Strategy ONE
Universal Semantic Layer Environment Configurations
LDAP Authentication
If your Strategy environment is configured with LDAP and you need to allow LDAP authentication in Universal Semantic Layer (USL) clients such as DBeaver, use the following steps to enable LDAP for USL users:
Environment owners should define the context path for the Library application specifically used for LDAP authentication.
- In the Universal semantic service, go to the ldap-authenticator.properties file. The file should be in the following path: /opt/mstr/MicroStrategy/install/UniversalSemantic/etc/ldap-authenticator.properties.
- Edit the mstr.ldap.library.url setting to use the Library application where LDAP authentication mode is enabled. For example, if the Library application URL is https://tutorial.microstrategy.com/MicroStrategyLibraryInsights, you should modify the settings to the following:
    # MSTR Specific
    header-authenticator.name=mstr-ldap
    mstr.ldap.library.url=https://tutorial.microstrategy.com/MicroStrategyLibraryInsights
OAuth 2
Single Node Instance-based Environments
- Edit the Library service configOverride.properties file and add the following property to enable the OAuth2 Authorization Server:
    auth.oauth2.server.enabled = true
    auth.oauth2.server.storage = inMemory
- In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.
  If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.
- Restart the Library application.
Multi-node Instance-based Environments
For multi-node instance-based environments, you must configure Redis and OAuth2. In a virtual machine-based cluster environment, each virtual machine (VM) hosts its own Redis instance. Typically only one Redis server is accessible from all machines in the cluster. See below to identify the accessible Redis server and configure each Tomcat server accordingly:
- Verify the machine where the Redis server resides:
  - Open the following Redis configuration file: /opt/mstr/MicroStrategy/install/Redis/redis.conf.
  - Ensure the bind directive includes the VM's internal IP address (for example, 10.xx.xx.xx) in addition to the loopback address. For example, bind 127.0.0.1 ::1 10.250.149.168.
  - Ensure protected-mode is set to no.
  - Add your authentication password to the requirepass directive. For example, requirepass [enter password here].
- Configure Tomcat to Connect to Redis:
  - On each VM, open the setenv.sh file in the Tomcat installation. It is typically located in the following path: /opt/apache/tomcat/latest/bin/setenv.sh.
  - Add the following environment variables:
      export REDIS_HOST="10.xx.xx.xx" # Replace with the Redis server’s internal IP address
      export REDIS_PASSWORD="your_redis_password" # Replace with the actual password from redis.conf
- Configure OAuth2 authorization for Library:
  - Open the configuration file in the following location: <webapps>/MicroStrategyLibrary/WEB-INF/classes/config/configOverride.properties.
  - Add or edit the following properties:
      auth.oauth2.server.enabled=true
      auth.oauth2.server.storage=redis
- Restart the Tomcat server on each VM.
- In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.
  If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.
- Restart the Library application.
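With protected-mode set to no, the bind list and requirepass are the settings in redis.conf that limit who can use the Redis server, so it is worth checking them together with setenv.sh after editing. The following Python check is an added example, not part of the original page or of Strategy's tooling; the function and constant names and the sample file contents are constructed for illustration, while the directive names and placeholder strings come from the steps above.

```python
import shlex

PLACEHOLDERS = {"", "[enter password here]", "your_redis_password"}  # sample values on the page
WILDCARDS = {"*", "0.0.0.0", "::", "::*"}
LOOPBACK = {"127.0.0.1", "::1"}

def parse_redis_conf(text):
    """Return {directive: [args]}; a later line overrides an earlier one."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            conf[parts[0].lower()] = parts[1:]
    return conf

def parse_setenv(text):
    """Collect simple `export NAME="value"` assignments from setenv.sh."""
    env = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 2 and parts[0] == "export" and "=" in parts[1]:
            name, value = parts[1].split("=", 1)
            env[name] = value
    return env

def audit(redis_conf, setenv, internal_ip):
    """Deviations from the documented settings; no bind line means all interfaces."""
    conf, env, out = parse_redis_conf(redis_conf), parse_setenv(setenv), []
    binds = {a.lstrip("-") for a in conf.get("bind", ["*"])}  # "-addr" = optional address
    password = " ".join(conf.get("requirepass", []))
    if binds & WILDCARDS:
        out.append("bind covers all interfaces")
    elif internal_ip not in binds or not binds & LOOPBACK:
        out.append("bind must list loopback and the internal IP")
    if conf.get("protected-mode") != ["no"]:
        out.append("protected-mode is not no")
    if password in PLACEHOLDERS:
        out.append("requirepass is empty or a placeholder")
    if env.get("REDIS_HOST") != internal_ip:
        out.append("REDIS_HOST does not match the Redis server IP")
    if env.get("REDIS_PASSWORD") != password:
        out.append("REDIS_PASSWORD does not match requirepass")
    return out

# Constructed sample files (not taken from a real system).
GOOD_CONF = "bind 127.0.0.1 ::1 10.250.149.168\nprotected-mode no\nrequirepass Constructed-Pass-1\n"
GOOD_ENV = 'export REDIS_HOST="10.250.149.168"\nexport REDIS_PASSWORD="Constructed-Pass-1"\n'
BAD_CONF = "bind 0.0.0.0\nprotected-mode no\n# requirepass [enter password here]\n"
for conf in (GOOD_CONF, BAD_CONF):
    print(audit(conf, GOOD_ENV, "10.250.149.168"))
```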
Container-based Environment
In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.
If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.