To simplify administration, BOE supports user and group accounts that are created using external directories such as LDAP, Active Directory and NT. In my previous post I had described the process for configuring Windows NT authentication. Similar to setting up the authentication for NT the administrator needs to perform some basic setup to configure the server with the information needed to connect to the LDAP server.
Before I go to the setup needed in CMC, let me walk through some of the key concepts in a LDAP deployment. In my setup I have setup a freeware directory server Apache Directory. This is easy to setup and free so it works best for my testing. For the LDAP client I have used another freeware directory client from the Apache foundation called Apache Directory Studio.
You can easily create new users and groups using the directory studio and works great for the testing purposes. Ofcourse in a real production environment none of this would be necessary as you would be connecting to your corporate LDAP server. In order to make the administration simpler define a group in your LDAP server that will hold all the BOE users. I am calling it BOEUsers.
Now we can go to CMC and add this group in the LDAP configuration for BOE. You can add new authentication providers in BOE by clicking on the Authentication link in CMC.
After enabling LDAP, enter the connection details for the LDAP server. In my case I have installed on the localhost and my baseDN is dc=example,dc=com. You would also need to provide the logon credentials for the user which can be used by BOE to connect to the LDAP server for authentication. In my case I have used the admin ID however this is not essential. You can use any ID with read privileges on the baseDN.
You would also need to provide the LDAP group that will be mapped to BOE. I have used the BOEUsers group defined earlier. You will also need to define a couple of other parameters relating to how to map the users. For new deployments choose the options as shown below. If you want to map existing BOE users to LDAP userid's then you can choose "Assign each added LDAP alias to an account with the same name" in the alias options. Also if your group mapped above contains only BOE users then the option selected in the Alias Update section will suffice. Otherwise if there are other users in the group who would not have access to BOE you can choose "Create new users when the user logs in" option in the Alias update options.
Now click on update. If you have selected the options above you will notice that the users from the LDAP group have now been imported as BOE users.
And the user has been mapped to the corresponding LDAP alias.
Now you can add this user to any BOE group for access control assignment and other security settings. The user can logon by selecting LDAP as the authentication mode in Infoview.
By default the authentication drop down is not displayed in Infoview. But you can enable it with a few settings. You need to change some settings on the web.xml file for your infoview application. The web.xml file is stored in the <INSTALLDIR>Tomcat55webappsInfoViewAppWEB-INF.web.xml and <INSTALLDIR>Tomcat55webappsCmcAppWEB-INF.web.xml.
To prompt users for the authentication type on the logon screen, locate the <authentication.visible> parameter and change its <param-value> from false to true. You would need to restart the Tomcat application server after this change.
<!-- You can specify the default Authentication types here --> <!-- secEnterprise, secLDAP, secWinAD, secSAPR3 --> <context-param> <param-name>authentication.default</param-name> <param-value>secEnterprise</param-value> </context-param> <!-- Choose whether to let the user change the authentication type --> <!-- If it isn't shown the default authentication type from above will be used --> <context-param> <param-name>authentication.visible</param-name>
<param-value>true</param-value>
</context-param>
Remember to stop TOMCAT and clear the tomcat cache at <INSTALLDIR>Tomcat55workCatalinalocalhost. Restart the application server and you should see the drop down for authentication providers in your Infoview logon page.
Now the user can logon to the system with their NT password.
The diagram below is a summary of how LDAP authentication works between BusinessObjects and the LDAP server. When BOE is integrated with LDAP users and passwords are stored in LDAP and no longer defined in the Business Objects repository. The BusinessObjects clients authenticate against LDAP at runtime. The LDAP users inherit security from repository groups which are mapped to the LDAP group using repository group mapping.
iLDAP attribute (could be "role" attribute) to repository group mapping
The BusinessObjects LDAP users belong to group(s) that exist in the Business Objects repository. Access rights are attached to these repository profiles and to their parent groups. The authorization is made in two phases (1) At login, the system retrieves the list of security profiles associated to the user, by querying the LDAP corporate directory (2) Then the system computes the user access rights by combining the access rights associated to user security profiles in the repository.
