Version
Version
| Report Server Version | Plugin Version | Functional Change |
6.0 | V1.7.3 | Added multi-domain synchronization and LDAPS functions based on the original Multiple LDAP Users Synchronization plugin. |
6.0 |
V1.7.5 | 1. Optimized the synchronization speed. 2. Added some functions, including resynchronizing user types during user synchronization, plugin deletion clearing no configurations, supporting some special characters, and allowing users with the same name in multiple domains to be synchronized. 3. Added limitations on user type selection. Specifically, the Platform User type needs to be ticked before the current user type configuration takes effect. |
6.0 | V1.7.7 | Supported clusters. |
6.0 | V1.7.9 | Allowed the letter case of usernames to be unchanged. |
| 6.0 | V1.8.0 | Supported content expansion for synchronization. |
Application Scenarios
When user information is stored in multiple LDAP servers, you (as the admin) may want to use a plugin to achieve multi-domain LDAP authentication in FineBI, to synchronize users from LDAP servers to the platform, and to reuse the corresponding configuration.
Add the function which allows synchronizing users from multiple LDAP domains based on the original Multiple LDAP Users Synchronization plugin.
Support LDAPS configuration and allow synchronizing multi-domain users.
Support Active Directory (AD) domain structure where a single user belongs to multiple groups (such as using security groups) to link the user and the groups.
Functions
After installing the Multi-Domain LDAP Authentication (Enhanced) plugin, you can configure Multi-Domain LDAP Authentication under Global Setting > Authentication Method. When you synchronize users, you can select Synchronize from Multiple LDAP Servers. LDAPS is supported in both multi-domain authentication and user synchronization.
Note:1. Super admins are not affected by LDAP authentication and still use Built-in Authentication.
2. Users with the same account in different domains share this account on FineBI and can log with their own passwords.
3. If you disable the plugin, the system automatically switches to Built-in Authentication. But the configurations of Multi-Domain LDAP Authentication set before still work if the plugin is re-enabled.
4. External database PostgreSQL is not supported currently. If you have special requirements, contact technical support.
Introduction
Plugin Installation
You can obtain the plugin at Multi-Domain LDAP Authentication (Enhanced).
For details about how to install plugins to the FineBI system, see Plugin Management.
Plugin Introduction
After installing the plugin, you can configure Multi-Domain LDAP Authentication under Global Setting > Authentication Method.
When synchronizing users, you can select Synchronize from Multiple LDAP Servers as the user source.
Example
Configuring LDAP Authentication
Log in to FineBI as the admin, choose System Management > User Management > Global Setting, select Multi-Domain LDAP Authentication as the authentication method for synchronizing users, and enter the configuration information.
After the parameters are entered, click Test Connection and Save. If a prompt box pops up saying "Successful Connection", the authentication method is configured successfully.
After all URLs are added, click Save, log out of the FineBI system, and perform re-login.
Configuring LDAPS Authentication
Section "Configuring LDAP Authentication" introduces the configuration method for common LDAP authentication. Note the following points if LDAPS connection is required.
1. The URL format is ldaps://IP address:Port number.
2. Enable SSL Authentication and enter the path where the authentication is located.
Note:
Opening the Editing Page of Synchronizing User
1. First use of Synchronize User as the admin
Log in to FineBI as the admin, choose System Management > User Management > All Users, and click Synchronize User.
A prompt box pops up saying "Sure to retain existing asynchronous data, including imported/added users, departments, positions, and roles?"
The following table shows the update logic for different selections.
| Selection | Definition |
Reserved | If a user is not in the synchronized dataset, the user information and permissions remain unchanged. If a user is in the synchronized dataset (with the same username): The user's username and permissions remain unchanged. The user's name, password, mobile number, and mailbox are updated. If the user's current department, position, and role exist in the synchronized dataset, they are updated. If the user's current department, position, and role do not exist in the synchronized server dataset, they remain unchanged. |
Clear | Delete all the platform information of manually added/imported users, including their username, name, password, mobile number, mailbox, department, position, role, and permissions, and you can synchronize users again. |
Note:1. According to the update logic for selection, information of some users may be updated after initial synchronization.
2. Only synchronized users are automatically updated in the future.
3. For subsequent synchronizations, you cannot overwrite the dataset or update its built-in data. Otherwise, conflicts occur, triggering an error prompt.
2. Non-first use of Synchronize User in the FineBI system
Click Synchronized User Management as the admin and select Edit to open the Synchronize User configuration page.
Configuring Users for Synchronization
Select Synchronize from Multiple LDAP Servers as the user source, and the system automatically reads the configuration in section "Configuring LDAP Authentication". Test the connection.
The configuration of Synchronize User is shown in the following figure.
Note:
Sync Frequency
Two supported types of synchronization frequency: Fixed Interval and Expression Setting
Fixed Interval
If you select Fixed Interval, the system automatically synchronizes user data from the LDAP server to FineBI at fixed intervals which default to 43,200 seconds and can be modified.
Note:
Expression Setting
If you select Expression Setting, you can schedule user synchronization to run periodically at specified times, dates, or intervals.
User Editability
User Info Editable in Sync Status is unticked by default. If it is ticked, user information can be edited by corresponding synchronized users.
Synchronized users can edit their name, mobile number, and mailbox. The above fields of existing users will no longer be updated during automatic or manual synchronization.
The following table shows the specific introduction.
Note:| User Type | Explanation |
Super admin | 1. During re-synchronization, the name, mobile number, and mailbox of existing users in the platform will no longer be updated. 2. Super admins can edit the name, mobile number, and mailbox of existing users in the platform, but cannot edit the role. 3. Super admins can edit their own name, password, mobile number, and mailbox in Account Setting. 4. Super admins can use the Forgot Password function under System Management > System Setting > Login. |
Subordinate admin | 1. Subordinate admins (with corresponding permissions) can modify the name, mobile number, and mailbox of synchronized users, but cannot edit the role and password. 2. Subordinate admins (with corresponding permissions) can modify the name, password, mobile number, and mailbox of built-in users, but cannot edit the role. 3. Subordinate admins can edit their own name, mobile number, and mailbox in Account Setting. |
Ordinary user | Ordinary users can edit their own name, mobile number, and mailbox in Account Setting. |
Enabling LDAP URL
Click or . Then you can set the synchronization status of each domain as Enabled or Disabled.
Click . Then you can edit the synchronous attributes of the domain.
User Attribute
You need to first select ObjectClass in the user attribute field, and then select the attribute value within ObjectClass.
Note:
| Configuration Item | Explanation | Required or Optional |
ObjectClass | Select an ObjectClass used to store the user attribute. | Required |
User Duplication Verification Field | User duplication verification can be achieved through User ID or Username. 1. If you select User ID, the User ID field is synchronized. The field value of User ID is the user ID in the LDAP server when you synchronize users. 2. If you select Username, the Username field is synchronized. The field value of User ID is randomly generated by the system. | Required |
User ID | This field is required only when User ID is selected in User Duplication Verification Field. Select the UID (User ID) in the user attribute. | Required |
Username | Select the username in the user attribute. Username stored in the LDAP server cannot use double-byte Japanese, traditional Chinese, or Korean characters. Otherwise, the message Incorrect Username or Password is displayed if the user logs in to the system. | Required |
User Type | Select BI Edit User or Platform User. Note: Select BI Design User—Data Analysis User or BI Design User—Data Processing User in FineBI versions of 5.X. | Optional |
| Username Conversion Policy | 1. Plugin of versions earlier than V1.7.9 The case of usernames is uniformly converted to lowercase during user synchronization. 2. Plugin of V1.7.9 and later versions Add a new Username Conversion Policy function that allows users to select Keep Case Unchanged. If this option is ticked, the case of the original username remains unchanged during user synchronization.
Note:If the external database is case-sensitive and historical synchronization of LDAP users has been performed, ticking Keep Case Unchanged causes synchronization failure. You need to clear the historical data and perform re-synchronization. After configuration modification, re-synchronization may cause the loss of certain user configuration permissions. For example, if the user ANNA was originally synchronized and stored as anna, ticking Keep Case Unchanged and re-synchronizing will save the user as ANNA. In this case, the role configuration previously assigned to anna will be lost, and ANNA will not inherit the role configuration of anna. | Optional You are not advised to tick this option if you do not have special requirements. Username stored in the database is in lowercase by default. |
Name | Select the name in the user attribute. | Required |
Mobile | Select the mobile number in the user attribute. | Optional |
Mailbox | Select the mailbox in the user attribute. | Optional |
| Expansion Attribute | Select other contents (batch selection supported) to be synchronized.
Note: | Optional |
Department Attribute
You need to first select ObjectClass in the department attribute field, and then select the attribute value within ObjectClass.
The department attribute can be left unconfigured. If ObjectClass is selected, however, the department name/department ID must be configured.
Note:
| Configuration Item | Explanation | Required or Optional |
ObjectClass | Select an ObjectClass used to store the department attribute. | Optional The configuration items here should be left empty/be entered for all. |
Department Duplication Verification Field | Department duplication verification can be achieved through Department ID or Department Name. 1. If you select Department ID, the Department ID field is synchronized. The field value of Department ID is the department ID in the LDAP server when you synchronize users. 2. If you select Department Name, the Department Name field is synchronized. The field value of Department ID is randomly generated by the system. | |
Department ID | This field is required only when Department ID is selected in Department Duplication Verification Field. Select the UID (Department ID) in the department attribute. | |
Department Name | Select the department name in the department attribute. |
Role Attribute
You need to first select ObjectClass in the role attribute field, and then select the attribute value within ObjectClass.
The role attribute can be left unconfigured. If ObjectClass is selected, however, the role name/role ID must be configured.
| Configuration Item | Explanation | Required or Optional |
ObjectClass | Select an ObjectClass used to store the role attribute. | Optional The configuration items here should be left empty/be entered for all. |
Role Duplication Verification Field | Role duplication verification can be achieved through Role ID or Role Name. 1. If you select Role ID, the Role ID and field is synchronized. The field value of Role ID is the role ID in the LDAP server when you synchronize users. 2. If you select Role Name, the Role Name field is synchronized. The field value of Role ID is randomly generated by the system. | |
Role ID | This field is required only when Role ID is selected in Role Duplication Verification Field. Select the UID (Role ID) in the role attribute. | |
Role Name | Select the role name in the role attribute. |
Security Group Attribute (Sync with Security Group as Department)
In AD domain, Security Group is an object used for managing and assigning permissions. Security group, an important concept in AD, allows admins to group a set of users or computers together and assign access permissions for specific resources or objects to the group.
This configuration is used to achieve the synchronization of users that corresponds to members of the security group.
Note:1. Security Group Attribute and Department Attribute cannot be configured simultaneously, otherwise, a message is displayed, saying "Department attributes and security group attributes cannot be configured at the same time."
2. Security Group Attribute and the custom department attribute cannot be configured simultaneously, otherwise, a message is displayed, saying "Custom department attributes and security group attributes cannot be configured at the same time."
The general applicable structure is shown in the following figure.
The configuration items are shown in the following figure.
| Configuration Item | Explanation | Required or Optional |
ObjectClass | Select an ObjectClass used to store the security group (department) attribute. After ObjectClass is selected, load all security groups based on ObjectClass (as options in the drop-down checkbox of Group Selection). | Optional The configuration items here should be left empty/be entered for all. |
Group Name | If the Group Name attribute is selected, value of the LDAP attribute corresponding to the Group Name field is taken as the display value in the drop-down option of Group Selection. | Optional If this field is set to empty, the drop-down option of Group Selection reads CN by default. |
Group Selection Group Department Mapping | After the security group is selected, the group department mapping is automatically loaded into the mapping table, and the Department Name column supports manual input. | Optional The configuration items here should be left empty/be entered for all. |
Demonstration
If the LDAP system authentication and the LDAP domain user synchronization are successful, you can click OK to start synchronization. The following figure shows that two LDAP URLs are enabled.
Successful synchronization is shown in the following figure.
After entering the username and password stored in the LDAP server, you can log in to FineBI and perform corresponding operations according to the assigned permissions in the platform.
Note:1. If the entered account does not exist in the platform, or the corresponding user in the platform is disabled, or user limitation is enabled in the platform and the user is not included, the platform does not connect with the LDAP server and a message Incorrect Username or Password or Username Unavailable is displayed on the login page.
2. Username stored in the LDAP server cannot use double-byte Japanese, traditional Chinese, or Korean characters. Otherwise, the message Incorrect Username or Password is displayed if the user logs in to the system.
Password stored in the LDAP server cannot use double-byte Japanese, traditional Chinese, simplified Chinese, or Korean characters. Otherwise, the message Incorrect Username or Password is displayed if the user logs in to the system.
