Yellowfin can be connected to an LDAP source for authentication and group management purposes.
This allows Yellowfin access to be controlled externally and organization-wide, simply and quickly. Yellowfin has the option to reference an external directory (LDAP/Active Directory) or database to perform authentication of an entered user id.
LDAP authentication is merely a "wrapper" for a Yellowfin user: when an LDAP user first attempts to log on, a user is created in Yellowfin to match the LDAP user. Before a user's initial logon, Yellowfin will not know about the user.
Without LDAP Single Sign-On, this means that a user will have the same user id and password across all participating applications that use the directory. In addition, removal or lockout of the user on the directory will automatically flow through to Yellowfin, minimizing the manual effort to manage users.
Users will also use their existing intranet password for Yellowfin authentication, and reports can be given access restrictions which include or exclude users in specific LDAP groups.
Whenever the user attempts to log in, Yellowfin will always authenticate (bind) against the LDAP server before allowing access. No password is stored for an LDAP user in Yellowfin. Removing or suspending an LDAP account will stop the user from being able to log in to Yellowfin, as the bind will fail.
When a user first logs in, group definitions will be flattened to see if that user is a member of any LDAP groups that are mapped to Yellowfin groups.
Two background tasks poll the LDAP groups (by default, each night) to see whether the LDAP group definitions have changed, and synchronize the Yellowfin group definitions accordingly. Another background task checks whether an LDAP user has been deleted; if so, it removes that user from Yellowfin.
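The group flattening and the scheduled group synchronization described above can be pictured with the following added example, which is not Yellowfin's code. It works on a constructed in-memory directory instead of a real LDAP server; the DNs, the Yellowfin group names and every function name are assumptions made for illustration.

```python
# Added illustration only: constructed data, no LDAP connection, not Yellowfin code.
BASE = "dc=example,dc=com"  # hypothetical directory suffix

def user(uid): return f"uid={uid},ou=people,{BASE}"
def group(cn): return f"cn={cn},ou=groups,{BASE}"

# LDAP group DN -> member DNs; a member may be a user or another group.
LDAP_GROUPS = {
    group("bi-admins"): {user("alice")},
    group("finance"): {user("bob"), group("finance-emea")},
    group("finance-emea"): {user("carol"), group("finance")},  # deliberate cycle
}
# LDAP group DN -> Yellowfin group name (hypothetical names).
GROUP_MAP = {group("bi-admins"): "Administrators",
             group("finance"): "Finance Reports"}

def flatten(group_dn, directory, _seen=None):
    """Return every user DN reachable from group_dn through nested groups."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:          # already expanded: stops cycles and repeats
        return set()
    seen.add(group_dn)
    users = set()
    for member in directory.get(group_dn, ()):
        if member in directory:   # member is itself a group, so recurse
            users |= flatten(member, directory, seen)
        else:
            users.add(member)
    return users

def yellowfin_groups_for(user_dn, directory, group_map):
    """Mapped Yellowfin groups a user belongs to after flattening."""
    return {yf for dn, yf in group_map.items()
            if user_dn in flatten(dn, directory)}

def sync_plan(current, directory, group_map):
    """Diff stored membership against the directory.

    Returns {yellowfin_group: (users_to_add, users_to_remove)}.
    """
    plan = {}
    for dn, yf in group_map.items():
        wanted = flatten(dn, directory)
        have = current.get(yf, set())
        plan[yf] = (wanted - have, have - wanted)
    return plan
```

Here `carol` reaches the mapped `finance` group only through the nested `finance-emea` group, which is the case flattening exists to catch.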
When the user first logs into Yellowfin, they are given the default role (as they are newly created Yellowfin users).
You must then modify/update their Yellowfin user account to give them the permissions/access you want.
However, you can also specify the user's role within their profile, so they are assigned the relevant role upon initial login.
It is expected you have:
- Created a Yellowfin user (or specified an existing user) within the LDAP to allow Yellowfin to connect and search for users and groups.
- Ensured network connectivity between the Yellowfin server and the LDAP server.
Please see the posts below for more information.
- LDAP connection settings & provisions
- Creating LDAP Users
- Creating LDAP Groups
- Assigning roles to LDAP users
- How to setup an LDAP connection over SSL
- Assigning source filters to LDAP users who don't yet exist in the Yellowfin Database
- Changing the default scheduled task to synchronize LDAP groups & Users
If you are receiving errors, or having issues setting this up, please email