Multi-Domain LDAP Authentication (Enhanced) Plugin

  • Last update: 2023-12-07
  • Version

    Report Server Version | Plugin Version | Functional Change

    11.0 | V1.7.3 | Added multi-domain synchronization and LDAPS functions based on the original Multiple LDAP Users Synchronization plugin.

    11.0 | V1.7.5 | 1. Optimized the synchronization speed. 2. Added functions: the user type is resynchronized during each user synchronization, the configuration is retained when the plugin is deleted, some special characters are supported, and users with the same name in multiple domains can be synchronized. 3. Added a limitation on user type selection: the Platform User type must be ticked before the current user type configuration takes effect.

    11.0 | V1.7.7 | Supported clusters.

    11.0 | V1.7.9 | Allowed the letter case of usernames to be kept unchanged.

    11.0 | V1.8.0 | Supported expansion attributes for synchronization.

    Application Scenario

    If user information is stored in multiple LDAP servers, you (as the admin) may want a plugin that provides multi-domain LDAP authentication on the decision-making platform, synchronizes users from those LDAP servers to the platform, and reuses the corresponding configuration. This plugin:

    • Adds synchronization of users from multiple LDAP domains, based on the original Multiple LDAP Users Synchronization plugin.

    • Supports LDAPS configuration for multi-domain user synchronization.

    • Supports the Active Directory (AD) structure in which a single user belongs to multiple groups (for example, security groups), linking the user to each of those groups.

    Function Introduction

    After installing the Multi-Domain LDAP Authentication (Enhanced) plugin, you can configure Multi-Domain LDAP Authentication under Global Setting > Authentication Method. When synchronizing users, you can select Synchronize from Multiple LDAP Servers. LDAPS is supported in both multi-domain authentication and user synchronization.

    Note:

    1. Super admins are not affected by LDAP authentication and still use Built-in Authentication.

    2. Users with the same username in different domains share a single account on the decision-making platform, including its permissions, and each can log in with the password from their own domain. Make sure a username in one domain does not unintentionally inherit the permissions granted to the same username in another domain.

    3. If you disable the plugin, the system automatically switches to Built-in Authentication. The Multi-Domain LDAP Authentication configuration is kept and applies again when the plugin is re-enabled.

    4. PostgreSQL as the external database is not currently supported. If you have special requirements, contact technical support.

    Introduction

    Plugin Installation

    You can obtain the plugin at Multi Domain LDAP Authentication (Enhanced).

    For details about how to install plugins to the designer, see Designer Plugin Management.

    For details about how to install plugins to the server, see Server Plugin Management.

    Plugin Introduction

    After installing the plugin, you can configure Multi-Domain LDAP Authentication under Global Setting > Authentication Method.

    When synchronizing users, you can select Synchronize from Multiple LDAP Servers as the user source.

    Example

    Configuring LDAP Authentication

    Log in to the decision-making platform as the admin, choose System Management > User Management > Global Setting, select Multi-Domain LDAP Authentication as the authentication method, and enter the configuration information for each LDAP URL.

    After the parameters of a URL are entered, click Test Connection. If a prompt box pops up saying "Successful Connection", that URL is configured correctly.

    After all URLs are added, click Save, log out of the decision-making platform, and log in again. Super admins are not affected by LDAP authentication and continue to use Built-in Authentication, so a super admin can still log in to correct the configuration if LDAP login fails after the switch.

    Configuring LDAPS Authentication

    Section "Configuring LDAP Authentication" describes the configuration for plain LDAP authentication. Note the following points if an LDAPS connection is required.

    1. The URL format is ldaps://IP address:Port number (the standard LDAPS port is 636).

    2. Enable SSL Authentication and enter the path of the certificate file used to verify the server.

    Note:
    If the certificate is already installed on the server where the FineReport project runs and is trusted by the JVM's default trust store, Java reads it automatically and the path can be left empty. With a plain ldap:// URL the bind credentials travel to the directory server unencrypted, so use LDAPS wherever the directory supports it.
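The following Python script is an added example, not code from the plugin or from this page. It performs the checks a practitioner would want to run before clicking Test Connection on an LDAPS URL: it parses the URL in the format given above, builds a TLS trust context that uses an explicit CA file when one is given and the system default trust store otherwise (mirroring the note above), and then opens a verified TLS connection and reports the server certificate. The host, port, and certificate path in main() are placeholders (assumptions), not values from the documentation.

```python
"""Added example: pre-flight check of an LDAPS URL as configured in the plugin.

Not the plugin's own code. The URL, CA file path and timeout used in
main() are placeholders (assumptions), not values from the documentation.
"""
import socket
import ssl
from urllib.parse import urlsplit


def parse_ldap_url(url):
    """Split an ldap:// or ldaps:// URL into (scheme, host, port).

    The plugin expects ldaps://<IP address>:<port>; the standard default
    ports (389 for ldap, 636 for ldaps) are filled in when none is given.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"{url!r}: scheme must be ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError(f"{url!r}: missing host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def tls_context(cafile=None):
    """Build the trust context the way the note above describes.

    With a certificate path: trust only that CA file. Without one: rely on
    the system default trust store, as Java does with its cacerts.
    Hostname/IP verification and CERT_REQUIRED stay enabled in both cases.
    """
    if cafile:
        return ssl.create_default_context(cafile=cafile)
    return ssl.create_default_context()


def check_ldaps(url, cafile=None, timeout=5.0):
    """Open a verified TLS connection to the LDAPS endpoint and describe its
    certificate. Raises ssl.SSLCertVerificationError if the chain is untrusted
    or the certificate does not name the host/IP used in the URL."""
    scheme, host, port = parse_ldap_url(url)
    if scheme != "ldaps":
        raise ValueError("SSL Authentication needs an ldaps:// URL, got " + scheme)
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the check of the certificate's
        # subjectAltName; a URL with a bare IP address needs an IP SAN.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    sans = [value for _, value in cert.get("subjectAltName", ())]
    return {"tls_version": version, "subject": subject,
            "subject_alt_names": sans, "not_after": cert["notAfter"]}


if __name__ == "__main__":
    # Placeholder values (assumptions): point these at your own domain controller.
    print(check_ldaps("ldaps://10.0.0.5:636",
                      cafile="/etc/ssl/certs/corp-root-ca.pem"))
```

A verification failure here usually means the same failure the plugin's Test Connection will report: either the issuing CA is not in the trust store the plugin uses, or the certificate's subjectAltName does not contain the IP address written in the URL.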


    Opening the Editing Page of Synchronizing User

    1. First use of Synchronize User (as the admin)

    Log in to the decision-making platform as the admin, choose System Management > User Management > All Users, and click Synchronize User.

    A prompt box asks whether to retain the existing non-synchronized data, including imported/added users, departments, positions, and roles.

    The update logic for different selections is shown in the following table.

    Selection: Reserved

    If a user is not in the synchronized dataset, the user's information and permissions remain unchanged.

    If a user is in the synchronized dataset (same username):

    • The user's username and permissions remain unchanged.

    • The user's name, password, mobile number, and mailbox are updated.

    • If the user's current department, position, and role exist in the synchronized dataset, they are updated; otherwise they remain unchanged.

    Selection: Clear

    Deletes all platform information of manually added/imported users, including their username, name, password, mobile number, mailbox, department, position, role, and permissions, after which you can synchronize users again.

    Note:

    1. According to the update logic above, the information of some users may be updated after the initial synchronization.

    2. Only synchronized users are updated automatically in the future.

    3. For subsequent synchronizations, you cannot overwrite the dataset or update its built-in data; otherwise, conflicts occur and an error prompt is displayed.

    2. Subsequent use of Synchronize User on the decision-making platform

    As the admin, click Synchronized User Management and select Edit to open the Synchronize User configuration page.

    Configuring Users for Synchronization

    Select Synchronize from Multiple LDAP Servers as the user source; the system automatically reads the configuration made in section "Configuring LDAP Authentication". Test the connection. The configuration of Synchronize User is shown in the following figure.

    Note:
    If Synchronize User was previously configured with Server Dataset as the user source, switching to Synchronize from Multiple LDAP Servers clears all synchronized data, including user information, departments, positions, roles, and permissions. Click OK in the prompt box to proceed with LDAP user synchronization.

    Sync Frequency

    Two types of synchronization frequency are supported: Fixed Interval and Expression Setting.

    Fixed Interval

    If you select Fixed Interval, the system automatically synchronizes user data from the LDAP servers to the platform at a fixed interval, which defaults to 43,200 seconds (12 hours) and can be modified.

    Note:
    Do not set the interval too small. Each run writes to the backend logs, so a very frequent schedule makes the log volume grow without bound.

    Expression Setting

    If you select Expression Setting, you can schedule user synchronization to run periodically at specified times, dates, or intervals.

    User Editability

    User Info Editable in Sync Status is unticked by default. If it is ticked, synchronized users can edit their own information.

    Synchronized users can edit their names, mobile numbers, and mailboxes. When this option is ticked, these fields of existing users are no longer updated during automatic or manual synchronization.

    The details are shown in the following table.

    Note:
    Because synchronized users are authenticated by the LDAP server, their passwords are not held by the platform, and synchronized users (except super admins and built-in users) cannot perform any password-related operation, including setting the encryption method and forgetting, changing, or resetting the password.

    User Type: Super admin

    1. During re-synchronization, the name, mobile number, and mailbox of existing platform users are no longer updated.

    2. Super admins can edit the name, mobile number, and mailbox of existing platform users, but cannot edit their roles.

    3. Super admins can edit their own name, password, mobile number, and mailbox in Account Setting.

    4. Super admins can use the Forgot Password function under System Management > System Setting > Login.

    User Type: Subordinate admin

    1. Subordinate admins (with the corresponding permissions) can modify the name, mobile number, and mailbox of synchronized users, but cannot edit their roles or passwords.

    2. Subordinate admins (with the corresponding permissions) can modify the name, password, mobile number, and mailbox of built-in users, but cannot edit their roles.

    3. Subordinate admins can edit their own name, mobile number, and mailbox in Account Setting.

    User Type: Ordinary user

    Ordinary users can edit their own name, mobile number, and mailbox in Account Setting.

    Enabling LDAP URL

    Click the Enable or Disable icon next to a domain to set its synchronization status to Enabled or Disabled.

    Click the Edit icon to edit the synchronization attributes of that domain.

    User Attribute

    First select the ObjectClass in the user attribute field, then select the attribute values within that ObjectClass.

    Note:
    When configuring Synchronize User, no password attribute is configured. Passwords are never synchronized, because synchronized users are authenticated against the LDAP server.

    ObjectClass (Required)

    Select the ObjectClass that stores the user attributes.

    User Duplication Verification Field (Required)

    Users can be de-duplicated by User ID or by Username.

    1. If you select User ID, the User ID field is synchronized and its value is the user ID held in the LDAP server.

    Note:
    If user A already exists on the platform, synchronization of A fails and A's platform information remains unchanged.

    2. If you select Username, the Username field is synchronized and the platform generates the User ID value randomly.

    Note:
    If user A already exists on the platform, synchronization proceeds: A's platform information is retained and supplemented with the differing information from the LDAP server.

    3. If the CN field is configured as the User Duplication Verification Field and the LDAP source data contains users with duplicate CNs:

    • In a single domain: synchronization fails. Select a unique attribute here instead, such as the AD login attributes userPrincipalName or sAMAccountName.

    • In multiple domains: synchronization proceeds normally, and the user's department or role information on the platform is retained and supplemented with the differing information from the LDAP server.

    User ID (Required only when User ID is selected in User Duplication Verification Field)

    Select the UID (User ID) in the user attributes.

    Username (Required)

    Select the username in the user attributes.

    Usernames stored in the LDAP server cannot contain double-byte Japanese, traditional Chinese, or Korean characters. Otherwise, the message "Incorrect Username or Password" is displayed when the user logs in to the platform.

    User Type (Optional)

    Select Platform User or Mobile Platform User.

    This item applies where platform users are classified by type; ignore it if no such limitation is configured.

    1. Plugin V1.7.5 and later

    The user type is resynchronized during each synchronization, so configuration changes or newly added values take effect on the next run. If the user type is left empty during synchronization, the setting has no effect and the user type previously set on the platform is retained.

    2. Plugin V1.7.4 and earlier

    The user type takes effect only during the initial configuration of synchronization. If user A's type has already been configured on the platform, a new user type configured for A during LDAP synchronization is not added. To change it, the admin must modify the platform user type manually.

    Username Conversion Policy (Optional)

    1. Plugin versions earlier than V1.7.9

    Usernames are uniformly converted to lowercase during user synchronization.

    2. Plugin V1.7.9 and later

    A Username Conversion Policy option, Keep Case Unchanged, is added. If it is ticked, the case of the original username is preserved during user synchronization.

    Note:

    If the external database is case-sensitive and LDAP users have already been synchronized, ticking Keep Case Unchanged causes synchronization to fail. Clear the historical data and synchronize again.

    Re-synchronizing after changing this option may lose the permission configuration of some users. For example, if the user ANNA was originally synchronized and stored as anna, ticking Keep Case Unchanged and re-synchronizing saves the user as ANNA. The role configuration previously assigned to anna is then lost, and ANNA does not inherit it.

    Do not tick this option unless you have a specific requirement for it. Usernames are stored in the database in lowercase by default.

    Name (Required)

    Select the name in the user attributes.

    Mobile (Optional)

    Select the mobile number in the user attributes.

    Mailbox (Optional)

    Select the mailbox in the user attributes.

    Expansion Attribute (Optional)

    Select other contents (batch selection supported) to be synchronized.

    Note:
    This function is supported in V1.8.0 and later. After it is configured, the data is stored in JSON format in the Fine_Extra_Properties table in FineDB.
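The following Python simulation is an added example, not the plugin's code, and applies the rules from the table above to constructed data: de-duplication by Username or by User ID, the "retain and supplement" update of an account that already exists on the platform, the same username arriving from two domains, and the Username Conversion Policy, including the anna/ANNA role loss described in the note. The attribute names, user IDs, domains, and sample users are assumptions; the real plugin's merge code is not shown on this page.

```python
"""Added example: simulation of the user-merge rules described in this table.

Not the plugin's code. All users, domains, IDs and attribute names below are
constructed for the example.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class PlatformUser:
    username: str
    user_id: str
    name: str
    mobile: str = ""
    mailbox: str = ""
    department: str = ""
    roles: set = field(default_factory=set)
    synced: bool = False  # False: added/imported manually on the platform


def normalise(username, keep_case):
    # Username Conversion Policy: lowercase unless Keep Case Unchanged is ticked.
    return username if keep_case else username.lower()


def sync_users(platform, entries, dedup="username", keep_case=False):
    """Apply one synchronization run to `platform` (dict keyed by username).

    dedup is the User Duplication Verification Field: "username" or "user_id".
    Returns a list of (username, action) tuples describing what happened.
    """
    report = []
    for entry in entries:
        uname = normalise(entry["username"], keep_case)
        user = platform.get(uname)
        if user is None:
            # New account. With User ID dedup the LDAP uid becomes the platform
            # user ID; with Username dedup the platform generates one.
            uid = entry["uid"] if dedup == "user_id" else uuid.uuid4().hex
            platform[uname] = PlatformUser(
                uname, uid, entry["name"], entry.get("mobile", ""),
                entry.get("mail", ""), entry.get("department", ""),
                set(entry.get("roles", ())), True)
            report.append((uname, "created"))
            continue
        if dedup == "user_id" and user.user_id != entry["uid"]:
            # An existing account whose ID does not match the LDAP uid:
            # synchronization of this user fails, platform record untouched.
            report.append((uname, "failed: user ID conflict"))
            continue
        # Retained and supplemented: username and permissions unchanged,
        # profile fields refreshed, department/roles merged from the dataset.
        user.name = entry["name"]
        user.mobile = entry.get("mobile", user.mobile)
        user.mailbox = entry.get("mail", user.mailbox)
        if entry.get("department"):
            user.department = entry["department"]
        user.roles |= set(entry.get("roles", ()))
        user.synced = True
        report.append((uname, "updated"))
    return report


def demo_case_policy(keep_case):
    """anna already exists with a role; two domains both hold an account for her."""
    platform = {"anna": PlatformUser("anna", "p-001", "Anna",
                                     roles={"report_viewer"}, synced=True)}
    entries = [  # constructed LDAP entries, one per domain
        {"domain": "corp.example", "username": "ANNA", "uid": "guid-corp-17",
         "name": "Anna Lee", "mail": "anna@corp.example", "roles": ["finance"]},
        {"domain": "sub.corp.example", "username": "anna", "uid": "guid-sub-42",
         "name": "Anna Lee", "department": "Sales"},
    ]
    report = sync_users(platform, entries, dedup="username", keep_case=keep_case)
    return platform, report


def demo_user_id_conflict():
    """bob was added manually; his platform ID cannot match the LDAP uid."""
    platform = {"bob": PlatformUser("bob", "p-002", "Bob", roles={"admin"})}
    entries = [{"domain": "corp.example", "username": "bob",
                "uid": "guid-corp-9", "name": "Bob K"}]
    report = sync_users(platform, entries, dedup="user_id")
    return platform, report


if __name__ == "__main__":
    for keep_case in (False, True):
        platform, report = demo_case_policy(keep_case)
        print("keep_case =", keep_case, report)
        for u in platform.values():
            print("  ", u.username, sorted(u.roles), u.department, u.mailbox)
    print(demo_user_id_conflict()[1])
```

With the default lowercase policy both domain entries land on the single account anna, which keeps its report_viewer role and gains finance plus the Sales department from the second domain. With Keep Case Unchanged, ANNA becomes a separate account that holds only what the LDAP entry carried, and the roles assigned to anna stay orphaned on the old record.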

    Department Attribute

    First select the ObjectClass in the department attribute field, then select the attribute values within that ObjectClass.

    The department attribute can be left unconfigured. If an ObjectClass is selected, however, the department name/department ID must be configured.

    Note:
    If a security group is used as the department for synchronization, the configuration in this section can be skipped.

    ObjectClass (Optional; either leave all items in this section empty or fill in all of them)

    Select the ObjectClass that stores the department attribute.

    Department Duplication Verification Field

    Departments can be de-duplicated by Department ID or by Department Name.

    1. If you select Department ID, the Department ID field is synchronized and its value is the department ID held in the LDAP server.

    2. If you select Department Name, the Department Name field is synchronized and the platform generates the Department ID value randomly.

    Department ID (Required only when Department ID is selected in Department Duplication Verification Field)

    Select the UID (Department ID) in the department attributes.

    Department Name

    Select the department name in the department attributes.

    Role Attribute

    First select the ObjectClass in the role attribute field, then select the attribute values within that ObjectClass.

    The role attribute can be left unconfigured. If an ObjectClass is selected, however, the role name/role ID must be configured.

    ObjectClass (Optional; either leave all items in this section empty or fill in all of them)

    Select the ObjectClass that stores the role attribute.

    Role Duplication Verification Field

    Roles can be de-duplicated by Role ID or by Role Name.

    1. If you select Role ID, the Role ID field is synchronized and its value is the role ID held in the LDAP server.

    2. If you select Role Name, the Role Name field is synchronized and the platform generates the Role ID value randomly.

    Role ID (Required only when Role ID is selected in Role Duplication Verification Field)

    Select the UID (Role ID) in the role attributes.

    Role Name

    Select the role name in the role attributes.

    Security Group Attribute (Sync with Security Group as Department)

    In an AD domain, a security group is an object used for managing and assigning permissions: it lets admins group a set of users or computers together and assign that group access permissions to specific resources or objects.

    This configuration synchronizes the users that are members of the selected security groups, with each group mapped to a platform department.

    Note:

    1. Security Group Attribute and Department Attribute cannot be configured at the same time; otherwise, the message "Department attributes and security group attributes cannot be configured at the same time." is displayed.

    2. Security Group Attribute and the custom department attribute cannot be configured at the same time; otherwise, the message "Custom department attributes and security group attributes cannot be configured at the same time." is displayed.

    The general applicable structure is shown in the following figure.

    The configuration items are shown in the following figure.

    ObjectClass (Optional; either leave all items in this section empty or fill in all of them)

    Select the ObjectClass that stores the security group (department) attribute. Once it is selected, all security groups of that ObjectClass are loaded as options in the Group Selection drop-down checkbox.

    Group Name (Optional)

    If a Group Name attribute is selected, the value of that LDAP attribute is used as the display value in the Group Selection drop-down. If it is left empty, the drop-down shows the CN by default.

    Group Selection

    Select the security groups to synchronize from the drop-down loaded above.

    Group Department Mapping (Optional; either leave all items in this section empty or fill in all of them)

    After security groups are selected, the group-to-department mapping is loaded into the mapping table automatically, and the Department Name column can be edited manually.

    Note:
    Security group names may be duplicated, but the departments they map to must not be. In a single domain, multiple groups can map to the same department; in a multi-domain environment, security groups in different domains cannot map to the same department. Under this condition, users in same-named security groups are still synchronized normally. If the usernames are also identical but the configurations differ, the platform de-duplicates them and overwrites the earlier record.

    Demonstration

    If both the LDAP authentication test and the multi-domain user synchronization configuration succeed, click OK to start synchronization.

    The following figure shows two LDAP URLs enabled.

    Successful synchronization is shown in the following figure.

    Users can then log in to the decision-making platform with the username and password held in the LDAP server and perform operations according to the permissions assigned to them on the platform.

    Note:

    1. If the entered account does not exist on the platform, the corresponding platform user is disabled, or user limitation is enabled on the platform and the user is not included, the platform does not contact the LDAP server at all and the login page displays "Incorrect Username or Password" or "Username Unavailable". The platform account therefore acts as an allow-list in front of LDAP: disabling or removing a platform account blocks login even while the LDAP account remains valid.

    2. Usernames stored in the LDAP server cannot include double-byte Japanese, traditional Chinese, or Korean characters, and passwords stored in the LDAP server cannot include double-byte Japanese, traditional Chinese, simplified Chinese, or Korean characters. Otherwise, the message "Incorrect Username or Password" is displayed when the user logs in to the platform.

    Notes

    Special Character Limitation

    1. Name of Security Group

    When a security group is created in AD, the following characters are disallowed: / \ [ ] : ; | = , + * ? < > "

    2. Name of User

    When a user is created in AD, the following characters are disallowed: / \ [ ] : ; | = , + * ? < > "

    In summary, the special characters supported during synchronization are parentheses ( ), underscore, and space.

    3. Name of Organizational Unit (OU)

    Supported characters include / \ ( ) _ ; , + * < > and space.
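Several of the characters listed above as permitted in AD and OU names (parentheses, commas, plus signs, semicolons, backslashes, angle brackets) carry meaning inside LDAP search filters and distinguished names, so any code that looks a user up by login name or builds an OU path has to escape them rather than rely on the AD naming rules alone. The following Python code is an added example, not the plugin's code: it validates a proposed user or group name against the disallowed set above, escapes values for filters (RFC 4515) and for DNs (RFC 4514), and shows how an unescaped login name would restructure the lookup filter. The attribute names (sAMAccountName, the OU path, the base DN) and the sample values are assumptions.

```python
"""Added example: validating AD names and escaping them for LDAP queries.

Not the plugin's code. The attribute names and sample values are assumptions.
"""

# Characters AD rejects in user and security group names (from the list above).
AD_DISALLOWED = set('/\\[]:;|=,+*?<>"')


def invalid_ad_name_chars(name):
    """Return the disallowed characters present in a proposed user/group name."""
    return sorted(ch for ch in set(name) if ch in AD_DISALLOWED)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    Parentheses are allowed in AD names (see the list above) yet still change
    filter structure, so they must be escaped along with '*', '\\' and NUL
    before the value is interpolated into a filter.
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value inside a DN (e.g. an OU name).

    OU names may contain ',', '+', ';', '<', '>', '\\' and spaces; in a DN
    these need a backslash, as do a leading '#' and leading/trailing spaces.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def user_filter(login_attr, username, object_class="user"):
    """Build the lookup filter for a login name without letting the name change
    the query: a raw '*' or ')(' in the username would otherwise widen or
    restructure the filter."""
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"({login_attr}={escape_filter_value(username)}))")


def ou_dn(ou_path, base_dn):
    """Compose a DN from a list of OU names (innermost first) under base_dn."""
    return ",".join(f"OU={escape_dn_value(ou)}" for ou in ou_path) + "," + base_dn


if __name__ == "__main__":
    # Constructed inputs: a login name with filter metacharacters and an OU
    # path that uses characters the page lists as permitted in OU names.
    print(invalid_ad_name_chars('j.doe (EMEA)'))            # []
    print(invalid_ad_name_chars('admin*|x'))                # ['*', '|']
    print(user_filter("sAMAccountName", "admin*)(cn=*"))
    print(ou_dn(["R+D", "Sales, EMEA"], "DC=corp,DC=example"))
```

The same escaping applies in the other direction: when a synchronized value such as an OU or group name is written back into a filter or DN for a later lookup, escape it again at that point rather than storing a pre-escaped form.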

    Plugin Deletion

    1. Plugin V1.7.5 and later

    The configuration is retained if the plugin is deleted.

    2. Plugin V1.7.4 and earlier

    The existing configuration is deleted together with the plugin. Back up the configuration information before deleting the plugin.

    The configuration-related information is stored in the FINE_CONF_ENTITY table in the FineDB database.

    Query statement:

    SELECT * FROM FINE_CONF_ENTITY WHERE ID LIKE '%FINE_MULTI_LDAP VALUES%'

    Note:
    To restore the original configuration after deleting or reinstalling the plugin, you need to modify FineDB manually and restart the platform. This operation is risky: take a backup first and contact technical support for assistance before proceeding.
