Use this procedure to synchronize your ThoughtSpot system with an LDAP server through Active Directory or OpenLDAP.

ThoughtSpot provides a script that allows you to sync your Active Directory or OpenLDAP users and groups within ThoughtSpot so you can assign the proper privileges. You can sync new users who are assigned to existing ThoughtSpot groups within Active Directory or OpenLDAP, programmatically assigning them the privileges of those groups. When you sync new groups, you must manually assign them privileges in the ThoughtSpot group administration interface.

This Active Directory or OpenLDAP sync script is not the same as LDAP authentication. However, if your SAML SSO is properly set up, and your IdP is synced with your LDAP, new AD or OpenLDAP users that you add using this script can authenticate using SAML SSO.

Prerequisites

Before synchronizing users and groups, collect the following information and materials:

  • Download the LDAP sync script from ThoughtSpot’s community tools Github repository. Modify it or create your own as necessary.

  • A computer with access to the ThoughtSpot APIs, as well as your Active Directory or OpenLDAP environment.

  • Domain or IP address and port of the server where your ThoughtSpot instance is running.

    The location of the ThoughtSpot instance must be in the following format: http(s)://<IP-address>:<port> or http(s)://<domain>.

  • Credentials (username and password) for a user with administrator privileges in the front-end for your ThoughtSpot instance.

  • URL of the LDAP server, or hostport.

    For example, ldap://<IP-address>:<port>

  • Login username and password for the LDAP system.

    An example username would be moo_100@ldap.thoughtspot.com

  • Distinguished Name (DN) for the base to start searching for users in the LDAP system.

    For example, DC=ldap,DC=thoughtspot,DC=com

  • LDAP filter string, if you would like to limit the script’s search for new or modified users and groups to a specific set. For example, (|(CN=TestGroupAlpha)(CN=TestGroupBeta))

Fetch users and groups from LDAP

There are two ways for you to fetch users and groups from LDAP and populate them into your ThoughtSpot system:

  • Run the synchronization script in interactive mode, which walks you through the process
  • Run the synchronization script in script mode, which allows you to input your own shorthand script commands

Run in interactive mode

To run the LDAP sync script in interactive mode:

  1. Run the command to start the script. You must run this command from a machine that you downloaded the script onto. The machine must also have access to your Active Directory or OpenLDAP environment.

     python3 syncUsersAndGroups.py interactive
    
  2. Answer the prompts using the information you collected above. Specify 2 for the scope if you would like to sync all groups, including subgroups. For example:

     Complete URL of TS server in format "http(s)://<domain>": http://<my_company.thoughtspot.com>
     Disable SSL authentication to TS server (y/n): y
     Login username for ThoughtSpot system: <admin_username>
     Login password for ThoughtSpot system: <admin_password>
     Complete URL of server where LDAP server is running in format ldap(s)://<host>:<port>: ldap://192.168.2.48:389
     Login username for LDAP system: moo_100@ldap.thoughtspot.com
     Login password for LDAP system: 12345
     Syncs user and groups between LDAP and TS systems (y/n): y
     Delete entries in ThoughtSpot system that are not currently in LDAP tree being synced (y/n): n
     Distinguished name for the base to start searching groups in LDAP System: DC=ldap,DC=thoughtspot,DC=com
     Scope to limit the search to (choice number)
     0:base Searching only the entry at the base DN
     1:one Searching all entries on level under the base DN - but not including the base DN
     2:tree Searching of all entries at all levels under and including the specified base DN: 2
    
     Filter string to apply the search to: (|(CN=TestGroupAlpha)(CN=TestGroupBeta))
    

    Answering this prompt is optional. If left blank, the script uses the default value of '(CN=*)'.

     Apply sync recursively, i.e. Iterates through group members and creates member groups, users and relationships in a recursive way. (y/n): n
    

    This prompt is asking if you would like to include group members even if they do not belong to the current sub tree that is being synced.

  3. To check that the sync was successful, navigate to the Admin Console in your ThoughtSpot application by selecting Admin from the top navigation bar. Select either Users or Groups. Your new users or groups should be the latest items in the list of users or groups. To view the most recently added or updated users or groups, sort by Created.

Run in script mode

To input your own shorthand script commands:

Issue the Python script commands, supplying all this information, following this format example. Refer to the syncUsersAndGroups.py command-line switches for information on each parameter.

python3 syncUsersAndGroups.py script \
–-ts_hostport <ts_hostport> \
--disable_ssl \
--ts_uname <ts_username> \
--ts_pass <ts_password> \
--ldap_hostport '<ldap_hostport>' \
--ldap_uname '<ldap_username>' \
--ldap_pass '<ldap_password>' \
--sync \
--basedn 'DC=ldap,DC=thoughtspot,DC=com' \
--filter_str '(|(CN=TestGroupAlpha)(CN=TestGroupBeta))' \
--include_nontree_members \
--user_identifier <user_identifier> \
--authdomain_identifier <authdomain_identifier> \
--email_identifier <email_identifier>

The flags from --basedn to --email_identifier target sub trees under the DC called TestGroupAlpha and TestGroupBeta, and iterate through them recursively to create/sync users, groups, and their relationships in the ThoughtSpot system.

To check that the sync was successful, navigate to the Admin Console in your ThoughtSpot application by selecting Admin from the top navigation bar. Select either Users or Groups. Your new users or groups should be the latest items in the list of users or groups. To view the most recently added or updated users or groups, sort by Created.

syncUsersAndGroups.py command-line switches

The following table provides a description of each command-line switch available for the syncUsersAndGroups python script.

Switch Description
--ts_hostport <ts_hostport> ThoughtSpot cluster host port.
--disable_ssl Controls the communication between the sync script and the ThoughtSpot cluster. It disables SSL communications between the script and the cluster ONLY, and prevents the need to provide SSL certs during the script execution in order to create users and groups.
--ts_uname ThoughtSpot admin username. Can be any front-end user with administrator privileges.
--ts_pass ThoughtSpot admin password. Must be the corresponding password for the --ts_uname, which can be any front-end user with administrator privileges.
--ldap_hostport AD/LDAP/OpenLDAP server port that is queried. Default is 389.
--ldap_uname Username for the LDAP/AD/OpenLDAP server.
--ldap_pass <ldap_password> Password for the LDAP/AD/OpenLDAP server.
--sync Syncs users and groups which match the basedn and filter_str queries to your ThoughtSpot cluster.
--purge Purges any users that exist in ThoughtSpot, but not in AD or OpenLDAP.
--basedn Place in the directory that will be searched for users.
--filter_str Further filters results from your base DN.
--include_nontree_members Includes group members from LDAP/AD/OpenLDAP even if they do not belong to the current subtree that is being synced.
--user_identifier <user_identifier> User name identifier key for user creation or sync.
--authdomain_identifier <authdomain_identifier> Override domain name to be appended to user identifier in user name.
--email_identifier <email_identifier> Email identifier key for user creation or sync.
--debug Provides additional logs in case of failure or other errors.