How to obtain permissions of LDAP users

Applies to: Denodo 8.0, Denodo 7.0
Last modified on: 04 Mar 2021
Tags: Administration LDAP



Goal

Denodo Virtual DataPort can extract data from an LDAP server and can also delegate user authentication and authorization to an LDAP server. This article explains how to obtain the permissions that LDAP users hold over the elements of a Virtual DataPort database. This is useful for user and role management and for troubleshooting privilege issues in the Denodo Platform, for example to answer "which LDAP users can execute this view?" or "why does this user lack a privilege?".

We will build the following chain of views to obtain that information: two base views over the LDAP server (users and groups), derived views that flatten the user's group membership and keep only the groups that were imported as roles, a join view that relates users to roles, and a final join with the catalog_permissions stored procedure that yields the privileges of each role.

Define an LDAP data source in VDP

To create an LDAP data source, the Server URI and the credentials (Login and Password) used to bind to the LDAP server have to be provided.

The URI and credentials for the LDAP data source are the same ones that any third-party LDAP client (for example ldapsearch) would use, so such a client can be used to test the connection to the LDAP server before configuring Virtual DataPort. The expected format of the connection URI is ldap://<host_name>:<port>/. Optionally, the base Distinguished Name (DN) can be appended to the URI.

If the LDAP users are organized in domains, the domain name has to be provided as part of the login using the syntax <domain>\<username>.

Import roles from the LDAP server

It is recommended to use the Import Roles tool (see the section "Creating Roles" of the Virtual DataPort Administration Guide). The 'Role Search Pattern' used to search for the roles should be an LDAP filter that identifies the group entries by their objectClass. In this article we use (objectClass=group), which matches all the groups and imports all of them as roles.

Note: If your LDAP elements (users or roles) have Unicode characters in their names, you will need to set "Unicode - Case sensitive" as the identifiers charset at server level (Administration > Server configuration > Identifiers charset).

Assign the privileges to imported LDAP roles

After importing the roles from the LDAP server, select each role and assign privileges to it, or assign other predefined roles to it. It is recommended to keep two Administration Tool sessions open at the same time to simplify the process:

  • An Administration Tool connected with an administrator user that configures the privileges of the role.
  • An Administration Tool connected with a normal user that belongs to the role whose privileges are being assigned, to check that the result is what you expect. Whenever the privileges of this user or of its roles change, the user has to reconnect to the Administration Tool for the changes to take effect.

Create base views to obtain the users and groups

Next we will create base views for the users and the groups of the LDAP server. To create an LDAP base view, open the data source and click Create base view. In the box at the top of the dialog, search for the user object class and select its fields. Then click Create selected; the tool displays the schema of the base view, which we will name bv_user.

We will create the base view for the groups from an LDAP expression, which is delegated to the LDAP server. To do this, click Create from LDAP expr. The tool shows a form to enter the expression, (&(objectClass=group)) in this article; select the group attributes (at least cn and distinguishedName, which are used below) and create the base view, which we will name bv_group.

Create derived views to transform the data

Since bv_user contains an array field (memberof, one element per group the user belongs to), we create a derived view that flattens it, so that there is one row per user and group. We will name this derived view dv_user.

To keep only the groups that were imported as roles from the LDAP server, filter the distinguishedname of the groups with the condition below and create a new view that we will call dv_role. Adjust the OU and domain components to the location of your groups; note that this substring match keeps every group whose DN contains that text, so use a more specific pattern if your directory has groups you do not want to treat as roles.

bv_group.distinguishedname like '%OU=groups,DC=denodo,DC=loc%'

Create Join views to obtain role privileges of LDAP users

To know which roles an LDAP user belongs to, we create a join view (dv_user_role) between dv_user and dv_role with the join condition dv_user.memberof = dv_role.distinguishedname.

Finally, we join dv_user_role with the predefined stored procedure catalog_permissions to obtain the privileges of the roles, and therefore of the LDAP users that belong to them. The join is on the group's cn, which is the name the role was imported with. This information can be stored as a view dv_user_role_privilege with the following VQL:

CREATE OR REPLACE VIEW dv_user_role_privilege FOLDER = '/04 - integration views' AS SELECT * FROM dv_user_role AS a INNER JOIN catalog_permissions() AS b ON a.cn = b.rolename_in;

Remember that catalog_permissions reports the privileges stored in the Virtual DataPort catalog; a user who was granted or removed from an LDAP group sees the change only after reconnecting.
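As an added example that is not part of the article or of Denodo, the following Python models the same chain offline on constructed data, so the logic of the flatten, filter and join steps above can be checked without a directory or a VDP server: it flattens memberof, keeps only groups under the roles OU, joins users to roles on the group DN, expands roles granted to other roles, and joins the result with rows shaped like the output of catalog_permissions. The users, groups, OU, role grants and the column names of the permission rows (rolename_in, dbname, viewname, privileges) are assumptions for illustration. It also normalizes DNs before comparing them, because LDAP DNs are case-insensitive and may carry blanks after the commas, which an exact equality join would miss.

```python
"""Offline model of the view chain described in the article (added example, not Denodo code).

All data below is constructed; the permission rows only imitate the shape of
catalog_permissions() output and their column names are assumptions.
"""
from collections import defaultdict

# Assumed OU that holds the groups imported as VDP roles (mirrors the LIKE filter of dv_role).
ROLES_OU = "ou=groups,dc=denodo,dc=loc"


def normalize_dn(dn):
    """DNs compare case-insensitively and ignore blanks around the commas, so
    normalise both sides before equating memberOf with distinguishedName."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed stand-in for bv_user; memberof is the array that dv_user flattens.
BV_USER = [
    {"samaccountname": "alice", "memberof": [
        "CN=analysts,OU=groups,DC=denodo,DC=loc",
        "CN=Domain Users,CN=Users,DC=denodo,DC=loc"]},
    {"samaccountname": "bob", "memberof": [
        "cn=admins, ou=groups, dc=denodo, dc=loc"]},     # odd case/spacing on purpose
    {"samaccountname": "carol", "memberof": [
        "CN=Domain Users,CN=Users,DC=denodo,DC=loc"]},   # member of no imported role
]

# Constructed stand-in for bv_group.
BV_GROUP = [
    {"cn": "analysts", "distinguishedname": "CN=analysts,OU=groups,DC=denodo,DC=loc"},
    {"cn": "admins", "distinguishedname": "CN=admins,OU=groups,DC=denodo,DC=loc"},
    {"cn": "Domain Users", "distinguishedname": "CN=Domain Users,CN=Users,DC=denodo,DC=loc"},
]

# Constructed stand-in for catalog_permissions() rows (one per role and view). Column names assumed.
CATALOG_PERMISSIONS = [
    {"rolename_in": "analysts", "dbname": "sales", "viewname": "orders", "privileges": {"CONNECT", "EXECUTE"}},
    {"rolename_in": "analysts", "dbname": "sales", "viewname": "customers", "privileges": {"CONNECT", "EXECUTE"}},
    {"rolename_in": "admins", "dbname": "sales", "viewname": "orders", "privileges": {"CONNECT", "EXECUTE", "WRITE"}},
]

# Roles granted to other roles (the "assign other predefined roles to this role" step). Assumed.
ROLE_GRANTS = {"admins": {"analysts"}}


def dv_user(bv_user):
    """Flatten the memberof array: one row per (user, group DN)."""
    return [{"samaccountname": u["samaccountname"], "memberof": normalize_dn(dn)}
            for u in bv_user for dn in u["memberof"]]


def dv_role(bv_group, roles_ou=ROLES_OU):
    """Keep only groups under the roles OU. A suffix match is stricter than
    LIKE '%OU=groups,...%', which also matches a DN containing that text elsewhere."""
    return [{"cn": g["cn"], "distinguishedname": normalize_dn(g["distinguishedname"])}
            for g in bv_group
            if normalize_dn(g["distinguishedname"]).endswith("," + roles_ou)]


def dv_user_role(bv_user, bv_group):
    """Join dv_user to dv_role on the group DN: user -> set of imported role names (group cn)."""
    cn_by_dn = {r["distinguishedname"]: r["cn"] for r in dv_role(bv_group)}
    roles = defaultdict(set)
    for row in dv_user(bv_user):
        cn = cn_by_dn.get(row["memberof"])
        if cn is not None:
            roles[row["samaccountname"]].add(cn)
    return dict(roles)


def expand_roles(direct, grants):
    """Transitive closure over role-to-role grants, safe against cycles."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(grants.get(role, ()))
    return seen


def user_privileges(user, bv_user=BV_USER, bv_group=BV_GROUP,
                    perms=CATALOG_PERMISSIONS, grants=ROLE_GRANTS):
    """Effective privileges of one LDAP user: {(database, view): set of privileges}."""
    roles = expand_roles(dv_user_role(bv_user, bv_group).get(user, set()), grants)
    out = defaultdict(set)
    for p in perms:
        if p["rolename_in"] in roles:
            out[(p["dbname"], p["viewname"])] |= p["privileges"]
    return dict(out)


def who_can(dbname, viewname, privilege, bv_user=BV_USER, **kw):
    """Reverse question for troubleshooting: which LDAP users hold a privilege on a view."""
    return sorted(u["samaccountname"] for u in bv_user
                  if privilege in user_privileges(u["samaccountname"], bv_user=bv_user, **kw)
                  .get((dbname, viewname), set()))


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, user_privileges(name))
    print("WRITE on sales.orders:", who_can("sales", "orders", "WRITE"))
```

In the constructed data bob's memberof value differs from the group's distinguishedName only in case and spacing; without normalize_dn the join would drop him and he would appear to have no privileges, which is the kind of false negative to look for when the view chain in VDP shows fewer rows than expected. Carol belongs only to a group outside the roles OU, so she correctly gets no privileges.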

References

Virtual DataPort Administration Guide: LDAP Sources

Virtual DataPort Administration Guide: Wizard “Import Roles from LDAP”

Virtual DataPort VQL Guide: Catalog_Permissions

LDAP Authentication at server level

Importing LDAP roles in Virtual DataPort
