
JasperServer AD group sync configuration

Question asked by dhrzic on Mar 5, 2018
Latest reply on Apr 26, 2018 by dhrzic

Hello everyone,

 

I'm testing integration of JasperServer with AD. I've managed to configure JasperServer to authenticate users with AD, but I'm having problems with AD group sync with JasperServer roles for one organization only.

The testing version of JasperServer is 6.3, where I've followed the instructions from:

JasperReports Server 6.0.1 Authentication with NTLM | Jaspersoft Community 

 

Problem is that every user gets only the default role ROLE_USER when logging into JasperServer.

It looks like it ignores the groupSearchFilter property "(&(sAMAccountName={0})(objectclass=group)(cn=JASPER_*))" in the ldapAuthenticationProvider bean.

 

 

The scenario which I'm reproducing:

- Two groups in AD: JASPER_GROUP1, JASPER_GROUP2

- Two roles in JasperServer: ROLE_GROUP1, ROLE_GROUP2

 

So if a user is in JASPER_GROUP1, then on logging into JasperServer they need to be assigned the ROLE_GROUP1 role.

Reading the documentation, this is possible, and others were able to set up this kind of integration.

 

I'm pasting the beans (applicationContext-externalAuth-LDAP-mt.xml) in case somebody has an idea what could be wrong.

 

    <bean id="ldapAuthenticationManager" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.JSProviderManager">
        <property name="providers">
            <list>
                <ref local="ldapAuthenticationProvider"/>
                <ref bean="${bean.daoAuthenticationProvider}"/>
            </list>
        </property>
    </bean>

 

    <bean id="ldapAuthenticationProvider" class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSLdapAuthenticationProvider">
        <constructor-arg>
            <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSBindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSDefaultLdapAuthoritiesPopulator">
                <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                <constructor-arg index="1"><value>OU=REPORTING</value></constructor-arg>
                <property name="groupRoleAttribute" value="CN"/>
                <property name="rolePrefix" value="ROLE_"/>
                <property name="convertToUpperCase" value="true"/>
                <property name="groupSearchFilter" value="(&amp;(sAMAccountName={0})(objectclass=group)(cn=JASPER_*))"/>
                <property name="searchSubtree" value="true"/>
            </bean>
        </constructor-arg>
    </bean>

 

    <bean id="userSearch"
          class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.ldap.JSFilterBasedLdapUserSearch">
        <constructor-arg index="0">
            <value></value>
        </constructor-arg>
        <constructor-arg index="1">
           <value>(sAMAccountName={0})</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="ldapContextSource" />
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
    </bean>

 

    <bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
        <constructor-arg value="ldap://hostname:389/dc=demo,dc=local"/>
        <!-- manager user name and password (may not be needed)  -->
        <property name="userDn" value="CN=jasperadmin,OU=REPORTING,DC=demo,DC=local"/>
        <property name="password" value="<password>"/>
        <property name="referral" value="follow"/>
    </bean>

 

 

Also, here is the role mapping I've set:

 

    <bean id="mtExternalUserSetupProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTExternalUserSetupProcessor" parent="abstractExternalProcessor">
        <!-- Default permitted role characters; others are removed. Change regular expression to allow other chars. -->
        <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>

        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>
        <property name="organizationRoleMap">
            <map>
                <!-- Example of mapping customer roles to JRS roles -->
                <entry>
                    <key>
                        <value>ROLE_JASPER_GROUP1</value>
                    </key>
                    <!-- JRS role that the <key> external role is mapped to-->
                    <value>ROLE_GROUP1</value>
                </entry>
            </map>
        </property>

    </bean>

 

Best Regards,

 

Domagoj
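
Added example, not part of the original post and not Jaspersoft code: a small Python model of how the posted beans turn AD groups into JasperServer roles. It assumes JSDefaultLdapAuthoritiesPopulator follows Spring Security's DefaultLdapAuthoritiesPopulator, where {0} in groupSearchFilter is the authenticated user's full DN and {1} is the login name; the directory entries, the user "tuser" and the (member={0}) comparison filter are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data (not taken from the poster's directory).
USER_DN = "CN=Test User,OU=REPORTING,DC=demo,DC=local"
GROUPS = [
    {"objectclass": "group", "cn": "JASPER_GROUP1",
     "sAMAccountName": "JASPER_GROUP1", "member": [USER_DN]},
    {"objectclass": "group", "cn": "JASPER_GROUP2",
     "sAMAccountName": "JASPER_GROUP2", "member": []},
]
POSTED_FILTER = "(&(sAMAccountName={0})(objectclass=group)(cn=JASPER_*))"
MEMBER_FILTER = "(&(member={0})(objectclass=group)(cn=JASPER_*))"  # assumed alternative
ROLE_MAP = {"ROLE_JASPER_GROUP1": "ROLE_GROUP1"}  # organizationRoleMap from the post


def matches(entry, clauses, user_dn, username):
    """AND of simple (attr=value) clauses; '*' is a wildcard, compare case-insensitively."""
    for attr, pattern in clauses:
        pattern = pattern.replace("{0}", user_dn).replace("{1}", username)
        values = entry.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if not any(fnmatchcase(v.lower(), pattern.lower()) for v in values):
            return False
    return True


def external_roles(group_filter, user_dn, username,
                   prefix="ROLE_", permitted=r"[A-Za-z0-9_]+"):
    """Groups matching the filter -> rolePrefix + upper-cased CN, unpermitted chars removed."""
    clauses = re.findall(r"\(([^()=&|!]+)=([^()]*)\)", group_filter)
    roles = []
    for group in GROUPS:
        if matches(group, clauses, user_dn, username):
            name = prefix + group["cn"].upper()
            roles.append("".join(re.findall(permitted, name)))
    return roles


def mapped_roles(ext_roles, role_map, defaults=("ROLE_USER",)):
    """Simplified model: default internal roles plus mapped roles only."""
    return sorted(set(defaults) | {role_map[r] for r in ext_roles if r in role_map})


if __name__ == "__main__":
    for label, flt in (("posted", POSTED_FILTER), ("member", MEMBER_FILTER)):
        ext = external_roles(flt, USER_DN, "tuser")
        print(label, ext, mapped_roles(ext, ROLE_MAP))
```

In this model the posted filter compares each group's sAMAccountName with the user's DN, so no group matches and only the default role remains. Groups also have to sit under the configured search base (OU=REPORTING in the post) to be found at all.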
