Clarity Service Management

JasperServer AD group sync configuration

  • 1.  JasperServer AD group sync configuration

    Posted 03-05-2018 06:06 AM

    Hello everyone,

     

    I'm testing integration of JasperServer with AD. I've managed to configure JasperServer to authenticate users with AD, but I'm having problems with AD group sync to JasperServer roles for one organization only.

    The testing version of JasperServer is 6.3, where I've followed the instructions from:

    JasperReports Server 6.0.1 Authentication with NTLM | Jaspersoft Community 

     

    Problem is that every user gets only the default role ROLE_USER when logging into JasperServer.

    It looks like it ignores the groupSearchFilter property "(&(sAMAccountName={0})(objectclass=group)(cn=JASPER_*))" in the ldapAuthenticationProvider bean.

     

     

    The scenario which I'm reproducing:

    - Two groups in AD: JASPER_GROUP1, JASPER_GROUP2

    - Two roles in JasperServer: ROLE_GROUP1, ROLE_GROUP2

     

    So if a user is in JASPER_GROUP1, then on logging into JasperServer they need to be assigned the ROLE_GROUP1 role.

    According to the documentation this is possible, and others were able to set up this kind of integration.

     

    I'm pasting the beans (applicationContext-externalAuth-LDAP-mt.xml) in case somebody has an idea what could be wrong.

     

    <bean id="ldapAuthenticationManager" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.JSProviderManager">
            <property name="providers">
                <list>
                    <ref local="ldapAuthenticationProvider"/>
                    <ref bean="${bean.daoAuthenticationProvider}"/>
                </list>
            </property>
        </bean>

     

        <bean id="ldapAuthenticationProvider" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider">
            <constructor-arg>
                <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSBindAuthenticator">
                    <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                    <property name="userSearch" ref="userSearch"/>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
                    <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                    <constructor-arg index="1"><value>OU=REPORTING</value></constructor-arg>
                    <property name="groupRoleAttribute" value="CN"/>
                    <property name="rolePrefix" value="ROLE_"/>
                    <property name="convertToUpperCase" value="true"/>
                    <property name="groupSearchFilter" value="(&amp;(sAMAccountName={0})(objectclass=group)(cn=JASPER_*))"/>
                    <property name="searchSubtree" value="true"/>
                </bean>
            </constructor-arg>
        </bean>

     

        <bean id="userSearch"
              class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSFilterBasedLdapUserSearch">
            <constructor-arg index="0">
                <value></value>
            </constructor-arg>
            <constructor-arg index="1">
               <value>(sAMAccountName={0})</value>
            </constructor-arg>
            <constructor-arg index="2">
                <ref local="ldapContextSource" />
            </constructor-arg>
            <property name="searchSubtree">
                <value>true</value>
            </property>
        </bean>

     

        <bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
            <constructor-arg value="ldap://hostname:389/dc=demo,dc=local"/>
            <!-- manager user name and password (may not be needed)  -->
            <property name="userDn" value="CN=jasperadmin,OU=REPORTING,DC=demo,DC=local"/>
            <property name="password" value="<password>"/>
            <property name="referral" value="follow"/>
        </bean>

     

     

    Also, here is the role mapping I've set:

     

     <bean id="mtExternalUserSetupProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTExternalUserSetupProcessor" parent="abstractExternalProcessor">
            <!--Default permitted role characters; others are removed. Change regular expression to allow other chars. -->
                        <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>

     

            <property name="userAuthorityService">
                <ref bean="${bean.internalUserAuthorityService}"/>
            </property>
            <property name="defaultInternalRoles">
                <list>
                    <value>ROLE_USER</value>
                </list>
            </property>
            <property name="organizationRoleMap">
                <map>
                    <!-- Example of mapping customer roles to JRS roles -->
                    <entry>
                        <key>
                            <value>ROLE_JASPER_GROUP1</value>
                        </key>
                        <!-- JRS role that the <key> external role is mapped to-->
                        <value>ROLE_GROUP1</value>
                    </entry>
                </map>
            </property>

    </bean>

     

    Best Regards,

     

    Domagoj



  • 2.  Re: JasperServer AD group sync configuration

    Posted 04-23-2018 12:20 PM

    Hi Domagoj,

     

    Thank you for reaching out via Communities. I came across your post and took a look into some additional Tibco documentation that you might find useful regarding the groupRoleAttribute and groupSearchFilter properties. It's listed here:

     

    Mapping the User Roles | Jaspersoft Community 

     

    Hope this helps, please feel free to reach out with any additional questions!

     

    Eddie



  • 3.  Re: JasperServer AD group sync configuration

    Posted 04-25-2018 10:36 AM

    Domagoj..........

     

    Did the information provided by Eddie help with the JasperSoft AD sync?

     

    If so, please mark Eddie's answer as correct so that this thread can be closed.



  • 4.  Re: JasperServer AD group sync configuration
    Best Answer

    Posted 04-26-2018 03:14 AM

    Hi all,

     

    This is the solution, after a lot of testing:

     

        <bean id="ldapAuthenticationProvider" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider">
            <constructor-arg>
                <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSBindAuthenticator">
                    <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                    <property name="userSearch" ref="userSearch"/>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
                    <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                    <constructor-arg index="1"><value>OU=[replace this with your value - REPO]</value></constructor-arg>
                    <property name="groupRoleAttribute" value="CN"/>
                    <property name="rolePrefix" value="ROLE_"/>
                    <property name="convertToUpperCase" value="true"/>
                    <property name="groupSearchFilter" value="(&amp;((objectClass=group)&amp;(member:1.2.840.113556.1.4.1941:={0})(cn=[replace this with your value - JASPER_*])))"/>
                    <property name="searchSubtree" value="true"/>
                    <!-- Can setup additional external default roles here  <property name="defaultRole" value="LDAP"/> -->
                </bean>
            </constructor-arg>
        </bean>

     

     

    Kind Regards,

     

    Domagoj
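
A small model of why the first configuration yielded only ROLE_USER and what the accepted filter changes, added here as an example and not taken from the posts or from JasperReports Server. It assumes the Jaspersoft populator follows Spring Security's convention ({0} is the user's DN, {1} the login name) and that unmapped external roles keep their name; the user, groups and nesting are constructed.

```python
import re

BASE = "OU=REPORTING,DC=demo,DC=local"
USER_DN = f"CN=jdoe,{BASE}"          # constructed user, not from the thread
GROUPS = {                           # constructed directory: group CN -> direct member DNs
    "JASPER_GROUP1": {f"CN=JASPER_TEAM_A,{BASE}"},   # contains a nested group
    "JASPER_TEAM_A": {USER_DN},
    "JASPER_GROUP2": set(),
    "HR_ALL": {USER_DN},
}
OLD_FILTER = "(&(sAMAccountName={0})(objectclass=group)(cn=JASPER_*))"
ROLE_MAP = {"ROLE_JASPER_GROUP1": "ROLE_GROUP1"}     # organizationRoleMap from the post
PERMITTED = re.compile(r"[A-Za-z0-9_]+")             # permittedExternalRoleNameRegex

def escape(value):
    """RFC 4515 escaping for a value substituted into a filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def render(template, user_dn, username):
    """Assumed Spring Security convention: {0} = user DN, {1} = login name."""
    return template.replace("{0}", escape(user_dn)).replace("{1}", escape(username))

def in_chain(cn, dn, seen=None):
    """Direct or nested membership, modelling matching rule 1.2.840.113556.1.4.1941."""
    seen = set() if seen is None else seen
    if cn in seen:
        return False
    seen.add(cn)
    for member in GROUPS[cn]:
        child = member.split(",")[0][3:]             # "CN=x,..." -> "x"
        if member == dn or (child in GROUPS and in_chain(child, dn, seen)):
            return True
    return False

def search_old(user_dn):
    # A group's sAMAccountName (here equal to its CN) is compared with the user's DN.
    return sorted(cn for cn in GROUPS if cn.startswith("JASPER_") and cn == user_dn)

def search_new(user_dn):
    return sorted(cn for cn in GROUPS if cn.startswith("JASPER_") and in_chain(cn, user_dn))

def internal_roles(group_cns, defaults=("ROLE_USER",)):
    roles = list(defaults)
    for cn in group_cns:
        external = "".join(PERMITTED.findall(("ROLE_" + cn).upper()))
        roles.append(ROLE_MAP.get(external, external))   # assumption: unmapped roles keep their name
    return roles
```

With this data `search_old` finds no group, so only the default role is granted, while `search_new` also returns `JASPER_TEAM_A` through nesting. Every group matched by the wildcard becomes a role, so group nesting under the search base is worth reviewing.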