identityStore Entity

Tableau Server requires an identity store to store user and group information. Review Authentication and Identity Store topics before configuring the identity store for the first time. After you have installed the identity store on Tableau Server, you cannot change it without reinstalling the server.

All entity options are case sensitive.

Before you begin

Review the following information:

  • If you plan to enable OpenID Connect then you must configure the local identity store.

  • If you will not be using the local identity store, then you will be using some version of LDAP. In this case, work with your directory/LDAP administrator to configure Tableau Server for your LDAP schema and bind requirements.

  • Tableau Server configuration is optimized for Active Directory. If you are installing into Active Directory, we recommend configuring the identity store with Configure Initial Node Settings. Alternatively, if you are configuring with TSM CLI, use the LDAP - Active Directory template in this topic to configure identity store. For a full accounting of LDAP configuration options, see LDAP Configuration Reference

  • LDAP bind is independent of user authentication. For example, you can configure Tableau Server to use simple bind to authenticate to the LDAP directory and then configure Tableau Server to authenticate users with Kerberos after installation.

  • Do not connect to LDAP with simple bind over a unsecured connection. We recommend LDAPS for simple bind. See LDAP over SSL.

  • To use Kerberos authentication for the Tableau Server service, then you'll need a keytab file for GSSAPI bind, as described in the sections below. See also, Understanding Keytab Requirements. In the context of Kerberos, GSSAPI bind is all you need during the base installation of Tableau Server. After you install the server, you can then configure Kerberos for user authentication and Kerberos delegation to data sources.

  • In this topic, we make the distinction between LDAP (the protocol for connecting to directory services) and an LDAP server (an implementation of a directory service). For example, slapd is an LDAP server that is part of the OpenLDAP project.

  • We recommend validating the LDAP configuration before initializing the server, see Configure Initial Node Settings.

Use one of the configuration file templates below to create a json file. After you have filled in the options with the appropriate values, pass the json file and apply settings with the following commands:

tsm settings import -f path-to-file.json

tsm pending-changes apply

The pending-changes apply command displays a prompt to let you know this will restart Tableau Server if the server is running. The prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. For more information, see tsm pending-changes apply.

Configuration templates

Select an identity store configuration template to edit:

  • Local
  • LDAP - Active Directory
  • OpenLDAP - GSSAPI Bind
  • OpenLDAP - Simple Bind

For more explanation about configuration files, entities, and keys see Configuration File Example.

Consider using the Tableau Identity Store Configuration Tool to generate your LDAP json configuration file. The tool itself is not supported by Tableau. However, using a JSON file created by the tool instead of creating a file manually does not change the supported status of your server.

Local

Configure local as the identity store type if your organization does not already have an Active Directory or LDAP server for user authentication. When you select local as the identity store type, you use Tableau Server to create and manage users.

{
  "configEntities": {
    "identityStore": {
       "_type": "identityStoreType",
       "type": "local"
     }
   }
}			
		

Important

The LDAP configuration templates below are examples. The templates, as presented, will not configure LDAP connectivity in your organization. You must work with your directory administrator to edit the LDAP template values for a successful deployment.

Additionally, all files that are referenced in configEntities must be located on the local computer. Do not specify UNC paths.

LDAP - Active Directory

Configure this option to connect to Active Directory with GSSAPI (Kerberos) bind. Tableau Server uses the LDAP protocol to connect to Active Directory. GSSAPI (Kerberos) bind is used to authenticate Tableau Server service to Active Directory. Tableau Server includes support for Active Directory schema. Therefore, if you set the "directoryServiceType" option to "activedirectory" then you do not need to provide schema info in the "identityStoreSchemaType" option.

If you are installing Tableau Server for Linux into Active Directory, and the computer where you are installing Tableau Server is already joined to the domain, then the computer will already have a Kerberos configuration file and a keytab file. Strictly speaking, you can use these files for GSSAPI bind, but we don't recommend using them. Instead, contact your Active Directory administrator and request a keytab specifically for the Tableau Server service.

{
  "configEntities":{
    "identityStore": {
		"_type": "identityStoreType",
		"type": "activedirectory",
		"domain": "your-domain.lan",
		"nickname": "YOUR-DOMAIN-NICKNAME",
		"directoryServiceType": "activedirectory",
		"bind": "gssapi",
		"kerberosKeytab": "<path to local key tab file>",
		"kerberosConfig": "/etc/krb5.conf",
		"kerberosPrincipal": "your-principal@YOUR.DOMAIN"
		}
	}
}			

We recommend binding to Active Directory with GSSAPI. However, you can connect with simple bind and LDAPS. To connect with simple bind, change bind to simple, remove the three Kerberos entities, and add the port/sslPort, username, and password options. The following example shows Active Directory with simple bind json.

{
  "configEntities":{
	"identityStore": {
		"_type": "identityStoreType",
		"type": "activedirectory",
		"domain": "your-domain.lan",
		"nickname": "YOUR-DOMAIN-NICKNAME",
		"directoryServiceType": "activedirectory",
		"hostname": "optional-ldap-server", 
		"sslPort": "636",
		"bind": "simple",
		"username": "username",
		"password": "password"	
		}
	}
}			
		

OpenLDAP - GSSAPI bind

Use the template below to configure OpenLDAP with GSSAPI bind. Do not use this template if your organization is running Active Directory. If you are installing into Active Directory, use the template above, LDAP - Active Directory.

In most cases, organizations that use OpenLDAP with GSSAPI (Kerberos) will use a keytab file to store credentials. In the following example, a keytab file is used for authentication credentials.

However, you can provide credentials through the username and password entities.

You can also specify both a keytab and a username and password pair. In this case, Tableau Server will attempt to use the keytab, but if authentication fails for any reason it will fallback and use the username and password credentials.

{
  "configEntities":{
		"identityStore": {
			"_type": "identityStoreType",
			"type": "activedirectory",
			"domain": "your-domain.lan",
			"nickname": "YOUR-DOMAIN-NICKNAME",
			"directoryServiceType": "openldap",
			"bind": "gssapi",
			"kerberosKeytab": "<path to local key tab file>",
			"kerberosConfig": "/etc/krb5.conf",
			"kerberosPrincipal": "your-principal@YOUR.DOMAIN",
			"identityStoreSchemaType": {
			   "userBaseFilter": "(objectClass=inetOrgPerson)",
			   "userUsername": "user",
			   "userDisplayName": "displayname",
			   "userEmail": "email",
			   "userCertificate": "certificate",
			   "userThumbnail": "thumbnail",
			   "userJpegPhoto": "photo",
			   "groupBaseFilter": "(objectClass=groupofNames)",
			   "groupName": "groupname",
			   "groupEmail": "groupemail",
			   "groupDescription": "groupdescription",
			   "member": "member",
			   "distinguishedNameAttribute": "",
			   "serverSideSorting": "",
			   "rangeRetrieval": "",
			   "userClassNames": ["inetOrgPerson","someClass2"],
			   "groupClassNames": ["groupOfUniqueNames1","groupOfUniqueNames2"]
			   }
		   }			
	  }			
}
		

OpenLDAP - Simple bind

{
  "configEntities":{
		"identityStore": {
			"_type": "identityStoreType",
			"type": "activedirectory",
			"domain": "my.root",
			"nickname": "",
			"hostname": "optional-ldap-server",
			"port": "389",
			"directoryServiceType": "openldap",
			"bind": "simple",
			"username": "cn=username,dc=your,dc=domain",
			"password": "password",
			"identityStoreSchemaType": {
			   "userBaseFilter": "(objectClass=inetOrgPerson)",
			   "userUsername": "user",
			   "userDisplayName": "displayname",
			   "userEmail": "email",
			   "userCertificate": "certificate",
			   "userThumbnail": "thumbnail",
			   "userJpegPhoto": "photo",
			   "groupBaseFilter": "(objectClass=groupofNames)",
			   "groupName": "groupname",
			   "groupEmail": "groupemail",
			   "groupDescription": "groupdescription",
			   "member": "member",
			   "distinguishedNameAttribute": "",
			   "serverSideSorting": "",
			   "rangeRetrieval": "",
			   "userClassNames": ["inetOrgPerson","someClass2"],
			   "groupClassNames": ["groupOfUniqueNames1","groupOfUniqueNames2"]
			   }
		 }
  }
}			
		

Configuration template reference

Shared identity store options

type
Where you want to store user identity information. Either local or activedirectory. (If you want to connect to any LDAP server, select activedirectory.)
domain
The domain of the computer where you installed Tableau Server.
nickname
The nickname of the domain. This is also referred to as the NetBIOS name in Windows environments.
The nickname option is required for all LDAP entities. If your organization does not require a nickname/NetBIOS, then pass a blank key, for example: "nickname": "".

LDAP GSSAPI bind options

directoryservicetype
The type of directory service that you want to connect to. Either activedirectory or openldap.
kerberosConfig
The path to the Kerberos configuration file on the local computer. If you are installing into Active Directory, we don't recommend using the existing Kerberos configuration file or keytab file that may already be on the domain-joined computer. See Identity Store.
kerberosKeytab
The path to the Kerberos keytab file on the local computer. It is recommended that you create a keytab file with keys specifically for Tableau Server service and that you do not share the keytab file with other applications on the computer. For example, on Linux, you might place the keytab file in the /var/opt/tableau/keytab directory.
kerberosPrincipal
The service principal name for Tableau Server on the host machine. The keytab must have permission for this principal. Do not use the existing system keytab at /etc/krb5.keytab. Rather, we recommend that you register a new service principal name. To see principals in a given keytab, run the klist -k command. See Understanding Keytab Requirements.

LDAP simple bind options

directoryservicetype
The type of directory service that you want to connect to. Either activedirectory or openldap.
hostname
The hostname of the LDAP server. You can enter a hostname or an IP address for this value.
port
Use this option to specify the non-secure port of the LDAP server. Plaintext is usually 389.
sslPort
Use this option to specify the secure port of the LDAP server. We recommend secure LDAP for simple bind. LDAPS is usually port 636.
username
The user name that you want to use to connect to the directory service. The account that you specify must have permission to query the directory service. For Active Directory, enter the username, for example, jsmith. For LDAP servers, enter the distinguished name (DN) of the user that you want to use to connect. For example, you might enter cn=username,dc=your-local-domain,dc=lan.
password
The password of the user that you want to use to connect to the LDAP server.

Shared LDAP options

The following options can be set for generic LDAP, OpenLDAP, or Active Directory implementations.

bind
The way that you want to authentication communication from the Tableau Server service to the LDAP directory service. Enter gssapi for GSSAPI (Kerberos).
domain
In Windows Active Directory environments, specify the domain where Tableau Server is installed, for example, "example.lan". In LDAP directories, specify the root domain name in the same format. For example, if your root is "dc=my,dc=root", specify "my.root".

root

LDAP only. Do not specify for Active Directory.
If you do not use a dc component in the LDAP root or you want to specify a more complex root you need to set the LDAP root. Use the "o=my,u=root" format. For example, for the domain, example.lan, the root would be "o=example,u=lan".
membersRetrievalPageSize
This option determines the maximum number of results returned by an LDAP query.
For example, consider a scenario where Tableau Server is importing an LDAP group that contains 50,000 users. Attempting to import such a large number of users in a single operation is not a best practice. When this option is set to 1500, Tableau Server imports the first 1500 users in the first response. After those users are processed, Tableau Server requests the next 1500 users from the LDAP server, and so forth.
We recommend that you modify this option only to accommodate the requirements of your LDAP server.

identityStoreSchemaType options

If you configure an LDAP connection to an LDAP server, you can enter schema information specific to your LDAP server in the identityStoreSchemaType object. If you are connecting to Active Directory ("directoryServiceType": "activedirectory"), then do not configure these options.

userBaseFilter
The filter that you want to use for users of Tableau Server. For example, you might specify an object class attribute and an organization unit attribute.
userUsername
The attribute that corresponds to user names on your LDAP server.
userDisplayName
The attribute that corresponds to user display names on your LDAP server.
userEmail
The attribute that corresponds to user email addresses on your LDAP server.
userCertificate
The attribute that corresponds to user certificates on your LDAP server.
userThumbnail
The attribute that corresponds to user thumbnail images on your LDAP server.
userJpegPhoto
The attribute that corresponds to user profile images on your LDAP server.
groupBaseFilter
The filter that you want to use for groups of users of Tableau Server. For example, you might specify an object class attribute and an organization unit attribute.
groupName
The attribute that corresponds to group names on your LDAP server.
groupEmail
The attribute that corresponds to group email addresses on your LDAP server.
groupDescription
The attribute that corresponds to group descriptions on your LDAP server.
member
The attribute that describes the list of users in a group.
distinguishedNameAttribute
The attribute that stores the distinguished names of users. This attribute is optional, but it greatly improves the performance of LDAP queries.
serverSideSorting
Whether the LDAP server is configured for server-side sorting of query results. If your LDAP server supports server-side sorting, set this option to true. If you are unsure whether your LDAP server supports this, enter false, as misconfiguration may cause errors.
rangeRetrieval
Whether the LDAP server is configured to return a range of query results for a request. This means that groups with many users will be requested in small sets instead of all at once. LDAP servers that support range retrieval will perform better for large queries. If your LDAP server supports range retrieval, set this option to true. If you are unsure whether your LDAP server supports range retrieval, enter false, as misconfiguration may cause errors.
groupClassNames
By default Tableau Server looks for LDAP group object classes containing the string “group”. If your LDAP group objects do not fit the default class name, override the default by setting this value. You can provide multiple classnames separated by commas. This option takes a list of strings, which requires passing each class in quotes, separated by a comma (no space) and within brackets. For example: ["basegroup","othergroup"].
userClassNames
By default Tableau Server looks for LDAP user object classes containing the string “user” and “inetOrgPerson”. If your LDAP user objects do not use these default class names, override the default by setting this value. You can provide multiple classnames separated by commas. This option takes a list of strings, which requires passing each class in quotes, separated by a comma (no space) and within brackets. For example: ["userclass1",userclass2”].
Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.