© Strategy Inc. All Rights Reserved.

KB18562: Understanding LDAP integration with the MicroStrategy Intelligence Server

Community Admin • Strategy
The MicroStrategy Intelligence Server has the capability to authenticate and import users and groups from an existing LDAP Server into the MicroStrategy Metadata.

The Strategy Intelligence Server 2021 has the capability to authenticate and import users and groups from an existing LDAP Server into the Strategy Metadata. Before discussing the details of the LDAP integration, the following commonly used terms are explained in some detail:
 
Directory:
A directory is a collection of objects that are arranged in a hierarchical structure called the Directory Information Tree. The information objects that would typically be of interest, such as users or groups are located in container objects that give the information tree a structure.
 
Directory System Agent (DSA)/ Directory Server:
The software application that provides access to the information stored in a directory, responds to requests from clients and performs directory operations such as searches for and updates to the information stored in the directory.
 
Lightweight Directory Access Protocol (LDAP):
The protocol is based on the X.500 Directory Access Protocol (DAP) and is efficient, open, extensible and a commonly used standard. The protocol uses a simplified set of encoding methods and is designed to run on top of the TCP/IP networking stack. The protocol is message based.
 
There are two significant versions of the LDAP protocol: versions 2 and 3. The Strategy Intelligence Server 2021 and newer is designed to work only with LDAP v3 compliant services and libraries.
 
Directory Service Entry (DSE):
This is a collection of information about an object. A special entry called "RootDSE" is always present in LDAP v3 compliant directory servers and describes the server, its capabilities and configuration. Typically any DSE will represent a real world object such as a user, group, printer etc.
 
Attributes:
Each DSE in a directory has one or more pieces of data associated with it, which are called attributes. It is the set of attributes that completely describes the object. For example, for an entry representing a person, one can think of that person's name, e-mail, address, position, location, telephone, etc. as attributes of that entry. Each attribute of an entry can have one or more data values.
 
Distinguished Name (DN):
The distinguished name of a directory entry is the unique name that identifies it. The Distinguished name is composed of attribute=value pairs separated by commas. The attribute and values in the distinguished name are progressively specific identifiers of the location of the entry in the directory tree from right to left.
 
Secure Sockets Layer (SSL):
A generic transport layer security mechanism. It is based on public key encryption for communication - a technique that uses a pair of keys (a public and a private key) to encrypt communications. The public key (known by the data transmitter) is used to perform the encryption of the data to be transmitted, which can only be decrypted using the private key, known only to the recipient.
 
To distribute the public keys and for validation of the recipient, the SSL server must be configured with a valid certificate and the certificate for the server along with the public key to be used must be available to the client.
 
LDAP Integration with the Strategy Intelligence Server:
To integrate users and groups stored on an LDAP server within the Strategy Intelligence Server 9.x and newer, the following information is needed:
 

  1. LDAP version 3 compatible Directory Server that supports Clear text or LDAPS (LDAP over SSL) communications.
  2. The credentials of an 'Authenticating User'. These are the credentials the Strategy Intelligence Server itself will use when querying the Directory Server.
  3. The hostname / IP address and port number of the LDAP server.
  4. LDAP Client libraries that are used by the Intelligence Server to connect to the LDAP server. The specific libraries to be used depend on the operating system platform for the Strategy Intelligence Server. For more details on the configuration of the Strategy Intelligence Server, see the following Strategy Knowledge Base technical notes:
     
    • KB13041: How to configure LDAP connectivity using SSL authentication with Strategy Intelligence Server and newer on Windows Operating Systems
    • KB12067: How to configure LDAP connectivity using Clear text (using OpenLDAP) or SSL (using OpenSSL) for Strategy Intelligence Server on Linux
    • KB12045: How to configure LDAP connectivity using Cleartext or SSL using the Tivoli Directory Client Libraries and GSKit 7 for Intelligence Server on AIX operating systems
    • KB12920: How to configure LDAP connectivity using Cleartext or SSL for Strategy Intelligence Server Universal and newer on HP-UX
  5. If SSL is to be used, the appropriate Server Certificates should be available to configure the client for SSL communications.
  6. Users need to know the vendor/software version of the LDAP server. If this is not one of the predefined vendor products available, or if different search criteria must be used (explained below), users would have to obtain this information prior to setting up the Strategy Intelligence Server.

General process flow for authenticating users:
Once the Strategy Intelligence Server has been configured for LDAP authentication the following actions take place on the Intelligence Server:
 

  1. At startup, or at any time the Intelligence Server LDAP configuration is changed, the Strategy Intelligence Server opens a connection to the LDAP Server using the LDAP Server Host and Port information provided in the Strategy Intelligence Server configuration.
  2. Once a session is initialized (Clear text or SSL), the Strategy Intelligence Server will issue the LDAP API call (LDAP_SIMPLE_BIND_S) to bind to the LDAP Server using the Authenticating user distinguished name (DN) and password provided in the Strategy Intelligence Server configuration.
  3. Once bound to the LDAP Server, Strategy Intelligence Server will wait for a user to attempt to log in specifying their Directory Server credentials.
    NOTE: The LDAP Authentication User must have appropriate read and search access rights on the directory that is to be searched.
  4. When a user attempts to login by presenting their Directory Server credentials, the Strategy Intelligence Server will issue the LDAP API call (LDAP_SEARCH_S) to search the directory for the given user. The search root used for the LDAP search command is the distinguished name provided in the LDAP configuration. The search filter used by the LDAP search for the user is the one entered in the User search filter box in the LDAP configuration. 
  5. Once the user has been found in the directory, the user's distinguished name (resulting from the user search) and password (entered at login) will be verified against the LDAP server with a bind operation or, if supported, a password compare operation.
  6. If the user is authenticated successfully, using the logged in user's distinguished name property, the Strategy Intelligence Server will issue another LDAP API search call to find the groups on the LDAP server of which the user is a member. The group search filter will be the one entered in the Group search filter box in the configuration. Currently the Intelligence Server is only able to recognize static group membership returned from the LDAP Server for that user.

    From Strategy, the group search feature is also able to determine nested group membership for a user, and the number of levels for this search can be customized. Users should be aware that this search can significantly slow down login performance when users have multiple group memberships.
  7. Having all of the necessary user and group information, the Strategy Intelligence Server determines whether the user and/or group information needs to be imported into the metadata. User and group import options are discussed in detail in the following Strategy Knowledge Base technical note:
     
    • KB18506: Importing and linking users using LDAP integration with the Strategy Intelligence Server and newer

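The login flow of steps 4 to 6 above, together with the blank-password case described under Anonymous LDAP Authentication below, as an added example that is not Strategy's code: it simulates the user search, the bind and the depth-limited nested group search against a constructed in-memory directory, and escapes the login name per RFC 4515 before substituting it into the User search filter so the name is matched literally. The `#LDAP_LOGIN#` placeholder, the DNs, the passwords and the simplified server-side filter evaluation are assumptions made for this example.

```python
import re
DIRECTORY = {  # constructed sample entries (assumption): DN -> attributes
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "userPassword": "s3cret",
        "memberOf": ["cn=analysts,ou=groups,dc=example,dc=com"]},
    "cn=analysts,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=analysts,ou=groups,dc=example,dc=com"]},  # nesting cycle
}

def escape_filter_value(value):
    """RFC 4515 escaping: the login name is data, never filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_user_filter(template, login):
    """Step 4: put the escaped login into the configured User search filter."""
    return template.replace("#LDAP_LOGIN#", escape_filter_value(login))

def search(ldap_filter):
    """Simplified server: one '(uid=<value>)' term, escapes decoded, literal match."""
    term = re.search(r"\(uid=([^()]*)\)", ldap_filter)
    if not term:
        return []
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), term.group(1))
    return [dn for dn, attrs in DIRECTORY.items() if attrs.get("uid") == value]

def simple_bind(dn, password):
    """Step 5: an empty password is an unauthenticated bind in LDAP, never success."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry.get("userPassword") == password

def nested_groups(dn, max_levels):
    """Step 6: memberOf followed through at most max_levels; found set stops the cycle."""
    found, frontier = set(), [dn]
    for _ in range(max_levels):
        new = [g for m in frontier for g in DIRECTORY.get(m, {}).get("memberOf", [])
               if g not in found]
        found.update(new)
        frontier = new
    return found

def authenticate(login, password, search_filter, nested_levels=1):
    """Returns (user_dn, groups), 'anonymous' for a blank password, or None."""
    if password == "":      # the article's Anonymous LDAP case: decide it here,
        return "anonymous"  # before any bind, never by binding with ""
    matches = search(build_user_filter(search_filter, login))         # step 4
    if len(matches) != 1 or not simple_bind(matches[0], password):    # step 5
        return None
    return matches[0], nested_groups(matches[0], nested_levels)       # step 6
```

Raising `nested_levels` makes the cycle between the two groups visible without looping, which is the cost the article warns about for users with many group memberships.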
 
Anonymous LDAP Authentication:
When a user attempts to log in using LDAP as the login method and provides a blank password, this user will be logged in as an anonymous LDAP user. Such users inherit the privileges of the "LDAP Public" group and may be able to access the project, browse objects, and run and manipulate reports, as they are not part of the Everyone group. However, regardless of permissions, these users will not be able to create their own objects or schedule report executions. All Anonymous LDAP users share the same single History List.
 
Password Compare / Bind Operations:
When the Intelligence Server is configured to perform LDAP authentication, it attempts to initialize a connection with the LDAP server on startup. After authenticating itself as the user specified in the LDAP Configuration settings - Authentication User Distinguished Name - the Intelligence Server attempts to perform a password compare action against the LDAP Server. If this action is successful, the Intelligence Server will try to authenticate users using a password compare LDAP operation rather than using the bind command.
  
Chase Referrals:
The Intelligence Server can also be configured to disable chasing referrals. Referrals are responses returned from the LDAP server directing the client (in this case the Intelligence Server) to look for additional authoritative answers on another LDAP Server. The Intelligence Server does not support chasing referrals, but depending on the LDAP client SDK in use, an error may be returned if the LDAP server returns referrals for a search request.
 
  • KB15655: How to configure MicroStrategy Intelligence Server 9.x and 10.X to ignore LDAP chase referrals

Once any import operation needed is completed, a user session is created on the Strategy Intelligence Server with the access rights and privileges determined by the imported or linked user's privileges or permissions.
 

Knowledge Article
Published: March 30, 2017
Last Updated: March 4, 2024