
How to Integrate LDAP within Your Business Objects Deployment
Isabelle Nuage, Stephane Perdigeon
Business Objects, November 2003
Presentation Information
 Author: Isabelle Nuage, Stephane Perdigeon
 Company: Business Objects
 Track session title
 How to Integrate LDAP within Your Business Objects Deployment
 Track session description
 More and more companies are implementing an LDAP solution in order to
maintain a centralized security repository that can be used by a variety of
applications. In this session, you’ll hear the benefits of an LDAP
deployment, and get an introduction to the new LDAP support within
BusinessObjects Enterprise 6. Learn which specific configurations are
supported, and benefit from best practices for deploying LDAP with
Business Objects products and architecture. A live demonstration will
highlight several key workflows, and you’ll also hear how to migrate
production Business Objects users to an existing LDAP directory.
Copyright © 2003 Business Objects SA - All Rights Reserved

Agenda
 Introduction
 Glossary
 LDAP Overview
 Business Objects LDAP strategy
 Scope details
 Authentication/authorization
 Installation/configuration
 Modified workflows
 Benefits and limitations
 Roadmap

Glossary

 Authentication
 Validate user identity by checking username and password
 Authorization
 Provide access to products
 Provide access to resources (web pages, documents,
universes, RDBMS)
 LDAP
 Lightweight Directory Access Protocol
 LSI file
 Security cache with user attributes calculated at login
(valid during one user session)

LDAP Overview 1/2

 What is LDAP?
 Directory of user information
 Optimized for fast read (slower for write operations)

 What is stored in LDAP?
 Any information can be stored in LDAP, but it usually stores
 User ID/password
 Information found in a rolodex: name, title, address, phone, email…
 Groups
 Profiles


LDAP Overview 2/2

 How does LDAP make your life easier?
 Single point for user administration
 No need to update passwords across applications
 No need to synchronize user lists across applications
 Answers queries quickly
 Consistent security
 Using the same authentication source and profile-based authorization scheme as
the other enterprise applications
 Integration with the corporate IT infrastructure
 Multiple applications can authenticate against the same LDAP system


Business Objects LDAP Strategy

 Leverage LDAP to provide
 Single point of user administration
 Decreased administration costs
 Simplified repository
 Ability to support more users within one deployment
 LDAP directories supported
 Microsoft Active Directory 2000
 Sun ONE Directory Server 5.1


Agenda
 Introduction
 Scope details
 Architecture
 Mapping options
 Handling exceptions
 Authentication/authorization
 Installation/configuration
 Modified workflows
 Benefits and limitations
 Roadmap

Scope Details in 6.1

 Users are stored in LDAP
 Users no longer defined in the Business Objects repository
 Business Objects clients authenticate against LDAP
 LDAP users inherit security from repository groups
 LDAP group to repository group mapping
 LDAP attribute (could be a "role" attribute) to repository group mapping


LDAP Architecture
How does it work? (architecture diagram, recovered as text)
 LDAP directory contains:
 Users
 Mapping between user and BusObj groups
 Business Objects (Security Connector / Security API), at login time:
 Authenticate
 Get BusObj groups
 Calculate the LSI file:
 List of user’s groups
 Product access and functional rights
 Universes, universe overloads
 Document list
 Repository stores:
 Documents
 Universes
 Group level: product access, functional rights, document access, universe access, universe overloads

LDAP Mapping Option 1
Business Objects repository groups attached to LDAP roles
(diagram, recovered as text: users in the LDAP directory, permissions in the repository)
 LDAP directory:
 Ou = Board
 Ou = America
 User = “John”
 · Cn = “John”
 · roles = Group 11, Group 2
 Ou = Marketing
 Repository (permissions attached to groups):
 Group 1
 Group 11
 Group 2
 Group 21

LDAP Mapping Option 1
Business Objects repository groups attached to LDAP roles
 Business Objects LDAP users are mapped to repository security profiles
 Implemented as repository groups or users
 An LDAP attribute is used for the mapping
 The attribute lists the Business Objects group(s) the user belongs to
 Access rights are attached to these repository profiles and to their parent groups


LDAP Mapping Option 2
Business Objects repository groups attached to LDAP groups
(diagram, recovered as text: users in the LDAP directory, permissions in the repository)
 LDAP directory:
 Ou = Board
 Ou = America
 User = “John”
 · Cn = “John”
 Ou = Marketing
 Group = “Group 11”
 · Members = “John”, “Scott”
 Group = “Group 2”
 · Members = “John”, “Paul”
 Repository (permissions attached to groups):
 Group 1
 Group 11
 Group 2
 Group 21

LDAP Mapping Option 2
Business Objects repository groups attached to LDAP groups
 Business Objects LDAP users belong to LDAP group(s) that exist as groups in the Business Objects repository
 Access rights are attached to these repository profiles and to their parent groups


Handling Exceptions
(diagram, recovered as text: users in LDAP, application permissions in the Business Objects repository)
 LDAP users: User 1, User 2
 Repository: Group 1, Group 11, User 1, Profile 2; permissions on resources and applications
 Users to security profiles association
 Specifics of the Business Objects security model
 Some users will still need their rights mapped to security profiles
 Supervisor, Designer
 Need to be declared in both systems
 Authenticated via LDAP
 Authorized via the repository

Agenda

 Introduction
 Scope details
 Authentication/authorization
 Installation/configuration
 Modified workflows
 Benefits and limitations
 Roadmap
 Q&A


Authentication

 A user can exist
 In the repository
 In LDAP
 Or in both
 LDAP is the corporate authentication source
 Authentication is done
 Through LDAP if the user exists in LDAP
 Through the repository if the user does not exist in LDAP,
provided repository authentication is authorized by the LDAP configuration


Authorization
 If users only exist in LDAP, authorization is made in two phases
 At login, the system retrieves the list of security profiles associated
with the user by querying the LDAP corporate directory
 Then the system computes the user’s access rights by combining the
access rights associated with the user’s security profiles in the repository
 If users are declared in both systems or only exist in the repository
 Authorization is calculated as in Enterprise 6.0, from the user’s
security attributes and its parent groups’ security attributes


SDEP LDAP Authorization Algorithm
(flowchart, recovered as text)
Start authentication & authorization
 Does the user exist in LDAP?
 NO: the user has not been migrated yet; authenticate and authorize the user in the repository as it was done in V5
 YES: authenticate the user through LDAP, using its corporate definition; then, does the user exist in the repository?
 YES: the user is a specific user; calculate the LSI file from the repository user rights, as it was done in V5
 NO: the user is an SDEP user; read the user security profiles in LDAP and calculate the LSI file by combining the rights defined in the repository for each security profile
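The two mapping options (Option 1, attribute-based; Option 2, LDAP-group-based) and the login decision above, worked through as an added example. This is not Business Objects code and does not use the product's Security API: the directory entries, repository groups, rights strings, and the attribute names `roles` (option 1) and `member` (option 2) are constructed assumptions, and the bind is a password comparison standing in for a real LDAP simple bind.

```python
"""Added example (not Business Objects code): LDAP mapping options 1 and 2,
the E6.1 login decision, and the LSI computed at login. All data below is
constructed; the attribute names "roles" and "member" are assumptions."""
from dataclasses import dataclass

# Constructed LDAP directory, DN -> attributes. "roles" carries the repository
# group names (mapping option 1); "member" lists user DNs (mapping option 2).
JOHN = "cn=John,ou=America,ou=Board,dc=example,dc=com"
SCOTT = "cn=Scott,ou=America,ou=Board,dc=example,dc=com"
PAUL = "cn=Paul,ou=Marketing,dc=example,dc=com"
ADMIN = "cn=admin,ou=Board,dc=example,dc=com"
LDAP = {
    JOHN: {"cn": "John", "userPassword": "john-pw", "roles": ["Group 11", "Group 2"]},
    SCOTT: {"cn": "Scott", "userPassword": "scott-pw", "roles": []},
    PAUL: {"cn": "Paul", "userPassword": "paul-pw", "roles": ["Group 2"]},
    ADMIN: {"cn": "admin", "userPassword": "admin-pw", "roles": []},
    "cn=Group 11,ou=Marketing,dc=example,dc=com": {"cn": "Group 11", "member": [JOHN, SCOTT]},
    "cn=Group 2,ou=Marketing,dc=example,dc=com": {"cn": "Group 2", "member": [JOHN, PAUL]},
}

# Constructed repository: group hierarchy with group-level rights, plus the users
# that still need a repository definition (a Supervisor declared in both systems,
# and a not-yet-migrated user that the repository authenticates itself).
REPO_GROUPS = {
    "Group 1": {"parent": None, "rights": {"product:InfoView"}},
    "Group 11": {"parent": "Group 1", "rights": {"universe:Sales"}},
    "Group 2": {"parent": None, "rights": {"product:WebIntelligence", "document:Q3 Report"}},
    "Group 21": {"parent": "Group 2", "rights": {"universe:Marketing"}},
}
REPO_USERS = {
    "admin": {"password": None, "groups": ["Group 1"], "rights": {"product:Supervisor"}},
    "legacy": {"password": "legacy-pw", "groups": ["Group 21"], "rights": set()},
}


@dataclass
class LSI:
    """Security cache computed once at login and valid for the session."""
    user: str
    authenticated_by: str   # "ldap" or "repository"
    groups: frozenset       # user's groups plus every parent group
    rights: frozenset       # union of those groups' rights (+ the user's own)


def ldap_find_user(cn):
    """Search the directory for a user entry by cn; (dn, attrs) or None."""
    for dn, attrs in LDAP.items():
        if attrs.get("cn") == cn and "userPassword" in attrs:
            return dn, attrs
    return None


def ldap_bind(dn, password):
    """Stand-in for an LDAP simple bind: the directory checks the credential."""
    return LDAP[dn]["userPassword"] == password


def profiles_from_attribute(dn):
    """Mapping option 1: a user attribute lists the repository groups."""
    return list(LDAP[dn].get("roles", []))


def profiles_from_membership(dn):
    """Mapping option 2: LDAP groups named after repository groups list the user."""
    return [a["cn"] for a in LDAP.values() if dn in a.get("member", [])]


def with_parents(groups):
    """Expand to every ancestor in the repository hierarchy; profiles the
    repository does not know carry no rights and are dropped."""
    out = set()
    for g in groups:
        while g is not None and g in REPO_GROUPS and g not in out:
            out.add(g)
            g = REPO_GROUPS[g]["parent"]
    return frozenset(out)


def combine_rights(groups, extra=()):
    """Rights are set on groups: the user gets the union over all of them."""
    rights = set(extra)
    for g in groups:
        rights |= REPO_GROUPS[g]["rights"]
    return frozenset(rights)


def login(username, password, source="ldap-then-repository", mapping="attribute"):
    """The slide's decision. source is one of the Configuration 2/4 choices
    ("repository", "ldap-then-repository", "ldap"); mapping is "attribute"
    (option 1) or "group" (option 2). Returns an LSI, or None if refused."""
    found = ldap_find_user(username) if source != "repository" else None
    if found:
        dn, _ = found
        if not ldap_bind(dn, password):          # authenticated through LDAP
            return None
        repo = REPO_USERS.get(username)
        if repo:                                 # specific user: rights from the repository as in V5
            groups = with_parents(repo["groups"])
            return LSI(username, "ldap", groups, combine_rights(groups, repo["rights"]))
        profiles = profiles_from_attribute(dn) if mapping == "attribute" else profiles_from_membership(dn)
        groups = with_parents(profiles)          # SDEP user: profiles read in LDAP
        return LSI(username, "ldap", groups, combine_rights(groups))
    if source == "ldap":                         # no repository fallback authorized
        return None
    repo = REPO_USERS.get(username)              # not migrated yet: repository authenticates and authorizes
    if repo is None or repo["password"] is None or repo["password"] != password:
        return None
    groups = with_parents(repo["groups"])
    return LSI(username, "repository", groups, combine_rights(groups, repo["rights"]))
```

`source` mirrors the three choices of the Configuration 2/4 slide. With `ldap-then-repository`, a user absent from LDAP is still accepted on the repository password, which is what lets not-yet-migrated users in; with `ldap` that fallback is refused, so a user removed from the directory can no longer log in through a stale repository definition. The returned LSI is computed once per session, so a user added to a new group only sees it after logging in again.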

Installation
 LDAP connector available in the regular Setup
 Available with the Supervisor license


Configuration 1/4
Configure authentication mode
 Standard
 Delegated
 No authentication


Configuration 2/4
 Authentication and authorization source
 Repository
 LDAP then repository
 LDAP
 Server host


Configuration 3/4
LDAP configuration
 LDAP naming
 LDAP connection


Configuration 4/4
Mapping definition
 LDAP user to Business Objects group
 LDAP user to Business Objects user


Agenda
 Introduction
 Scope details
 Authentication/authorization
 Installation/configuration
 Modified workflows
 Login
 Refresh list
 Send to
 Benefits and limitations
 Roadmap

Modified Workflows 1/3
Authentication/login

 Main differences between E6 standard login and LDAP login
 The authentication and authorization algorithm
 The LSI file content
 The “fake” user mechanism that gives the user an ID
 Applies to any Business Objects client
 InfoView
 WebIntelligence
 BusinessObjects 2-tier, 3-tier


Modified Workflows 2/3
Authorization

 Refresh list mechanism
 The group hierarchy is stored in the LSI file
 The refresh list mechanism queries the database directly, in one single
request, for the list of universes or documents accessible to these groups
 The query is much simpler and faster compared to E6.0
 The query does not need to recursively rebuild the group hierarchy
 If the user is added to a new group, this user needs to log in again to
retrieve the list of documents attached to this group


Modified Workflows 3/3
Send to user/group

 2 panes in the “Send to” workflow
 One for setting the document name and properties
 The other for selecting the user and group recipients
 New search option to facilitate user listing
 Avoids displaying thousands of users in a single list
 If a document is sent to users and groups
 Groups are expanded
 Group members are searched through LDAP and the repository
 The document is sent to all direct members of the groups


Send To Interface (screenshot slide)


Benefits and Limitations 1/2
 Streamlined user management
 Will benefit new projects now
 Migration tool planned for E6.5 to benefit existing projects
 Auditor
 Will lose some granularity for audits based on the user/group hierarchy
 BCA Publisher
 Requires users to be stored in the repository
 Uses the user and group hierarchy


Benefits and Limitations 2/2
 User-level granular security
 LDAP users inherit security from repository groups
 Security is set on groups
 The following overloads can only be done at the group level
 Connection
 Object level restrictions
 Row level restrictions


Roadmap

 Support of variables
 Expose an LDAP attribute as a Business Objects variable
 Migration
 Migrate users from the repository to the LDAP system
 Synchronize users between the LDAP system and the repository
 Define Business Objects groups in LDAP
 Externalize Business Objects users
 Support of SSO combined with LDAP
 SSO can store users in the LDAP system


Q&A

 Contact information
 Isabelle Nuage
Sr Product Marketing Manager
Isabelle.Nuage@businessobjects.com

 Stephane Perdigeon
Senior Program Manager, Deployment
Stephane.Perdigeon@businessobjects.com
