What are some of the guidelines for LDAP Authentication within Yellowfin?

Yellowfin can be connected to an LDAP source for authentication and group management purposes.

This allows Yellowfin access to be controlled externally and organization wide simply and quickly. Yellowfin has the option to reference an external directory (LDAP/Active Directory) or database to perform authentication of an entered user id. 

LDAP Authentication is merely a "wrapper" for a Yellowfin user. So when a LDAP user first attempts to logon a user will be created in Yellowfin, to match the LDAP user. So, before a user's initial logon, Yellowfin will not know about the user.

Without LDAP Single-Sign-On , (link to SSO post) this means that a user will have the same user id and password across all participating applications that use the directory. In addition, removal / lockout of the user on the directory will automatically flow through to Yellowfin, hence minimizing the manual effort to manage users.

Users will also use their existing intranet password for Yellowfin authentication and reports can be given access restrictions which include or exclude users in specific LDAP groups.

Whenever the user attempts to login, it will always authenticate (bind) against the LDAP server before allowing access to Yellowfin. So no password is stored for a LDAP user in Yellowfin. Removing or suspending an LDAP account will stop the user from being able to login to Yellowfin, as a bind will fail.

When a user first logs in, group definitions will be flattened to see if that user is a member of any LDAP groups that are mapped to Yellowfin groups.

2 background tasks will poll the LDAP groups (by default - each night), to see if the LDAP group definitions have changed, and synchronizing the Yellowfin group definitions accordingly. Another background task will check to see if an LDAP user has been deleted, if they have, it will remove that user from Yellowfin.

When the user first logs into Yellowfin, they are give the default role (as they are newly created YF users).
You must then modify/update their Yellowfin user account to give them the permissions/access you want.
However you can also specify the users role within their profile , so they are assigned the relevant role upon initial login.

It is expected you have: 

  1. Created a Yellowfin User (or specify an existing user) within the LDAP to allow Yellowfin to connect and search for users and groups. 
  2. Ensured network connectivity between the Yellowfin server and the LDAP server

Please see the posts below for more information.

Related posts:

If you are receiving errors, or having issues setting this up, please email

support@yellowfin.com.au

Is article helpful?