6.0
V2.0
You hope to synchronize users from the LDAP server, but you need to dump data from the LDAP server into other tables, which is unsafe and troublesome.
You hope to directly synchronize users from the LDAP server to the decision-making platform, with the LDAP authentication configurations directly reused.
You can directly select Synchronize from LDAP Server when setting user synchronization after installing the LDAP Domain Synchronization plugin.
You can obtain the plugin at https://community.finereport.com/market/.
For details about installing plugins, see Plugin Management.
You can set User Source to Synchronize from LDAP Server when synchronizing users after installing the plugin, as shown in the following figure.
Log in to the FineBI system as the admin, choose System Management > User Management > Global Setting, set Authentication Method to LDAP Authentication, and enter the configuration information, as shown in the following figure.
For details about how to configure the LDAP authentication, see LDAP Authentication.
Click Test Connection after entering the parameters. After the successful connection, click Save. The authentication method is configured successfully.
First Use of the Synchronize User Function as the Admin
Log in to the FineBI system as the admin, choose System Management > User Management > All Users, and click Synchronize User.
A prompt box displaying "Sure to retain existing asynchronous data, including imported/added users, departments, positions, and roles?" pops up, as shown in the following figure.
The following table describes the update logic for different options.
Reserved
If the existing user is not in the synchronized dataset, the user's information and permissions will be reserved without modification.
If the existing user (with the same username) is in the synchronized server dataset, the following situations exist.
The username will not change, and the user's permissions will be preserved.
The user's name, password, phone number, and email address will be updated.
If the user's current department, position, and role exist in the synchronized server dataset, all the above information will be updated.
If the user's current department, position, and role do not exist in the synchronized server dataset, all the above information will remain unchanged.
Clear
All the usernames, names, passwords, phone numbers, email addresses, departments, positions, roles, and permissions of users (manually added or imported into the system) will be deleted. Users need to be resynchronized.
Note: Based on the update logic, if some user information is updated after the initial synchronization, only users (changed to the synchronous type) can be automatically updated in the later synchronization. The dataset cannot overwrite and update built-in data in later synchronization, otherwise errors will be reported.
Non-first Use of the Synchronize User Function in the FineBI System
Click Synchronized User Management as the admin and select Edit to go to the Synchronize User configuration page.
Set User Source to Synchronize from LDAP Server. The system automatically reads the configuration in section "Configuring LDAP Authentication" and tests the connection. The following figure shows the configuration of Synchronize User.
Note:
1. If you have previously configured Synchronize User with User Source set to Server Dataset, a prompt will pop up to indicate that all synchronized data (including users and the users' departments, positions, roles, and permissions) will be cleared after you switch the user source. Click OK to finish the LDAP user synchronization.
2. If the LDAP authentication connection fails in section "Configuring LDAP Authentication", a prompt (in red font) displaying "LDAP connection failed. Check the related configuration in Synchronized User - LDAP Authentication." will appear.
You can set Sync Frequency to Fixed Interval or Expression Setting.
1. Fixed Interval
If you select Fixed Interval, users are synchronized from the LDAP server at a fixed interval (default value: 43,200 seconds).
If you set the synchronization frequency, the system can automatically synchronize users based on the set interval. Thus, data that is updated in the LDAP server can be constantly synchronized to the FineBI system.
Note: Do not set the synchronization frequency too high. Otherwise, the backend logs will be refreshed constantly and the log volume will grow without limit.
2. Expression Setting
If you select Expression Setting, you can set the execution time of a task through the Cron expression. The execution time (namely the triggering time) can be composed of different time frequencies such as executing repeatedly every day, executing repeatedly every other day, or executing only once.
If you select User Info Editable in Sync Status (deselected by default), you can edit user information in the synchronization status.
You can edit the username, mobile number, and email address. The existing users' above information will no longer be updated during the automatic/manual synchronization. The following table shows the specific function.
Note: Since LDAP Authentication is enabled, all synchronized users (except for the super admin and built-in users) cannot perform password-related operations (such as Encryption Method, Forget Password, Change Password, and Reset Password).
Super admin
1. The name, password, mobile number, and email address of existing users on the platform will no longer be updated when users are synchronized again.
2. The super admin can edit the name, mobile number, and email address of all existing users on the platform. The super admin cannot edit the role information of all existing users.
3. The super admin can edit their own name, password, mobile number, and email address in Account Setting.
4. The super admin can use the Forgot Password function on the login page.
Subordinate admin (in the synchronized users)
1. Subordinate admins can modify the name, mobile number, and email address (for which they have permissions) of synchronized users, but cannot edit the role and password information of synchronized users.
2. Subordinate admins can modify the name, password, mobile number, and email address (for which they have permissions) of built-in users, but cannot edit the role information of built-in users.
3. Subordinate admins can edit their own name, mobile number, and email address in Account Setting.
Common users (in the synchronized users)
Common users can edit their own name, mobile number, and email address in Account Setting.
You need to first set ObjectClass in User Attribute and then set the attribute values in ObjectClass.
Note:
1. You do not need to configure the password when configuring Synchronize User, because LDAP password authentication will be used.
2. You can search values, manually enter values, or copy and paste values (recognized by line breaks) in batch in User Attribute.
ObjectClass
Allows you to select an ObjectClass (used to store user attributes).
Mandatory
User Duplication Verification Field
Allows you to verify duplicate users through User ID or Username.
1. If you select User ID, the User ID and Username fields are synchronized. The value of User ID in the table is the user ID in the LDAP server when you synchronize users.
2. If you select Username, the Username field will be synchronized. The value of User ID in the table is generated randomly by the system.
User ID
Allows you to select a UID (namely the user ID) in the user attributes.
You need to set this configuration item only when you select User ID in User Duplication Verification Field.
Username
Allows you to select a username in the user attributes.
The usernames stored in the LDAP server cannot be double byte Japanese or Hangul characters. Otherwise, a prompt displaying "Incorrect Username or Password" will pop up when you log in to the system.
Name
Allows you to select a name in the user attributes.
Mobile
Allows you to select a mobile number in the user attributes.
Optional
Mailbox
Allows you to select an email address in the user attributes.
You can keep Department Attribute unconfigured. However, if you have set an ObjectClass, you need to set a department name/department ID.
Allows you to select an ObjectClass (used to store department attributes).
However, all configuration items must be set consistently. That is, if you do not set a configuration item, all configuration items need to be empty. If you set a configuration item, all configuration items need to be set.
Department Duplication Verification Field
Allows you to verify duplicate departments through Department ID or Department Name.
1. If you select Department ID, the Department ID and Department Name fields are synchronized. The value of Department ID in the table is the department ID in the LDAP server when you synchronize users.
2. If you select Department Name, the Department Name field will be synchronized. The value of Department ID in the table is generated randomly by the system.
Department ID
Allows you to select a UID (namely the department ID) in the department attributes.
You need to set this configuration item only when you select Department ID in Department Duplication Verification Field.
Department Name
Allows you to select a department name in the department attributes.
You need to first set ObjectClass in Role Attribute and then set the attribute values in ObjectClass.
You can keep Role Attribute unconfigured. However, if you have set an ObjectClass, you need to set a role name/role ID.
Allows you to select an ObjectClass (used to store role attributes).
Role Duplication Verification Field
Allows you to verify duplicate roles through Role ID or Role Name.
1. If you select Role ID, the Role ID and Role Name fields are synchronized. The value of Role ID in the table is the role ID in the LDAP server when you synchronize users.
2. If you select Role Name, the Role Name field will be synchronized. The value of Role ID in the table is generated randomly by the system.
Role ID
Allows you to select a UID (namely the role ID) in the role attributes.
You need to set this configuration item only when you select Role ID in Role Duplication Verification Field.
Role Name
Allows you to select a role name in the role attributes.
If the LDAP server authentication is successful and the user synchronization in the LDAP domain is successful, you can log in to the FineBI system by entering the username and password (stored in the LDAP server) on the login page. Then you can perform relevant operations based on your permissions, as shown in the following figure.
1. If the entered username does not exist in the system, the corresponding username is disabled, or the BI user limit is enabled (with the entered username excluded), the system will not connect to the LDAP server and a prompt displaying "Incorrect Username or Password" or "Username Unavailable" will pop up.
2. The usernames stored in the LDAP server cannot use double byte Japanese or Hangul characters. Otherwise, a prompt displaying "Incorrect Username or Password" will pop up when you log in to the system.
The passwords stored in the LDAP server cannot use double byte Japanese or Hangul characters. Otherwise, a prompt displaying "Incorrect Username or Password" will pop up when you log in to the system.
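A pre-synchronization check for the User Attribute rules and the username character restriction described above. This is an added example, not FineBI or plugin code. It reads an LDIF export of the directory and flags entries of the chosen ObjectClass that lack the selected duplication-verification or username attribute, share a duplication-verification value, or carry a username containing kana or Hangul. The sample LDIF, the attribute names (`uid`, `cn`), the function names, and the Unicode ranges used for "double byte Japanese or Hangul" are assumptions.

```python
import base64
from collections import Counter

# Constructed LDIF export; DNs, attribute names and values are sample data.
SAMPLE_LDIF = """\
dn: uid=1001,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: 1001
cn: alice

dn: uid=1002,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: 1002
cn:: 6rmA7LKg7IiY

dn: cn=alice,ou=contractors,dc=example,dc=com
objectClass: inetOrgPerson
cn: alice
"""

# Assumed reading of "double byte Japanese or Hangul": kana and Hangul blocks.
BLOCKED = [(0x3040, 0x30FF), (0x1100, 0x11FF), (0x3130, 0x318F), (0xAC00, 0xD7AF)]

def parse_ldif(text):
    """Minimal LDIF reader: no line folding; 'attr:: v' is base64-encoded UTF-8."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return entries

def presync_issues(entries, object_class, dedup_attr, username_attr):
    """Return sorted (dn, problem) pairs for entries of the chosen ObjectClass."""
    users = [e for e in entries if object_class in e.get("objectClass", [])]
    seen = Counter(v for e in users for v in e.get(dedup_attr, []))
    issues = set()
    for e in users:
        dn = e["dn"][0]
        issues.update((dn, f"missing {a}") for a in (dedup_attr, username_attr) if not e.get(a))
        issues.update((dn, f"duplicate {dedup_attr}") for v in e.get(dedup_attr, []) if seen[v] > 1)
        if any(lo <= ord(c) <= hi for v in e.get(username_attr, []) for c in v for lo, hi in BLOCKED):
            issues.add((dn, "kana/Hangul in username"))
    return sorted(issues)
```

Calling `presync_issues(parse_ldif(SAMPLE_LDIF), "inetOrgPerson", "cn", "cn")` models selecting Username as the duplication verification field; passing `"uid"` as the third argument models selecting User ID.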