Strategy ONE

Universal Semantic Layer Environment Configurations

LDAP Authentication

If your Strategy environment is configured with LDAP and you need to allow LDAP authentication in Universal Semantic Layer (USL) clients such as DBeaver, use the following steps to enable LDAP for USL users:

Environment owners should define the context path for the Library application specifically used for LDAP authentication.

  1. In the Universal semantic service, go to the ldap-authenticator.properties file. The file should be in the following path: /opt/mstr/MicroStrategy/install/UniversalSemantic/etc/ldap-authenticator.properties.

  2. Edit the mstr.ldap.library.url setting to use the Library application where LDAP authentication mode is enabled.

    For example, if the Library application URL is https://tutorial.microstrategy.com/MicroStrategyLibraryInsights, you should modify the settings to the following:

    # MSTR Specific
    header-authenticator.name=mstr-ldap
    mstr.ldap.library.url=https://tutorial.microstrategy.com/MicroStrategyLibraryInsights

OAuth 2

Single Node Instance-based Environments

  1. Edit the Library service configOverride.properties file and add the following property to enable the OAuth2 Authorization Server:

    auth.oauth2.server.enabled = true
    auth.oauth2.server.storage = inMemory
  2. In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.

    If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.

  3. Restart the Library application.

Multi-node Instance-based Environments

For multi-node instance-based environments, you must configure Redis and OAuth2. In a virtual machine-based cluster environment, each virtual machine (VM) hosts its own Redis instance. Typically only one Redis server is accessible from all machines in the cluster. See below to identify the accessible Redis server and configure each Tomcat server accordingly:

  1. Verify the machine on which the Redis server resides:

    1. Open the following Redis configuration file: /opt/mstr/MicroStrategy/install/Redis/redis.conf.

    2. Ensure the bind directive includes the VM's internal IP address (for example, 10.xx.xx.xx) in addition to the loopback address. For example, bind 127.0.0.1 ::1 10.250.149.168.

    3. Ensure protected-mode is set to no.

    4. Add your authentication password to the requirepass directive. For example, requirepass [enter password here].

  2. Configure Tomcat to Connect to Redis:

    1. On each VM, open the setenv.sh file in the Tomcat installation. It is typically located in the following path: /opt/apache/tomcat/latest/bin/setenv.sh.

    2. Add the following environment variables:

      export REDIS_HOST="10.xx.xx.xx"           # Replace with the Redis server’s internal IP address
      export REDIS_PASSWORD="your_redis_password"  # Replace with the actual password from redis.conf
  3. Configure OAuth2 authorization for Library:

    1. Open the configuration file in the following location: <webapps>/MicroStrategyLibrary/WEB-INF/classes/config/configOverride.properties.

    2. Add or edit the following properties:

      auth.oauth2.server.enabled=true
      auth.oauth2.server.storage=redis
  4. Restart the Tomcat server on each VM.

  5. In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.

    If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.

  6. Restart the Library application.
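
The redis.conf settings from step 1 of the multi-node procedure above can be checked with a short script. This is an added shell example, not part of the original documentation or the vendor's tooling: it reports a missing or placeholder requirepass while protected-mode is off, a missing or wildcard bind, and a loopback-only bind. The function names, the sample file, and the assumption that a later directive line overrides an earlier one are this example's own.

```shell
#!/bin/sh
# Added example: audit the three redis.conf directives from the steps above.

# Print the last value given for a directive
# (assumption: a later line overrides an earlier one).
redis_directive() {  # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); val = $0 }
                     END { print val }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_redis_conf() {  # $1 = path to redis.conf
    n=0
    bind=$(redis_directive "$1" bind)
    pmode=$(redis_directive "$1" protected-mode)
    pass=$(redis_directive "$1" requirepass)

    [ "$pmode" = "no" ] || { echo "protected-mode is not 'no' as the steps require"; n=$((n + 1)); }

    # With protected-mode off, requirepass is the only control left on the listener.
    case $pass in
        "") echo "requirepass is not set"; n=$((n + 1)) ;;
        "[enter password here]"|your_redis_password)
            echo "requirepass still holds a placeholder from the documentation"; n=$((n + 1)) ;;
    esac

    # bind should name loopback plus one internal address, never a wildcard.
    internal=0
    set -f                          # keep a literal '*' in bind from globbing
    for addr in ${bind:-'*'}; do    # no bind line means every interface
        case ${addr#-} in
            127.*|::1) ;;
            '*'|'::*'|0.0.0.0|::)
                echo "bind exposes Redis on every interface ($addr)"; n=$((n + 1)); internal=1 ;;
            *) internal=1 ;;
        esac
    done
    set +f
    [ "$internal" -eq 1 ] || { echo "bind lists loopback only; other VMs cannot connect"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample input (not from a real host): the placeholder password was left in place.
sample=$(mktemp)
printf '%s\n' 'bind 127.0.0.1 ::1 10.250.149.168' 'protected-mode no' \
    'requirepass [enter password here]' > "$sample"
audit_redis_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a Redis host, call `audit_redis_conf /opt/mstr/MicroStrategy/install/Redis/redis.conf`; a return status of 0 means the file matches the documented setup.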

Container-based Environment

In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.

If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.