Yellowfin can be connected to an LDAP source for user authentication and group management purposes. This allows Yellowfin access to be controlled externally and organisation-wide simply and quickly. Users can use their existing intranet password for Yellowfin authentication, and reports can be given access restrictions which include or exclude users in specific LDAP groups.
Yellowfin has the option to reference an external directory (LDAP) or database to perform authentication of an entered User ID without Single Sign On. This means that a user will have the same User ID and Password across all participating applications that use the directory. In addition, removal/lockout of the user on the directory will automatically flow through to Yellowfin, minimising the manual effort of managing users.
Prior to setting up the LDAP parameters in Yellowfin, the following will have to be completed:
For Yellowfin to provision users automatically it has to assign a role to them. This role is defined as a Yellowfin 'Default' Role. In the Roles page, define one Role as the Default.
Note: if no role is set as default the users will not be provisioned correctly into Yellowfin and the process will fail.
To provision users from the LDAP directory and to use LDAP Authentication, the required attributes must be defined on the System Configuration page. The attributes required by Yellowfin include:
| Property | Description |
|---|---|
| LDAP Host | LDAP server hostname or IP address |
| LDAP Port | TCP/IP port that the LDAP server is listening on |
| LDAP Base Distinguishing Name | Base DN under which all Yellowfin Users and Groups are connected |
| LDAP Yellowfin User Group | LDAP Group Name that identifies which users can log into Yellowfin. This group exists in the LDAP directory, not Yellowfin. |
| LDAP Binding User | This is an LDAP User that the Yellowfin application uses to connect to the LDAP directory for search access |
| LDAP Binding User Password | The LDAP Password required for the Yellowfin application to connect to the LDAP directory |
| LDAP Search Attribute | This is a unique User Name field that LDAP users will login to Yellowfin with |
| LDAP First Name Attribute | This maps to the First Name attribute of the user within the LDAP directory. This is so Yellowfin can match the user to a name and create an internal user account. |
| LDAP Surname Attribute | This maps to the surname attribute of the user within the LDAP directory. This is so that Yellowfin can match the user to a name and create an internal user account. |
| LDAP Email Attribute | This maps to the email address attribute of the user within the LDAP directory. This is so that Yellowfin can match the user to an email address for broadcast reports. |
| LDAP Role Attribute | This maps to a Yellowfin Role to be assigned to the user instead of the Default Role. |
Once defined, Yellowfin will automatically provision users as they attempt to login to Yellowfin for the first time.
Note: if the users in LDAP exceed the number of licences purchased, any new users will not be provisioned into the system.
This is an example taken from the System Configuration page of Yellowfin.
The configuration above will:

- Connect to the LDAP host 192.168.4.241 on port 389
- Use cn=Users,dc=i4,dc=local as the Base DN for users and groups
- Allow users who are members of cn=Yellowfin Users,cn=Users,dc=i4,dc=local to log into Yellowfin
- Search the directory as cn=Administrator,cn=Users,dc=i4,dc=local, bound to the LDAP server with password password
- Have users log in with employeeID as their login ID, and Yellowfin will load their given name, surname, and email from the LDAP directory attributes givenName, LastName, and userPrincipalName respectively

Note: if a user is not found in the LDAP directory, Yellowfin will look for the username as a standard Yellowfin user.
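A pre-deployment check for settings like the ones in the example above, as an added example (not Yellowfin code): it flags the plain-LDAP port, a built-in administrator used as the binding user, a guessable binding password, and a user group that lies outside the Base DN. The dictionary keys, the word lists and the 12-character minimum are assumptions of this example.

```python
import re

# Constructed sample: the values from this page's example configuration.
# The dictionary keys are hypothetical names, not Yellowfin's own setting keys.
PAGE_EXAMPLE = {
    "host": "192.168.4.241", "port": 389,
    "base_dn": "cn=Users,dc=i4,dc=local",
    "user_group": "cn=Yellowfin Users,cn=Users,dc=i4,dc=local",
    "bind_user": "cn=Administrator,cn=Users,dc=i4,dc=local",
    "bind_password": "password", "search_attr": "employeeID",
}
REQUIRED = ("host", "port", "base_dn", "user_group", "bind_user",
            "bind_password", "search_attr")
WEAK_PASSWORDS = {"password", "admin", "changeme", "secret", "123456"}
PRIVILEGED_NAMES = {"administrator", "admin", "root", "directory manager"}

def split_dn(dn):
    """Split a DN into lower-cased RDNs; an escaped comma stays inside its RDN."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip().lower(), count=1)
            for p in parts if p.strip()]

def is_under(dn, base):
    """True when dn equals base or sits below it in the directory tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def audit(cfg):
    """Return finding codes for one settings dict, in a fixed order."""
    missing = [k for k in REQUIRED if not cfg.get(k)]
    if missing:
        return ["MISSING:" + k for k in missing]
    findings = []
    if cfg["port"] == 389:
        # 389 is the plain LDAP port: bind and login passwords cross the
        # network unencrypted unless the connection is upgraded with StartTLS.
        findings.append("CLEARTEXT_PORT")
    first_rdn = (split_dn(cfg["bind_user"]) or [""])[0]
    if first_rdn.split("=", 1)[-1] in PRIVILEGED_NAMES:
        # The binding user only needs search access, so a built-in admin
        # account is more privilege than the integration requires.
        findings.append("PRIVILEGED_BIND_USER")
    pw = cfg["bind_password"]
    if pw.lower() in WEAK_PASSWORDS or len(pw) < 12:  # 12 is an assumed minimum
        findings.append("WEAK_BIND_PASSWORD")
    if not is_under(cfg["user_group"], cfg["base_dn"]):
        # The Base DN is where users and groups are looked up.
        findings.append("GROUP_OUTSIDE_BASE_DN")
    return findings
```

Run against the page's example values, `audit(PAGE_EXAMPLE)` reports the cleartext port, the Administrator binding user and the weak binding password; the user group passes because it sits under the Base DN.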
Once LDAP Authentication is enabled, the Group Management screens will include a new group option called LDAP. This will source groups from the LDAP directory for use as normal Yellowfin Groups. Yellowfin Groups can also be created based on a variety of sources including mixtures of LDAP and Yellowfin groups, where LDAP groups can be either included or excluded in the new group.