on 09-08-2014 5:16 PM
Currently on BIP 4.1 SP2 (Windows/Tomcat) using Enterprise authentication, but want to set up LDAP authentication. I've looked at the SAP documentation, but it isn't very clear which options to use in my situation:
Under the "New Alias Option" my sense says to select "Assign each added LDAP alias to an account with the same name," and this would take care of the 25% of users whose Enterprise username matches their LDAP username.
Under the "Alias Update Options" I think I should choose "Create new aliases only when the user logs on," since it mentions having many users in LDAP but not all of them will use BIP.
If I have to manually add the aliases for all 350 initially, so be it; I'm more looking for how to avoid having erroneous accounts/aliases created automatically.
Am I on the right track?
Brian,
There are two ways you can achieve your goal, but it will require some manual process as their Enterprise login doesn't match their LDAP alias.
Selecting the option "Create new aliases only when the user logs on" will avoid the problem of creating the 100K accounts. However, users should log on at least once for the account to be created so you can assign manually to the correct alias when the username doesn't match.
I believe it is easier to create a group in LDAP with all your users as you can force the creation of the alias and assign manually in one single operation. Also, potentially, any LDAP user accessing the BI Launchpad portal should be able to log in and create an account.
Regards,
Julian
My strong preference is to leave only the authentication piece to LDAP, and manage all other aspects like Groups manually within the CMC. If a user does not have an account with a corresponding LDAP alias, they would just receive an error message if they try to log in.
Every other n-tier app we have integrated with LDAP (or Shibboleth) operates in this manner, so it would be surprising to me if BIP did not.
Let me ask another way: am I required to map LDAP groups if I use LDAP authentication?
From the admin guide, it seems like I am: "Users are authenticated against the LDAP directory server, and have their membership in a mapped LDAP group verified before the CMS grants them an active BI platform session"
Here's the issue. We have spent a great deal of time organizing users into groups strictly inside the CMC, and prefer this way of managing them in the future. I'm part of a small IT department that has direct control over managing BIP, but zero control over LDAP. Requiring new users to be added to an LDAP group will probably tack a week on to access requests.
The only reason we want to use LDAP is to allow users to have one username/password they can use on all systems.
If you want users to log in using the LDAP authentication you MUST map a group they are a member of for password sync at the very minimum. However, if you have the users already created as Enterprise users, you could configure Trusted Authentication SSO and the end users would not be prompted for a password... No LDAP needed.
1593628 - Setting up Trusted Authentication in BI4 for BIlaunchPad and Opendocument using QUERY_STRING
-Josh