This document covers advanced features of Sensors Analytics, involves many technical details, and is intended for experienced users. If anything in it is unclear, contact the on-duty Sensors Analytics staff for one-on-one assistance.
Sensors Analytics has supported LDAP login authentication since version 1.13. The login flow is roughly as follows:
- The user logs in to Sensors Analytics with a username and password.
- Sensors Analytics uses that username and password to authenticate against the LDAP server configured in the background. Once LDAP authentication succeeds, the user can use Sensors Analytics normally.
- A user that is newly created in LDAP does not have to be created in Sensors Analytics by hand: the first time they log in successfully, Sensors Analytics creates the corresponding user automatically. Because every directory account that matches ldap_account_pattern (and ldap_search_filter, if set) can log in and be provisioned this way, use ldap_search_filter to restrict logins to the intended accounts, for example the members of one group, rather than the whole directory.
The admin account is not managed by LDAP.
Setting the ldap_type configuration item enables LDAP. From then on, every account except admin is verified only against LDAP; the local password no longer works. If the configuration fails and local login has to be restored quickly, simply delete the ldap_type configuration item.
Configuration Item Description
| Parameter | Example | Required | Description |
|---|---|---|---|
| ldap_type | OpenLDAP, AdLDAP | Yes | LDAP server type; these two values are supported. |
| ldap_url | ldap://10.XXX.XXX.XXX:389/ | Yes | LDAP service address. The example is plain ldap:// on port 389, which carries the bind password and every user's login password over the network unencrypted, so keep that traffic on a trusted network segment (or use an encrypted URL if both your LDAP server and your Sensors version accept one). |
| ldap_account_pattern | sAMAccountName=${username} | Yes | The condition used to look up the account; ${username} is replaced by the name entered on the login page. The example finds the entry whose sAMAccountName attribute equals that name. Usually sAMAccountName=${username} for AdLDAP and uid=${username} for OpenLDAP. |
| ldap_base_dn | ou=Members,DC=sensorsdata,DC=cn | Yes | Base DN under which user entries are searched. The DC components are the domain name (sensorsdata.cn in the example); OU is an organizational unit. A DN is built from RDNs, typically ordered CN → OU → O → DC. |
| bind_ldap_admin | true or false | No | Whether to bind to LDAP with ldap_bind_user and ldap_bind_password below. The default is false. If the LDAP server forbids anonymous access, set it to true and configure ldap_bind_user and ldap_bind_password. If false, the username and password entered on the Sensors login page are used to bind to LDAP directly. |
| ldap_bind_user | sensorsAD | No | Account to bind with when the LDAP server denies anonymous access; equivalent to the Bind DN. It only needs permission to search the user entries under ldap_base_dn, so a dedicated read-only account is preferable to a real directory administrator. |
| ldap_bind_password | ********** | No | Password of ldap_bind_user, needed when the LDAP server denies anonymous access. It is stored in the product configuration, so restrict access to the sa_cluster account accordingly. |
| ldap_search_filter | memberOf=cn=xxx,ou=people,dc=example,dc=com | No | Additional filter ANDed with the account lookup when searching for users in LDAP; use it to restrict which directory users may log in, for example to the members of one group. |
| ldap_email_suffix | @sensorsdata.cn | No | Suffix appended to the username after login. Main use case: before LDAP was connected, usernames were in email form; with LDAP, users log in without the suffix but should still map to the same account. |
| ldap_default_project | production | No | Default project that LDAP users log in to. Not set by default (not needed for test projects). |
Configuration Method
Modify Single Configuration
Run the following shell command as the sa_cluster account to set a single configuration item (replace PARAM_NAME and VALUE with the item's name and value):
sbp >= 1.3.0
sbpadmin business_config set -p sbp -k PARAM_NAME -v VALUE
sbp >= 1.1.0
spadmin config set product_global -p sbp -n PARAM_NAME -v VALUE
sca >= 0.4 or sbp 0.5+
spadmin config set server -p sbp -m web -n PARAM_NAME -v VALUE
Sensors Analytics version >= 1.14
spadmin config set server -p sa -m web -n PARAM_NAME -v VALUE
Sensors Analytics version < 1.14
monitor_tools set_config -t server -m web -n PARAM_NAME -v VALUE
Delete Single Configuration
Run the following shell command as the sa_cluster account to delete a single configuration item. LDAP is disabled by deleting configuration items, not by editing them: removing ldap_type alone falls back to local password login, and to remove the integration completely run the delete for every parameter in the table above (do not leave ldap_bind_password behind).
sbp >= 1.1.0
spadmin config delete product_global -p sbp -n PARAM_NAME
sca >= 0.4 or sbp 0.5+
spadmin config delete server -p sbp -m web -n PARAM_NAME
Sensors Analytics version >= 1.14
spadmin config delete server -p sa -m web -n PARAM_NAME
Sensors Analytics version < 1.14
monitor_tools del_config -t server -m web -n PARAM_NAME
View All Current Configuration Items
Run one of the following as the sa_cluster account. The output is the full configuration of the module, including the LDAP items set above, so treat it as sensitive.
sbp >= 1.3.0
sbpadmin business_config getall -p sbp
sbp >= 1.1.0
spadmin config get product_global -p sbp
sca >= 0.4 or sbp 0.5+
spadmin config get server -p sbp -m web
Sensors Analytics version >= 1.14
spadmin config get server -p sa -m web
Sensors Analytics version < 1.14
monitor_tools get_config -t server -m web
An example of a complete configuration
sbp >= 1.3.0
sbpadmin business_config set -p sbp -k ldap_type -v 'AdLDAP'
sbpadmin business_config set -p sbp -k ldap_url -v 'ldap://10.XXX.XXX.XXX:389/'
sbpadmin business_config set -p sbp -k ldap_account_pattern -v 'sAMAccountName=${username}'
sbpadmin business_config set -p sbp -k ldap_base_dn -v 'ou=Members,DC=sensorsdata-inc,DC=cn'
sbpadmin business_config set -p sbp -k bind_ldap_admin -v true
sbpadmin business_config set -p sbp -k ldap_bind_user -v 'sensorsAD'
sbpadmin business_config set -p sbp -k ldap_bind_password -v '**********'
sbpadmin business_config set -p sbp -k ldap_search_filter -v 'memberOf=cn=xxx,ou=people,dc=example,dc=com'
sbpadmin business_config set -p sbp -k ldap_email_suffix -v '@email.com'
sbp >= 1.1.0
spadmin config set product_global -p sbp -n ldap_type -v 'AdLDAP'
spadmin config set product_global -p sbp -n ldap_url -v 'ldap://10.XXX.XXX.XXX:389/'
spadmin config set product_global -p sbp -n ldap_account_pattern -v 'sAMAccountName=${username}'
spadmin config set product_global -p sbp -n ldap_base_dn -v 'ou=Members,DC=sensorsdata-inc,DC=cn'
spadmin config set product_global -p sbp -n bind_ldap_admin -v true
spadmin config set product_global -p sbp -n ldap_bind_user -v 'sensorsAD'
spadmin config set product_global -p sbp -n ldap_bind_password -v '**********'
spadmin config set product_global -p sbp -n ldap_search_filter -v 'memberOf=cn=xxx,ou=people,dc=example,dc=com'
spadmin config set product_global -p sbp -n ldap_email_suffix -v '@email.com'
sca >= 0.4 or sbp 0.5+
spadmin config set server -p sbp -m web -n ldap_type -v 'AdLDAP'
spadmin config set server -p sbp -m web -n ldap_url -v 'ldap://10.XXX.XXX.XXX:389/'
spadmin config set server -p sbp -m web -n ldap_account_pattern -v 'sAMAccountName=${username}'
spadmin config set server -p sbp -m web -n ldap_base_dn -v 'ou=Members,DC=sensorsdata-inc,DC=cn'
spadmin config set server -p sbp -m web -n bind_ldap_admin -v true
spadmin config set server -p sbp -m web -n ldap_bind_user -v 'sensorsAD'
spadmin config set server -p sbp -m web -n ldap_bind_password -v '**********'
spadmin config set server -p sbp -m web -n ldap_search_filter -v '(memberOf=cn=xxx,ou=people,dc=example,dc=com)'
spadmin config set server -p sbp -m web -n ldap_email_suffix -v '@email.com'
Sensors Analytics version >= 1.14
spadmin config set server -p sa -m web -n ldap_type -v 'AdLDAP'
spadmin config set server -p sa -m web -n ldap_url -v 'ldap://10.XXX.XXX.XXX:389/'
spadmin config set server -p sa -m web -n ldap_account_pattern -v 'sAMAccountName=${username}'
spadmin config set server -p sa -m web -n ldap_base_dn -v 'ou=Members,DC=sensorsdata-inc,DC=cn'
spadmin config set server -p sa -m web -n bind_ldap_admin -v true
spadmin config set server -p sa -m web -n ldap_bind_user -v 'sensorsAD'
spadmin config set server -p sa -m web -n ldap_bind_password -v '**********'
spadmin config set server -p sa -m web -n ldap_search_filter -v '(memberOf=cn=xxx,ou=people,dc=example,dc=com)'
spadmin config set server -p sa -m web -n ldap_email_suffix -v '@email.com'
Sensors Analytics version < 1.14
monitor_tools set_config -t server -m web -n ldap_type -v 'AdLDAP'
monitor_tools set_config -t server -m web -n ldap_url -v 'ldap://10.XXX.XXX.XXX:389/'
monitor_tools set_config -t server -m web -n ldap_account_pattern -v 'sAMAccountName=${username}'
monitor_tools set_config -t server -m web -n ldap_base_dn -v 'ou=Members,DC=sensorsdata-inc,DC=cn'
monitor_tools set_config -t server -m web -n bind_ldap_admin -v true
monitor_tools set_config -t server -m web -n ldap_bind_user -v 'sensorsAD'
monitor_tools set_config -t server -m web -n ldap_bind_password -v '**********'
monitor_tools set_config -t server -m web -n ldap_search_filter -v '(memberOf=cn=xxx,ou=people,dc=example,dc=com)'
monitor_tools set_config -t server -m web -n ldap_email_suffix -v '@email.com'
Configuration validation method
1. Install ldapsearch
# Run as root
yum install openldap-clients
2. View the current configuration
sbp >= 1.3.0
sbpadmin business_config getall -p sbp
sbp >= 1.1.0
spadmin config get product_global -p sbp
sca >= 0.4 or sbp 0.5+
spadmin config get server -p sbp -m web
Sensors Analytics version >= 1.14
spadmin config get server -p sa -m web
Sensors Analytics version < 1.14
monitor_tools get_config -t server -m web
3. Check the configured values with ldapsearch
# Format: ldapsearch -x -p ${port} -h ${ip} -D '${ldap_bind_user}' -w '${ldap_bind_password}' -b '${ldap_base_dn}'
ldapsearch -x -p 389 -h 10.XXX.XXX.XXX -D 'sensorsAD' -w '**********' -b 'ou=Members,DC=sensorsdata,DC=cn'
-x selects a simple bind, which is what the product uses; without it ldapsearch attempts a SASL bind and the test fails for the wrong reason. -w puts the bind password on the command line, where it lands in the shell history and is visible to other local users through ps; on a shared host use -W to be prompted for it, or -y to read it from a file.
3.1 Make sure entries are returned. Typical failures:
- Wrong IP or port: Can't contact LDAP server (-1)
- Wrong bind account or password: Invalid credentials (49)
- Wrong DC part of ldap_base_dn: error containing DSID-031007F9
- Wrong OU part of ldap_base_dn: error containing DSID-03100241
4. Make sure the account lookup condition matches
Replace ${username} in ldap_account_pattern with a real login name and pass the result as the search filter:
# Format: ldapsearch -x -p ${port} -h ${ip} -D '${ldap_bind_user}' -w '${ldap_bind_password}' -b '${ldap_base_dn}' '${ldap_account_pattern}'
ldapsearch -x -p 389 -h 10.XXX.XXX.XXX -D 'sensorsAD' -w '**********' -b 'ou=Members,DC=sensorsdata,DC=cn' 'sAMAccountName=myUsername'
If ldap_search_filter is set, the login has to satisfy it as well, so also test the combined filter, e.g. '(&(sAMAccountName=myUsername)(memberOf=cn=xxx,ou=people,dc=example,dc=com))'.
If the filter condition is wrong, no entry is returned.
5. Verify login with the Sensors command
# Applies to SBP 0.6+
sbpadmin debug ldap -u 'USERNAME' -p 'PASSWORD'
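The following script is an added example, not part of the Sensors Analytics tooling. It rebuilds in plain shell the search that the LDAP login performs from the items on this page: it escapes the login name before substituting it into ldap_account_pattern (so a name such as x)(objectClass=* cannot change the condition), ANDs the result with ldap_search_filter, shows the account name ldap_email_suffix produces, and then runs the ldapsearch checks of steps 3 and 4 in order, reading the bind password from a file rather than the command line. The LDAP_* variable names, their placeholder defaults, and the assumption that ldap_search_filter may be written with or without outer parentheses are mine, not the product's.

```shell
#!/bin/sh
# Added example (not Sensors Analytics' own tooling): reproduce the LDAP
# account search from the configuration items on this page and run the
# validation steps with ldapsearch (openldap-clients).  All LDAP_* values
# below are placeholders / assumptions; replace them with your own.

# Escape a login name for use inside an LDAP filter (RFC 4515).  Without
# this, a name such as '*' or 'x)(objectClass=*' rewrites the search
# condition instead of matching one account.  Backslash is replaced first
# so the escapes inserted afterwards are not escaped again.  (NUL cannot
# occur in a shell string, so it is not handled here.)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Substitute the escaped name for ${username} in ldap_account_pattern,
# e.g. 'sAMAccountName=${username}' (AdLDAP) or 'uid=${username}' (OpenLDAP).
account_condition() {  # $1 = ldap_account_pattern, $2 = login name
    _ph='${username}'
    case $1 in
        *"$_ph"*) ;;
        *) echo "ldap_account_pattern has no \${username} placeholder" >&2; return 1 ;;
    esac
    _pre=${1%%"$_ph"*}
    _post=${1#*"$_ph"}
    printf '%s%s%s' "$_pre" "$(ldap_escape "$2")" "$_post"
}

# AND the account condition with ldap_search_filter.  The examples on this
# page write the filter both with and without outer parentheses; assume
# either form is accepted and normalise to the parenthesised form.
search_filter() {  # $1 = account condition, $2 = ldap_search_filter (may be empty)
    _acct="($1)"
    case $1 in \(*\)) _acct=$1 ;; esac
    [ -n "$2" ] || { printf '%s' "$_acct"; return 0; }
    _extra="($2)"
    case $2 in \(*\)) _extra=$2 ;; esac
    printf '(&%s%s)' "$_acct" "$_extra"
}

# Account name Sensors uses after login when ldap_email_suffix is set.
sensors_account() {  # $1 = login name, $2 = ldap_email_suffix (may be empty)
    printf '%s%s' "$1" "$2"
}

# Validation steps 3 and 4 in order: connect and bind, read the base DN
# entry, then run the real account search.  The bind password is read from
# a file with -y instead of being passed with -w, which would leave it in
# the shell history and expose it to every local user through ps.
ldap_validate() {  # $1 = login name to look up; uses the LDAP_* variables
    ldapsearch -x -H "$LDAP_URL" -D "$LDAP_BIND_USER" -y "$LDAP_PASS_FILE" \
        -b "$LDAP_BASE_DN" -s base '(objectClass=*)' dn >/dev/null \
        || { echo "bind or base DN lookup failed: check ldap_url, bind account, ldap_base_dn" >&2; return 1; }
    _cond=$(account_condition "$LDAP_ACCOUNT_PATTERN" "$1") || return 1
    _filter=$(search_filter "$_cond" "$LDAP_SEARCH_FILTER")
    echo "search filter: $_filter"
    echo "Sensors account name: $(sensors_account "$1" "$LDAP_EMAIL_SUFFIX")"
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$LDAP_BIND_USER" -y "$LDAP_PASS_FILE" \
        -b "$LDAP_BASE_DN" "$_filter" dn
}

# Placeholder settings (assumptions).  The checks only run when LDAP_URL is
# set, e.g.:  LDAP_URL=ldap://10.0.0.1:389/ LDAP_PASS_FILE=/root/.ldap_pw sh ldap_check.sh
if [ -n "${LDAP_URL:-}" ]; then
    : "${LDAP_PASS_FILE:?path to a file containing ldap_bind_password}"
    : "${LDAP_BIND_USER:=sensorsAD}"
    : "${LDAP_BASE_DN:=ou=Members,DC=sensorsdata,DC=cn}"
    if [ -z "${LDAP_ACCOUNT_PATTERN:-}" ]; then LDAP_ACCOUNT_PATTERN='sAMAccountName=${username}'; fi
    : "${LDAP_SEARCH_FILTER:=}"
    : "${LDAP_EMAIL_SUFFIX:=}"
    ldap_validate "${LDAP_TEST_USER:-myUsername}"
fi
```

The password file given to -y should be readable only by the account running the check (chmod 600). The first ldapsearch uses a base-scope search of ldap_base_dn itself, which separates a bad URL, bad bind credentials or a bad base DN from a bad account filter before the real search is attempted.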
Restart Web
After the test succeeds, restart the web module for the configuration to take effect:
sca >= 0.4 or sbp 0.5+
spadmin restart -m web -p sbp
Sensors Analytics version < 1.14
sa_admin restart -m web
Sensors Analytics version >= 1.14
spadmin restart -m web -p sa
Synchronize user information from the LDAP domain to Sensors (SBP >= 1.1.0)
SBP >= 1.1.0: user attributes can be read from the LDAP domain at login and synchronized to the Sensors system.
1. View the user's attributes in the LDAP domain
# Applies to SBP 1.1.0+
sbpadmin debug ldap -u 'USERNAME' -p 'PASSWORD' -d
2. Configure the attribute mapping based on the user attributes in the LDAP domain
User information is synchronized from the LDAP domain to the Sensors system at login. Currently supported: user name, phone number and email.
SBP >= 1.4.0: additionally supports the account name (the username field). Use case: associating an LDAP login with an existing Sensors account through an LDAP attribute. The attribute mapped to username decides which existing Sensors account a login is matched to, so it must be unique across the directory and must not be editable by the end users themselves.
sbp >= 1.4.0
# Configured as key-value pairs. The keys userCname, phone, email and username correspond to the user's name, phone number, email and account name and cannot be changed. user_cname_field, phone_field and email_field are the user attribute fields in the LDAP domain. In this example, Sensors accounts created through LDAP login use the email from the LDAP attributes as the account name.
sbpadmin business_config set -p sbp -k ldap_user_mapping_map -v "{\"userCname\":\"user_cname_field\",\"phone\":\"phone_field\",\"email\":\"email_field\",\"username\":\"email_field\"}"
sbp >= 1.3.0
sbpadmin business_config set -p sbp -k ldap_user_mapping_map -v "{\"userCname\":\"user_cname_field\",\"phone\":\"phone_field\",\"email\":\"email_field\"}"
sbp >= 1.1.0
# Applies to SBP 1.1.0+; configuration example:
spadmin config set product_global -p sbp -n ldap_user_mapping_map -v "{\"userCname\":\"user_cname_field\",\"phone\":\"phone_field\",\"email\":\"email_field\"}"
Description: configured as key-value pairs, where userCname, phone and email correspond to the user's name, phone number and email respectively and cannot be changed; user_cname_field, phone_field and email_field are the user attribute fields in the LDAP domain.