
LDAP Configuration

Former Member
0 Kudos

Currently on BIP 4.1 SP2 (Windows/Tomcat) using Enterprise authentication, but want to set up LDAP authentication. I've looked at the SAP documentation, but it isn't very clear which options to use in my situation:

  • LDAP directory contains >100K users, about 350 use BIP
  • Do not want to create any LDAP groups, only want to use it to authenticate the username/password
  • About 75% of the BIP users have Enterprise usernames that do NOT match their LDAP usernames

Under the "New Alias Option" my sense says to select "Assign each added LDAP alias to an account with the same name," and this would take care of the 25% of users whose Enterprise username matches their LDAP username.

Under the "Alias Update Options" I think I should choose "Create new aliases only when the user logs on," since it mentions having many users in LDAP but not all of them will use BIP.

If I have to manually add the aliases for all 350 initially, so be it; I'm more looking for how to avoid having erroneous accounts/aliases created automatically.

Am I on the right track?

Accepted Solutions (1)


julian_jimenez
Active Contributor
0 Kudos

Brian,

There are two ways you can achieve your goal, but it will require some manual process as their Enterprise login doesn't match their LDAP alias.

Selecting the option "Create new aliases only when the user logs on" will avoid the problem of creating the 100K accounts. However, users should log on at least once for the account to be created so you can assign manually to the correct alias when the username doesn't match.

I believe it is easier to create a group in LDAP with all your users as you can force the creation of the alias and assign manually in one single operation. Also, potentially, any LDAP user accessing the BI Launchpad portal should be able to log in and create an account.

Regards,
Julian


Former Member
0 Kudos

My strong preference is to leave only the authentication piece to LDAP, and manage all other aspects like Groups manually within the CMC. If a user does not have an account with a corresponding LDAP alias, they would just receive an error message if they try to log in.

Every other n-tier app we have integrated with LDAP (or Shibboleth) operates in this manner, so it would be surprising to me if BIP did not.

julian_jimenez
Active Contributor
0 Kudos

Brian, that is not correct. If you map a group that an LDAP user belongs to, he will have access to BI launchpad.

BusinessObjects does not require enterprise accounts. It can be fully functional with 3rd party accounts. In fact, that makes it more flexible than other applications.

Former Member
0 Kudos

Let me ask another way: am I required to map LDAP groups if I use LDAP authentication?

From the admin guide, it seems like I am: "Users are authenticated against the LDAP directory server, and have their membership in a mapped LDAP group verified before the CMS grants them an active BI platform session"

Here's the issue. We have spent a great deal of time organizing users into groups strictly inside the CMC, and prefer this way of managing them in the future. I'm part of a small IT department that has direct control over managing BIP, but zero control over LDAP. Requiring new users to be added to an LDAP group will probably tack a week on to access requests.

The only reason we want to use LDAP is to allow users to have one username/password they can use on all systems.

former_member189884
Contributor
0 Kudos

If you want users to log in using the LDAP authentication, you MUST map a group they are a member of for password sync at the very minimum. However, if you have the users already created as Enterprise users, you could configure Trusted Authentication SSO and the end users would not be prompted for a password... No LDAP needed.

1593628 - Setting up Trusted Authentication in BI4 for BIlaunchPad and Opendocument using QUERY_STRING

-Josh

Former Member
0 Kudos

This actually looks perfect, not sure how I missed this option. Thank you!
