#1 2013-07-22 19:21:11

jsohl
Member
Registered: 2013-07-22

LDAP Authentication?

Is it possible to set up ReportServer to use LDAP for authentication and/or permission management?
We have a large number of users and use Active Directory to manage them. We would like to set up ReportServer to use this existing infrastructure.
I have not found any documentation on this. But in reportserver.properties I see a section on ### authenticator configuration ## and a reference to PAM. And in the Filesystem section of the UI I see a number of configuration files as well. So I suspect advanced configuration is possible.
Any help would be greatly appreciated.
Thank You

Offline

#2 2013-07-22 21:27:34

Thorsten J. Krause
Guest

Re: LDAP Authentication?

Hi jsohl,

you are right, technically ReportServer comes with everything that is needed for Active Directory (or other LDAP/SSO) integration. Unfortunately configuration is not exactly straightforward. I'll try to find the time to write down some detailed instructions over the week.

Cheers,
Thorsten

#3 2013-07-22 21:54:50

jsohl
Member
Registered: 2013-07-22

Re: LDAP Authentication?

I really appreciate it. If there is anything I can do to help out, let me know.
If you want, you can just send me the basics. If I have time I can help you flesh out the documentation.
Thanks again,
Jacob

Offline

#4 2013-07-29 13:42:20

Thorsten J. Krause
Guest

Re: LDAP Authentication?

Hi Jacob,

just so you don't think I forgot you: I'm still at it, but last week was really busy. I'm confident I'll have a useful answer for you, soon.

Cheers,
Thorsten

#5 2013-08-06 09:27:27

Thorsten J. Krause
Guest

Re: LDAP Authentication?

Hi Jacob,
I finally finished the blog post I promised.

http://blog.datenwerke.net/2013/08/Repo … ation.html

Sorry that took so long, but the post grew rather long.
Let me know if that helps you.

Cheers,
Thorsten

#6 2013-08-07 17:36:29

jsohl
Member
Registered: 2013-07-22

Re: LDAP Authentication?

That's a really great post. Thanks for writing this up and explaining the different steps and scripts.

Offline

#7 2013-08-08 22:14:45

jsohl
Member
Registered: 2013-07-22

Re: LDAP Authentication?

I used your scripts and was able to set up LDAP import and authentication successfully. But I found an issue. Every authentication attempt is being logged by Tomcat in /var/log/tomcat6/catalina.out. That would be fine except it is logging the password as well:

auth jacob.sohl:testpassword
user: Jacob Sohl
trze
u: Jacob Sohl

Can I configure something to change the logging output?
Thanks again.

P.S. Do you have a wiki setup? I could help put some of your tutorials there if you like?

Offline

#8 2013-08-08 22:47:34

Thorsten J. Krause
Guest

Re: LDAP Authentication?

Well that's rather embarrassing... I just completely forgot to remove those lines.
I fixed the script and uploaded it again.

http://www2.datenwerke.net/files/blog/2 … pam.groovy


There is no wiki, but you could just post it here and we would mark the post as sticky or move it to a separate section.

#9 2013-08-08 23:51:41

jsohl
Member
Registered: 2013-07-22

Re: LDAP Authentication?

The issue was in hookldappam.groovy. The following section was printing out information about every authentication attempt. Since logging is useful I just changed the output a little. For authentication logging it would also be useful to include the time of login. But I don't know what function would print that information.
Thanks again!

public User authenticate(String username, String cleartextPassword){
    /* Print only the username attempting to authenticate */
    System.out.println("auth: " + username);
    User user = getUserOrNull(username);

    /* Name in ReportServer database. */
    System.out.println("user: " + user);
    if(null == user)
        return null;

    LdapAuthenticator authenticator = new LdapAuthenticator();
    if(authenticator.authenticate(user, cleartextPassword)){
        /* LDAP was successful */
        System.out.println("LDAP successful");
        return user;
    }else{
        /* Not sure this is needed. Gets printed even for local users. */
        System.out.println("LDAP failed.");
        return null;
    }
}

Offline
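
An added example, not part of the original posts or of ReportServer: the corrected hook stops new leaks, but lines such as "auth jacob.sohl:testpassword" that were already written to catalina.out remain there. This Python sketch redacts them and lists the accounts whose passwords were exposed; it assumes the exact line format quoted in post #7 and usernames without colons or spaces.

```python
import re

# Line format written by the first version of the hook, as quoted in the
# thread: "auth <username>:<cleartext password>". The corrected format
# "auth: <username>" has a colon directly after "auth" and does not match.
# Assumption: usernames contain neither colons nor whitespace.
LEAK = re.compile(r"^(auth )([^:\s]+):(.*)$")

def scrub(lines):
    """Return (cleaned_lines, affected_usernames).

    The password is replaced and never returned or printed; the usernames
    tell you whose passwords have to be rotated.
    """
    cleaned, affected = [], set()
    for line in lines:
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the original line ending
        m = LEAK.match(body)
        if m:
            affected.add(m.group(2))
            body = f"{m.group(1)}{m.group(2)}:[REDACTED]"
        cleaned.append(body + eol)
    return cleaned, affected

# Constructed sample in the shape of the catalina.out excerpt in post #7.
SAMPLE = [
    "auth jacob.sohl:testpassword\n",
    "user: Jacob Sohl\n",
    "auth other.user:pass:with:colons\n",   # password itself contains colons
    "auth: jacob.sohl\n",                   # corrected hook output, untouched
    "INFO: Server startup in 5123 ms\n",
]

if __name__ == "__main__":
    out, users = scrub(SAMPLE)
    print("".join(out), end="")
    print("rotate passwords for:", ", ".join(sorted(users)))
```

Rotated copies and backups of catalina.out hold the same lines and need the same treatment.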

#10 2013-08-08 23:55:13

jsohl
Member
Registered: 2013-07-22

Re: LDAP Authentication?

I had this thread open all day and didn't see your post until I sent mine. LOL

Offline

#11 2013-10-14 09:09:45

sspiros
Member
Registered: 2013-10-08

Re: LDAP Authentication?

After messing around with self-signed certificates I managed to fetch all my users from the OpenLDAP in the ReportServer. LDAP is running only on port 636 using SSL. Both of the scripts you provided executed successfully. (In the table RS_USERMANAGER_NODE at the field origin the entries are saved as ldaps://<IP>:<PORT>cn=.... so I changed the scripts accordingly)
Authentication is not working. Watching the logs at the LDAP I get:

Oct 11 19:35:22 clearbox slapd[25781]: conn=1687 fd=22 ACCEPT from IP=###.###.###.###:47021 (IP=###.###.###.###:636)
Oct 11 19:35:22 clearbox slapd[25781]: conn=1687 fd=22 TLS established tls_ssf=256 ssf=256
Oct 11 19:35:22 clearbox slapd[25781]: conn=1687 op=0 BIND dn="cn=Spiros Sotiropoulos,ou=Users,ou=Accounts,#############" method=128
Oct 11 19:35:22 clearbox slapd[25781]: conn=1687 op=0 BIND dn="cn=Spiros Sotiropoulos,ou=Users,ou=Accounts,#############" mech=SIMPLE ssf=0
Oct 11 19:35:22 clearbox slapd[25781]: conn=1687 op=0 RESULT tag=97 err=0 text=
Oct 11 19:35:22 clearbox slapd[25781]: conn=1687 op=1 SRCH base="cn=Spiros Sotiropoulos,ou=Users,ou=Accounts,#############" scope=0 deref=3 filter="(objectClass=*)"
Oct 11 19:35:22 clearbox slapd[25781]: conn=1687 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

I noticed that after the last BIND and RESULT it's doing a SRCH while it should just close the connection successfully.
The connection is secured so Wireshark is not an option. Are there any logs stored at the ReportServer? Where should I start digging?

Offline

#12 2013-10-14 10:41:25

Thorsten J. Krause
Guest

Re: LDAP Authentication?

Hi Spiros,
your logfiles look fine.

Might this not be an issue with the ldap authentication, but merely a case of insufficient ReportServer privileges i.e. the user was authenticated but is not allowed to log on to rs?

Open Administration -> Permission Management -> ReportServer Access and verify that your user (or one of its parent units) is permitted to log on.

If that's not the cause you could add some debug outputs to the hookldappam script. The actual authentication happens in the authenticate method starting from line 97.

Hope that helps,
Thorsten
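
An added example, not from the original posts: a Python reader for slapd log lines in the format shown in post #11 that pairs each BIND with its RESULT tag=97 (the bind response) on the same conn/op and reports the result code. The sample lines, host name, addresses and DN are constructed; err=0 is success and err=49 is invalidCredentials per RFC 4511.

```python
import re

EVENT = re.compile(r"conn=(\d+) op=(\d+) (BIND|RESULT)\b(.*)")
DN = re.compile(r'dn="([^"]*)"')
BIND_RESPONSE = re.compile(r"tag=97 err=(\d+)")   # 97 = LDAP BindResponse

# Result codes from RFC 4511 that matter for a simple bind.
CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

def bind_outcomes(lines):
    """Return [(conn, dn, outcome)] for every BIND that got a bind response."""
    pending, outcomes = {}, []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue                      # ACCEPT, SRCH, SEARCH RESULT, ...
        key, kind, rest = (int(m[1]), int(m[2])), m[3], m[4]
        if kind == "BIND":
            dn = DN.search(rest)
            if dn:
                pending[key] = dn[1]      # both BIND lines carry the same dn
        elif key in pending:
            r = BIND_RESPONSE.search(rest)
            if r:
                code = int(r[1])
                outcomes.append((key[0], pending.pop(key),
                                 CODES.get(code, f"err={code}")))
    return outcomes

# Constructed sample in the slapd format quoted in the thread.
P = "Oct 11 19:35:22 host slapd[100]: "
DN_A = "cn=Test User,ou=Users,dc=example,dc=org"
SAMPLE = [
    P + "conn=1 fd=22 ACCEPT from IP=192.0.2.10:47021 (IP=192.0.2.1:636)",
    P + f'conn=1 op=0 BIND dn="{DN_A}" method=128',
    P + f'conn=1 op=0 BIND dn="{DN_A}" mech=SIMPLE ssf=0',
    P + "conn=1 op=0 RESULT tag=97 err=0 text=",
    P + f'conn=1 op=1 SRCH base="{DN_A}" scope=0 deref=3 filter="(objectClass=*)"',
    P + "conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=",
    P + f'conn=2 op=0 BIND dn="{DN_A}" method=128',
    P + "conn=2 op=0 RESULT tag=97 err=49 text=",
]

if __name__ == "__main__":
    for conn, dn, outcome in bind_outcomes(SAMPLE):
        print(f"conn={conn} {dn}: {outcome}")
```

A "success" outcome for a login that the application still rejects points away from the directory and towards the application's own access checks.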

#13 2013-10-15 07:28:02

sspiros
Member
Registered: 2013-10-08

Re: LDAP Authentication?

Yep, you were right, it was an issue of permissions.
Thanks!

Offline

#14 2021-05-07 11:33:27

eduardo
Administrator
Registered: 2016-11-01
Website

Re: LDAP Authentication?

Hi sspiros,

pls note we published the ldaptester.groovy script here:
https://github.com/infofabrik/reportserver-samples/

which allows you to safely test your LDAP settings before importing them into the "real" ldapimport.groovy script (or ldap.cf configuration file).

Regards,
Eduardo

Offline
