User Authentication with External Directory Services


To authenticate a user, Jedox can use external directory services such as Microsoft Active Directory Services or other LDAP directory services. For this, Jedox OLAP must be set up properly with the Jedox Supervision Server, which monitors actions in the Jedox OLAP Server. When a monitored action (such as a user login) occurs, a PHP script can start further actions.

Upon user login, the following two Supervision actions are used:

User Authenticate

To activate this, you’ll need to add/activate these lines in the palo.ini file in the olap folder:

    worker "path to supervisionserver executable"
    workerlogin authentication

If this event is intercepted, then the user/password combination transmitted from the client is not authenticated by Jedox itself, but will be transmitted by the Supervision Server to the established directory service. This service authenticates the user and, if successful, the user can work with Jedox.

The permissions (authorizations) are still administrated in Jedox. The user must be administrated both in the directory service and in Jedox: the directory service checks the credentials, while the user's permissions are administrated in Jedox.

User Authorize

To activate this, you’ll need to add/activate these lines in the palo.ini file in the olap folder:

    worker "path to supervisionserver executable"
    workerlogin authorization

In addition to authenticating the user, the directory service returns all groups of which the user is a member. The advantage here is that the user does not have to be created in Jedox. Authorization takes place at the group level only. In Jedox itself, only the groups and their assignments to roles must be administered; if a user is deleted or assigned to other groups in the directory service, no further action is required. New users can also be added easily and centrally. However, note that groups that are deleted or renamed in the directory must be adjusted in Jedox.

Sample scripts

You will find example scripts in the sample folder of the SVS installation. Note that scripts that are kept in sample_scripts will be overwritten during a Jedox update. Scripts that are intended to be used for a longer period of time should be copied to custom_scripts.

Using ./sample_scripts/sep.inc.adldap_sample.php as a reference script:

  1. Copy ./sample_scripts/sep.inc.adldap_sample.php and the folder ./sample_scripts/adLDAP to ./custom_scripts
  2. Open <svs_directory>/sep.inc.php
  3. Change

    <?php
    include './custom_scripts/sep.inc.default.php';
    ?>

    to

    <?php
    include './custom_scripts/sep.inc.adldap_sample.php';
    ?>

  4. Save and go to the sample_scripts folder.
  5. Open sep.inc.adldap_sample.php and change

    function AuthHelper($username, $password, array& $groups)
    {
        // change the following lines to your needs
        $server = array('example.com');
        $account_suffix = '@myad.local';
    ...

    to

    function AuthHelper($username, $password, array& $groups)
    {
        // change the following lines to your needs
        $server = array('myldapserver.com');
        $account_suffix = '@mycompany.com';
    ...

  6. Save and restart OLAP.
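
The checks a directory-backed login helper should make before it reports success, as an added example that is not Jedox's sample script and does not use the bundled adLDAP library; it uses PHP's ldap extension against Active Directory. The function names, the boolean return value, the base DN parameter and the sAMAccountName lookup are assumptions.

```php
<?php
// Added example: function names, return shape and lookup attribute are assumptions.
// Reduce memberOf DNs to plain group names (the first RDN value of each DN).
function group_names_from_dns(array $dns): array
{
    $names = array();
    foreach ($dns as $dn) {
        $parts = ldap_explode_dn($dn, 1); // 1 = values only, without "CN="
        if (is_array($parts) && $parts['count'] > 0) {
            $names[] = $parts[0];
        }
    }
    return $names;
}

function directory_login(string $host, string $suffix, string $baseDn, string $username, string $password, array &$groups): bool
{
    $groups = array();
    // A simple bind with an empty password is an unauthenticated bind, which
    // some servers accept without checking identity: refuse it up front.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect('ldaps://' . $host); // LDAPS: password is not sent in clear text
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, $username . $suffix, $password)) {
        ldap_unbind($conn);
        return false;
    }
    // Escape the name so it cannot change the meaning of the search filter.
    $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($conn, $baseDn, $filter, array('memberOf'));
    $entries = $result === false ? array('count' => 0) : ldap_get_entries($conn, $result);
    if ($entries['count'] === 1 && isset($entries[0]['memberof'])) {
        $dns = $entries[0]['memberof'];
        unset($dns['count']);
        $groups = group_names_from_dns($dns); // direct memberships only
    }
    ldap_unbind($conn);
    return true;
}

// Constructed sample DN; this call runs without a directory server.
print_r(group_names_from_dns(array('CN=Jedox Admins,OU=Groups,DC=mycompany,DC=com')));
```

With `workerlogin authorization`, the group names this returns only take effect if groups of the same name exist in Jedox and are assigned to roles there.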