6.0
V1.7.3
Added multi-domain synchronization and LDAPS functions based on the original Multiple LDAP Users Synchronization plugin.
V1.7.5
1. Optimized the synchronization speed.
2. Added some functions, including resynchronizing user types during user synchronization, keeping configurations when the plugin is deleted, supporting some special characters, and allowing users with the same name in multiple domains to be synchronized.
3. Added limitations on user type selection. Specifically, the Platform User type needs to be ticked before the current user type configuration takes effect.
V1.7.7
Supported clusters.
V1.7.9
Allowed the letter case of usernames to be unchanged.
When user information is stored in multiple LDAP servers, you (as the admin) may want to use a plugin to achieve multi-domain LDAP authentication in FineBI, to synchronize users from LDAP servers to the platform, and to reuse the corresponding configuration.
Add the function which allows synchronizing users from multiple LDAP domains based on the original Multiple LDAP Users Synchronization plugin.
Support LDAPS configuration and allow synchronizing multi-domain users.
Support Active Directory (AD) domain structure where a single user belongs to multiple groups (such as using security groups) to link the user and the groups.
After installing the Multi-Domain LDAP Authentication (Enhanced) plugin, you can configure Multi-Domain LDAP Authentication under Global Setting > Authentication Method. When you synchronize users, you can select Synchronize from Multiple LDAP Servers. LDAPS is supported in both multi-domain authentication and user synchronization.
1. Super admins are not affected by LDAP authentication and still use Built-in Authentication.
2. Users with the same account in different domains share this account on FineBI and can log in with their own passwords.
3. If you disable the plugin, the system automatically switches to Built-in Authentication. But the configurations of Multi-Domain LDAP Authentication set before still work if the plugin is re-enabled.
4. External database PostgreSQL is not supported currently. If you have special requirements, contact technical support.
You can obtain the plugin at Multi-Domain LDAP Authentication (Enhanced).
For details about how to install plugins to the FineBI system, see Plugin Management.
After installing the plugin, you can configure Multi-Domain LDAP Authentication under Global Setting > Authentication Method.
When synchronizing users, you can select Synchronize from Multiple LDAP Servers as the user source.
Log in to FineBI as the admin, choose System Management > User Management > Global Setting, select Multi-Domain LDAP Authentication as the authentication method for synchronizing users, and enter the configuration information.
After the parameters are entered, click Test Connection and Save. If a prompt box pops up saying "Successful Connection", the authentication method is configured successfully.
After all URLs are added, click Save, log out of the FineBI system, and perform re-login.
Section "Configuring LDAP Authentication" introduces the configuration method for common LDAP authentication. Note the following points if LDAPS connection is required.
1. The URL format is ldaps://IP address:Port number.
2. Enable SSL Authentication and enter the path where the authentication is located.
1. First use of Synchronize User as the admin
Log in to FineBI as the admin, choose System Management > User Management > All Users, and click Synchronize User.
A prompt box pops up saying "Sure to retain existing asynchronous data, including imported/added users, departments, positions, and roles?"
The following table shows the update logic for different selections.
Reserved
If a user is not in the synchronized dataset, the user information and permissions remain unchanged.
If a user is in the synchronized dataset (with the same username):
The user's username and permissions remain unchanged.
The user's name, password, mobile number, and mailbox are updated.
If the user's current department, position, and role exist in the synchronized dataset, they are updated.
If the user's current department, position, and role do not exist in the synchronized server dataset, they remain unchanged.
Clear
Delete all the platform information of manually added/imported users, including their username, name, password, mobile number, mailbox, department, position, role, and permissions, and you can synchronize users again.
1. According to the update logic for selection, information of some users may be updated after initial synchronization.
2. Only synchronized users are automatically updated in the future.
3. For subsequent synchronizations, you cannot overwrite the dataset or update its built-in data. Otherwise, conflicts occur, triggering an error prompt.
2. Non-first use of Synchronize User in the FineBI system
Click Synchronized User Management as the admin and select Edit to open the Synchronize User configuration page.
Select Synchronize from Multiple LDAP Servers as the user source, and the system automatically reads the configuration in section "Configuring LDAP Authentication". Test the connection.
The configuration of Synchronize User is shown in the following figure.
Sync Frequency
Two supported types of synchronization frequency: Fixed Interval and Expression Setting
Fixed Interval
If you select Fixed Interval, the system automatically synchronizes user data from the LDAP server to FineBI at fixed intervals which default to 43,200 seconds and can be modified.
Expression Setting
If you select Expression Setting, you can schedule user synchronization to run periodically at specified times, dates, or intervals.
User Editability
User Info Editable in Sync Status is unticked by default. If it is ticked, user information can be edited by corresponding synchronized users.
Synchronized users can edit their name, mobile number, and mailbox. The above fields of existing users will no longer be updated during automatic or manual synchronization.
The following table shows the specific introduction.
Super admin
1. During re-synchronization, the name, mobile number, and mailbox of existing users in the platform will no longer be updated.
2. Super admins can edit the name, mobile number, and mailbox of existing users in the platform, but cannot edit the role.
3. Super admins can edit their own name, password, mobile number, and mailbox in Account Setting.
4. Super admins can use the Forgot Password function under System Management > System Setting > Login.
Subordinate admin
1. Subordinate admins (with corresponding permissions) can modify the name, mobile number, and mailbox of synchronized users, but cannot edit the role and password.
2. Subordinate admins (with corresponding permissions) can modify the name, password, mobile number, and mailbox of built-in users, but cannot edit the role.
3. Subordinate admins can edit their own name, mobile number, and mailbox in Account Setting.
Ordinary user
Ordinary users can edit their own name, mobile number, and mailbox in Account Setting.
Enabling LDAP URL
Click or . Then you can set the synchronization status of each domain as Enabled or Disabled.
Click . Then you can edit the synchronous attributes of the domain.
User Attribute
You need to first select ObjectClass in the user attribute field, and then select the attribute value within ObjectClass.
ObjectClass
Select an ObjectClass used to store the user attribute.
Required
User Duplication Verification Field
User duplication verification can be achieved through User ID or Username.
1. If you select User ID, the User ID field is synchronized. The field value of User ID is the user ID in the LDAP server when you synchronize users.
2. If you select Username, the Username field is synchronized. The field value of User ID is randomly generated by the system.
User ID
This field is required only when User ID is selected in User Duplication Verification Field.
Select the UID (User ID) in the user attribute.
Username
Select the username in the user attribute.
Username stored in the LDAP server cannot use double-byte Japanese, traditional Chinese, or Korean characters. Otherwise, the message Incorrect Username or Password is displayed if the user logs in to the system.
User Type
Select BI Edit User or Platform User.
Note: Select BI Design User—Data Analysis User or BI Design User—Data Processing User in FineBI versions of 5.X.
Optional
1. Plugin of versions earlier than V1.7.9
The case of usernames is uniformly converted to lowercase during user synchronization.
2. Plugin of V1.7.9 and later versions
Add a new Username Conversion Policy function that allows users to select Keep Case Unchanged. If this option is ticked, the case of the original username remains unchanged during user synchronization.
If the external database is case-sensitive and historical synchronization of LDAP users has been performed, ticking Keep Case Unchanged causes synchronization failure. You need to clear the historical data and perform re-synchronization.
After configuration modification, re-synchronization may cause the loss of certain user configuration permissions. For example, if the user ANNA was originally synchronized and stored as anna, ticking Keep Case Unchanged and re-synchronizing will save the user as ANNA. In this case, the role configuration previously assigned to anna will be lost, and ANNA will not inherit the role configuration of anna.
You are not advised to tick this option if you do not have special requirements.
Username stored in the database is in lowercase by default.
Name
Select the name in the user attribute.
Mobile
Select the mobile number in the user attribute.
Mailbox
Select the mailbox in the user attribute.
Select other contents (batch selection supported) to be synchronized.
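The Username Conversion Policy behavior described above (ANNA stored as anna, then saved again as ANNA without the old role configuration) and the earlier note that same-named accounts in different domains share one FineBI account can both be checked before re-synchronizing. The following Python code is an added example, not part of the plugin or of FineBI; the user lists, LDAP URLs, role names, and the function name are constructed for illustration and would in practice come from an export of platform users and a query against each domain.

```python
from collections import defaultdict

# Constructed sample data (not from the page). PLATFORM_USERS holds usernames
# as stored by earlier synchronizations (lowercase) with their assigned roles.
PLATFORM_USERS = {"anna": ["Finance Viewer"], "bob": ["Report Editor"], "carol": []}
# (LDAP URL of the domain, username exactly as stored in that domain)
LDAP_ENTRIES = [
    ("ldaps://dc1.example.test:636", "ANNA"),
    ("ldaps://dc1.example.test:636", "bob"),
    ("ldaps://dc2.example.test:636", "Bob"),
    ("ldaps://dc2.example.test:636", "dave"),
]

def audit_keep_case(platform_users, ldap_entries):
    """Preview the effect of ticking Keep Case Unchanged (hypothetical helper)."""
    by_folded = defaultdict(set)  # lowercase name -> {(domain, original spelling)}
    for domain, name in ldap_entries:
        by_folded[name.lower()].add((domain, name))

    report = {"role_loss": [], "shared_account": [], "case_variants": []}
    for folded, sources in sorted(by_folded.items()):
        spellings = sorted({name for _, name in sources})
        domains = sorted({domain for domain, _ in sources})
        # The same account name in several domains shares one platform account.
        if len(domains) > 1:
            report["shared_account"].append((folded, domains))
        # Spellings that differ only in case need a decision before the switch.
        if len(spellings) > 1:
            report["case_variants"].append((folded, spellings))
        # A name saved under a new spelling does not inherit the roles that
        # were assigned to the lowercase name (the ANNA / anna case).
        roles = platform_users.get(folded, [])
        for spelling in spellings:
            if roles and spelling != folded:
                report["role_loss"].append((folded, spelling, roles))
    return report

if __name__ == "__main__":
    for finding, rows in audit_keep_case(PLATFORM_USERS, LDAP_ENTRIES).items():
        for row in rows:
            print(finding, row)
```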
Department Attribute
You need to first select ObjectClass in the department attribute field, and then select the attribute value within ObjectClass.
The department attribute can be left unconfigured. If ObjectClass is selected, however, the department name/department ID must be configured.
Select an ObjectClass used to store the department attribute.
The configuration items here should either all be left empty or all be entered.
Department Duplication Verification Field
Department duplication verification can be achieved through Department ID or Department Name.
1. If you select Department ID, the Department ID field is synchronized. The field value of Department ID is the department ID in the LDAP server when you synchronize users.
2. If you select Department Name, the Department Name field is synchronized. The field value of Department ID is randomly generated by the system.
Department ID
This field is required only when Department ID is selected in Department Duplication Verification Field.
Select the UID (Department ID) in the department attribute.
Department Name
Select the department name in the department attribute.
Role Attribute
You need to first select ObjectClass in the role attribute field, and then select the attribute value within ObjectClass.
The role attribute can be left unconfigured. If ObjectClass is selected, however, the role name/role ID must be configured.
Select an ObjectClass used to store the role attribute.
The configuration items here should either all be left empty or all be entered.
Role Duplication Verification Field
Role duplication verification can be achieved through Role ID or Role Name.
1. If you select Role ID, the Role ID field is synchronized. The field value of Role ID is the role ID in the LDAP server when you synchronize users.
2. If you select Role Name, the Role Name field is synchronized. The field value of Role ID is randomly generated by the system.
Role ID
This field is required only when Role ID is selected in Role Duplication Verification Field.
Select the UID (Role ID) in the role attribute.
Role Name
Select the role name in the role attribute.
Security Group Attribute (Sync with Security Group as Department)
In AD domain, Security Group is an object used for managing and assigning permissions. Security group, an important concept in AD, allows admins to group a set of users or computers together and assign access permissions for specific resources or objects to the group.
This configuration is used to achieve the synchronization of users that corresponds to members of the security group.
1. Security Group Attribute and Department Attribute cannot be configured simultaneously, otherwise, a message is displayed, saying "Department attributes and security group attributes cannot be configured at the same time."
2. Security Group Attribute and the custom department attribute cannot be configured simultaneously, otherwise, a message is displayed, saying "Custom department attributes and security group attributes cannot be configured at the same time."
The general applicable structure is shown in the following figure.
The configuration items are shown in the following figure.
Select an ObjectClass used to store the security group (department) attribute.
After ObjectClass is selected, all security groups are loaded based on ObjectClass (as options in the drop-down checkbox of Group Selection).
The configuration items here should either all be left empty or all be entered.
Group Name
If the Group Name attribute is selected, value of the LDAP attribute corresponding to the Group Name field is taken as the display value in the drop-down option of Group Selection.
If this field is set to empty, the drop-down option of Group Selection reads CN by default.
Group Selection
Group Department Mapping
After the security group is selected, the group department mapping is automatically loaded into the mapping table, and the Department Name column supports manual input.
If the LDAP system authentication and the LDAP domain user synchronization are successful, you can click OK to start synchronization. The following figure shows that two LDAP URLs are enabled.
Successful synchronization is shown in the following figure.
After entering the username and password stored in the LDAP server, you can log in to FineBI and perform corresponding operations according to the assigned permissions in the platform.
1. If the entered account does not exist in the platform, or the corresponding user in the platform is disabled, or user limitation is enabled in the platform and the user is not included, the platform does not connect with the LDAP server and a message Incorrect Username or Password or Username Unavailable is displayed on the login page.
2. Username stored in the LDAP server cannot use double-byte Japanese, traditional Chinese, or Korean characters. Otherwise, the message Incorrect Username or Password is displayed if the user logs in to the system.
Password stored in the LDAP server cannot use double-byte Japanese, traditional Chinese, simplified Chinese, or Korean characters. Otherwise, the message Incorrect Username or Password is displayed if the user logs in to the system.