrategy user.

If the Import Users checkbox is clear, when the user logs in and is authenticated, and there is no user in the MicroStrategy metadata already linked to this LDAP user, the user is imported as a temporary user only for the duration of the connection. Once the connection is terminated, the temporary user disappears from the system (the user is not physically created in the metadata but exists only in memory on the MicroStrategy Intelligence Server). It is important to note that this type of user will not have access to full functionality. LDAP users that are not imported, like LDAP Public users, will not be able to create any objects, schedule reports and documents, or have a persistent inbox.

Any LDAP attribute can be used to supply the imported user's login name and user name. For example, if a user has a 'jdoe' login and a 'John Doe' user name, the MicroStrategy administrator may configure MicroStrategy Intelligence Server to import the user login from the cn attribute and the user name from the uid attribute when using Novell eDirectory. Each LDAP vendor uses slightly different attributes to store user information, which is why MicroStrategy Intelligence Server offers the flexibility to select the naming attributes.

Regardless of whether or not the checkbox is selected, if the user logging in has a matching MicroStrategy user linked to it, the LDAP user assumes the profile of that MicroStrategy user. Regardless of whether or not the checkbox is selected, the relationship between the user and the groups they belong to in LDAP that have an existing linked MicroStrategy group is preserved at login, but it is not persisted in the MicroStrategy metadata. For example, UserA belongs to Group1 and Group2 in LDAP. Group1 has an equivalent MicroStrategy group that is linked to it, while Group2 does not. When UserA logs in, the user is associated with Group1, inheriting all its security. This feature allows group memberships to be maintained in LDAP without requiring any manual synchronization with MicroStrategy. The latest information is always read from the LDAP server each time a user logs in. If no group is found, the user is still a member of the LDAP Users group and inherits the typical security associated with that group. If your user base is large and can be broken into groups with common profiles across all users of each group, it might be convenient not to import users.

User - Synchronize at Login:

If the Synchronize at login checkbox is selected, when the user logs in and is authenticated, MicroStrategy Intelligence Server updates the imported user's login, user name, and LDAP link information if they have changed in the LDAP directory since the last login. MicroStrategy Intelligence Server first checks the metadata to determine whether the LDAP link is present. If it is present, the user login and user name are updated if necessary. If the LDAP link does not exist, MicroStrategy Intelligence Server checks whether the user login is present in the metadata; if it is, the LDAP link information is updated.

LDAP link exists | User login or user name exists | Comment
Yes | No | Update user login and user name on linked user
Yes | Yes | For the same user: no updates, information is correct. For different users: import fails because the user cannot be resolved; logged in as temporary LDAP user.
No | No | Create new user under LDAP Users group
No | Yes | Update LDAP link on user

The 'Synchronize at login' option allows administrators to dynamically link LDAP users that may already exist in the metadata. Previously, this link would have had to be made manually. This option also allows administrators to dynamically keep user information stored in the MicroStrategy metadata in sync with user information stored in the LDAP directory.

If the Synchronize at login checkbox is clear, users are logged in as the user with the matching LDAP link, or a new user is created. If the link does not exist but the user name does exist, the user is not imported and is logged in as a temporary LDAP user.

Import Groups:

Independent of the previous setting, this setting controls the import of the LDAP groups to which the user that logs in belongs in LDAP. If this checkbox is selected, when a user logs in and is authenticated, any LDAP group to which the user belongs (that does not already have a MicroStrategy group linked to it) is imported and stored in the MicroStrategy metadata. Administrators may assign privileges, permissions, and security filters to groups, allowing LDAP users to dynamically inherit these properties without having to be assigned them in the metadata. If this checkbox is clear, when the user logs in and is authenticated, no LDAP group is imported.

Group - Synchronize at Login:

As with users, the group name may be synchronized each time a user belonging to a group logs in using LDAP authentication. The following logic is applied depending on whether the group information has been updated.

LDAP link exists | Group name exists | Comment
Yes | No | Update group name on linked group
Yes | Yes | For the same group: do nothing. For different groups: group import fails.
No | No | Create new group under LDAP Users group
No | Yes | Update group LDAP link on existing group

NOTE: The MicroStrategy Knowledge Base document TN5300-072-0273 is helpful in describing how users are imported into MicroStrategy.
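The login sequence described in steps 1 to 8 (bind as the authentication user, search for the login with the #LDAP_LOGIN# placeholder, bind as the DN that was found, then search for groups with #LDAP_DN#), carried through as an added worked example. This is not MicroStrategy code: it is a stand-alone mock in which the vendor SDK calls ldap_simple_bind_s and ldap_search_s are replaced by functions over a small constructed in-memory directory, and the entries, passwords, DNs and configuration keys are made up for the example. It also makes explicit two checks the text leaves implicit: the value substituted for a placeholder is escaped as an LDAP filter value, so a login containing ( ) or * cannot change the shape of the filter, and an empty password is refused at the user bind instead of being sent to the server.

```python
# Added example, not MicroStrategy code: a stand-alone mock of the login flow
# in steps 1-8, run against a constructed in-memory directory. Entries,
# passwords, DNs and configuration keys below are made up for the example.
import re

# Constructed sample directory as (dn, attributes). Attribute values are lists,
# as in a real LDAP entry; userPassword is kept in clear only for the mock.
DIRECTORY = [
    ("cn=Admin,o=administration",
     {"objectClass": ["person"], "cn": ["Admin"], "userPassword": ["admin-pw"]}),
    ("cn=jdoe,ou=people,o=acme",
     {"objectClass": ["person"], "cn": ["jdoe"], "uid": ["John Doe"],
      "userPassword": ["s3cret"]}),
    ("cn=Analysts,ou=groups,o=acme",
     {"objectClass": ["groupOfNames"], "cn": ["Analysts"],
      "member": ["cn=jdoe,ou=people,o=acme"], "description": ["mstr analysts"]}),
    ("cn=Payroll,ou=groups,o=acme",
     {"objectClass": ["groupOfNames"], "cn": ["Payroll"],
      "member": ["cn=jdoe,ou=people,o=acme"]}),
]

# Hypothetical server configuration mirroring the settings named in the text.
CONFIG = {
    "bind_dn": "cn=Admin,o=administration",   # authentication user DN (Figure 1)
    "bind_pw": "admin-pw",
    "search_root": "o=acme",
    "user_filter": "(&(objectClass=person)(cn=#LDAP_LOGIN#))",
    # group filter narrowed to groups whose description contains "mstr"
    "group_filter": "(&(objectClass=groupOfNames)(member=#LDAP_DN#)(description=*mstr*))",
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter: a login such as
    'a)(cn=*' stays a literal value instead of rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def fill(template, **placeholders):
    """Replace #NAME# placeholders (#LDAP_LOGIN#, #LDAP_DN#) with escaped values."""
    for name, value in placeholders.items():
        template = template.replace("#%s#" % name, escape_filter_value(value))
    return template

def parse_filter(s, pos=0):
    """Parse a minimal LDAP filter: (&...), (|...), (!...) and (attr=value)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] in "&|!":
        op, items, pos = s[pos], [], pos + 1
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            items.append(node)
        if s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, items), pos + 1
    end = s.index(")", pos)                 # escaped values contain no ')'
    attr, value = s[pos:end].split("=", 1)
    return ("=", attr, value), end + 1

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(node, attrs):
    """Evaluate a parsed filter against one entry (case-insensitive, '*' wildcard)."""
    if node[0] == "=":
        _, attr, pattern = node
        values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
        regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
        return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)
    op, items = node
    results = [matches(item, attrs) for item in items]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def ldap_search(filter_str, base):
    """Stand-in for ldap_search_s (steps 4 and 6): DNs under base matching the filter."""
    node, _ = parse_filter(filter_str)
    return [dn for dn, attrs in DIRECTORY
            if dn.lower().endswith(base.lower()) and matches(node, attrs)]

def ldap_bind(dn, password):
    """Stand-in for ldap_simple_bind_s (steps 2 and 5). An empty password is
    refused here: a real simple bind with an empty password is an anonymous
    bind (RFC 4513, section 5.1.2) and succeeds without checking anything."""
    if password == "":
        return False
    for entry_dn, attrs in DIRECTORY:
        if entry_dn.lower() == dn.lower():
            return password in attrs.get("userPassword", [])
    return False

def authenticate(login, password, cfg=CONFIG):
    """Run the login flow; return {'dn', 'groups'} on success, None otherwise."""
    if not ldap_bind(cfg["bind_dn"], cfg["bind_pw"]):                 # step 2
        return None
    hits = ldap_search(fill(cfg["user_filter"], LDAP_LOGIN=login),
                       cfg["search_root"])                           # step 4
    if len(hits) != 1:                    # unknown or ambiguous login: refuse
        return None
    user_dn = hits[0]
    if not ldap_bind(user_dn, password):                              # step 5
        return None
    groups = ldap_search(fill(cfg["group_filter"], LDAP_DN=user_dn),
                         cfg["search_root"])                         # step 6
    return {"dn": user_dn, "groups": groups}
```

With the mock configuration, authenticate("jdoe", "s3cret") returns the user's DN and only the Analysts group: Payroll is also a group of which jdoe is a member, but the description=*mstr* clause borrowed from the iPlanet example filters it out, which is the effect the NOTE after the group filter table describes. A login of "*" finds nobody, because the escaped value is a literal asterisk rather than a wildcard.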
LDAP Configuration:

Below are the settings used by MicroStrategy Intelligence Server 7i - 7.2.2. These may be configured using the MicroStrategy Intelligence Server Configuration in MicroStrategy Desktop.

General Settings (7i - 7.2.2):

Setting | Comment
Host | Hostname or IP address of the LDAP server
Port | Port 389 is the default port for clear-text LDAP. Port 636 is SSL.
Security connection | Checkbox indicating SSL is being used
Server certificate file | Path and name of the certificate used for SSL
Vendor | Name of the LDAP vendor; allows defaults to be populated in the GUI. 7i - 7.2.2 default values are: Active Directory, Novell, Sun ONE/iPlanet, and Other providers.
Vendor SDK DLL names | MicroStrategy Intelligence Server loads the DLL name(s) listed here and gets the necessary functions from the LDAP DLLs. The DLLs' location must exist in the System PATH variable on the MicroStrategy Intelligence Server machine.

Configuration Settings (7i - 7.2.2):

Setting | Comment
User distinguished name (DN) | Distinguished name of the user that will search the LDAP repository. This is sometimes called the bind DN. This DN must have, at a minimum, read and search access rights to the required user and group objects.
User password | Password for the authentication user
Search root distinguished name (DN) | Directory location from which to start the user and group search. Not needed for Novell.
User search filter | Filter string used in the LDAP API call ldap_search_s to find whether a user exists in the directory
Group search filter | Filter string used in the LDAP API call ldap_search_s to find the groups for a given distinguished name

User/Group Import Settings (7i - 7.2.2):

Setting | Comment
Import User | Allows the import of the user into the MicroStrategy metadata
User Login Attribute | String used to identify the LDAP attribute that should be used for the user login. For example: jdoe
User Name Attribute | String used to identify the LDAP attribute that should be used for the user name. For example: John Doe
Synch user at login | Allow import/update of users that already exist in the metadata
Import Group | Allows the import of the group into the MicroStrategy metadata
Group Name Attribute | String used to identify the LDAP attribute that should be used for the group name
Synch group at login | Allow import/update of groups that already exist in the metadata

MicroStrategy Intelligence Server 7i - 7.2.2 Vendor-Specific Defaults:

Based on the vendor, MicroStrategy Intelligence Server supplies the correct default values to the GUI. The vendor defaults are reset if the vendor's name is changed in the General Settings of the LDAP configuration.

Novell NDS eDirectory 8.6.2:

Setting | Novell
Vendor | Novell eDirectory
Vendor SDK DLL Names | Ldapsdk.dll; ldapssl.dll
User Search Filter | (&(objectClass=person)(cn=#LDAP_LOGIN#))
Group Search Filter | (&(objectClass=groupOfNames)(member=#LDAP_DN#))
User Login | cn
User Name | cn
Group Name | cn

Vendor Notes:
· The search root is not required for Novell eDirectory. The default root may be set using ConsoleOne (the eDirectory configuration GUI).
· Novell International Cryptographic Infrastructure (NICI) must be installed on the MicroStrategy Intelligence Server and LDAP server machines for SSL to work correctly. The MicroStrategy Knowledge Base documents TN5300-072-0229 and TN5300-072-0203 are helpful for configuring MicroStrategy Intelligence Server 7i - 7.2.0 with Novell eDirectory.

Microsoft Active Directory:

Setting | Microsoft ADS
Vendor | Microsoft Active Directory
Vendor SDK DLL Names | wldap32.dll
User Search Filter | (&(objectClass=person)(sAMAccount=#LDAP_LOGIN#))
Group Search Filter | (&(objectClass=group)(member=#LDAP_DN#))
User Login | sAMAccount
User Name | cn
Group Name | cn

Sun ONE Directory Server 5.1:

Setting | Sun ONE/iPlanet
Vendor | Sun ONE/iPlanet
Vendor SDK DLL Names | NSLDPA32v50.dll, nsldapssl32v50.dll
User Search Filter | (&(objectClass=person)(uid=#LDAP_LOGIN#))
Group Search Filter | (&(objectClass=groupOfUniqueNames)(uniquemember=#LDAP_DN#))
User Login | uid
User Name | cn
Group Name | cn

Other Vendors:

Setting | Other vendors
Vendor | Other vendors
Vendor SDK DLL Names | None (defaults to Novell DLLs)
User Search Filter | (&(ob
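An added pre-flight check over settings of the kind listed in the configuration tables above (example code, not part of the original document or of the product). The keys of the cfg dictionary, the host name and the certificate path are assumptions made up for this example; the rules it applies are the ones the tables state: port 389 is clear text and 636 is SSL, a server certificate file accompanies SSL, the authentication user DN and password are required, the search root is required except for Novell eDirectory, and the user and group filters must carry the #LDAP_LOGIN# and #LDAP_DN# placeholders and be well-formed.

```python
# Added example, not MicroStrategy code: pre-flight checks over an LDAP
# configuration of the kind the settings tables above describe. The cfg keys,
# host name and certificate path are assumptions made up for this example.

def filter_is_balanced(filter_str):
    """True when every '(' in an LDAP filter string has its matching ')'."""
    depth = 0
    for ch in filter_str:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0

def check_ldap_config(cfg):
    """Return a list of findings; an empty list means the configuration passed."""
    findings = []
    ssl = bool(cfg.get("ssl"))
    port = int(cfg.get("port", 389))
    if not ssl:
        findings.append("SSL off: the authentication user's password and every "
                        "user's login password cross the network in clear text")
    elif not cfg.get("server_certificate_file"):
        findings.append("SSL on but no server certificate file configured")
    if (ssl and port == 389) or (not ssl and port == 636):
        findings.append("port %d does not match the SSL setting "
                        "(389 is clear text, 636 is SSL)" % port)
    if not cfg.get("bind_dn") or not cfg.get("bind_password"):
        findings.append("authentication user DN or password missing")
    if not cfg.get("search_root") and cfg.get("vendor", "").lower() != "novell":
        findings.append("search root DN missing (only Novell eDirectory "
                        "supplies a default root)")
    for key, placeholder in (("user_filter", "#LDAP_LOGIN#"),
                             ("group_filter", "#LDAP_DN#")):
        value = cfg.get(key, "")
        if placeholder not in value:
            findings.append("%s lacks the %s placeholder" % (key, placeholder))
        if not filter_is_balanced(value):
            findings.append("%s has unbalanced parentheses: %s" % (key, value))
    return findings

# Constructed configurations: one that passes and one with typical slips.
GOOD_CONFIG = {
    "host": "ldap.example.internal", "port": 636, "ssl": True,
    "server_certificate_file": r"C:\certs\ldap-server.cer",
    "vendor": "Novell",                      # search root optional for Novell
    "bind_dn": "cn=Admin,o=administration", "bind_password": "admin-pw",
    "user_filter": "(&(objectClass=person)(cn=#LDAP_LOGIN#))",
    "group_filter": "(&(objectClass=groupOfNames)(member=#LDAP_DN#))",
}
WEAK_CONFIG = {
    "host": "ldap.example.internal", "port": 389, "ssl": False,
    "vendor": "Other",                       # no search root given
    "bind_dn": "cn=Admin,o=administration", "bind_password": "admin-pw",
    "user_filter": "(&(objectClass=person) (cn=#LDAP_LOGIN#)",      # ')' missing
    "group_filter": "(&(objectClass=groupOfNames)(member=cn=x))",   # placeholder lost
}
```

check_ldap_config(WEAK_CONFIG) reports four findings (clear-text LDAP, missing search root for a non-Novell vendor, an unbalanced user filter, and a group filter without #LDAP_DN#), while GOOD_CONFIG passes; switching the good configuration to port 389 with SSL still on is reported as a port mismatch.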