Support

Lorem ipsum dolor sit amet:

24h / 365days

We offer support for our customers

Mon - Fri 8:00am - 5:00pm (GMT +1)

Get in touch

Cybersteel Inc.
376-293 City Road, Suite 600
San Francisco, CA 94102

Have any questions?
+44 1234 567 890

Drop us a line
info@yourdomain.com

About us

Lorem ipsum dolor sit amet, consectetuer adipiscing elit.

Aenean commodo ligula eget dolor. Aenean massa. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Donec quam felis, ultricies nec.

Chapter 17. Integrating ReportServer with an Active Directory using LDAP

17. Integrating ReportServer with an Active Directory using LDAP

In the following we will outline the necessary steps to connect ReportServer to an Active Directory using LDAP. As there are many valid ways to organize a company's directory (may it be AD or another vendors product) ReportServer allows you to customize all relevant LDAP options. This on one hand means, that the configuration might seem rather complex, but on the other hand it provides you with a maximum of flexibility.

To connect ReportServer to the Active Directory Service we will use ReportServer's integrated configuration. The whole process can be divided into two, mostly separate parts. One part is the synchronization of the user objects: we will automatically copy Users, Organizational Units and Groups from the directory to ReportServer and keep them updated. The second part is a mechanism that authenticates the previously imported users when they log into ReportServer.

17.1. Synchronizing Users

The current ldapimport.groovy script is available here: https://github.com/infofabrik/reportserver-samples/blob/main/src/net/datenwerke/rs/samples/admin/ldap/ldapimport.groovy.

The script reads its configuration from the sso/ldap.cf configuration file. As you may want to schedule the LDAP-import process, e.g. to import LDAP users every night, you can use the above script for this purpose. Otherwise, you can also use the ldapimport terminal command together with the sso/ldap.cf configuration file for manually importing LDAP users. With other words: for manually importing users use the ldapimport terminal command. For all other purposes use the ldapimport.groovy script above. Both basically achieve the same, but the script is scheduleable:

For scheduling this functionality periodically, schedule the ldapimport.groovy script via the scheduleScript terminal command as described in Section 19.56.

Note that you can (and should) use the ldaptest terminal commands for checking your LDAP configuration before letting the real import to happen. Details and example uses can be found in Section 19.37. The ldapschema (Section 19.36.), ldapguid (Section 19.33.), ldapfilter (Section 19.37.) and ldapinfo (Section 19.35.) terminal commands may also be useful for exploring your LDAP server and also the extended the ldaptest users, ldaptest groups and ldaptest organizationalUnits with a -s (schema) flag (refer to 19.37. ldaptest) While the -s flag allows you to explore the installed object class types of your users', OUs' and groups' object classes, the ldapschema allows you to explore any object class. For example, you may execute ldaptest users -s for printing the schema of the users' object class. You should get a list of optional attributes, required attributes, and the parent object class. Suppose the parent's object class is ''organizationalPerson''. You may then explore this object class with ldapschema objectClassInfo organizationalPerson. You may continue exploring the LDAP schemas until the top-most object class: ''top''.

Refer to the Configuration Guide for a detailed description of all configurable values of the ldap.cf configuration file: https://reportserver.net/en/guides/config/chapters/SSO-related-properties/#LDAP

17.2. Authenticating Users

As of ReportServer 4.3.0, LDAP authentication is supported out-of-the-box. For using it, you have to install the net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM or net.datenwerke.rs.ldap.service.ldap.pam.LdapPAMAuthoritative PAM in your reportserver.properties configuration file as described here: https://reportserver.net/en/guides/config/chapters/configfile-reportserverproperties/

It reads your ldap.cf configuration file together with metadata of your previously imported users, and authenticates the given user against your LDAP server.

Now that you should have a basic understanding how the LDAP mechanism works, let's give it a try. Download the two files ldapimport.groovy and sso/ldap.cf to your computer.

Open the sso/ldap.cf with a text editor and change the configuration options to match your configuration. Details on these can be found in the Configuration Guide: https://reportserver.net/en/guides/config/chapters/SSO-related-properties/#LDAP

After you modified the file, open ReportServer in your browser and go to the fileserver section in the admin module.

Upload the ldapimport.groovy to a location below the bin directory. Open the terminal by pressing CTRL+ALT+T. Upload the sso/ldap.cf to the /etc directory and type the config reload terminal command in order to reload your configuration.

As noted above, it is important to test your LDAP configuration first, so try to execute the following commands in order, as they are based on previous configuration. For example, the ldaptest users assumes the filter is correct, so you should run ldaptest filter first.

ldaptest filter
ldaptest guid
ldaptest groups
ldaptest organizationalUnits
ldaptest users
ldaptest orphans

Check the output of the above commands. If you get the correct output for all test commands, congratulations, your LDAP is configured correctly and you are ready to proceed. If you have any error in the commands above, you have to check and correct your configuration in the ldap.cf configuration file. Don't forget to run config reload after each configuration change.

Now you are ready to import your users from your LDAP server.

For this purpose, change your current directory to the location where you put the script file using the cd command and execute the import script.

cd /fileserver/bin
exec -c ldapimport.groovy

The -c (commit) flag is important because otherwise changes to the data model made by the script would be reverted after execution.

If you now change over to the user manager section you can view the results of the import. Also some statistics were written to the server's logfile/console.

Now you have to give ''ReportServer access'' generic permission to your imported users in order for them to be able to log-in. This of course depends on your desired configuration, but the easiest way would be to give the required permission to the parent directory where your LDAP users reside. Details can be found here in Section 3.2.2.

After you have verified that the import was successful, and you set the required permissions, it's time to load the authenticator module. Edit your reportserver.properties and set your LdapPAM as shown below:

rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAMAuthoritative

Restart your ReportServer after saving your reportserver.properties configuration.

Now you should be able to log in with your LDAP users.

Note you can also use the legacy LdapPAM script available here: https://github.com/infofabrik/reportserver-samples/blob/main/src/net/datenwerke/rs/samples/admin/ldap/legacyHookldappam.groovy

17.3. Possible Improvements

Using the scheduler to refresh users periodically To keep ReportServer's user database in sync with your company directory you would probably like to run the ldapimport.groovy script automatically from time to time. To do this, you can use the scheduleScript terminal command.

InfoFabrik GmbH

Wir wollen, dass alle Unternehmen, Institutionen und Organisationen, die Daten auswerten, selbständig und zeitnah genau die Informationen erhalten, die sie für ein erfolgreiches Arbeiten benötigen.

InfoFabrik GmbH
Klingholzstr. 7
65189 Wiesbaden
Germany

+49 (0) 611 580 66 25

Kontaktieren Sie uns

Bitte rechnen Sie 5 plus 6.
Copyright 2007 - 2024 InfoFabrik GmbH. All Rights Reserved.

Auf unserer Website setzen wir Cookies und andere Technologien ein. Während einige davon essenziell sind, dienen andere dazu, die Website zu verbessern und den Erfolg unserer Kampagnen zu bewerten. Bei der Nutzung unserer Website werden Daten verarbeitet, um Anzeigen und Inhalte zu messen. Weitere Informationen dazu finden Sie in unserer Datenschutzerklärung. Sie haben jederzeit die Möglichkeit, Ihre Einstellungen anzupassen oder zu widerrufen.

Datenschutzerklärung Impressum
You are using an outdated browser. The website may not be displayed correctly. Close