Have any questions?
+44 1234 567 890
Chapter 17. Integrating ReportServer with an Active Directory using LDAP
17. Integrating ReportServer with an Active Directory using LDAP
In the following we will outline the necessary steps to connect ReportServer to an Active Directory using LDAP. As there are many valid ways to organize a company's directory (may it be AD or another vendors product) ReportServer allows you to customize all relevant LDAP options. This on one hand means, that the configuration might seem rather complex, but on the other hand it provides you with a maximum of flexibility.
To connect ReportServer to the Active Directory Service we will use ReportServer's integrated configuration. The whole process can be divided into two, mostly separate parts. One part is the synchronization of the user objects: we will automatically copy Users, Organizational Units and Groups from the directory to ReportServer and keep them updated. The second part is a mechanism that authenticates the previously imported users when they log into ReportServer.
17.1. Synchronizing Users
The current ldapimport.groovy script is available here: https://github.com/infofabrik/reportserver-samples/blob/main/src/net/datenwerke/rs/samples/admin/ldap/ldapimport.groovy.
The script reads its configuration from the sso/ldap.cf configuration file. As you may want to schedule the LDAP-import process, e.g. to import LDAP users every night, you can use the above script for this purpose. Otherwise, you can also use the ldapimport terminal command together with the sso/ldap.cf configuration file for manually importing LDAP users. With other words: for manually importing users use the ldapimport terminal command. For all other purposes use the ldapimport.groovy script above. Both basically achieve the same, but the script is scheduleable:
For scheduling this functionality periodically, schedule the ldapimport.groovy script via the scheduleScript terminal command as described in Section 19.56.
Note that you can (and should) use the ldaptest terminal commands for checking your LDAP configuration before letting the real import to happen. Details and example uses can be found in Section 19.37. The ldapschema (Section 19.36.), ldapguid (Section 19.33.), ldapfilter (Section 19.37.) and ldapinfo (Section 19.35.) terminal commands may also be useful for exploring your LDAP server and also the extended the ldaptest users, ldaptest groups and ldaptest organizationalUnits with a -s (schema) flag (refer to 19.37. ldaptest) While the -s flag allows you to explore the installed object class types of your users', OUs' and groups' object classes, the ldapschema allows you to explore any object class. For example, you may execute ldaptest users -s for printing the schema of the users' object class. You should get a list of optional attributes, required attributes, and the parent object class. Suppose the parent's object class is ''organizationalPerson''. You may then explore this object class with ldapschema objectClassInfo organizationalPerson. You may continue exploring the LDAP schemas until the top-most object class: ''top''.
Refer to the Configuration Guide for a detailed description of all configurable values of the ldap.cf configuration file: https://reportserver.net/en/guides/config/chapters/SSO-related-properties/#LDAP
17.2. Authenticating Users
As of ReportServer 4.3.0, LDAP authentication is supported out-of-the-box. For using it, you have to install the net.datenwerke.rs.ldap.service.ldap.pam.LdapPAM or net.datenwerke.rs.ldap.service.ldap.pam.LdapPAMAuthoritative PAM in your reportserver.properties configuration file as described here: https://reportserver.net/en/guides/config/chapters/configfile-reportserverproperties/
It reads your ldap.cf configuration file together with metadata of your previously imported users, and authenticates the given user against your LDAP server.
Now that you should have a basic understanding how the LDAP mechanism works, let's give it a try. Download the two files ldapimport.groovy and sso/ldap.cf to your computer.
Open the sso/ldap.cf with a text editor and change the configuration options to match your configuration. Details on these can be found in the Configuration Guide: https://reportserver.net/en/guides/config/chapters/SSO-related-properties/#LDAP
After you modified the file, open ReportServer in your browser and go to the fileserver section in the admin module.
Upload the ldapimport.groovy to a location below the bin directory. Open the terminal by pressing CTRL+ALT+T. Upload the sso/ldap.cf to the /etc directory and type the config reload terminal command in order to reload your configuration.
As noted above, it is important to test your LDAP configuration first, so try to execute the following commands in order, as they are based on previous configuration. For example, the ldaptest users assumes the filter is correct, so you should run ldaptest filter first.
ldaptest filter
ldaptest guid
ldaptest groups
ldaptest organizationalUnits
ldaptest users
ldaptest orphans
Check the output of the above commands. If you get the correct output for all test commands, congratulations, your LDAP is configured correctly and you are ready to proceed. If you have any error in the commands above, you have to check and correct your configuration in the ldap.cf configuration file. Don't forget to run config reload after each configuration change.
Now you are ready to import your users from your LDAP server.
For this purpose, change your current directory to the location where you put the script file using the cd command and execute the import script.
cd /fileserver/bin
exec -c ldapimport.groovy
The -c (commit) flag is important because otherwise changes to the data model made by the script would be reverted after execution.
If you now change over to the user manager section you can view the results of the import. Also some statistics were written to the server's logfile/console.
Now you have to give ''ReportServer access'' generic permission to your imported users in order for them to be able to log-in. This of course depends on your desired configuration, but the easiest way would be to give the required permission to the parent directory where your LDAP users reside. Details can be found here in Section 3.2.2.
After you have verified that the import was successful, and you set the required permissions, it's time to load the authenticator module. Edit your reportserver.properties and set your LdapPAM as shown below:
rs.authenticator.pams = net.datenwerke.rs.ldap.service.ldap.pam.LdapPAMAuthoritative
Restart your ReportServer after saving your reportserver.properties configuration.
Now you should be able to log in with your LDAP users.
Note you can also use the legacy LdapPAM script available here: https://github.com/infofabrik/reportserver-samples/blob/main/src/net/datenwerke/rs/samples/admin/ldap/legacyHookldappam.groovy
17.3. Possible Improvements
Using the scheduler to refresh users periodically To keep ReportServer's user database in sync with your company directory you would probably like to run the ldapimport.groovy script automatically from time to time. To do this, you can use the scheduleScript terminal command.