Sync users and groups from LDAP
Use this procedure to synchronize your ThoughtSpot system with an LDAP server through Active Directory.
|You must add any new email domains to a list of allowed domains. If you do not add the new domains, the sync script cannot process the new users and groups.|
Before synchronizing users and groups, set up integration with LDAP using Active Directory. Then, collect the following information:
- IP address, port
IP address and port of the server where your ThoughtSpot instance is running.
This hostport must be in the following format:
Administrator login username and password for your ThoughtSpot instance.
URL of the LDAP server, or hostport.
Login username and password for the LDAP system.
Distinguished Name (DN) for the base to start searching for users in the LDAP system. For example,
- Synchronization script
The Python synchronization script, in case you want to modify it or create your own, is in the following directory:
Fetch users and groups from LDAP with Active Directory
There are two ways for you to fetch users and groups from LDAP and populate them into your ThoughtSpot system:
Run the synchronization script in interactive mode, which walks you through the process (shown here).
Create your own Python script by using the ThoughtSpot Python APIs.
If you need details on the Python APIs, contact ThoughtSpot Support.
If you choose this method, you can run the script periodically using a cron job.
When you run the synchronization script, you perform a one-time sync. You must schedule a recurring sync using a cron job or your own scheduling tool to keep your ThoughtSpot users consistent with users in LDAP.
Run the sync script
To run the LDAP sync script in interactive mode, follow these steps:
Log in to the Linux shell using SSH.
Run the command to start the script:
python3 syncUsersAndGroups.py interactive
Answer the prompts using the information you collected above. Specify
scopeif you would like to sync all groups, including subgroups.
Complete URL of TS server in format "http(s)://<host>:<port>": http://10.77.145.24:8088 Disable SSL authentication to TS server (y/n): y Login username for ThoughtSpot system: admin Login password for ThoughtSpot system: 12345 Complete URL of server where LDAP server is running in format ldap(s)://<host>:<port>: ldap://192.168.2.48:389 Login username for LDAP system: firstname.lastname@example.org Login password for LDAP system: 12345 Syncs user and groups between LDAP and TS systems (y/n): y Delete entries in ThoughtSpot system that are not currently in LDAP tree being synced (y/n): n Distinguished name for the base to start searching groups in LDAP System: DC=ldap,DC=thoughtspot,DC=com Scope to limit the search to (choice number) 0:base Searching only the entry at the base DN 1:one Searching all entries on level under the base DN - but not including the base DN 2:tree Searching of all entries at all levels under and including the specified base DN: 2
Answering this prompt is optional. If left blank, the system uses the default value
Filter string to apply to the search: `(|(CN=TestGroupAlpha)(CN=TestGroupBeta))`
The following prompt asks if you would like to include group members even if they do not belong to the current sub tree that is being synced:
Apply sync recursively, i.e. Iterates through group members and creates member groups, users and relationships in a recursive way. (y/n): n
Alternatively, you can add your own shorthand script commands:
Issue the Python script commands, supplying all this information, following this format example:
python3 syncUsersAndGroups.py script \ –-ts_hostport <ts_hostport> \ --disable_ssl \ --ts_uname <ts_username> \ --ts_pass <ts_password> \ --ldap_hostport '<ldap_hostport>' \ --ldap_uname '<ldap_username>' \ --ldap_pass '<ldap_password>' \ --sync \ --purge \ --basedn 'DC=ldap,DC=thoughtspot,DC=com' \ --filter_str '(|(CN=TestGroupAlpha)(CN=TestGroupBeta))' \ --include_nontree_members \ --user_identifier <user_identifier> \ --authdomain_identifier <authdomain_identifier> \ --email_identifier <email_identifier>
The bottom half of the preceding command targets subtrees under the DC called TestGroupAlpha and TestGroupBeta, and iterates through them recursively to create/sync users, groups, and their relationships in the ThoughtSpot system.
It also deletes any other entities created in the ThoughtSpot system from this LDAP system that are not currently being synced.
When the ThoughtSpot search engine finishes indexing, your new users should appear in the ThoughtSpot application. To check if the ThoughtSpot search engine is indexing, run the following command:
tscli cluster status
Command-line switches for
Note the command-line switches available to use with the
syncUsersAndGroups python script.
ThoughtSpot cluster host port. Default port is
Controls the communication between the sync script and the ThoughtSpot cluster. It disables SSL communications between the script and the cluster ONLY. The purpose of this is to create users and groups without the necessity of SSL certs during the execution of the script.
ThoughtSpot cluster username. The
adminusername is common.
ThoughtSpot cluster password.
AD/LDAP server port that is queried. Default is
Specifies if you are using Active Directory (AD) or OpenLdap.
The default is
Username for the LDAP/AD server.
Password for the LDAP/AD server.
Syncs users and groups that match the
filter_strqueries to the ThoughtSpot cluster.
Purges any users or groups that exist in ThoughtSpot, but not in AD or OpenLdap.
Purges any users that exist in ThoughtSpot, but not in AD or OpenLdap.
Purges any groups that exist in ThoughtSpot, but not in AD or OpenLdap.
Place in the directory that is searched for users.
Further filter results from the base DN.
Includes group members from LDAP/AD, even if they do not belong to the current subtree, which is being synced.
User name identifier key for creating users or sync.
Override domain name to append to the user identifier in the user name.
Email identifier key for creating users or sync.
Provides additional logs in case of failure or other errors.
Provide the member string for AD or OpenLdap.
Thd default is
Upserts groups during sync. By default, this script only inserts, but does not update.
Upserts users during sync. By default, this script only inserts, but does not update.