User Authentication with External Directory Services
To authenticate a user, Jedox can use external directory services such as Microsoft Active Directory Services or other LDAP directory services. To use these external directory services, Jedox OLAP must be set up properly with Jedox Supervision Server, which is used to monitor actions in the Jedox OLAP Server. If an action (such as user login) is controlled, a PHP script can start further actions.
As User Authentication and User Authorization happen upon user login, you need to make the following changes.
User Authenticate
To activate user authentication, you need to add/activate these lines in the palo.ini file in the olap folder:
worker "path to supervisionserver executable"
workerlogin authentication
If this event is intercepted, the user/password combination transmitted from the client is not authenticated by Jedox itself. The Supervision Server transmits the user/password combination to the established directory service. This service authenticates the user and, if successful, the user can work with Jedox.
The permissions (authorizations) are still administrated in Jedox. The user must be administrated both in the Directory Service as well as in Jedox. The users are administrated in Jedox.
User Authorize
To activate user authorization, you need to add/activate these lines in the palo.ini file in the olap folder:
worker "path to supervisionserver executable"
workerlogin authorization
In addition to user authentication, directory service returns all groups in which the user is a member. The advantage here is that the user does not have to be created in Jedox. The authorization takes place only according to the group level. In Jedox itself, only the groups and their assignments to roles must be administered, and if a user is deleted or assigned to other groups in the directory service, no further action is required. New users can also be added easily and centrally. However, note that groups that are deleted or renamed in the directory must be adjusted in Jedox.
Sample scripts
You can find example scripts in the sample folder of the SVS installation. Note that scripts that are kept in sample_scripts will be overwritten during a Jedox update. Scripts that are intended to be used for a longer period of time should be copied to custom_scripts.
Using ./sample_scripts/sep.inc.adldap_sample.php as a reference script:
1: Copy the file sep.inc.adldap_sample.php, and the folder adLDAP from ...\Jedox\Jedox Suite\svs\sample_scripts and paste them in ..\Jedox\Jedox Suite\svs\custom_scripts
2: Open <svs_dirctory>/sep.inc.php
3: Change
<?php
include './custom_scripts/sep.inc.default.php';
?/
to
<?php
include './custom_scripts/sep.inc.adldap_sample.php';
?>
4: Save and go to the custom_scripts folder.
5: Open sep.inc.adldap_sample.php and change
function AuthHelper($username, $password, array& $groups)
{
// change the following lines to your needs
$server = array('example.com');
$account_suffix = '@myad.local';
...
to
function AuthHelper($username, $password, array& $groups)
{
// change the following lines to your needs
$server = array('myldapserver.com');
$account_suffix = '@mycompany.com';
...
Notes:
-
Name or address of your LDAP server can also be an array of several servers.
-
In most cases these are the only parameters that need to be adjusted.
6: In the [PHP] section of the php.ini in <Jedox>/svs/php.ini add:
extension=php_ldap.dll
7: Save and restart OLAP.
Updated September 27, 2022