Mapping Roles to System Roles

When the organization mapping is complete, synchronization invokes mtExternalUserSetupProcessor to create the external user and roles in that organization. JasperReports Server includes an additional mapping of roles to system roles so that you can grant administrator privileges to your external users. Using this feature, LDAP entries belonging to custom groups can be granted system or organization admin roles in JasperReports Server.

There are two different ways of doing this:

1. The mtExternalUserSetupProcessor bean can be configured with organizationRoleMap to map between external and internal roles. The processor checks whether the user has an external role that matches a map entry key. If the user has that role, the processor assigns the user the internal role in the map entry value instead of the external role in the key.
2. If LDAP is not the sole means of authentication, a site superuser or an organization administrator (jasperadmin) can log in to JasperReports Server via the login screen (<host:port>/jasperserver-pro/login.html) in order to assign internal JasperReports Server administrator roles to external users manually. This is possible because ldapAuthenticationManager has an internal daoAuthenticationProvider in its list of providers. When ldapAuthenticationProvider fails, daoAuthenticationProvider tries to authenticate the user against the internal JasperReports Server database.
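The following Spring bean fragment is an added example of the first approach, not text from the original page or from the product's shipped configuration files; the class name, the external group role ROLE_ADMIN_EXTERNAL_ORGANIZATION and the parent bean reference are assumptions that must be checked against your own applicationContext-externalAuth-LDAP.xml.

```xml
<!-- Assumed bean definition: only the organizationRoleMap property is the point here. -->
<bean id="mtExternalUserSetupProcessor"
      class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTExternalUserSetupProcessor"
      parent="abstractExternalProcessor">

    <!-- Roles every successfully authenticated LDAP user receives. -->
    <property name="defaultInternalRoles">
        <list>
            <value>ROLE_USER</value>
        </list>
    </property>

    <!-- Key = external (LDAP-derived) role, value = internal JasperReports Server role
         that replaces it. Keep the key tied to a narrowly defined LDAP group: anyone
         the LDAP mapping places in that group becomes an administrator. -->
    <property name="organizationRoleMap">
        <map>
            <!-- Constructed example: members of an LDAP admin group become organization admins. -->
            <entry>
                <key>
                    <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value>
                </key>
                <value>ROLE_ADMINISTRATOR</value>
            </entry>
        </map>
    </property>
</bean>
```

Mapping a key to ROLE_SUPERUSER instead grants system-wide administration, so restrict that entry to a group whose LDAP membership is reviewed.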

One practical consequence of external administrator role mapping is that LDAP authentication can be used exclusively. When properly set up, you can have external users who are system or organization administrators, so you no longer need the superuser and jasperadmin users. However, you must ensure that every organization has an LDAP user mapped to the organization with the correct attributes to have organization admin privileges.

Administrators of your LDAP server cannot log into JasperReports Server using their LDAP administrator credentials.

In most LDAP servers, users and administrators are stored in different base DNs. For example, you might store user entries in dc=example,dc=com, but administrators are stored under cn=Administrators,cn=config or ou=system. The mechanism for locating users during authentication can only search in a single base DN, and therefore administrators in a different one cannot be found.