How to configure LDAP realm in TIBCO Enterprise Administrator (TEA).

Article ID: KB0071469

Product: TIBCO Enterprise Administrator (TEA)
Version: Not Applicable

Description:
After specifying the LDAP URL and binding information, the second step is to specify Group Information. The "Group Search Expression" needs to contain "{0}" (quotation marks not included). In this string, {0} represents the name of the group. The code substitutes the group name for this variable and passes the resulting boolean expression to the LDAP server. The LDAP server matches that search expression against groups to find all groups containing the attribute. For example, if the groupSearchExpression is "cn={0}" and the user searches for a group with the name "tibco_admin", the code searches for all groups that have the attribute cn with the value tibco_admin.

The third step during LDAP realm configuration is to specify User Information. The "User Search Base Expression" needs to contain "{0}" (quotation marks not included), which will be populated by the actual user identifier. It can be used together with other filters. The "User ID Attribute" should be the LDAP user identifier.

For instance, the group information below works for a Microsoft Active Directory server:
Group ID Attribute:               cn
Group User Attribute:             member
Sub-Group Attribute:              member
Group Search Base DN:             cn=users,dc=test,dc=tibco
Group Search Expression:         (&(cn={0})(cn=tibco_*)(objectclass=group))

(This will get all groups whose CN starts with "tibco_".)

The user information below works for a Microsoft Active Directory server:
User ID Attribute:             sAMAccountName
User Search Base DN:           cn=users,dc=test,dc=tibco
User Search Base Expression:   (&(sAMAccountName={0})(cn=admin*)(objectclass=person))
User Password Attribute:       userPassword

(Please note that the "User Password Attribute" is optional for Microsoft Active Directory.
This query will get all users whose CN starts with "admin".)
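
The {0} substitution described above, as an added Python example that is not TIBCO's code: it fills the two Active Directory expressions from this article and evaluates the resulting filters against constructed entries with a small in-memory matcher. The RFC 4515 escaping of the substituted name and the sample entries are assumptions of this example; the article does not say how TEA treats special characters in a name.

```python
import re

# Expressions copied from the article; the directory entries are constructed.
GROUP_EXPR = "(&(cn={0})(cn=tibco_*)(objectclass=group))"
USER_EXPR = "(&(sAMAccountName={0})(cn=admin*)(objectclass=person))"
GROUPS = [
    {"cn": ["tibco_admin"], "objectclass": ["top", "group"]},
    {"cn": ["tibco_ops"], "objectclass": ["top", "group"]},
    {"cn": ["hr_admin"], "objectclass": ["top", "group"]},
]
USERS = [
    {"cn": ["admin_jane"], "samaccountname": ["jdoe"], "objectclass": ["top", "person"]},
    {"cn": ["Bob Smith"], "samaccountname": ["bsmith"], "objectclass": ["top", "person"]},
]
# RFC 4515 escapes for characters that are special inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def build_filter(expression, name):
    """Substitute the name for {0}; the escaping is this example's assumption."""
    if "{0}" not in expression:
        raise ValueError("search expression must contain {0}")
    return expression.replace("{0}", "".join(ESCAPES.get(c, c) for c in name))

def _literal(text):
    """Turn \\XX escapes back into characters and quote them for a regex."""
    raw = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return re.escape(raw.lower())

def matches(ldap_filter, entry):
    """Evaluate a flat (&(attr=value)...) filter; only an unescaped * is a wildcard."""
    clauses = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    for attr, pattern in clauses:
        regex = re.compile(".*".join(_literal(p) for p in pattern.split("*")))
        values = entry.get(attr.lower(), [])
        if not any(regex.fullmatch(v.lower()) for v in values):
            return False
    return bool(clauses)

def search(expression, name, entries):
    """Return the CNs of the entries that the substituted filter selects."""
    ldap_filter = build_filter(expression, name)
    return [e["cn"][0] for e in entries if matches(ldap_filter, e)]

if __name__ == "__main__":
    for name in ("tibco_admin", "hr_admin", "*"):
        print(name, build_filter(GROUP_EXPR, name), search(GROUP_EXPR, name, GROUPS))
    for uid in ("jdoe", "bsmith"):
        print(uid, search(USER_EXPR, uid, USERS))
```

The extra clauses restrict which names can resolve: hr_admin exists as a group in the sample data but is not returned because its CN does not start with "tibco_", and bsmith is not returned because his CN does not start with "admin".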

Please contact TIBCO support if you still have questions. 
