
Denodo Virtual DataPort can extract data from an LDAP server and can also delegate its authentication and authorization to one. This article explains how to obtain the permissions that LDAP users hold over the elements of a Virtual DataPort database. This is useful for user and role management and for troubleshooting privilege-related issues in the Denodo Platform.

We will create the views described in the following sections to obtain the required information.

Define an LDAP data source in VDP

To create an LDAP data source, the Server URI and the credentials (Login and Password) used to bind to the LDAP server have to be provided.

The URI and credentials are the same ones that any third-party LDAP client would use, so such a client can be used to test connectivity to the LDAP server before configuring the data source. The expected format of the connection URI is ldap://<host_name>:<port>/. Optionally, the base Distinguished Name (DN) can be appended to the URI. If the server supports LDAP over TLS, use the ldaps:// scheme and the secure port instead: a simple bind over plain ldap:// sends the login password in cleartext.

If the LDAP users are organized in domains, the domain name has to be provided as part of the login using the syntax <domain>\<username>.

Import roles from the LDAP server

It is recommended to use the Import Roles tool (see the section "Creating Roles" of the Virtual DataPort Administration Guide). The 'Role Search Pattern' used to search for the roles should express what distinguishes a role entry in terms of its objectClass. In this article we use (objectClass=group) to search all groups and import every group as a role.

Note: if your LDAP elements (users/roles) contain Unicode characters, you need to set "Unicode - Case sensitive" as the identifiers charset at the global server level (Administration > Server configuration > Identifiers charset).

Assign the privileges to imported LDAP roles

After importing the roles from the LDAP server, we can select each role and either assign privileges to it directly or assign other predefined roles to it. It is recommended to use two VDP Administration Tool sessions at the same time to simplify the process:

  • A VDP Administration Tool connected as an administrator, which configures the privileges of the role.
  • A VDP Administration Tool connected as a normal user that belongs to the role whose privileges are being assigned, to check that the result is as expected. Any time the privileges of this user or of its roles change, the user has to reconnect to the VDP Administration Tool for the new configuration to take effect.

Create base views to obtain the users and groups

Next we will create base views for users and groups from the LDAP server. To create an LDAP base view, open the data source and click Create base view. In the box at the top of the dialog, search for the user object class and its attributes, then click Create selected. The Tool displays the schema that the base view bv_user will have, as shown below.

We will create the base view for the groups from an LDAP expression, which is delegated to the LDAP server. To do this, click Create from LDAP expr. The Tool shows a form to enter the expression, e.g. (&(objectClass=group)) in this article. Select the group attributes and we obtain the base view bv_group shown below.

Create derived views to make transformation

Because the base view bv_user contains an array field, memberof (one entry per group the user is a direct member of), we will create a derived view that flattens this array. We will name the new derived view dv_user.

To keep only the groups that were imported as roles from the LDAP server, we filter the distinguishedname of the groups with the condition below and create a new view that we will call dv_role:

bv_group.distinguishedname like '%OU=groups,DC=denodo,DC=loc%'

Note that this is a substring match: it also matches any DN that merely contains that text, such as groups in a sub-OU or in a differently named domain whose DN starts with the same characters. If the groups are located directly under that OU, drop the trailing % so the pattern only matches DNs that end with the OU.

Create Join views to obtain role privileges of LDAP users

To find out which roles an LDAP user belongs to, we will create a join view (dv_user_role) between dv_user and dv_role with dv_user.memberof = dv_role.distinguishedname as the join condition. This is an exact string comparison, so the DN stored in memberof and the distinguishedname of the group have to agree in casing and spacing for the membership to be matched.

Finally, we will join the dv_user_role view with the predefined stored procedure CATALOG_PERMISSIONS to obtain the role privileges of the LDAP users. This information can be stored as a view, dv_user_role_privilege, with the following VQL:

CREATE OR REPLACE VIEW dv_user_role_privilege FOLDER = '/04 - integration views' AS
  SELECT *
  FROM dv_user_role AS a
  INNER JOIN catalog_permissions() AS b
  ON a.cn = b.rolename_in;
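The view chain above (flatten memberof, filter the groups OU, join user to role, join role to permissions) is easy to reason about with a small offline walk-through. The following Python script is an added example, not Denodo code and not part of the original article: it replays the same steps over constructed sample rows that stand in for bv_user, bv_group and the output of CATALOG_PERMISSIONS() (the field name rolename_in and the privilege values are assumptions made for the example). It also shows two things the view definitions alone do not: a memberof value whose DN casing differs from the group's distinguishedname is silently dropped by an exact-string join, and the substring pattern '%OU=groups,DC=denodo,DC=loc%' also matches a group under a different domain whose DN begins with the same characters.

```python
"""Offline replay of the dv_user -> dv_role -> dv_user_role -> dv_user_role_privilege chain.
Added example with constructed data; it does not connect to LDAP or to Denodo."""
from typing import Dict, List, Tuple

ROLES_OU = "OU=groups,DC=denodo,DC=loc"  # same OU the article filters on

# Constructed stand-ins for the LDAP base views. Not real directory data.
BV_USER: List[Dict] = [
    {"cn": "alice", "distinguishedname": "CN=alice,OU=users,DC=denodo,DC=loc",
     "memberof": ["CN=analysts,OU=groups,DC=denodo,DC=loc",
                  "CN=vpn-users,OU=infra,DC=denodo,DC=loc"]},
    {"cn": "bob", "distinguishedname": "CN=bob,OU=users,DC=denodo,DC=loc",
     "memberof": ["cn=Admins,ou=Groups,dc=denodo,dc=loc"]},  # same group, different casing
    {"cn": "carol", "distinguishedname": "CN=carol,OU=users,DC=denodo,DC=loc",
     "memberof": []},
]
BV_GROUP: List[Dict] = [
    {"cn": "analysts", "distinguishedname": "CN=analysts,OU=groups,DC=denodo,DC=loc"},
    {"cn": "admins", "distinguishedname": "CN=admins,OU=groups,DC=denodo,DC=loc"},
    {"cn": "vpn-users", "distinguishedname": "CN=vpn-users,OU=infra,DC=denodo,DC=loc"},
    {"cn": "legacy", "distinguishedname": "CN=legacy,OU=groups,DC=denodo,DC=local"},  # other domain
]
# Constructed stand-in for CATALOG_PERMISSIONS() rows; field names are assumptions.
CATALOG_PERMISSIONS: List[Dict] = [
    {"rolename_in": "analysts", "dbname": "sales", "elementname": "customer", "privileges": ("EXECUTE",)},
    {"rolename_in": "admins", "dbname": "sales", "elementname": None, "privileges": ("CONNECT", "WRITE")},
    {"rolename_in": "admins", "dbname": "admin", "elementname": None, "privileges": ("CONNECT", "WRITE", "CREATE")},
]


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs on unescaped commas (RFC 4514 backslash escaping)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: attribute types are case-insensitive in LDAP and
    Active Directory treats DN values case-insensitively, so fold case and trim spaces."""
    return ",".join(part.lower() for part in split_dn(dn))


def parent_dn(dn: str) -> str:
    return ",".join(split_dn(dn)[1:])


def flatten_memberof(users: List[Dict]) -> List[Tuple[str, str]]:
    """dv_user: one (user cn, group DN) row per memberof entry."""
    return [(u["cn"], member) for u in users for member in u["memberof"]]


def substring_matches(groups: List[Dict], fragment: str) -> List[str]:
    """Groups whose DN contains the fragment, i.e. what LIKE '%fragment%' expresses."""
    return [g["cn"] for g in groups if fragment in g["distinguishedname"]]


def roles_in_ou(groups: List[Dict], roles_ou: str = ROLES_OU) -> List[Dict]:
    """dv_role: groups located directly under the roles OU (exact parent, not a substring)."""
    return [g for g in groups
            if normalize_dn(parent_dn(g["distinguishedname"])) == normalize_dn(roles_ou)]


def user_roles(users: List[Dict], groups: List[Dict], roles_ou: str = ROLES_OU):
    """dv_user_role with DN normalization. Returns (matched (user, role), unmatched (user, DN))."""
    by_dn = {normalize_dn(g["distinguishedname"]): g["cn"] for g in roles_in_ou(groups, roles_ou)}
    matched, unmatched = [], []
    for user, member_dn in flatten_memberof(users):
        role = by_dn.get(normalize_dn(member_dn))
        if role is None:
            unmatched.append((user, member_dn))  # membership in a group that is not a role
        else:
            matched.append((user, role))
    return matched, unmatched


def exact_match_losses(users: List[Dict], groups: List[Dict], roles_ou: str = ROLES_OU):
    """Memberships the exact-string join (memberof = distinguishedname) would drop even though
    the directory considers the two DNs equal."""
    role_dns = {g["distinguishedname"] for g in roles_in_ou(groups, roles_ou)}
    normalized = {normalize_dn(d) for d in role_dns}
    return [(u, m) for u, m in flatten_memberof(users)
            if m not in role_dns and normalize_dn(m) in normalized]


def user_role_privileges(users: List[Dict], groups: List[Dict], permissions: List[Dict],
                         roles_ou: str = ROLES_OU):
    """dv_user_role_privilege: (user, role, dbname, elementname, privileges) per permission row."""
    matched, _ = user_roles(users, groups, roles_ou)
    return [(user, role, p["dbname"], p["elementname"], p["privileges"])
            for user, role in matched for p in permissions if p["rolename_in"] == role]


if __name__ == "__main__":
    for row in user_role_privileges(BV_USER, BV_GROUP, CATALOG_PERMISSIONS):
        print(row)
    print("dropped by exact join:", exact_match_losses(BV_USER, BV_GROUP))
    print("LIKE over-matches:", substring_matches(BV_GROUP, ROLES_OU))
```

Running the script lists alice's and bob's effective privileges, reports bob's "cn=Admins,ou=Groups,..." membership as one that the exact-string join in dv_user_role would lose, and shows that the substring pattern picks up the group in DC=local as well. When the real views return fewer user/role rows than expected, comparing memberof values and group DNs after normalization as done here is a quick way to tell a casing mismatch from a genuinely missing membership. Note also that memberof lists direct memberships only; users who reach a role through nested groups do not appear in dv_user_role.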


Virtual DataPort Administration Guide: LDAP Sources

Virtual DataPort Administration Guide: Wizard “Import Roles from LDAP”

Virtual DataPort VQL Guide: Catalog_Permissions

LDAP Authentication at server level

Importing LDAP roles in Virtual DataPort

The information provided in the Denodo Knowledge Base is intended to assist our users in advanced uses of Denodo. Please note that the results from the application of processes and configurations detailed in these documents may vary depending on your specific environment. Use them at your own discretion.
For an official guide of supported features, please refer to the User Manuals. For questions on critical systems or complex environments we recommend you to contact your Denodo Customer Success Manager.

