Strategy One

Universal Semantic Layer Environment Configurations

LDAP Authentication

If your Strategy environment is configured with LDAP and you need to allow LDAP authentication in Universal Semantic Layer (USL) clients such as DBeaver, use the following steps to enable LDAP for USL users:

Environment owners should define the context path for the Library application specifically used for LDAP authentication.

  1. In the Universal Semantic Layer service, go to the ldap-authenticator.properties file. The file should be in the following path: /opt/mstr/MicroStrategy/install/UniversalSemantic/etc/ldap-authenticator.properties.

  2. Edit the mstr.ldap.library.url setting to use the Library application where LDAP authentication mode is enabled.

    For example, if the Library application URL is https://tutorial.microstrategy.com/MicroStrategyLibraryInsights, you should modify the settings to the following:

    # MSTR Specific
    header-authenticator.name=mstr-ldap
    mstr.ldap.library.url=https://tutorial.microstrategy.com/MicroStrategyLibraryInsights
  3. Restart the Universal Semantic Layer service.

Basic Authentication

If you are using basic authentication, make the following update:

  1. Open the following file: /opt/mstr/MicroStrategy/install/UniversalSemantic/etc/basic-authenticator.properties

  2. Add the following setting:

    header-authenticator.name=mstr-basic
    mstr.basic.library.url=http://localhost:8080/MicroStrategyLibrarySTD
  3. Restart the Universal Semantic Layer service.
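
The following check covers both the LDAP and the basic authenticator files described above. It is an added example, not part of the Strategy documentation: the function names, the host usl.example.internal and the sample files are constructed, and it assumes that user credentials are sent to the configured Library URL.

```sh
#!/bin/sh
# Added example, not vendor code. usl.example.internal is a constructed host.

# Value of a key in a properties file ("k=v" or "k = v"); the last one wins.
prop() {  # $1=file $2=key
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }
    { i = index($0, "="); if (!i) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (key == k) v = val }
    END { print v }' "$1"
}

# Prints one FINDING line per problem; returns 0 only when there are none.
audit_authenticator() (  # $1=properties file
  name=$(prop "$1" header-authenticator.name)
  case $name in
    mstr-ldap)  key=mstr.ldap.library.url ;;
    mstr-basic) key=mstr.basic.library.url ;;
    *) echo "FINDING: header-authenticator.name is '$name'"; exit 1 ;;
  esac
  url=$(prop "$1" "$key")
  host=${url#*://}; host=${host%%/*}; host=${host%%:*}
  case $url in
    https://?*) exit 0 ;;
    "") echo "FINDING: $key is not set for $name" ;;
    http://?*)
      # Assumption: user credentials are sent to this URL, so clear-text HTTP
      # is accepted only when Library runs on the same machine.
      case $host in localhost|127.0.0.1) exit 0 ;; esac
      echo "FINDING: $key uses http:// to remote host '$host'" ;;
    *) echo "FINDING: $key is not an http(s) URL" ;;
  esac
  exit 1
)

# Constructed samples: the page's two snippets plus one remote http:// variant.
demo=$(mktemp -d)
printf '%s\n' '# MSTR Specific' 'header-authenticator.name=mstr-ldap' \
  'mstr.ldap.library.url=https://tutorial.microstrategy.com/MicroStrategyLibraryInsights' > "$demo/ldap.properties"
printf '%s\n' 'header-authenticator.name=mstr-basic' \
  'mstr.basic.library.url=http://localhost:8080/MicroStrategyLibrarySTD' > "$demo/basic.properties"
printf '%s\n' 'header-authenticator.name = mstr-basic' \
  'mstr.basic.library.url = http://usl.example.internal:8080/MicroStrategyLibrarySTD' > "$demo/remote.properties"
for f in "$demo"/*.properties; do
  audit_authenticator "$f" && echo "OK: ${f##*/}" || echo "in ${f##*/}"
done
```
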

OAuth 2

Single Node Instance-based Environments

  1. Edit the Library service configOverride.properties file and add the following property to enable the OAuth2 Authorization Server:

    auth.oauth2.server.enabled = true
    auth.oauth2.server.storage = inMemory
  2. In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.

    If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.

  3. Restart the Library application.

Multi-node Instance-based Environments

For multi-node instance-based environments, you must configure Redis and OAuth2. In a virtual machine-based cluster environment, each virtual machine (VM) hosts its own Redis instance. Typically only one Redis server is accessible from all machines in the cluster. Use the following steps to identify the accessible Redis server and configure each Tomcat server accordingly:

  1. Verify the machine on which the Redis server resides:

    1. Open the following Redis configuration file: /opt/mstr/MicroStrategy/install/Redis/redis.conf.

    2. Ensure the bind directive includes the VM's internal IP address (for example, 10.xx.xx.xx) in addition to the loopback address. For example, bind 127.0.0.1 ::1 10.250.149.168.

    3. Ensure protected-mode is set to no.

    4. Add your authentication password to the requirepass directive. For example, requirepass [enter password here].

  2. Configure Tomcat to connect to Redis:

    1. On each VM, open the setenv.sh file in the Tomcat installation. It is typically located in the following path: /opt/apache/tomcat/latest/bin/setenv.sh.

    2. Add the following environment variables:

      export REDIS_HOST="10.xx.xx.xx"           # Replace with the Redis server’s internal IP address
      export REDIS_PASSWORD="your_redis_password"  # Replace with the actual password from redis.conf
  3. Configure OAuth2 authorization for Library:

    1. Open the configuration file in the following location: <webapps>/MicroStrategyLibrary/WEB-INF/classes/config/configOverride.properties.

    2. Add or edit the following properties:

      auth.oauth2.server.enabled=true
      auth.oauth2.server.storage=redis
  4. Restart the Tomcat server on each VM.

  5. In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.

    If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.

  6. Restart the Library application.
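
The script below audits redis.conf and Tomcat's setenv.sh against the Redis steps above: the bind list, requirepass, and the matching REDIS_HOST and REDIS_PASSWORD values. It is an added example, not part of the Strategy documentation: the function names, the address 10.0.0.5 and the sample files are constructed, and the file-permission check is an addition that is not a step on this page.

```sh
#!/bin/sh
# Added example, not vendor code. 10.0.0.5 and the sample files are constructed.

# Value of the last occurrence of a redis.conf directive (empty if absent).
redis_directive() {  # $1=file $2=directive
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# Value of an `export NAME="value"` line in setenv.sh (quotes and comment dropped).
setenv_value() {  # $1=file $2=variable name
  sed -n "s/^[[:space:]]*export[[:space:]][[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Prints one FINDING line per problem; returns 0 only when there are none.
audit_redis() (  # $1=redis.conf $2=setenv.sh
  bind=$(redis_directive "$1" bind)
  pass=$(redis_directive "$1" requirepass)
  host=$(setenv_value "$2" REDIS_HOST)
  n=0
  finding() { echo "FINDING: $*"; n=$((n + 1)); }
  case " $bind " in
    "  "|*" 0.0.0.0 "*|*" :: "*|*" * "*)
      finding "bind is missing or a wildcard; list loopback and the internal IP only" ;;
  esac
  case " $bind " in
    *" ${host:-unset} "*) ;;
    *) finding "REDIS_HOST '$host' is not an address in the bind directive" ;;
  esac
  # protected-mode is off here, so Redis will not refuse remote clients when no password is set.
  case $pass in
    ""|"["*"]"|your_redis_password) finding "requirepass is empty or still a placeholder" ;;
  esac
  [ "$(setenv_value "$2" REDIS_PASSWORD)" = "$pass" ] ||
    finding "REDIS_PASSWORD in setenv.sh does not match requirepass"
  # Both files hold the password in clear text (added check, not a page step).
  [ -z "$(find "$1" "$2" -perm -004)" ] ||
    finding "redis.conf or setenv.sh is world-readable"
  [ "$n" -eq 0 ]
)

# Constructed sample files that still carry the page's placeholder values.
demo=$(mktemp -d)
printf '%s\n' 'bind 127.0.0.1 ::1 10.0.0.5' 'protected-mode no' \
  'requirepass [enter password here]' > "$demo/redis.conf"
printf '%s\n' 'export REDIS_HOST="10.0.0.5"   # internal IP' \
  'export REDIS_PASSWORD="your_redis_password"' > "$demo/setenv.sh"
chmod 600 "$demo/redis.conf"; chmod 644 "$demo/setenv.sh"
audit_redis "$demo/redis.conf" "$demo/setenv.sh" || echo "sample configuration needs fixes"
```
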

Container-based Environment

In the Library Admin page, in Authentication Modes, select the check box next to Trusted and create a trust relationship.

If OIDC or SAML based authentication is already enabled in the environment, you can skip this step.

Column Naming Configuration

Starting in Strategy One (June 2026), you can set custom naming rules to control how Mosaic model columns appear to external BI tools via the Universal Semantic Layer.

Prior to Strategy One (June 2026), column names for attributes combine the attribute and form names across all model types. This remains the default behavior after Strategy One (June 2026).

In the Column Naming setting, you can choose Use Alias. The naming rules apply to attributes and metrics. By default, metric aliases are blank at the model layer and revert to the metric name. If aliases are duplicated, the naming rule uses the object and form names for those columns.

In addition to configuring column naming behavior in the Mosaic model settings, you can define it in the Universal Semantic Layer settings, as described in the steps that follow.

If you define column naming in both the Mosaic model settings and in the Universal Semantic Layer settings, the model-level preference takes priority, which allows control over how each model's columns display to external BI tools.

  1. Open the following file: /opt/mstr/MicroStrategy/install/UniversalSemantic/etc/config.properties

  2. To use object column aliases as the column name behavior for all Mosaic models in external BI tools, add the following setting: use-column-alias-on-mosaic-model=true

  3. Restart the Universal Semantic Layer.