Overview   Package  Class  Tree  Deprecated  Index  Help 
 PREV PACKAGE   NEXT PACKAGE FRAMES    NO FRAMES    

Package com.crystaldecisions.sdk.plugin.authentication.ldap

This package allows you to map groups and their members from your LDAP user database to BusinessObjects Enterprise, verify all logon requests that specify LDAP and third-party single sign-on (SSO) authentication, and utilize the Secure Socket Layer (SSL) protocol to ensure that data transmitted across a network is not compromised.

See:
          Description

Interface Summary
IsecLDAP This interface provides the constants necessary to configure and manage LDAP authentication.
IsecLDAP.CeAuthType Specifies the types of authentication for Secure Socket Layer (SSL) server authentication.
IsecLDAP.CeServerSSLStrength Specifies the types of server-side Secure Socket Layer strength.
IsecLDAP.CeSSOAccessMode Specifies the single sign-on (SSO) access mode.
IsecLDAP.CeSSOVendor Specifies the single sign-on (SSO) vendor.
IsecLDAPBase This class provides properties and methods that map LDAP principals (users and groups) to BusinessObjects Enterprise, configure security options for network communication, and manage LDAP authentication.
 

Package com.crystaldecisions.sdk.plugin.authentication.ldap Description

This package allows you to map groups and their members from your LDAP user database to BusinessObjects Enterprise, verify all logon requests that specify LDAP and third-party single sign-on (SSO) authentication, and utilize the Secure Socket Layer (SSL) protocol to ensure that data transmitted across a network is not compromised.

Retrieving an authentication plugin

Unlike the desktop plugins, the authentication plugins are static, and objects cannot be created from them. It follows that since no instances of the plugin exist, you must retrieve the plugin itself. Each type of authentication plugin in BusinessObjects Enterprise is represented by an InfoObject. These objects are stored in the CI_SYSTEMOBJECTS category in the CMS InfoStore, and must be retrieved using the SI_NAME property.

Example

The following example retrieves the secLDAP authentication plugin:

IInfoObjects authObjs = iStore.query( "SELECT TOP 1 * FROM CI_SYSTEMOBJECTS WHERE SI_NAME='secLDAP'");

The query method returns a collection of InfoObjects, which in this case contains only one item--the secLDAP plugin object. Like other InfoObjects, this object is uniquely represented by its ID property. You can also access general InfoObject properties, such as the SI_NAME property, SI_DESCRIPTION property, and SI_ID property.

To access the IsecLDAP objects returned by the query, the resulting IInfoObjects need to be cast. This example demonstrates how to cast the returned IInfoObjects as IsecLDAP objects:

IInfoObject obj = (IInfoObject) authObjs.get(0);
IsecLDAP ldapAuth = (IsecLDAP) obj;

Mapping a third-party user group

A third-party group can be mapped over to BusinessObjects Enterprise in two ways. The third-party group alias name can be added to a new IUserGroup or it can be added to an existing group. Once the IUserGroupAlias for the third-party user group has been added to the IUserGroup, the collection must then be committed to the CMS. Before committing, ensure that the IUserGroupAlias's setDisabled method is set to false. Also be aware that adding an alias to an existing user group is not the same as re-assigning the third-party alias. Re-assignment is not handled by the CMS and must be done manually.

Once the appropriate third-party user group aliases have been created and added to an IUserGroup, the third-party user group is ready to be imported. In order to trigger the import of the third-party users, the third-party plugin InfoObject needs to be updated. It is important to note that merely adding the third-party group alias to a group does not trigger the import of the users.

To import LDAP users from a previously mapped third-party group:

  1. Query for the IUserGroup to which the third-party group alias to be mapped was added.
  2. Iterate through the returned group collection and construct a semi-colon separated string of LDAP aliasIDs. Use the IUserGroupAlias object's getAuthentication() and getID() methods to retrieve the required information.
  3. Query for the LDAP plugin InfoObject. See Retrieving an authentication plugin.
  4. Append the string of LDAP group aliasIDs to the authentication plugin's SI_MAPPED_GROUPS property.
  5. Modify the plugin's SI_ALIAS_AUTOADD and SI_MAPPED_GROUPS properties depending on the desired system behavior.
  6. Commit the plugin to the CMS.
    If the commit is successful, the third-party user group's users will be imported into BusinessObjects Enterprise.
Note: The third-party group aliasIDs in the semi-colon separated string will not have the authentication name prefix. For example, a sample LDAP SI_MAPPED_GROUPS string would look like the following: "cn=groupA,ou=groups,o=company;cn=groupB.ou=groups,o=company".

Change properties before committing

You must change at least one property of this plugin before you commit it to the CMS repository. Unchanged class instances result in a match between the information stored in the application memory and the information in the database memory. As a result, the CMS repository will not write anything to the database.

Even if you do not want to change the properties of a class instance, you can toggle one of its properties to let it commit to the CMS repository. In the example below, secADInterface has its AliasAutoAdd property initially set to false. If you want to commit secADInterface but not change any of its properties, you can set AliasAutoAdd to true and then back to false.

secADInterface.setAliasAutoAdd(true);
secADInterface.setAliasAutoAdd(false);
infoStore.commit(infoObjects);

Related Documentation

See Also:
CePropertyID.SI_MAPPED_GROUPS, CePropertyID.SI_ALIAS_AUTOADD, CePropertyID.SI_ALIAS_AUTOCREATE
Overview   Package  Class  Tree  Deprecated  Index  Help 
 PREV PACKAGE   NEXT PACKAGE FRAMES    NO FRAMES