[CLOSED] How can WF Integrate with ActiveDirectory,LDAP ?
I was trying to find some documentation regarding this.... can anyone help me outThis message has been edited. Last edited by: Kerry,
Webfocus 7702,Windows XP
May 26, 2011, 06:53 AM
I am interested in the answer. During the next summit (june 12- june 16) there are some classes (labs) that will explain how this could work. I am intended to follow those sessions. I hope they also will provide me with some interesting documentation.
prod: WF 7.6.10 platform Windows, databases: msSQL2000, msSQL2005, RMS, Oracle, Sybase,IE7 test: WF 7.6.10 on the same platform and databases,IE7
May 26, 2011, 08:09 AM
If you want to integrate MRE/Dashboard Authorisation and Authetifcation please look at following manual:
Before you start integrating AD with the WebFOCUS product, its good to have a high level understanding of the WebFOCUS security architecture.
A quick overview that can help with this is an article I wrote here:
Its about 6-8 pages of high level overview of the places in the WebFOCUS product where security is implemented.
With that in mind, there are a number of different ways to integrate with AD.
If you're looking for your user's to be prompted for credentials by WebFOCUS once, then I recommend: Managed Reporting Authentication -> WFRS Reporting Server Security -> LDAP (Against AD)
If you're looking for your user's to never be prompted for credentials besides the logon to their computer, I recommend: IWA enabled on IIS web server Managed Reporting Security -> TRUSTED (REMOTE_USER) Reporting Server Security -> LDAP (Against AD) with TRUST_EXT set to Y to allow a trusted connection (LDAP_AD_ONLY must also be set to N).
With the Reporting Server node within the WebFOCUS Admin Console configured for Trusted security passing the WebFOCUS Variable WF_REMOTE_USER.
If you plan on using database level security based on each user's userid using SQL Server, etc, and you don't want your users to be prompted for credentials at all, I recommend setting up Kerberos according to TM4647.
All of the options outlined above outline authentication options, and don't touch the topic of authorization.
Reporting Server authorization can be controlled by the LDAP group, or with group profiles.
Managed Reporting authorization can reside in AD, but I don't recommend it due to its complexity to maintain. Typically putting the authorization data in a DBMS is much easier to maintain and is the way to go.
WebFOCUS 8.0 is going to have quite a few changes that should allow for greater integration with AD.
Originally posted by FrankDutch: I am interested in the answer. During the next summit (june 12- june 16) there are some classes (labs) that will explain how this could work. I am intended to follow those sessions. I hope they also will provide me with some interesting documentation.
Frank, I think those sessions you are referencing are the ones I'm teaching.
I've got a lab on using Tomcat Security with Active Directory (Sunday at 2pm).
A presentation on LDAP, AD & The WebFOCUS Product (Tuesday 1:30PM).
And a lab on using Web Services with the WebFOCUS product (Tuesday at 2:45pm) . In that lab I'll be pulling users and groups from AD, and inserting them into MR using a FEX, web services adapter, and the MR web services. A co-presenter, Gerry Snyder, will then be scheduling one of those FEXes in ReportCaster using web services.
If you're looking at using out-of-the-box functionality to go against AD, the presentation Tuesday at 1:30pm is probably what you most want to see. You might find the two labs interesting as well, but they're more side-topics for special situations.