Using LDAP Server's Security Information

Using by importing from the LDAP server

Importing LDAP users automatically

Importing LDAP users and groups manually

Synchronizing local security information with that of LDAP server

Defining role maps

Using by the LDAP implementation of the Security API

The JReport Server security system can run two modes in which you can use an LDAP server's security system: importing mode and non-importing mode. Below diagram illustrates these two working modes:

Working Mode

Importing mode: You can import LDAP server's security information into the JReport Server security system (red line) so as to use them in JReport Server.

Non-importing mode: JReport Server can access an LDAP server and obtain LDAP security information directly using the LDAP implementation of the Security API (blue line).

Using by importing from the LDAP server

LDAP server's security information can be imported into the JReport Server security system either automatically or manually. You can also schedule a task to synchronize the security information of JReport Server with that of the LDAP server so as to get the LDAP server's most current security information. By predefining role maps, you can make JReport Server automatically assign the imported LDAP users to specific JReport Server roles.

Importing LDAP users automatically

If the Enable Auto-Import of Users from LDAP Server option in the Configuration > LDAP > Server tab is checked while configuring the LDAP server, LDAP users will automatically be imported into JReport Server when they log in for the first time. The Enable LDAP and Enable Auto-Import of Users from LDAP Server options in the Configuration > LDAP > Server tab work together. The former determines whether an imported LDAP user can be used in JReport Server, and the latter determines whether LDAP users can be imported automatically, as shown in the following table:

Checked =Checked; =Unchecked

	Enable LDAP	Enable Auto-Import of Users from LDAP Server	Can be used
Local User			YES
			YES
			YES
			YES
Imported LDAP User			YES
			YES
			NO
			NO
Non-Imported LDAP User			YES
			NO
			NO
			NO

Importing LDAP users and groups manually

You can also import LDAP users and groups into JReport Server's security system manually.

In the JReport Server console, point to Administration on the system toolbar, and then click Security > LDAP from the drop-down menu to open the LDAP page. Click the Import tab.
Specify whether LDAP users will overwrite local users or be replaced by local users after LDAP users are imported into JReport Server.
If you have imported users/groups from the LDAP server to JReport Server before and you want to import them again, in order to prevent the information of the users/groups on JReport Server from being overwritten by the newly imported users/groups, you should check Local users overwrite LDAP users and then import the users/groups.
To view the LDAP users and groups that have the same names as the users and groups in JReport Server, click the List Users and List Groups buttons.
Import the LDAP users and groups to JReport Server.
- To import LDAP users click Import Users, the users on the LDAP server are then listed. To import some of them, select them and then click Import; to import all of them, click Import All.
- To import LDAP groups click Import Groups, the groups on the LDAP server are then listed. To import some of them, select them and then click Import; to import all of them, click Import All.
- To import all LDAP users and groups, click the Import All button.
The selected or all LDAP users/groups will then be imported based on the specified overwriting rule. Any LDAP group that has the same name as a group on JReport Server will be merged into the local group.

Notes:

There is an admin group named Administrators on the LDAP Server. If you perform an import operation, all groups will then be imported except for the Administrators group.
In the case of a non-admin group on the LDAP Server having the same name as a non-admin group on JReport Server, if you perform an import operation, all users from the non-admin group on the LDAP Server will be merged into the non-admin group of JReport Server.
When the system built-in admin user logs in JReport Server, JReport always tries the system built-in password first (admin by default). This is to provide a backdoor password for admin user in case the LDAP server is down.

Synchronizing local security information with that of LDAP server

In order to have the most current security information, you can schedule a task to synchronize the security information of JReport Server with that of the LDAP server. The synchronization process first compares the security information on both JReport Server and the LDAP server. Then if necessary, it updates the information on JReport Server so that both sides are consistent. However, for security reasons this process does not automatically import the newly-added users or groups from the LDAP server.

To schedule a synchronization task:

In the Administration > Security > LDAP page, go to the Synchronize tab.
Click the Edit link in the LDAP Synchronization Schedule Settings table.
From the Select time type to synchronize drop-down list, specify the time for when the task is to be performed.
- To run the task at a specified time, select Run this task at, then define the date and time according to your requirement.
- If you want to run the task repeatedly, select Run this task periodically, then specify the duration, date and time accordingly.
Click Save to apply the schedule settings.

Information about the synchronization task is then displayed in LDAP Synchronization Schedule Settings table and the synchronization task is enabled by default. You can perform the following operations on the task:

To edit the task, click the Edit link and then modify the schedule settings.
To disable the task, click Disable; to enable the task again, click Enable.
To view information about the last run of the synchronization task, click the Detail link.

You can also manually start the synchronization by clicking the Synchronize Now button. Then when the synchronization is completed, the Synchronization Information table will be displayed showing which users and roles/groups have been modified and removed. Click Back to return to the Synchronize tab.

Defining role maps

You can predefine role maps for the imported LDAP users, then when an LDAP user account is imported, JReport Server can automatically assign it to specific roles created on the server according to the map. A role map consists of two parts: Search Filter String and Corresponding Role Name. When an imported LDAP user account matches the filter condition, it will automatically be added to a specific role.

To create a role map:

In the Administration > Security > LDAP page, go to the Role Map tab.
Click the Create New Role Map link.
In the Search Filter String text box, input the search filter criteria.
From the Corresponding Role drop-down list, select a role to which you want to assign the matching users.
Click Test to test the contents of the filter. The result of the test does not affect the creation of the new role map.
Click Save to create the role map.

You can create as many role maps as you need and they are listed in the role map table. For any role map you can edit it as follows:

To edit a role map, click the Edit link in the role map row and then modify the settings.
To test the contents of the filter of a role map, click Test in the role map row.
To remove unwanted role maps, select the checkboxes ahead of them and click Delete.

Using by the LDAP implementation of the Security API

JReport Server can access an LDAP server directly to look for LDAP users via LDAP Security API implementation, which could be your own LDAP implementation or be implemented using JReport's Security API (for details about the Security API, see the jet.server.api.custom.security package in the JReport Javadoc in <install_root>\help\api).

To use LDAP Security API implementation, you will need to turn on the LDAP security providers. There are three approaches to achieve this:

Via the server UI
In the Administration > Security > LDAP > Server tab, check Enable Direct Authentication to LDAP Server.
Via the LDAP configuration file
Specify the following property in the LDAPProperties.xml configuration file located in <install_root>\properties:
<env-enableNoneImportedLDAPSupport>true</env-enableNoneImportedLDAPSupport>.

If the value is true, JReport Server security system will then use the LDAP providers. The default value of this property is false.

Via API
Invoke the following two methods in the interface ConfigurationLDAPServer:

/** 
* Specifies whether or not the Server security system uses the LDAP providers.
* @return Returns true if using none imported LDAP support, otherwise returns false.
*/
public boolean isEnableNoneImportedLDAPSupport();
/**
* Specifies whether or not the Server security system uses none imported LDAP support.
* @param isEnableNoneImportedLDAPSupport Set this parameter to true if the Server 
security system uses none imported LDAP support, otherwise set it to false.
*/
public void setEnableNoneImportedLDAPSupport (boolean isEnableNoneImportedLDAPSupport);

In order to use LDAP security providers, a valid admin user is required to access the JReport Server console in order to manage JReport Server. A user that meets one of the following two rules is regarded as an admin user:

The user is a member of the LDAP admin group. The LDAP admin group is a configuration option in the LDAP configuration XML file.
The user is a member of the administrators role. The user can be granted the role by a role map.

Previous Page Next Page