MicroStrategy ONE
Configure Directory Service
You can set up LDAP authentication and configure an LDAP connection.
The ability to view or edit certain settings is determined by a user's privileges. All necessary privileges are included in the Administrator role by default. You must belong to the System Administrators group to use this feature.
- Open the Workstation window.
- In the Navigation pane, click Environments.
- Right-click an environment and choose Directory Service > Configure Directory Service.
- On the General tab, under Server Information, enter the following:
  Host: The machine name or IP address of the LDAP server.
  Port: The network port that the LDAP server uses. For clear text connections, the default value is 389. For encrypted SSL connections between Intelligence Server and your LDAP server, the default value is 636.
  Directory Server Type: Select the name of the LDAP server software that the Intelligence Server is connecting to. Choose Microsoft Active Directory or OpenLDAP.
  Use the toggle to enable SSL to allow the Intelligence Server to access LDAP over an encrypted SSL connection. You must obtain a valid certificate from your LDAP server.
  - If your Intelligence Server is on Windows, install the certificate in the local certificate store. You do not need to upload the certificate from MicroStrategy Workstation.
  - If your Intelligence Server is on Linux, upload your .pem file in base64 encoded format. If a chain SSL certificate is used, concatenate all the end-user, intermediate and root certificates into a single .pem file, from top to bottom.
  Base Distinguished Name (DN): Enter your LDAP base DN.
  Bind Distinguished Name (DN): Enter the username for the LDAP Authentication user.
  Password: Enter the password for the LDAP Authentication user.
- Under User Information, enter the following:
  User Search Authentication Filter: Enter a user search filter to search for lists of users in the LDAP directory.
  User Login: Enter the LDAP attribute used for logging in to MicroStrategy.
  Username: Enter the LDAP attribute used to display your username in MicroStrategy.
  Unique ID: Enter the LDAP attribute used for your unique ID. By default, the LDAP name attribute is userPrincipalName.
  Email: Enter the LDAP attribute used as the user's email in MicroStrategy. By default, the LDAP email attribute is mail.
- Under Group Information, enter the following:
  Group Search Authentication Filter: Enter a group search filter to search for lists of LDAP groups that LDAP users belong to.
  Group Depth: Choose a value for your group depth.
  Group Name: Enter the LDAP attribute used for the user's group name in MicroStrategy.
- Under Test Connection, enter your username, without the Bind DN, and password to verify the connection to the LDAP server.
- Click Test Connection.
- On the Advanced tab, set and enable LDAP settings:
  Allow LDAP Referral Chasing in search: Enable this setting to chase referrals during LDAP searches. This setting is enabled by default.
  Allow linking LDAP users/groups to predefined MicroStrategy users/groups: Enable this setting to allow linking of LDAP users/groups to predefined MicroStrategy users/groups. This setting is enabled by default.
  Allow NT login if LDAP user cannot be found: Enable this setting to allow NT login if an LDAP user is not found. This setting is disabled by default.
  Import group at login: Enable this setting to import LDAP groups into the MicroStrategy metadata at login.
  Import User At login: Enable this setting to import LDAP users into the MicroStrategy metadata as MicroStrategy users at login.
  LDAP SDK Library: Enter the value of your LDAP SDK Library. The default value is automatically populated when the directory server driver is selected. This value must match the value used by the Intelligence server.
  Reuse Connection: Enable this setting to use connection pooling with your LDAP server.
  Search Group Import Filter: Enter a group search filter to return a list of groups to import in batches. A group search filter is generally of the following form:
    (&(objectclass=LDAP_GROUP_OBJECT_CLASS)(LDAP_GROUP_ATTR=SEARCH_STRING))
  Search Limit during Batch Import: This setting controls LDAP paging. The default value is 1000. Set this value to 0 for unlimited page length. LDAP search paging requires support from both the LDAP client and server. In addition to the Intelligence server setting, the administrator must set the page limit on the LDAP server.
  Search Timeout: Enter the time (in minutes) after which the search times out.
  Search User Import Filter: Enter a user search filter to return a list of users to import in batches. A user search filter is generally of the following form:
    (&(objectclass=LDAP_USER_OBJECT_CLASS)(LDAP_LOGIN_ATTR=SEARCH_STRING))
  Synchronize group at login: Enable this setting to synchronize MicroStrategy's group information with the LDAP group information at login.
  Synchronize user at login: Enable this setting to synchronize MicroStrategy's user information with the LDAP user information at login.
  Synchronize user/group information with LDAP during Trusted authentication: Enable this setting to synchronize MicroStrategy's user and group information with the LDAP user information during Trusted authentication.
  Synchronize user/group information with LDAP during Windows authentication and import Windows link during Batch import: Enable this setting to synchronize MicroStrategy's user and group information with the LDAP user information during Windows authentication. This setting also links a Windows user name to a MicroStrategy user account. The user can then log in to a MicroStrategy project using their Windows login credentials.
  User login fails if LDAP attribute value is not read from the LDAP server: Enable this setting to cause the user login to fail if the LDAP attribute value is not read from the LDAP server.
- Click Save.
Once you have configured your LDAP authentication, you can map attributes from your LDAP account in MicroStrategy. See Use Attribute Mapping to Restrict the Data Users Can View for more information.
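
The filter forms given above for Search User Import Filter and Search Group Import Filter, as an added Python example (not MicroStrategy code): it fills in the template, escapes SEARCH_STRING per RFC 4515 so that characters such as ( ) * are matched literally, and checks that the result is one balanced group. The object classes and attributes used (person, uid, groupOfNames, cn) are sample values; substitute the ones your directory uses.

```python
import re

# RFC 4515: these characters must be written as \XX (hex) inside a filter
# value, otherwise they are read as filter syntax instead of literal text.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Conservative pattern for object class and attribute names.
_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_value(value):
    """Escape a literal SEARCH_STRING, one character at a time."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(object_class, attr, search_string, literal=True):
    """Return (&(objectclass=OBJECT_CLASS)(ATTR=SEARCH_STRING)).

    literal=False leaves search_string untouched, for an administrator who
    wants '*' to act as a wildcard on purpose.
    """
    for name in (object_class, attr):
        if not _NAME.fullmatch(name):
            raise ValueError(f"not a valid LDAP name: {name!r}")
    value = escape_value(search_string) if literal else search_string
    return f"(&(objectclass={object_class})({attr}={value}))"


def is_balanced(ldap_filter):
    """True if the filter is exactly one parenthesised group."""
    if not ldap_filter.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Depth may reach 0 only on the final character.
            if depth < 0 or (depth == 0 and i != len(ldap_filter) - 1):
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for f in (build_filter("person", "uid", "*", literal=False),
              build_filter("groupOfNames", "cn", "Finance (EMEA)"),
              "&(objectclass=groupOfNames)(cn=Finance))"):  # missing leading "("
        print(is_balanced(f), f)
```

Running the balance check on a filter before pasting it into the import filter fields catches a dropped or extra parenthesis, which would otherwise surface only as a failed or empty batch import.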