Tuesday, April 20, 2010

BusinessObjects XI and OpenLDAP

Supported BOXI authentication methods / plug-ins

BusinessObjects 3.1 supports three modes of user authentication:
  1. Default Enterprise authentication, which allows for complete user and security administration within BusinessObjects Enterprise itself
  2. An LDAP plug-in that allows BusinessObjects Enterprise (BOE) to add, sync and authenticate users against a third-party LDAP directory
  3. A Windows Active Directory (AD) / NT security plug-in to add and map users of an external directory to those in the BOE.
This write-up provides a high-level overview of configuring BusinessObjects with OpenLDAP 4.1.17 on a Windows platform. BusinessObjects already ships with plug-ins supporting LDAP for Sun iPlanet Directory Server, Lotus Domino Directory Server, IBM Secureway, and Novell Directory Services (NDS). OpenLDAP is simply an open-source flavor of user / group directory that happens to use the same attribute mappings as Sun DS; for example:


It is important to note that attribute mappings must coincide between the LDAP directory and the BusinessObjects Enterprise for the authentication to work properly.

Now let's review an LDAP structure that maps accordingly with the attributes above. In the example below, attributes are color coded to reflect how the mappings from the LDAP directory correspond to those set within the Central Management Console (CMC) of BusinessObjects:



Adding Dynamic LDAP Groups to The BOE
Once the source LDAP directory is configured properly, the LDAP Configuration Wizard under the Authentication section of CMC is used to configure BOXI. Enter all required information and when prompted to add groups, the full distinguished name (dn) of the dynamic LDAP group(s) must be entered as shown in the screenshot below.

Note: If there is no existing / corresponding Enterprise user account contained within the BOE, select “Create a new account for every added LDAP alias” when prompted for how new LDAP users and aliases are created. However, if Enterprise accounts exist and match exactly to usernames contained within the LDAP directory, select “Assign each added LDAP alias to an account with the same name.”
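Because authentication only works when the directory's attributes line up with the CMC mapping, it is worth checking an LDIF export of the directory before running the wizard. The script below is an added example, not part of the original post: the mapping values are the Sun DS-style defaults and are an assumption (adjust them to what your CMC plug-in page actually shows), and the LDIF is a constructed sample rather than a real directory.

```python
# Assumed CMC mapping (Sun DS-style defaults); adjust to what your CMC shows.
MAPPING = {"user_class": "inetOrgPerson", "user_name_attr": "uid",
           "group_class": "groupOfUniqueNames", "group_member_attr": "uniqueMember"}
# Constructed LDIF export standing in for the directory in the post.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe

dn: cn=mwong,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: mwong

dn: cn=BOReports,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: BOReports
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
uniqueMember: cn=mwong,ou=People,dc=example,dc=com
uniqueMember: uid=ghost,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {lower-cased dn: {lower-cased attr: [values]}} for unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(val.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def check_group(ldif_text, group_dn, mapping=MAPPING):
    """List what would stop BOE mapping or authenticating members of group_dn."""
    entries = parse_ldif(ldif_text)
    group = entries.get(group_dn.lower())
    if group is None or mapping["group_class"] not in group.get("objectclass", []):
        return [f"group DN not found or not a {mapping['group_class']}: {group_dn}"]
    problems = []
    for member in group.get(mapping["group_member_attr"].lower(), []):
        user = entries.get(member.lower())
        if user is None:
            problems.append(f"member DN does not exist: {member}")
        elif mapping["user_class"] not in user.get("objectclass", []):
            problems.append(f"member is not a {mapping['user_class']}: {member}")
        elif mapping["user_name_attr"].lower() not in user:
            problems.append(f"member lacks {mapping['user_name_attr']}: {member}")
    return problems
```

Run `check_group(SAMPLE_LDIF, "cn=BOReports,ou=Groups,dc=example,dc=com")` to see the two members the wizard would silently fail to map: one whose entry has no `uid` (the mapped user-name attribute) and one whose DN does not exist.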

Managing Dynamic LDAP Groups within CMC
Once LDAP groups are synced with the BOE, they can be managed like any other group contained in the Enterprise. Simply go to the Groups section in the CMC and set rights as needed. A recommended practice is to create an Enterprise group and set the desired rights on it, then make the LDAP group a member of that parent Enterprise group so it inherits those rights. This allows future LDAP groups to be added as needed by nesting them in the parent, rather than setting rights explicitly on each new group.
