Random Thoughts

Views on life

How to configure LDAP for Crystal Reports Server/BusinessObjects Enterprise/Edge

Posted by Hemanta Banerjee on October 21, 2010


To simplify administration, BOE supports user and group accounts that are created using external directories such as LDAP, Active Directory and NT. In my previous post I described the process for configuring Windows NT authentication. As with NT authentication, the administrator needs to perform some basic setup to give the server the information it needs to connect to the LDAP server.

Before I go to the setup needed in CMC, let me walk through some of the key concepts in an LDAP deployment. For my setup I have installed a freeware directory server, Apache Directory. It is free and easy to set up, so it works best for my testing. For the LDAP client I have used another freeware directory client from the Apache foundation called Apache Directory Studio.

image

You can easily create new users and groups using Directory Studio, which works great for testing purposes. Of course, in a real production environment none of this would be necessary, as you would be connecting to your corporate LDAP server. To make administration simpler, define a group in your LDAP server that will hold all the BOE users. I am calling it BOEUsers.

image

Now we can go to CMC and add this group in the LDAP configuration for BOE. You can add new authentication providers in BOE by clicking on the Authentication link in CMC.

image

After enabling LDAP, enter the connection details for the LDAP server. In my case I have installed it on localhost and my baseDN is dc=example,dc=com. You also need to provide the logon credentials of the user that BOE will use to connect to the LDAP server for authentication. In my case I have used the admin ID; however, this is not essential. You can use any ID with read privileges on the baseDN.

image

You also need to provide the LDAP group that will be mapped to BOE. I have used the BOEUsers group defined earlier. You will also need to define a couple of other parameters that control how users are mapped. For new deployments, choose the options as shown below. If you want to map existing BOE users to LDAP user IDs, choose “Assign each added LDAP alias to an account with the same name” in the alias options. If the group mapped above contains only BOE users, the option selected in the Alias Update section will suffice. Otherwise, if the group contains other users who should not have access to BOE, choose the “Create new users when the user logs in” option in the Alias Update options.

image

Now click on update. If you have selected the options above you will notice that the users from the LDAP group have now been imported as BOE users.

image

And the user has been mapped to the corresponding LDAP alias.

image

Now you can add this user to any BOE group for access control assignment and other security settings. The user can log on by selecting LDAP as the authentication mode in Infoview.

image

Enable Selection of Authentication Mode for Infoview and CMC

By default the authentication drop-down is not displayed in Infoview, but you can enable it with a few settings in the web.xml file of your Infoview application. The web.xml files are stored at <INSTALLDIR>\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml and <INSTALLDIR>\Tomcat55\webapps\CmcApp\WEB-INF\web.xml.

To prompt users for the authentication type on the logon screen, locate the authentication.visible parameter and change its <param-value> from false to true. You need to restart the Tomcat application server after this change.

<!-- You can specify the default Authentication types here -->
<!-- secEnterprise, secLDAP, secWinAD, secSAPR3 -->
<context-param>
    <param-name>authentication.default</param-name>
    <param-value>secEnterprise</param-value>
</context-param>
<!-- Choose whether to let the user change the authentication type -->
<!-- If it isn’t shown the default authentication type from above will be used -->
<context-param>
    <param-name>authentication.visible</param-name>
    <param-value>true</param-value>
</context-param>

Remember to stop Tomcat and clear the Tomcat cache at <INSTALLDIR>\Tomcat55\work\Catalina\localhost. Restart the application server and you should see the drop-down for authentication providers on your Infoview logon page.

Now the user can log on to the system with their NT password.
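A quick way to check both web.xml files after editing them is to parse the two authentication.* parameters and flag combinations that would keep LDAP users from choosing their provider. This is an added example, not code from the original post or from BusinessObjects; the function names and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Authentication types named in the comment of the web.xml snippet above.
KNOWN_AUTH_TYPES = {"secEnterprise", "secLDAP", "secWinAD", "secSAPR3"}

# Constructed sample input: drop-down hidden, default left at secEnterprise.
SAMPLE = """<web-app>
  <context-param>
    <param-name>authentication.default</param-name>
    <param-value>secEnterprise</param-value>
  </context-param>
  <context-param>
    <param-name>authentication.visible</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

def _local(tag):
    """Drop any XML namespace prefix so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def context_params(xml_text):
    """Return {param-name: param-value} for every <context-param> element."""
    params = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "param-name" in fields:
            params[fields["param-name"]] = fields.get("param-value", "")
    return params

def audit_logon_settings(xml_text):
    """Return findings (hypothetical helper) for the two authentication.* parameters."""
    params = context_params(xml_text)
    default = params.get("authentication.default")
    visible = params.get("authentication.visible")
    findings = []
    if default not in KNOWN_AUTH_TYPES:
        findings.append(f"authentication.default is missing or unknown: {default!r}")
    if visible not in ("true", "false"):
        findings.append(f"authentication.visible must be true or false: {visible!r}")
    elif visible == "false" and default != "secLDAP":
        findings.append("provider drop-down hidden and default is not secLDAP, "
                        "so LDAP users cannot select their provider")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_logon_settings(SAMPLE)))
```

Run it against the contents of both the InfoViewApp and CmcApp web.xml files, since each application reads its own copy.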

image

How does LDAP Integration work

The diagram below summarizes how LDAP authentication works between BusinessObjects and the LDAP server. When BOE is integrated with LDAP, users and passwords are stored in LDAP and are no longer defined in the Business Objects repository. The BusinessObjects clients authenticate against LDAP at runtime. The LDAP users inherit security from repository groups, which are mapped to the LDAP group using repository group mapping.

LDAP attribute (could be “role” attribute) to repository group mapping

image

The BusinessObjects LDAP users belong to group(s) that exist in the Business Objects repository. Access rights are attached to these repository profiles and to their parent groups. The authorization is made in two phases: (1) at login, the system retrieves the list of security profiles associated with the user by querying the corporate LDAP directory; (2) the system then computes the user's access rights by combining the access rights associated with the user's security profiles in the repository.

image
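The two phases described above can be modelled in a few lines, which is useful when reviewing what membership of an LDAP group ends up granting through mapped repository groups and their parents. This is an added example, not code from the original post or the product; it assumes rights combine as a plain set union, and apart from BOEUsers and the baseDN every DN, group and right name is hypothetical.

```python
BASE = "dc=example,dc=com"                      # baseDN used on the page
ALICE, BOB = f"uid=alice,ou=people,{BASE}", f"uid=bob,ou=people,{BASE}"
BOE_USERS, FINANCE = f"cn=BOEUsers,ou=groups,{BASE}", f"cn=Finance,ou=groups,{BASE}"

# Constructed sample data: apart from BOEUsers and the baseDN, every DN,
# repository group and right name here is hypothetical.
DIRECTORY = {BOE_USERS: {ALICE, BOB}, FINANCE: {ALICE},
             f"cn=Wiki,ou=groups,{BASE}": {BOB}}      # Wiki is not mapped to BOE
GROUP_MAPPING = {BOE_USERS: "LDAP BOE Users", FINANCE: "Finance Reports"}
REPO_GROUPS = {
    "Everyone":        {"rights": {"logon"}, "parents": []},
    "LDAP BOE Users":  {"rights": {"view-public"}, "parents": ["Everyone"]},
    "Finance Reports": {"rights": {"view-finance", "schedule"},
                        "parents": ["LDAP BOE Users"]},
}

def ldap_groups_of(user_dn, directory):
    """Phase 1: groups in the directory whose member list contains the user."""
    return {dn for dn, members in directory.items() if user_dn in members}

def effective_rights(user_dn, directory, group_mapping, repo_groups):
    """Phase 2: combine rights of each mapped repository group and its parents.

    Assumption: rights combine as a set union; the page does not describe
    how the product resolves conflicting rights.
    """
    rights, seen = set(), set()
    pending = [group_mapping[g] for g in ldap_groups_of(user_dn, directory)
               if g in group_mapping]           # unmapped LDAP groups grant nothing
    while pending:
        name = pending.pop()
        if name in seen or name not in repo_groups:
            continue                            # also guards against parent cycles
        seen.add(name)
        rights |= repo_groups[name]["rights"]
        pending.extend(repo_groups[name]["parents"])
    return rights, seen

if __name__ == "__main__":
    for user in (ALICE, BOB):
        rights, via = effective_rights(user, DIRECTORY, GROUP_MAPPING, REPO_GROUPS)
        print(user, sorted(rights), "via", sorted(via))
```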
