I. Overview
1. Version
Report Server Version | Feature Changes |
---|---|
10.0 | - |
10.0.18 | Section II.1: LDAP authentication adds a "Test Connection" button. Section III.3: supports custom configuration of the LDAP authentication username login search field. |
2. Application scenarios
The user stores relatively complete employee information in an LDAP authentication server and already uses it to authenticate several online systems.
Such users need the same authentication method in the decision-making platform. LDAP authentication can be turned on at Manage > User > Global Settings in the decision-making platform.
3. Function introduction
The platform provides LDAP authentication; users can set it up in the decision-making platform by following the method in this document.
With LDAP authentication enabled, when a user logs in the platform submits the entered username and password to the configured LDAP system for authentication.
If the LDAP system authentication fails, the platform judges that the authentication fails;
If the LDAP system authentication succeeds but the corresponding user does not exist among the platform users, the platform judges that the authentication fails;
If the LDAP system authentication succeeds and the corresponding user exists among the platform users, the platform judges that the authentication succeeds; the user can enter the platform and perform operations according to that user's authority in the platform.
Note: Super administrators are not affected by LDAP authentication and still use the platform's built-in authentication.
II. Example
1. Configuring LDAP Authentication
1) Enter the decision-making platform as an administrator and click Manage > User > Global Settings to select the authentication method for Sync User and Imported/Added User respectively. As shown below:
2) Select LDAP Authentication as the authentication method, enter the parameters, and click the Save button. You will be logged out of the decision-making platform and need to log in again. As shown below:
The description of each parameter item during LDAP authentication is shown in the following table:
Parameter item | Description |
---|---|
URL | The URL is the entry point for logging into the LDAP server. It consists of a domain name or IP address and a port number; the default port number is generally 389. The URL format is: LDAP://domain name or IP+port number |
Retrieve Location | LDAP is a server that stores data in a tree structure. The server is entered through the URL, and the relevant login information is retrieved after the user and password are authenticated. The "retrieve location" is the location where that login information is stored. |
AUTH Method | Specifies the authentication type used by the LDAP directory server. Choose it according to the LDAP server's configuration; "simple" is selected for the general authentication method. |
Context | The class name of the initial context factory. Normally choose "com.sun.jndi.ldap.LdapCtxFactory" for an LDAP-server-based directory service. |
Referral | Select according to the LDAP server's configuration; generally select "ignore". |
Username Suffix | A username suffix may or may not be added. If it is added, the corresponding domain name is appended automatically when logging in. For example, if the LDAP server has a user named Alice@fanruan.com and the username suffix is set to @fanruan.com, then the username in the decision-making platform is Alice, and the username used to log in to the decision-making platform is also Alice. |
Administrator name/password | The administrator name here does not refer to the administrator of the LDAP server, but to a user who has the right to retrieve from the LDAP server. Authentication works by this user entering the LDAP server and retrieving login information from the retrieve location. The account is usually identified as "domain name/username"; either "uid" or "cn" can also be used, but the full DN form is generally not used. |
3) After filling in the parameters, click Test Connection. Once the connection succeeds, click Save; the authentication method is now configured.
Note: If the connection fails, a prompt pops up: "Failed to connect to LDAP authentication, please confirm the relevant configuration is accurate and then save it again." As shown below:
2. Add users
The LDAP server generally stores the employee list. If a user is to log in to the platform with LDAP authentication, the platform must also contain a user with the same name, because platform operations such as binding mailboxes and assigning permissions all take platform users as their object.
When the corresponding platform user exists, enabling LDAP authentication simply switches that user's password check from the platform's built-in authentication to authentication by the LDAP server.
Click Manage > User > Add User to add user "test001", as shown in the following figure:
Note 1: When adding a user for LDAP authentication, there is no need to configure a password. FanRuan stores the default password 123456 for the account, and the actual authentication is performed by LDAP password authentication.
Note 2: Synchronized users and imported/added users can choose different authentication methods respectively.
3. Effect View
The user enters the username and password stored in the LDAP server. If the LDAP system authentication succeeds and the corresponding user exists among the platform users, the platform judges that the authentication succeeds; the user can enter the decision-making platform and operate according to that user's permissions in the platform. As shown below:
Note 1: If the entered username does not exist in the platform, or the corresponding platform user is disabled, or the platform user restriction is enabled and the user is not included, the platform does not communicate with the LDAP server at all and directly prompts "username or password error" or "user unavailable".
Note 2: A username stored in the LDAP server cannot contain double-byte Japanese, Traditional Chinese or Korean characters; otherwise "username or password error" is prompted when logging in to the platform.
A password stored in the LDAP server cannot contain double-byte Japanese, Traditional Chinese, Simplified Chinese or Korean characters; otherwise "username or password error" is prompted when logging in to the platform.
III. Attention items
1. Testing whether the LDAP connection succeeds
For report projects before 10.0.18, there is no way to tell from the decision-making platform whether the LDAP connection succeeded after LDAP authentication is configured. When carrying out Section II.3 of this document, users may be unable to log in or may log in slowly. Use the method in this chapter to locate the problem.
Note: Make sure you have a local Java environment.
1) Download the compressed package below and unzip it:
2) Open the "LDAPDemo.java" file and set the configuration items to the values from the platform's LDAP configuration page, as shown in the following figure:
Note: If the administrator name contains any of the characters '"', '+', ',', ';', '<', '>', '\', it must be escaped in LDAPDemo.
Example: For the username fanruan\admin, enter fanruan\\admin in LDAPDemo. Input on the decision-making platform does not need escaping; enter fanruan\admin directly.
3) Switch to the directory containing the file and execute: javac -encoding utf-8 LDAPDemo.java to generate LDAPDemo.class;
Then execute: java LDAPDemo. If it prints "end of test", LDAP authentication is working; otherwise, follow the prompts to locate the problem further. As shown below:
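As an added illustration (this is not the LDAPDemo program from the package above, nor FanRuan's own code), the following Java program uses the same JNDI factory named in the Context parameter to do what this section and Section I.3 describe: first bind with the retrieval account and read the retrieve location (the "Test Connection" step), then make the login decision, including the platform-side short-circuit of Section II.3 note 1 that keeps unknown platform users away from the LDAP server. The URL, DNs, account names, suffix and the platform user list are constructed placeholders; the only settings copied from the page are the factory class, "simple" and "ignore".

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapAuthCheck {
    // Hypothetical values: replace them with the entries from the platform's LDAP configuration page.
    static final String URL = "ldap://ldap.example.com:389";           // URL
    static final String BASE = "ou=people,dc=example,dc=com";          // Retrieve Location
    static final String AUTH = "simple";                                // AUTH Method
    static final String FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";   // Context
    static final String REFERRAL = "ignore";                            // Referral
    static final String SUFFIX = "@example.com";                        // Username Suffix (may be "")
    // In a Java string literal a backslash must be doubled, so fanruan\admin is written "fanruan\\admin".
    static final String ADMIN = "fanruan\\admin";                       // Administrator name
    static final String ADMIN_PASSWORD = "change-me";                   // Administrator password
    // Constructed stand-in for the platform's own user list (Manage > User).
    static final Set<String> PLATFORM_USERS = new HashSet<>(Arrays.asList("test001", "alice"));

    static Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, AUTH);
        env.put(Context.REFERRAL, REFERRAL);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    /** Step 1 ("Test Connection"): bind with the retrieval account and read the retrieve location. */
    static void checkConnection() throws NamingException {
        DirContext ctx = new InitialDirContext(env(ADMIN, ADMIN_PASSWORD));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.OBJECT_SCOPE);   // read only the base entry itself
            NamingEnumeration<SearchResult> hits = ctx.search(BASE, "(objectClass=*)", sc);
            if (!hits.hasMore()) {
                throw new NamingException("retrieve location not readable: " + BASE);
            }
        } finally {
            ctx.close();
        }
    }

    /** Step 2: the login decision of Section I.3 with the platform-side check of Section II.3 note 1. */
    static String authenticate(String username, String password) {
        // Unknown platform users are rejected before any LDAP traffic, as the platform does.
        if (!PLATFORM_USERS.contains(username)) {
            return "username or password error";
        }
        // An empty password must never be sent: a simple bind with empty credentials is treated as an
        // anonymous bind by many servers and would "succeed" without checking anything.
        if (password == null || password.isEmpty()) {
            return "username or password error";
        }
        try {
            // The suffix is appended at bind time, which is the 10.0 order described in Section III.2.
            new InitialDirContext(env(username + SUFFIX, password)).close();
            return "authentication successful";
        } catch (NamingException e) {
            // Covers both rejected credentials and an unreachable server; log e for troubleshooting.
            return "username or password error";
        }
    }

    public static void main(String[] args) throws NamingException {
        checkConnection();
        System.out.println("connection check passed");
        System.out.println(authenticate("test001", "secret"));
    }
}
```

Compile and run it the same way as the page's program (javac -encoding utf-8 LdapAuthCheck.java, then java LdapAuthCheck). A failure in checkConnection() points at the URL, retrieve location or retrieval account; a failure in authenticate() with a working connection points at the suffix or at the user's own credentials.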
2. LDAP authentication fails after 9.0 upgrade to 10.0
Problem Description:
After FineReport is upgraded from 9.0 to 10.0, users fail to log in with LDAP authentication, and the login page shows the error message "username does not exist".
Cause Analysis:
The LDAP login authentication logic changed between 9.0 and 10.0.
Take the username User and the LDAP authentication suffix fr.com as an example:
FineReport 9.0: first append the suffix "fr.com" to the username "User" and check whether that user exists on the platform, then run the LDAP authentication process.
FineReport 10.0: first check whether the user exists on the platform by the bare username "User", then append the suffix "fr.com" and run the LDAP authentication process.
Solution:
Solution 1: Remove the username suffix from the LDAP configuration page under user management; users can then log in normally as username@suffix.
Solution 2: Remove the suffix from each platform user's name; users can then log in normally with the bare username.
3. Configuring the LDAP Authentication Username Login Search Field
Super administrators can customize the LDAP authentication username login search field through the "fine_conf_entity Visual Configuration Plugin". The setting takes effect after the server is restarted.
Note: Please refer to FineDB Common Table Field Modification for the method of modifying FineDB database table field values.
Configuration item | Modification rules |
---|---|
FSConfig.loginConfig.fWords | The parameter value format is: ["value1", "value2"]. The value must not be empty and its length must not be 0. The default value is ["sAMAccountName","cn","userPrincipalName","uid","displayName","name","sn"]. |
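As an added example (not part of this page and not FanRuan's code), the following Java class shows one way a search field list like the default above could be turned into an LDAP search filter. How the platform itself consumes FSConfig.loginConfig.fWords is not described here, so the OR-filter shape is an assumption. The point it demonstrates is the one a reviewer would check in any such code: the username comes from the login form and must be escaped per RFC 4515, and the field names come from configuration and should be validated as attribute names, so that neither can change the structure of the filter.

```java
import java.util.regex.Pattern;

public class LoginSearchFilter {
    // Default value of FSConfig.loginConfig.fWords, copied from the table above.
    static final String[] DEFAULT_FIELDS = {
        "sAMAccountName", "cn", "userPrincipalName", "uid", "displayName", "name", "sn"
    };
    // LDAP attribute descriptions: a letter followed by letters, digits or hyphens.
    static final Pattern ATTRIBUTE_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9-]*");

    /** Escape a filter value per RFC 4515 so the characters that have filter syntax become literals. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Build (|(field1=user)(field2=user)...) over the configured fields, or (field=user) for one field. */
    static String buildFilter(String[] fields, String username) {
        // Mirrors the rule in the table: the list must not be empty.
        if (fields == null || fields.length == 0) {
            throw new IllegalArgumentException("search field list must not be empty");
        }
        for (String f : fields) {
            if (f == null || !ATTRIBUTE_NAME.matcher(f).matches()) {
                throw new IllegalArgumentException("not an attribute name: " + f);
            }
        }
        String value = escapeFilterValue(username);
        if (fields.length == 1) {
            return "(" + fields[0] + "=" + value + ")";
        }
        StringBuilder sb = new StringBuilder("(|");
        for (String f : fields) {
            sb.append('(').append(f).append('=').append(value).append(')');
        }
        return sb.append(')').toString();
    }

    public static void main(String[] args) {
        // Normal login name: one equality test per configured field.
        System.out.println(buildFilter(DEFAULT_FIELDS, "test001"));
        // A name containing filter metacharacters stays a literal value: (uid=a\2a\29b)
        System.out.println(buildFilter(new String[] {"uid"}, "a*)b"));
        // A misconfigured field value is rejected instead of being spliced into the filter.
        try {
            buildFilter(new String[] {"uid)(cn"}, "test001");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first printed line for the default list is (|(sAMAccountName=test001)(cn=test001)(userPrincipalName=test001)(uid=test001)(displayName=test001)(name=test001)(sn=test001)). Because every configured field is tested against the same value, adding fields to fWords widens which directory attributes may match a login name; keep the list to attributes that are unique per account.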