Sync users and groups from LDAP

Use this procedure to synchronize your ThoughtSpot system with an LDAP server through Active Directory.

You must add any new email domains to a list of allowed domains. If you do not add the new domains, the sync script cannot process the new users and groups.

Prerequisites

Before synchronizing users and groups, set up integration with LDAP using Active Directory. Then, collect the following information:

IP address, port

IP address and port of the server where your ThoughtSpot instance is running.

This hostport must be in the following format:

http(s)://<host>:<port> or http(s)://<domain>

Administrator

Administrator login username and password for your ThoughtSpot instance.

URL

URL of the LDAP server, or hostport.

For example, ldap://192.168.2.48:389

Username/password

Login username and password for the LDAP system.

An example username would be moo_100@ldap.thoughtspot.com.

DN

Distinguished Name (DN) for the base to start searching for users in the LDAP system. For example,

DC=ldap,DC=thoughtspot,DC=com

Synchronization script

The Python synchronization script, in case you want to modify it or create your own, is in the following directory:

/usr/local/scaligent/release/callosum/utilities/ldap_sync_python_api/syncUsersAndGroups.py

Fetch users and groups from LDAP with Active Directory

There are two ways for you to fetch users and groups from LDAP and populate them into your ThoughtSpot system:

  • Run the synchronization script in interactive mode, which walks you through the process (shown here).

  • Create your own Python script by using the ThoughtSpot Python APIs.

    If you need details on the Python APIs, contact ThoughtSpot Support.

    If you choose this method, you can run the script periodically using a cron job.

Either way, a single run of the synchronization script is a one-time sync. Schedule a recurring run with a cron job or your own scheduling tool to keep the users and groups in ThoughtSpot consistent with those in LDAP.

Run the sync script

To run the LDAP sync script in interactive mode, follow these steps:

  1. Log in to the Linux shell using SSH.

  2. From the directory that contains the script (see Synchronization script above), run the command to start it in interactive mode:

     python3 syncUsersAndGroups.py interactive
  3. Answer the prompts using the information you collected above. Choose scope 2 (tree) to sync all groups at every level under the base DN, including subgroups.

    For example:

     Complete URL of TS server in format "http(s)://<host>:<port>": http://10.77.145.24:8088
     Disable SSL authentication to TS server (y/n): y
     Login username for ThoughtSpot system: admin
     Login password for ThoughtSpot system: 12345
     Complete URL of server where LDAP server is running in format ldap(s)://<host>:<port>: ldap://192.168.2.48:389
     Login username for LDAP system: moo_100@ldap.thoughtspot.com
     Login password for LDAP system: 12345
     Syncs user and groups between LDAP and TS systems (y/n): y
     Delete entries in ThoughtSpot system that are not currently in LDAP tree being synced (y/n): n
     Distinguished name for the base to start searching groups in LDAP System: DC=ldap,DC=thoughtspot,DC=com
     Scope to limit the search to (choice number)
     0:base Searching only the entry at the base DN
     1:one Searching all entries on level under the base DN - but not including the base DN
     2:tree Searching of all entries at all levels under and including the specified base DN: 2

    Answering the filter prompt is optional. If you leave it blank, the script uses the default value '(CN=*)', which matches every entry under the base DN, so restrict it whenever you also choose to delete entries that are not in the synced tree:

     Filter string to apply to the search: (|(CN=TestGroupAlpha)(CN=TestGroupBeta))

    The following prompt asks if you would like to include group members even if they do not belong to the current sub tree that is being synced:

    Apply sync recursively, i.e. Iterates through group members and creates member groups, users and relationships in a recursive way. (y/n): n
  4. Alternatively, run the script non-interactively in script mode, supplying the same information as command-line switches. This is the form to use from cron or your own scheduler:

     python3 syncUsersAndGroups.py script \
     --ts_hostport <ts_hostport> \
     --disable_ssl \
     --ts_uname <ts_username> \
     --ts_pass <ts_password> \
     --ldap_hostport '<ldap_hostport>' \
     --ldap_uname '<ldap_username>' \
     --ldap_pass '<ldap_password>' \
     --sync \
     --purge \
     --basedn 'DC=ldap,DC=thoughtspot,DC=com' \
     --filter_str '(|(CN=TestGroupAlpha)(CN=TestGroupBeta))' \
     --include_nontree_members \
     --user_identifier <user_identifier> \
     --authdomain_identifier <authdomain_identifier> \
     --email_identifier <email_identifier>

    The --basedn and --filter_str switches in the preceding command restrict the search to the groups named TestGroupAlpha and TestGroupBeta under DC=ldap,DC=thoughtspot,DC=com. With --include_nontree_members, the script follows the members of those groups even when they sit outside that subtree, and creates or syncs the users, groups, and their relationships in the ThoughtSpot system.

    Because --purge is present, the command also deletes any users and groups that this LDAP system previously created in ThoughtSpot but that the current base DN and filter no longer return. Run the command without --purge first and check the result before adding it: narrowing the filter on a later run removes everything that now falls outside it.

    Passwords given as switches are visible in your shell history and, while the script runs, in the process listing of the host. Prefer interactive mode for manual runs, and for scheduled runs keep the command in a script that only the scheduling account can read.

  5. When the ThoughtSpot search engine finishes indexing, your new users should appear in the ThoughtSpot application. To check if the ThoughtSpot search engine is indexing, run the following command:

    tscli cluster status
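The following is an added example, not code from ThoughtSpot or from the sync script itself. It wraps the script-mode command from step 4 for the scheduled runs mentioned above: it builds the --filter_str value from a list of group names with RFC 4515 escaping (so a group name containing *, ( or ) cannot widen the match), reads the two passwords from owner-only files instead of embedding them in the crontab, assembles the argument list without going through a shell, and logs the command with the passwords masked. The script path and switch names are the ones documented on this page; the host names, the service account, the base DN, the ldaps port and the secret-file layout under /etc/thoughtspot-ldap-sync are assumptions for the example.

```python
"""Added example: assemble a safe script-mode run of syncUsersAndGroups.py.
Not ThoughtSpot's code. SYNC_SCRIPT and the switch names come from the
documentation; hosts, accounts and the secret-file layout are assumed."""
import shlex
import subprocess
from pathlib import Path
from typing import Iterable, List

SYNC_SCRIPT = ("/usr/local/scaligent/release/callosum/utilities/"
               "ldap_sync_python_api/syncUsersAndGroups.py")

# RFC 4515 escaping for values placed inside an LDAP search filter. Without
# it a group name such as "*" or "Ops)(CN=*" matches far more than one CN.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_names: Iterable[str]) -> str:
    """Return an OR filter over CN=<name>, e.g. (|(CN=Alpha)(CN=Beta))."""
    names = [n for n in group_names if n]
    if not names:
        # An empty filter falls back to the script default (CN=*), which
        # combined with --purge touches every entry under the base DN.
        raise ValueError("at least one group name is required")
    clauses = "".join(f"(CN={escape_filter_value(n)})" for n in names)
    return clauses if len(names) == 1 else f"(|{clauses})"


def read_secret(path: str) -> str:
    """Read a password from a file readable only by its owner (mode 0600)."""
    p = Path(path)
    if p.stat().st_mode & 0o077:
        raise PermissionError(f"{path} is readable by group/other; expected 0600")
    return p.read_text(encoding="utf-8").strip()


def build_sync_argv(ts_hostport: str, ts_uname: str, ts_pass: str,
                    ldap_hostport: str, ldap_uname: str, ldap_pass: str,
                    basedn: str, group_names: Iterable[str], *,
                    purge: bool = False, disable_ssl: bool = False,
                    include_nontree_members: bool = True,
                    upsert: bool = True) -> List[str]:
    """Build argv for 'syncUsersAndGroups.py script' as a list, so no shell
    quoting is involved and the filter string passes through verbatim."""
    argv = ["python3", SYNC_SCRIPT, "script",
            "--ts_hostport", ts_hostport,
            "--ts_uname", ts_uname, "--ts_pass", ts_pass,
            "--ldap_hostport", ldap_hostport,
            "--ldap_uname", ldap_uname, "--ldap_pass", ldap_pass,
            "--sync",
            "--basedn", basedn,
            "--filter_str", build_group_filter(group_names)]
    if disable_ssl:  # only for a cluster that has no valid certificate
        argv.append("--disable_ssl")
    if include_nontree_members:
        argv.append("--include_nontree_members")
    if upsert:  # the script is insert-only unless told to upsert
        argv += ["--upsert_user", "--upsert_group"]
    if purge:  # deletes ThoughtSpot entries the query no longer returns
        argv.append("--purge")
    return argv


def redact(argv: List[str], secrets: Iterable[str]) -> str:
    """Shell-quoted command line with the passwords masked, for logging."""
    hidden = set(secrets)
    return " ".join("<redacted>" if a in hidden else shlex.quote(a) for a in argv)


def run_sync(argv: List[str], secrets: Iterable[str], dry_run: bool = True) -> int:
    """Log the redacted command; execute it only when dry_run is False."""
    print(redact(argv, secrets))
    if dry_run:
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Hypothetical secret-file layout; adapt it to your own secret store.
    ts_pass = read_secret("/etc/thoughtspot-ldap-sync/ts.pass")
    ldap_pass = read_secret("/etc/thoughtspot-ldap-sync/ldap.pass")
    argv = build_sync_argv(
        ts_hostport="https://ts.example.internal:8088",
        ts_uname="admin", ts_pass=ts_pass,
        ldap_hostport="ldaps://ldap.example.internal:636",
        ldap_uname="svc_tssync@ldap.example.internal", ldap_pass=ldap_pass,
        basedn="DC=ldap,DC=example,DC=internal",
        group_names=["TestGroupAlpha", "TestGroupBeta"],
        purge=False,  # enable only after reviewing a run without it
    )
    raise SystemExit(run_sync(argv, {ts_pass, ldap_pass}, dry_run=True))
```

Run the wrapper from cron as the account that owns the two secret files, with dry_run set to False once the logged command looks right. The script still receives the passwords through --ts_pass and --ldap_pass, so they are visible in the process listing for the duration of the run; the files keep them out of the crontab and shell history, which is the part you control here.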

Command-line switches for syncUsersAndGroups.py

Note the command-line switches available to use with the syncUsersAndGroups python script.

--ts_hostport <ts_hostport>

ThoughtSpot cluster host and port, in the form http(s)://<host>:<port>. The default port is 8088.

--disable_ssl

Disables SSL for the connection between the sync script and the ThoughtSpot cluster only; it does not affect the connection to the LDAP server. Its purpose is to let you create users and groups on a cluster that does not yet have SSL certificates. With this switch, the ThoughtSpot login credentials and the synced user data travel unprotected between the script and the cluster, so use it only when the script runs on the cluster itself or on a trusted network.

--ts_uname

ThoughtSpot cluster username. This is normally an administrator account, because creating users and groups requires administrator privileges.

--ts_pass

ThoughtSpot cluster password.

--ldap_hostport

AD/LDAP server host and port that is queried, in the form ldap(s)://<host>:<port>. The default port is 389, which is plaintext LDAP; use an ldaps:// URL so the LDAP bind credentials are not sent in the clear.

--ldap_type

Specifies whether the directory is Active Directory (AD) or OpenLDAP. The default is AD.

--ldap_uname

Username for the LDAP/AD server.

--ldap_pass <ldap_password>

Password for the LDAP/AD server.

--sync

Syncs users and groups that match the basedn and filter_str query to the ThoughtSpot cluster.

--purge

Deletes any users or groups that exist in ThoughtSpot but are not returned by the current basedn and filter_str query against AD or OpenLDAP. Check the result of a run without this switch before adding it.

--purge_users

As --purge, but deletes only users.

--purge_groups

As --purge, but deletes only groups.

--basedn

Base DN at which the search for users and groups starts, for example DC=ldap,DC=thoughtspot,DC=com.

--filter_str

LDAP search filter applied under the base DN, for example (|(CN=TestGroupAlpha)(CN=TestGroupBeta)). The default is (CN=*), which matches every entry under the base DN.

--include_nontree_members

Includes group members from LDAP/AD even when they do not belong to the subtree currently being synced.

--user_identifier <user_identifier>

Key of the LDAP attribute whose value is used as the user name when creating or syncing users.

--authdomain_identifier <authdomain_identifier>

Domain name appended to the user identifier to form the ThoughtSpot user name, overriding the domain that would otherwise be used.

--email_identifier <email_identifier>

Key of the LDAP attribute whose value is used as the email address when creating or syncing users.

--debug

Provides additional logs in case of failure or other errors.

--member_str

Name of the group membership attribute in AD or OpenLDAP. The default is member.

--upsert_group

Upserts groups during sync. By default, this script only inserts, but does not update.

--upsert_user

Upserts users during sync. By default, this script only inserts, but does not update.