Overview
Version
| FineBI Version | LDAP Domain Synchronization Plugin Version | Functional Change |
|---|---|---|
6.0 | V2.0 | / |
Application Scenario
You hope to synchronize users from the LDAP server, but you need to dump data from the LDAP server into other tables, which is unsafe and troublesome.
You hope to directly synchronize users from the LDAP server to the decision-making platform, with the LDAP authentication configurations directly reused.
Function Description
You can directly select Synchronize from LDAP Server when setting user synchronization after installing the LDAP Domain Synchronization plugin.
Introduction
Plugin Installation
You can obtain the plugin at https://community.finereport.com/market/.
For details about installing plugins, see Plugin Management.
Plugin Introduction
You can set User Source to Synchronize from LDAP Server when synchronizing users after installing the plugin, as shown in the following figure.
Example
Configuring LDAP Authentication
Log in to the FineBI system as the admin, choose System Management > User Management > Global Setting, set Authentication Method to LDAP Authentication, and enter the configuration information, as shown in the following figure.
For details about how to configure the LDAP authentication, see LDAP Authentication.
Click Test Connection after entering the parameters. After the successful connection, click Save. The authentication method is configured successfully.
Going to the Edit Page for User Synchronization
First Use of the Synchronize User Function as the Admin
Log in to the FineBI system as the admin, choose System Management > User Management > All Users, and click Synchronize User.
A prompt box displaying "Sure to retain existing asynchronous data, including imported/added users, departments, positions, and roles?" pops up, as shown in the following figure.
The following table describes the update logic for different options.
| Option | Definition |
|---|---|
Reserved | If the existing user is not in the synchronized dataset, the user's information and permissions will be reserved without modification. If the existing user (with the same username) is in the synchronized server dataset, the following situations exist.
|
Clear | All the usernames, names, passwords, phone numbers, email addresses, departments, positions, roles, and permissions of users (manually added or imported into the system) will be deleted. Users need to be resynchronized. |
Note:Based on the update logic, if some user information is updated after the initial synchronization,
only users (changed to the synchronous type) can be automatically updated in the later synchronization.
The dataset cannot overwrite and update built-in data in later synchronization, otherwise errors will be reported.
Non-first Use of the Synchronize User Function in the FineBI System
Click Synchronized User Management as the admin and select Edit to go to the Synchronize User configuration page.
Configuring the Synchronizing User Function
Set User Source to Synchronize from LDAP Server. The system automatically reads the configuration in section "Configuring LDAP Authentication" and tests the connection. The following figure shows the configuration of Synchronize User.
Note:1. If you have previously configured Synchronize User with User Source set to Server Dataset, a prompt will pop up toindicate that all synchronized data (including users and the users' departments, positions, roles, and permissions) will be cleared after you switch the user source. Click OK to finish the LDAP user synchronization.
2. If the LDAP authentication connection fails in section "Configuring LDAP Authentication", a prompt (in red font) displaying "LDAP connection failed. Check the related configuration in Synchronized User - LDAP Authentication." will appear.
Synchronization Frequency
You can set Sync Frequency to Fixed Interval or Expression Setting.
1. Fixed Interval
If you select Fixed Interval, the frequency of synchronizing users from the LDAP server is fixed interval (default value: 43,200 seconds).
If you set the synchronization frequency, the system can automatically synchronize users based on the set interval. Thus, data that is updated in the LDAP server can be constantly synchronized to the FineBI system.
Note:
2. Expression Setting
If you select Expression Setting, you can set the execution time of a task through the Cron expression. The execution time (namely the triggering time) can be composed of different time frequencies such as executing repeatedly every day, executing repeatedly every other day, or executing only once.
User Editability
If you select User Info Editable in Sync Status (deselected by default), you can edit user information in the synchronization status.
You can edit the username, mobile number, and email address. The existing users' above information will no longer be updated during the automatic/manual synchronization. The following table shows the specific function.
Note:User Attribute
You need to first set ObjectClass in User Attribute and then set the attribute values in ObjectClass.
Note:1. You do not need to configure the password when configuring Synchronize User, because LDAP password authentication will be used.
2. You can search values, manually enter values, or copy and paste values (recognized by line breaks) in batch in User Attribute.
| Configuration Item | Description | Mandatory or Not |
|---|---|---|
ObjectClass | Allows you to select an ObjectClass (used to store user attributes). | Mandatory |
User Duplication Verification Field | Allows you to verify duplicate users through User ID or Username. 1. If you select User ID, the User ID and Username fields are synchronized. The value of User ID in the table is the user ID in the LDAP server when you synchronize users. 2. If you select Username, the Username field will be synchronized. The value of User ID in the table is generated randomly by the system. | Mandatory |
User ID | Allows you to select a UID (namely the user ID) in the user attributes. You need to set this configuration item only when you select User ID in User Duplication Verification Field. | |
Username | Allows you to select a username in the user attributes. The usernames stored in the LDAP server cannot be double byte Japanese or Hangul characters. Otherwise, a prompt displaying "Incorrect Username or Password" will pop up when you log in to the system. | Mandatory |
Name | Allows you to select a name in the user attributes. | Mandatory |
Mobile | Allows you to select a mobile number in the user attributes. | Optional |
Mailbox | Allows you to select an email address in the user attributes. | Optional |
Department Attribute
You need to first set ObjectClass in User Attribute and then set the attribute values in ObjectClass.
You can keep Department Attribute unconfigured. However, if you have set an ObjectClass, you need to set a department name/department ID.
Note:| Configuration Item | Description | Mandatory or Not |
|---|---|---|
ObjectClass | Allows you to select an ObjectClass (used to store department attributes). | Optional However, all configuration items must be set consistently. That is, if you do not set a configuration item, all configuration items need to be empty. If you set a configuration item, all configuration items need to be set. |
Department Duplication Verification Field | Allows you to verify duplicate departments through Department ID or Department Name. 1. If you select Department ID, the Department ID and Department Name fields are synchronized. The value of Department ID in the table is the department ID in the LDAP server when you synchronize users. 2. If you select Department Name, the Department Name field will be synchronized. The value of Department ID in the table is generated randomly by the system. | |
Department ID | Allows you to select a UID (namely the department ID) in the department attributes. You need to set this configuration item only when you select Department ID in Department Duplication Verification Field. | |
Department Name | Allows you to select a department name in the department attributes. |
Role Attribute
You need to first set ObjectClass in Role Attribute and then set the attribute values in ObjectClass.
You can keep Role Attribute unconfigured. However, if you have set an ObjectClass, you need to set a role name/role ID.
Note:| Configuration Item | Description | Mandatory or Not |
|---|---|---|
ObjectClass | Allows you to select an ObjectClass (used to store role attributes). | Optional However, all configuration items must be set consistently. That is, if you do not set a configuration item, all configuration items need to be empty. If you set a configuration item, all configuration items need to be set. |
Role Duplication Verification Field | Allows you to verify duplicate departments through Role ID or Role Name. 1. If you select Role ID, the Role ID and Role Name fields are synchronized. The value of Role ID in the table is the role ID in the LDAP server when you synchronize users. 2. If you select Role Name, the Role Name field will be synchronized. The value of Role ID in the table is generated randomly by the system. | |
Role ID | Allows you to select a UID (namely the role ID) in the role attributes. You need to set this configuration item only when you select Role ID in Role Duplication Verification Field. | |
Role Name | Allows you to select a role name in the role attributes. |
Effect Display
If the LDAP server authentication is successful and the user synchronization in the LDAP domain is successful, you can log in to the FineBI system by entering the username and password (stored in the LDAP server) on the login page. Then you can perform relevant operations based on your permissions, as shown in the following figure.
Note:1. If the entered username does not exist in the system, the corresponding username is disabled, or the BI user limit is enabled (with the entered username excluded), the system will not be connected with the LDAP server and a prompt displaying "Incorrect Username or Password" or "Username Unavailable" will pop up.
2. The usernames stored in the LDAP server cannot use double byte Japanese or Hangul characters. Otherwise, a prompt displaying "Incorrect Username or Password" will pop up when you log in to the system.
The passwords stored in the LDAP server cannot use double byte Japanese or Hangul characters. Otherwise, a prompt displaying "Incorrect Username or Password" will pop up when you log in to the system.
