Mapping the User Roles

The roles that an external user has in JasperReports Server are based on the static groups to which the user belongs in LDAP. The server performs a second search in the LDAP directory to determine any user roles. The mapping defines the location of the group definitions in LDAP, how to find the groups to which the user belongs, and any transformation of the group name for use in the server as a role name.

The mapping for user roles is configured in a bean of the class DefaultLdapAuthoritiesPopulator, itself part of the configuration of the ldapAuthenticationProvider bean.

Some LDAP servers support other user-grouping mechanisms, such as nsrole in the Sun Directory Server. These mechanisms can be mapped into JasperReports Server roles through the configuration parameters below, by extending the DefaultLdapAuthoritiesPopulator class, or a combination of both. Such configurations are beyond the scope of this guide.

To configure the mapping for user roles in sample-applicationContext-externalAuth-LDAP[-mt].xml, locate DefaultLdapAuthoritiesPopulator, the second constructor argument of ldapAuthenticationProvider, and specify the following information:

constructor-arg index="1" – An optional branch DN where group entries are located. If not specified, the search covers your entire LDAP directory starting from the base DN.
groupRoleAttribute property – The attribute whose value is mapped to the name of the JasperReports Server role. Often, this is the cn attribute that gives the name of the role in the RDN of the group entry. However, it could be any attribute, for example a custom attribute named Jaspersoft Role Name that is defined by a custom LDAP schema.
groupSearchFilter property – A group search filter that locates entries representing groups to which the user belongs. For static groups, this filter should detect entries with the groupofuniquename object class and with a uniqueMember value that matches the DN found by the user search. You can use the following parameters:
     {0} represents the full DN of the user entry.
     {1} represents the username.
searchSubtree property – Whether or not the search should extend to all subtrees beneath the branch DN, or beneath the base DN when no branch DN is specified.

Spring Security supports additional properties; see the Spring Security 2.0 documentation for more information.

All users, both internal and external users, are automatically assigned ROLE_USER by default. Therefore, you never need to create or map this role in your LDAP directory.

The following example shows the syntax of the constructor arguments and properties:

<bean id="ldapAuthenticationProvider"
  <constructor-arg> ...
    <bean class="
      <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
      <!-- optional branch DN for roles -->
      <constructor-arg index="1"><value></value></constructor-arg>
      <property name="groupRoleAttribute"><value>cn</value></property>
      <property name="groupSearchFilter"><value>
      <property name="searchSubtree"><value>true</value></property>

You must be careful when defining the properties for mapping user roles. The search for groups in the LDAP directory must not cause an error, otherwise the entire login will fail. For example, if you specify a branch DN that does not exist, the search will cause an error, and users will be unable to login. A successful search that returns no results will allow users to login, but without having the intended roles.

After the mapping has determined the role names given to the external user in JasperReports Server, there are two cases:

In the community edition that does not have the organization architecture, the roles are synchronized with existing roles and assigned to the user. Synchronization creates the roles internally if they don’t exist, as described in Synchronization of Roles.
In commercial editions, which have the organization architecture, the external user and roles are assigned to an organization that is either the default single organization or an organization that is mapped from the DN of the LDAP user. Organization mapping is described in the next section.

If you intend for one of the mapped roles to indicate administrator privileges, you must explicitly map it to the system roles, as described in Mapping Roles to System Roles. Otherwise, all mapped roles are created in the mapped organization.