Querying Active Directory From SSRS To Customize The User Experience And Secure Reports
Introduction Wes Springob (No relation to Mr. Squarepants) BI Consultant at New York Life Originally from Pittsburgh, now New Port Richey Wife Ashley, Portrait Photographer http://SQLWes.com http://twitter.com/SQLWes http://LinkedIn.com/in/SQLWes Wes Springob, (No Relation To Mr. Squarepants) BI Consultant @NYL Originally from Pittsburgh, now New Port Richey Wife Ashley, Portrait Photographer Background Do you know why speakers poll their audiences at the beginning of a presentation? Stated purpose is to tailor the discussion to the audience level. Truth is to determine exactly how much we can BS our way through it. So who knows what? LDAP, SSRS, T-SQL, Linked Servers?
Disclosure: Extensive use of SSRS Proficient T-SQL Developer LDAP novice 0 AD administration experience Recently exploring reporting of data sources that aren’t SQL Server Have been wanting to work with AD Data in SSRS for years, but only recently have had the opportunity. The names have been changed to protect the innocent = No live demo of Active Directory
Use Case Why would you need to secure a report with AD? Doesn’t the Report Server do that for you? Short answer, yes it does: SSRS determines if you can run, subscribe to or edit a report. It does a great job and we don’t want to alter or circumvent that security in any way.
We can do more Find out additional information about a user for use within the report Securely extend additional data based on the user ID of the logged in user’s security group memberships. User Story
System of record Many database systems store a user’s Active Directory ID. But they also store a lot more, unfortunately, to “support” the application. Where in most cases, we should be going back to query AD to ensure we are using the most current values.
Tools A SQL Server with SSRS installed Management Studio Visual Studio, BIDS or Report Builder to create RDL’s Active Directory Explorer Aids in writing LDAP queries Free tool, downloadable from Technet Any domain account typically has sufficient, Read Only, rights to query AD
Approaches Linked Servers / T-SQL CLR / System.DirectoryServices Namespace Custom Code in the RDL / System.DirectoryServices Namespace Query AD Directly as a Data source From within the RDL / T-SQL Linked Server Most flexible, easiest solution for T-SQL developer Easily configured & maintained Through procs, functions & views you can quickly create a relational representation of you AD hierarchy CLR Difficult to set up, code and maintain Extends the greatest flexibility Must be registered on the SQL Server, strongly named… .Net code, feels more like filtering Custom Code in RDL Requires SSRS Server configuration to allow the System.DirectoryServices Namespace to be accessed, and a reference to be created within the RDL Similar to CLR in complexity and utility Query AD Directly as a Data Source from within an RDL Easily configured data source. No support from the development environment’s SQL parser. (if you write perfectly, it works. If not, good luck debugging in VS/BIDS/Report Builder) Better off editing with a linked server in MS and copying the query to your RDL The method I believe has the most utility to be used in the most environments, is to query directly from the RDL and will server as our example in a couple min.
What is LDAP? Lightweight Directory Access Protocol “is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.” -- Wikipedia Used to query or filter Active Directory from T-SQL or .Net code. Neither AD or LDAP are RDBMS AD is Optimized for fast reads AD is Optimized for fast reads, because it is queried at run time and only returns a limited number of results, typically.
Active Directory Explorer Definitions: dn = Distinguished Name dc = domain component ou = organizational unit cn = common name sn = surname (last name) givenName = (First Name)
Linked Servers From Management Studio, you will need to use the OLE DB Provider for Microsoft Directory Services Use the ADsDSOObject Provider string Ad the Data source, which is your AD server
OpenQuery From Management Studio, write a test query of Active Directory using OPENQUERY and the information we gathered in AD Explorer Error messages aren’t great, but far better than VS parser. All quotes are single quotes We could stop right here Create a series of Stored procedures, views and functions to create a relational set of data representing our Active Directory entries and use it in any system that can access this SQL server OR, your company might not like you to use linked servers In which case you will probably only be able to use linked servers for development purposes.
Creating the report
Creating the AD data source Using an existing report project, add a new shared datasource to your AD server Give it a meaningful name because it likely won’t be the only data source for your report Use the OLE DB option for your connection type The connection string is just that simple, provider = ADsDSOObject and Data Source = your AD server name
Creating the dataset Using the Data Source you just created, create an embedded dataset using the text query type. You will need to use the expression builder because the Parser does not interpret LDAP queries This means query designer is disabled You won’t be able to use parameters You will need to fill in your fields manually You need to be accurate in your typing, including case.
Creating the Query Expression Translate your OPENQUERY to the Query Expression dialog Don’t confuse single & double quotes Work in the Built-in Field “UserID”, stripping out your domain from the string
Preview Use the results of the embedded dataset within the body of the report to complete your “Hello, Wes!” example. Often, for development purposes, you will need to create a Parameter to simulate the value from the Built in Value from User!UserID (to simulate other users)
Solving the Use Case
Queries?
Additional LDAP Queries
Resources: Active Directory Explorer Download: http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx This Slide Deck: http://SQLWes.com