Shulou(Shulou.com)06/03 Report--

How to use LDAP in Yonghong BI? I believe that most people have not yet learned this skill, in order to let you learn, to give you a summary of the following content, do not say much, let's move on.

Application scenario

The company has many IT systems, such as: corporate mailbox, github, jenkins, grafna, zabbix, HR system, Yuyou, Kingdee, file system, aws, aliyun, cmdb, jira, confluence.

Here are some things to do when a new employee enters the workforce:

According to the employee's position, confirm the permission to activate the IT system.

Add accounts and set passwords in the corresponding IT system

Notify new employees, IT system permissions and IT system access addresses through various channels.

When the old employee leaves, the above thing has to be done again.

During normal work, many employees forget their passwords for various strange reasons and come to you to reset and modify them. When employees are promoted and changed, they are revised and deleted all at once.

Are you freaking out? This is not enough, an employee needs to operate manually N times, every day there will be 0 Murray N employees, if there is a misoperation, resulting in data leakage. The pot is picked up directly. There is no feeling that I will not love again.

In fact, the solution is very simple, there is a certification management center can be solved, that is LDAP. What is LDAP? What's it for?

LDAP is the abbreviation of Lightweight Directory Access Protocol, which means the protocol of directory service in Chinese and stores data in a tree structure.

Mainly used to store enterprise personnel information and organizational structure, and its unified authentication management. At the same time, it can be integrated with third-party applications to achieve access management for people or departments within the enterprise.

Example explanation

Let's take a look at the use of LDAP in Yonghong BI and how to synchronize Yonghong users easily and quickly. The LDAP connection information in the following example takes ldapadmin connecting to LDAP server as an example.

1. Permission setting

Go to * * Management system * *-> * * system Settings * *-> * * permission Management system configuration * * to set it. Modify the rights management system to LDAP synchronization-file rights management system. As shown in the following figure:

When the user chooses the LDAP synchronization-file rights management system, the user's LDAP server can be docked by configuring the corresponding relationship between the LDAP server and the rights system. Users in LDAP can be synchronized into the system through this type, and permissions for resources and operations can be granted, as shown in the following figure:

2. LDAP configuration

The following properties need to be configured on the LDAP configuration page, as described below.

Server configuration

The url of the URL:LDAP server is generally the url:port of the server, but you usually need to carry the ldap protocol header, such as ldap://192.168.0.181:389

Entries per page: the number of entries that can be imported per page. This value is set by the user according to the total number of users of LDAP, such as 500or 1000.

User name: the name of the user who logged in to LDAP

Password: password for logging in to LDAP

Domain name: the domain name of the LDAP server, such as dc=maxcrc,dc=com. The domain name can be queried on the connection page, as shown below:

The server configuration page is as follows:

Note: if you do not have a specific user name and password, you can not fill in these two items.

User attribute configuration

The ObjectClass:LDAP object class is LDAP's built-in data model, such as the inetOrgPerson object class. Each objectClass has its own data structure, such as "user" objectClass, which includes many attributes, such as name, password, mobile, etc. All data with this object class will be parsed as a user entry.

UID: the uid of the user corresponds to the mapping of the name of the file in item. For example, when the "name" attribute in the LDAP entry is used as a UID, after being synchronized into the system, the value of the "name" attribute will correspond to the user name of the user in the system

ObjectClass and UID can be seen in the following interface:

Property configuration: the corresponding relationship between the system property and the LDAP property, as shown in the following figure.

The group attributes and role attributes in the LDAP configuration are configured with the same user attributes.

Advanced Settin

Custom converters: interfaces reserved for custom converters

Custom Synchronizer: interface reserved for Custom Synchronizer

Custom authenticator: there are two ways: g5.secure.fs.LDAP.impl.LDAPAuthenor and g5.secure.fs.LDAP.impl.DefAuthenor

G5.secure.fs.LDAP.impl.LDAPAuthenor indicates that after synchronization, the product will use the password of the LDAP server for authentication and login.

G5.secure.fs.LDAP.impl.DefAuthenor indicates that after synchronization, the product will use the matching field of LDAP and the product as the password for authentication and login.

The default before V8.5.1 is: g5.secure.fs.LDAP.impl.DefAuthenorJournal V8.5.1. After V8.5.1, it defaults to: g5.secure.fs.LDAP.impl.LDAPAuthenor.

Note: this configuration reserves interfaces for specific authentication requirements. Generally, this configuration is not filled in in the basic configuration.

Timing synchronization settin

Click the input box of timing synchronization to select the time of timing synchronization in the drop-down list, after which the system will automatically synchronize with the LDAP server at this time every day.

Manual synchronization

After configuring the attributes, manually click the synchronization LDAP, and the system will synchronize according to the configured corresponding relationship. When synchronizing, the log of LDAP synchronization is automatically displayed below.

Result of an example

Custom attribute

If customers need to customize new attributes, such as administrator, user address, etc., they can customize them as follows:

Note: when customizing user attributes, the name of the new user attribute should be consistent with the parameter name. After adding custom attributes, you can view them in Section 2.2 property configuration-Local Properties.

► specifically states

Stock synchronization

If LDAP has already synchronized once, when it synchronizes again, it is called "stock synchronization".

When synchronizing inventory, if the matching property of the product and LDAP is configured, the property value in LDAP will override the corresponding property value in the product.

☞ for example:

1. The "mailbox" in the product is configured to match the attribute "email" in LDAP. When the inventory is synchronized, the email attribute value in LDAP will override the mailbox configuration in the product.

2. There is a user user1 in LDAP, which is a member of People group. When synchronizing for the first time, synchronize user1 into the product, whose parent group is People. In the product, adjust the parent group of user1 to group1, and then synchronize the stock, and the parent group of user1 becomes People.

Matters needing attention

When LDAP synchronizes, it does not verify the validity of the mailbox and password, that is, it can be synchronized successfully even if the mailbox and password are not filled in or illegal.

The name of the LDAP user cannot be modified. For example: change the name of the LDAP user "user1" to "user2", and click Save, it will prompt: LDAP users cannot change the user name.

After reading this article, have you learned how to use LDAP in Yonghong BI? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel. Thank you for reading.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.