There are three types of configuration settings in the ldap.properties file that need to be tuned. They are:
1. Context: the Active Directory folder hierarchy that TDV (TIBCO Data Virtualization) searches to find:
- the user
- the group that the user belongs to
2. Attribute: any attribute whose value is specifically set to the name of the user (or group)
3. Filter: additional filter criteria (e.g. objectCategory and objectclass)
For purposes of illustration, let us say that we want to configure ldap.properties to allow an Active Directory user svcdvtstuser1 belonging to a group dvg1 to log in to TDV.
For the sake of simplicity, assume that both the user and the group reside under the same folder hierarchy, which is Global Catalog >> OU=Products >> OU=DV >> OU=Test >> OU=Simple
1. Context: TDV needs to know which Active Directory folder hierarchy to search under to locate the user and the group. TDV uses the context filter for this purpose.
The easiest way to set the value of the context filter is to extract details from:
- the user's distinguishedName attribute in Active Directory
- the group's distinguishedName attribute in Active Directory
In this example, the user's distinguishedName attribute is:
CN=svcdvtstuser1,OU=Simple,OU=Test,OU=DV,OU=Products,DC=dev,DC=com
and the group's distinguishedName is:
CN=dvg1,OU=Simple,OU=Test,OU=DV,OU=Products,DC=dev,DC=com
To use this information:
1. Remove the leading CN= component (e.g. 'CN=dvg1'), as it does not represent a folder; it represents an object residing under a folder.
2. If the DC component (i.e. DC=dev,DC=com) is already included in the LDAP URL, as shown below, remove it as well. TDV uses the LDAP URL in conjunction with the context filter(s) to construct an LDAP search query; leaving the DC component in place would make it appear twice in the search query and cause the query to fail.
user search context:
-------------------------------
activedirectory.all.users.search.context = OU=Simple,OU=Test,OU=DV,OU=Products
activedirectory.user.search.context = OU=Simple,OU=Test,OU=DV,OU=Products
-------------------------------
group search context:
-------------------------------
activedirectory.all.groups.search.context = OU=Simple,OU=Test,OU=DV,OU=Products
activedirectory.user.groups.search.context = OU=Simple,OU=Test,OU=DV,OU=Products
-------------------------------
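The two steps above (drop the object's own CN= component, then drop whatever suffix the LDAP URL already carries) can be applied mechanically to any distinguishedName. The script below is an added example written for this article; it is not part of TDV or of ldap.properties. The DNs are the ones from the article, the LDAP URL host name is a placeholder, and the script generalises step 2 slightly: it strips whichever base DN the URL path contains (in the article that is the DC components) and refuses a DN that is not under that base, which catches a copy-paste from the wrong domain before the search query silently fails.

```python
from urllib.parse import urlsplit


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def base_dn_from_url(ldap_url):
    """Return the base DN carried in the LDAP URL path ('' when the URL has none)."""
    return urlsplit(ldap_url).path.lstrip("/")


def search_context(object_dn, ldap_url):
    """Derive a search context from an object's distinguishedName:
    step 1 drops the leading CN= RDN (the object itself is not a folder);
    step 2 drops the suffix that the LDAP URL already carries (the DC
    components in the article), so it is not repeated in the search query."""
    rdns = split_dn(object_dn)
    if not rdns or not rdns[0].upper().startswith("CN="):
        raise ValueError("expected a DN whose first RDN is CN=...: %r" % object_dn)
    rdns = rdns[1:]
    base = [r.upper() for r in split_dn(base_dn_from_url(ldap_url))]
    if base:
        if [r.upper() for r in rdns[-len(base):]] != base:
            raise ValueError("%r is not under the URL base DN %r" % (object_dn, ",".join(base)))
        rdns = rdns[:-len(base)]
    return ",".join(rdns)


def context_properties(user_dn, group_dn, ldap_url):
    """The four *.search.context settings from ldap.properties, filled from the two DNs."""
    user_ctx = search_context(user_dn, ldap_url)
    group_ctx = search_context(group_dn, ldap_url)
    return {
        "activedirectory.all.users.search.context": user_ctx,
        "activedirectory.user.search.context": user_ctx,
        "activedirectory.all.groups.search.context": group_ctx,
        "activedirectory.user.groups.search.context": group_ctx,
    }


if __name__ == "__main__":
    # The host name is a placeholder; the DNs are the ones from the article.
    url = "ldap://ad.example.invalid:389/DC=dev,DC=com"
    props = context_properties(
        "CN=svcdvtstuser1,OU=Simple,OU=Test,OU=DV,OU=Products,DC=dev,DC=com",
        "CN=dvg1,OU=Simple,OU=Test,OU=DV,OU=Products,DC=dev,DC=com", url)
    for key, value in props.items():
        print("%s = %s" % (key, value))
```

Run it with the URL that carries DC=dev,DC=com and all four contexts come out as OU=Simple,OU=Test,OU=DV,OU=Products; run it with a bare ldap://host:389 URL and the DC components are kept, which is the other half of step 2.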
2. Attribute: The user attribute may be any attribute whose value is the user name.
- samaccountname may be used as it contains the user name (i.e. svcdvtstuser1).
user attribute:
-------------------------------
activedirectory.all.users.username.attribute = samaccountname
activedirectory.user.username.attribute = samaccountname
-------------------------------
- The group attribute may be any attribute whose value is the group name.
- cn may be used as it contains the group name (i.e. dvg1).
group attribute:
-------------------------------
activedirectory.all.groups.groupname.attribute = cn
activedirectory.user.groups.groupname.attribute = cn
-------------------------------
3. Filter: The following settings are based on objectCategory and objectclass and will typically work as-is, because:
- objectCategory and objectclass are standard attributes.
- They have standard values that an LDAP administrator normally does not alter or remove.
filters:
-------------------------------
activedirectory.all.users.filter = (&(objectCategory=person)(objectclass=user))
activedirectory.user.filter = (&(samaccountname=USERNAME)(objectclass=user)(objectCategory=person))
activedirectory.all.groups.filter = (&(objectclass=group)(objectCategory=group))
activedirectory.user.groups.filter = (&(member=USERDN)(objectclass=group)(objectCategory=group))
-------------------------------
Note: USERNAME and USERDN are TDV-specific variable names and may be left as-is.
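To see how the four filters fit together at login time, the script below substitutes a user name into activedirectory.user.filter, runs it against a small in-memory directory, and then substitutes the matched user's DN into activedirectory.user.groups.filter to collect the user's groups. It is an added example written for this article, not TDV code, and it says nothing about how TDV itself performs the substitution. The directory entries are constructed (the user, the group and a second group from the article, plus a computer account), the filter evaluator covers only the (&...), (|...), (!...) and (attr=value) forms that these settings use, and the exact-match check at the end is an assumed reading of activedirectory.user.username.comparison.is.case.sensitive=true from the completed file. Values substituted into a filter are escaped per RFC 4515 so that a name containing filter metacharacters is matched as a literal string rather than reinterpreted as filter syntax.

```python
import re

# The two ldap.properties filters that carry a TDV variable (taken from the article).
USER_FILTER = "(&(samaccountname=USERNAME)(objectclass=user)(objectCategory=person))"
USER_GROUPS_FILTER = "(&(member=USERDN)(objectclass=group)(objectCategory=group))"
# activedirectory.user.username.comparison.is.case.sensitive=true in the completed file.
USERNAME_CASE_SENSITIVE = True

# Constructed directory entries (not exported from a real domain).  AD stores
# objectCategory as a schema DN and resolves the short name in filters; this toy
# directory simply stores the short name.  The computer entry is included because
# computer accounts are also objectClass=user in AD, which is exactly what the
# objectCategory=person term in the user filter excludes.
USER_DN = "CN=svcdvtstuser1,OU=Simple,OU=Test,OU=DV,OU=Products,DC=dev,DC=com"
GROUP_DN = "CN=dvg1,OU=Simple,OU=Test,OU=DV,OU=Products,DC=dev,DC=com"
DIRECTORY = [
    {"dn": USER_DN,
     "attrs": {"objectClass": ["top", "person", "user"], "objectCategory": ["person"],
               "sAMAccountName": ["svcdvtstuser1"]}},
    {"dn": "CN=WS01,OU=Simple,OU=Test,OU=DV,OU=Products,DC=dev,DC=com",
     "attrs": {"objectClass": ["top", "person", "user", "computer"],
               "objectCategory": ["computer"], "sAMAccountName": ["WS01$"]}},
    {"dn": GROUP_DN,
     "attrs": {"objectClass": ["top", "group"], "objectCategory": ["group"],
               "cn": ["dvg1"], "member": [USER_DN]}},
    {"dn": "CN=other,OU=Simple,OU=Test,OU=DV,OU=Products,DC=dev,DC=com",
     "attrs": {"objectClass": ["top", "group"], "objectCategory": ["group"],
               "cn": ["other"], "member": []}},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: a value substituted into a filter stays a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)          # escaped values never contain a raw ')'
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        return ("=", (attr.strip(), _unescape(raw)))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def get_values(entry, attr):
    """LDAP attribute names are case-insensitive."""
    return [v for k, vs in entry["attrs"].items() if k.lower() == attr.lower() for v in vs]


def matches(tree, entry):
    op, payload = tree
    if op == "&":
        return all(matches(k, entry) for k in payload)
    if op == "|":
        return any(matches(k, entry) for k in payload)
    if op == "!":
        return not matches(payload[0], entry)
    attr, wanted = payload                   # equality match, case-insensitive as in AD
    return any(v.lower() == wanted.lower() for v in get_values(entry, attr))


def search(filter_text, directory=DIRECTORY):
    tree = parse_filter(filter_text)
    return [e for e in directory if matches(tree, e)]


def resolve_login(username, directory=DIRECTORY):
    """Chain the two lookups the way the filters do: user by name, then groups by member DN."""
    user_filter = USER_FILTER.replace("USERNAME", escape_filter_value(username))
    users = search(user_filter, directory)
    if len(users) != 1:
        return None
    user = users[0]
    # Assumed semantics of the case-sensitivity setting: after the case-insensitive
    # directory match, the stored sAMAccountName must equal the typed name exactly.
    if USERNAME_CASE_SENSITIVE and get_values(user, "sAMAccountName") != [username]:
        return None
    groups_filter = USER_GROUPS_FILTER.replace("USERDN", escape_filter_value(user["dn"]))
    groups = sorted(get_values(g, "cn")[0] for g in search(groups_filter, directory))
    return {"dn": user["dn"], "groups": groups}


if __name__ == "__main__":
    print(resolve_login("svcdvtstuser1"))
```

Searching the toy directory with (objectclass=user) alone returns both the service account and the computer account; the full activedirectory.user.filter returns only the service account, which is the practical reason the objectCategory=person term is there.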
Below is the completed ldap.properties file.
-------------------------------
activedirectory.all.users.search.context = OU=Simple,OU=Test,OU=DV,OU=Products
activedirectory.all.users.username.attribute = samaccountname
activedirectory.all.users.filter = (&(objectCategory=person)(objectclass=user))
activedirectory.all.users.search.timeout=0
activedirectory.all.groups.search.context = OU=Simple,OU=Test,OU=DV,OU=Products
activedirectory.all.groups.groupname.attribute = cn
activedirectory.all.groups.filter=(&(objectclass=group)(objectCategory=group))
activedirectory.all.groups.search.timeout=0
activedirectory.user.search.context = OU=Simple,OU=Test,OU=DV,OU=Products
activedirectory.user.username.attribute = samaccountname
activedirectory.user.filter = (&(samaccountname=USERNAME)(objectclass=user)(objectCategory=person))
activedirectory.user.search.timeout=1000
activedirectory.user.username.comparison.is.case.sensitive=true
activedirectory.user.groups.search.context = OU=Simple,OU=Test,OU=DV,OU=Products
activedirectory.user.groups.groupname.attribute = cn
activedirectory.user.groups.filter = (&(member=USERDN)(objectclass=group)(objectCategory=group))
activedirectory.user.groups.search.timeout=1000
-------------------------------
The user svcdvtstuser1 should now be able to log in to TDV Studio.