
Version 4.9 and Above

With the LDAP authentication mechanism, users (and passwords) and roles (or groups) are loaded from an Active Directory or LDAP domain.

Encrypting Credentials in the Configuration

To encrypt credentials defined in dvserver-standalone.xml so that no plaintext password is stored in the file, do the following:

1. Encrypt the password via a CLI command:

SQL
CALL SYSADMIN.executeCli(script => '/subsystem=elytron/expression=encryption:create-expression(resolver=dv-encryption-resolver, clear-text=Password123)', "maskInLogs" => true) ;;

The output will be like the following:

CODE
{
	"outcome" => "success",
	"result" => {"expression" => "${ENC::dv-encryption-resolver:RUxZAUMQ42XclErCI4BDa6nzzp/r/aqx31Cu/aNwUjvCgr5Tofw=}"}
}

2. Copy the expression value to use in the configuration file like this:

CODE
<dir-contexts>
	<dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=mydomain,DC=local" url="ldap://192.168.222.102/">
		<credential-reference clear-text="${ENC::dv-encryption-resolver:RUxZAUMQ42XclErCI4BDa6nzzp/r/aqx31Cu/aNwUjvCgr5Tofw=}"/>
	</dir-context>
</dir-contexts>
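An added audit script (example code, not part of the CData Virtuality product or its documentation) that scans the dir-context entries of a configuration fragment and reports any credential-reference whose clear-text value is still a plaintext password rather than a ${ENC::...} expression from the expected resolver. The sample XML is constructed; the resolver name is the one used in the steps above.

```python
import re
import xml.etree.ElementTree as ET

# Shape of the expression returned by the create-expression CLI command:
# ${ENC::<resolver-name>:<base64 ciphertext>}
ENC_EXPRESSION = re.compile(
    r"^\$\{ENC::(?P<resolver>[^:}]+):(?P<cipher>[A-Za-z0-9+/=]+)\}$"
)


def _local(tag):
    """Strip an XML namespace prefix ({urn:...}name -> name); the real
    dvserver-standalone.xml declares namespaces on its subsystems."""
    return tag.rsplit("}", 1)[-1]


def audit_dir_contexts(xml_text, expected_resolver="dv-encryption-resolver"):
    """Return (dir-context name, finding) pairs for every credential that is
    not an encrypted expression produced by expected_resolver."""
    root = ET.fromstring(xml_text)
    findings = []
    for ctx in root.iter():
        if _local(ctx.tag) != "dir-context":
            continue
        name = ctx.get("name", "<unnamed>")
        cred = next((c for c in ctx if _local(c.tag) == "credential-reference"), None)
        if cred is None:
            findings.append((name, "no credential-reference element"))
            continue
        value = cred.get("clear-text")
        if value is None:
            findings.append((name, "credential-reference has no clear-text attribute"))
            continue
        match = ENC_EXPRESSION.match(value)
        if match is None:
            findings.append((name, "clear-text holds a plaintext password"))
        elif match.group("resolver") != expected_resolver:
            findings.append((name, f"unexpected resolver {match.group('resolver')!r}"))
    return findings


# Constructed sample: one plaintext entry and one encrypted entry (hypothetical values).
SAMPLE = """<dir-contexts>
  <dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=mydomain,DC=local" url="ldap://192.168.0.68/">
    <credential-reference clear-text="Password123"/>
  </dir-context>
  <dir-context name="ldap-encrypted" principal="CN=svc,CN=Users,DC=mydomain,DC=local" url="ldap://192.168.0.68/">
    <credential-reference clear-text="${ENC::dv-encryption-resolver:RUxZAUMQ42XclErCI4BDa6nzzp/r/aqx31Cu/aNwUjvCgr5Tofw=}"/>
  </dir-context>
</dir-contexts>"""

if __name__ == "__main__":
    for name, finding in audit_dir_contexts(SAMPLE):
        print(f"{name}: {finding}")
```

Run it against the <dir-contexts> section of your own file (with the surrounding element included so the fragment parses) to confirm every entry was converted after step 2.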

Configuration

To configure LDAP authentication, please modify dvserver-standalone.xml as follows:

1. Replace the following code:

CODE
<custom-realm class-name="com.datavirtuality.dv.core.teiid.users.DVLoginModule" module="com.datavirtuality.dv" name="DataVirtualityRealm"/>

To find this line, search for "custom-realm", as the order of the attributes in the element may differ.

with a snippet like this:

CODE
<ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
	<identity-mapping rdn-identifier="cn" search-base-dn="DC=mydomain,DC=local" use-recursive-search="true">
		<attribute-mapping>
			<attribute filter="(member={1})" filter-base-dn="OU=Users,DC=mydomain,DC=local" from="cn" to="Roles"/>
		</attribute-mapping>
	</identity-mapping>
</ldap-realm>

Alternatively, filter-based authentication (matching the user by an LDAP filter instead of the RDN) can be set up as follows:

CODE
<ldap-realm dir-context="ldap-connection" direct-verification="true" name="DataVirtualityRealm">
	<identity-mapping filter-name="(userPrincipalName={0}@mydomain.local)" rdn-identifier="userPrincipalName" use-recursive-search="true" search-base-dn="DC=mydomain,DC=local">
		<attribute-mapping>
			<attribute filter="(member={1})" filter-base-dn="OU=Users,DC=mydomain,DC=local" from="cn" to="Roles"/>
		</attribute-mapping>
	</identity-mapping>
</ldap-realm>

Adapt the values in the above fragment to the settings of your environment.

2. Find the </expression-resolver> tag and paste the following code, first replacing the required parts with your values:

CODE
<dir-contexts>
	<dir-context name="ldap-connection" principal="CN=Administrator,CN=Users,DC=mydomain,DC=local" url="ldap://192.168.0.68/">
		<credential-reference clear-text="Password123"/>
	</dir-context>
</dir-contexts>

3. Find the </policy-decider-module> tag and insert the following code below it:

CODE
<ldap>
	<property name="defaultAdminGroup" value="super-group"/>
	<property name="displayUserName" value="cn"/>
	<property name="roleRecursion" value="5"/>
</ldap>

Other properties supported by DVLdapExtContext and DVLdapContext can be added in this section.

For example, to set a conditional rule for displaying user names in the system, you can configure the following property:

CODE
<property name="displayUserName" value="has('userPrincipalName') ? stripDomain(userPrincipalName) : distinguishedName"/>