Configuring BusinessObjects for use with LDAP

This topic describes how to configure BusinessObjects Business Intelligence (BI) for use with Lightweight Directory Access Protocol (LDAP).

In addition to using these instructions, review the "Configuring LDAP authentication" section in the Business Intelligence Platform Administrator Guide at PDFs.

Before you begin

Review the following prerequisites and gather the information that you need for this procedure.

  1. Review the information in Authentication and authorization.
  2. BusinessObjects BI must already be installed in your environment before you can set up LDAP.
  3. Determine the sequence for completing this procedure based on your authentication needs, as follows:
    • If you are not going to use BusinessObjects BI Enterprise authentication in your environment, complete this procedure before installing BMC Decision Support – Network Automation.
    • If you are going to use BusinessObjects BI Enterprise authentication and LDAP in your environment, first install BMC Decision Support – Network Automation, run ETL and URG Mapper, and then complete this procedure.
  4. Review this procedure and ask your LDAP administrator for the correct information and settings that you need to use in your environment. Have the following information on hand before you begin this procedure:
    • LDAP host name and port number
    • LDAP directory type
    • LDAP distinguished name
    • LDAP server administrator credentials
    • Secure socket layer (SSL) authentication type
    • Single sign-on (SSO) authentication type

To configure BusinessObjects for use with LDAP

  1. Log on to the Central Management Console (CMC) as described in Accessing the Central Management Console.
  2. Click Authentication.
  3. Double-click LDAP to open it.
  4. Click Start LDAP Configuration Wizard.
    The wizard displays the following panel.

  5. Enter the name of the LDAP computer in your environment in the following format: hostName:portNumber.
    For example, it might look like the following:
    myserver.mycompany.com:3268
  6. Click Add and then Next.
  7. From the LDAP Server Type menu, select the LDAP server type for your environment and click Next.

    Note

    If you are configuring LDAP against Microsoft Windows Active Directory, see Restrictions when configuring LDAP against Windows Active Directory.

    If your users log on with logon names (for example, mjones) rather than full names (for example, Mack Jones), then after selecting Microsoft Active Directory Application Server from the list, click Show Attribute Mappings, and then change the values of User Name and Default User Search Attribute from cn to sAMAccountName.


    The wizard displays the following panel.

  8. Enter the Base LDAP Distinguished Name for your environment using the format that is appropriate for your environment (something similar to the following):
    ou=<organization_unit>,dc=<domain_component>,dc=<domain_component>,dc=<domain_component>
    For example, it might look like the following:
    ou=Security,dc=myserver,dc=mycompany,dc=com
  9. Click Next.
    The wizard displays the following panel.

  10. In the LDAP Server Administration Credentials area, specify the distinguished name and password for a user account that has read rights to the LDAP server and click Next.
    The credentials vary based on your LDAP server configuration. Administrator credentials are not required.
    Use the complete name in the following format:
    cn=<admin_user_name>,ou=<organization_unit>,ou=<organization_unit>,dc=<domain_component>,dc=<domain_component>,dc=<domain_component>
    For example, it might look like the following:
    cn=reportsadmin,ou=Service Accounts,ou=Security,dc=myserver,dc=mycompany,dc=com
  11. From the Type of SSL authentication list, select your SSL authentication type and click Next.
  12. From the Authentication list, select your SSO authentication type, and click Next.
  13. In the following panel, specify how new LDAP users and aliases are created by BusinessObjects: 

  14. Click Finish.
    The wizard displays the following message:
    The wizard has now collected all the information it needs.
    Use the Finish button to save your LDAP settings.
    If the values were entered correctly, go to the next step.
    If there is a problem with any values that you entered, an error is displayed. Work with your LDAP administrator to correct the problems and retry this step.
  15. Click Finish.
    The next panel appears.

  16. In the Mapped LDAP Member Groups section, in the Add LDAP group field, enter a name for the LDAP group in which you want to store your users in BusinessObjects BI and click Add. Use the following format to enter the names:
    cn=<group_Name>,dc=<domain_component>,dc=<domain_component>,dc=<domain_component>
    For example, it might look like the following:
    cn=Users,dc=myserver,dc=mycompany,dc=com
  17. In the Attribute Binding Options section, select Import Full Name and Email Address.

  18. Click Update.
    If the group is validated, the LDAP group is added to Users and Groups in the CMC User and Groups page. To verify that the group was added, access Users and Groups as described in Accessing users and groups in the Central Management Console. It might take a little time before the group is added.
    If the group is not validated, an error is displayed and the group is not added to the User list. Work with your LDAP administrator to correct the problem and repeat these steps.
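
The following pre-flight check is an added example, not part of the original procedure or of any BMC or SAP tooling. It validates the hostName:portNumber value and the three distinguished names in the formats shown above before you type them into the wizard. It flags a configuration without SSL, a port that does not match the SSL choice, a bind account or group in a different domain than the base DN, and an attempt to map Domain Users. The function names and the ssl_enabled flag are assumptions made for illustration.

```python
import re

# Standard directory ports; the value says whether the port is TLS-wrapped.
KNOWN_PORTS = {389: False, 3268: False, 636: True, 3269: True}

def parse_server(entry):
    """Split hostName:portNumber; the third item is None for non-standard ports."""
    m = re.fullmatch(r"([A-Za-z0-9.-]+):(\d{1,5})", entry.strip())
    if not m or not 0 < int(m.group(2)) < 65536:
        raise ValueError(f"not hostName:portNumber: {entry!r}")
    port = int(m.group(2))
    return m.group(1), port, KNOWN_PORTS.get(port)

def parse_dn(dn):
    """Return [(attribute, value), ...]; commas escaped with a backslash stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip() or "<" in value:
            raise ValueError(f"bad or unfilled component {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def domain_of(rdns):
    """Join the dc components, for example myserver.mycompany.com."""
    return ".".join(v.lower() for a, v in rdns if a == "dc")

def preflight(server, base_dn, bind_dn, group_dn, ssl_enabled):
    """Return a list of findings to settle with the LDAP administrator."""
    findings = []
    _, port, tls = parse_server(server)
    base, bind, group = parse_dn(base_dn), parse_dn(bind_dn), parse_dn(group_dn)
    if not ssl_enabled:
        findings.append("no SSL: the bind DN and password reach the LDAP server unencrypted")
    if tls is not None and tls != ssl_enabled:
        findings.append(f"port {port} does not match the SSL choice")
    for label, dn in (("bind account", bind), ("mapped group", group)):
        if domain_of(dn) != domain_of(base):
            findings.append(f"{label} is in a different domain than the base DN")
    if group[0][0] == "cn" and group[0][1].lower() == "domain users":
        findings.append("the Domain Users group cannot be mapped")
    return findings

if __name__ == "__main__":
    # Constructed sample: the example values shown in the procedure above.
    dc = "dc=myserver,dc=mycompany,dc=com"
    for finding in preflight("myserver.mycompany.com:3268", f"ou=Security,{dc}",
                             f"cn=reportsadmin,ou=Service Accounts,ou=Security,{dc}",
                             f"cn=Users,{dc}", ssl_enabled=False):
        print(finding)
```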

To enable the LDAP selection drop-down in the launch pad

  1. Navigate to the C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom directory.
  2. Create a new file called BIlaunchpad.properties, edit it and add the following line to it:
    authentication.visible=true
  3. Save and close the file.
  4. Restart the Apache Tomcat web server.
    If the LDAP configuration does not take effect, try restarting the BusinessObjects services.

Restrictions when configuring LDAP against Windows Active Directory

If you configure LDAP against Windows Active Directory, consider the following restrictions:

  • If you are configuring LDAP against Active Directory, you can map your users. However, you cannot configure Active Directory single sign-on or single sign-on to the database. LDAP single sign-on methods, such as SiteMinder and trusted authentication, are still available.
  • Users who are members of only default groups from Active Directory (for example, the "domain users" group) cannot log on. Users must also be a member of another group that is created explicitly in Active Directory, and this group must be mapped.
  • If a mapped domain local group contains a user from a different domain in the forest, the user from the different domain cannot log on.
  • Users from a universal group from a domain different than the DC specified as the LDAP host cannot log on.
  • You cannot map users and groups from Active Directory forests outside the forest where BusinessObjects BI Platform is installed by using the LDAP plug-in.
  • You cannot map in the Domain Users group in Active Directory.
  • You cannot map a computer local group.

Where to go from here

Performing the installation

Related topic

Configuring after installation
