How to limit users in LDAP User Directory synchronization to only those within particular groups.

Article ID: KB0079920

Products: Spotfire Server
Versions: All Versions

Description

In TIBCO Spotfire Server 6.0 and later, there is a feature in the LDAP user directory and group synchronization to only import users into Spotfire if they are present in the groups that are being synchronized. This can be accomplished with the following setting in your LDAP configuration:
  • 'Group Synchronization' > 'Filter users by groups': Yes

This exact feature is not present in Spotfire 5.5 and lower but the same behavior can be accomplished by updating the 'user search filter' as described in this article.

The LDAP configuration is defined by the 'context names' (the containers in which Spotfire looks for users) and the 'user search filter' (an LDAP query whose criteria Spotfire uses to decide whether the objects found within the context names should be imported as users). For example:

  • Context Name: OU=myUsers,DC=myDomain,DC=com
  • User Search Filter: objectClass=user

This means Spotfire will search all objects in the container 'OU=myUsers,DC=myDomain,DC=com' and will import every object that has an 'objectClass' attribute equal to 'user'. Instead of importing ALL users found in the container, you may want to import only the subset of users who should have access to Spotfire, namely those who are also members of a particular group or groups.

Issue/Introduction

How to limit users in LDAP User Directory synchronization to only those within particular groups.

Resolution

In TIBCO Spotfire Server 6.0 and later, set the 'Filter users by groups' option to 'Yes' in your LDAP configuration:
  • 'Group Synchronization' > 'Filter users by groups': Yes
For earlier versions, or to replicate that behavior manually, you can filter on groups explicitly in the user search filter. This method requires that your directory server populates a 'memberOf' or similar attribute, i.e., each user object carries an attribute that lists the groups it belongs to.
  1. Open Spotfire configuration tool: Start > Programs > TIBCO Spotfire Server X.X > Configure TIBCO Spotfire Server.
  2. Enter the configuration tool password to unlock the configuration.
  3. On the 'Configuration' tab, click 'User Directory: LDAP'.
  4. Expand 'Advanced Settings'.
  5. Update the 'User search filter' by adding in the required limiting groups as described below:
For example, if the existing filter is:
  • objectClass=user
You can filter to only import users in a single group with the following 'User search filter':
  • (&(objectClass=user)(memberOf=CN=mySpotfireGroup,OU=myContainer,DC=myDomain,DC=com))
Comment: The '&' is an AND operator and means that both (objectClass=user) and (memberOf=CN=mySpotfireGroup,OU=myContainer,DC=myDomain,DC=com) need to be true.

You can filter to only import users in multiple groups with the following 'User search filter':
  • (&(objectClass=user)(|(memberOf=CN=mySpotfireGroup1,OU=myContainer,DC=myDomain,DC=com)(memberOf=CN=mySpotfireGroup2,OU=myContainer,DC=myDomain,DC=com)))
Comment: The '|' is an OR operator and means that either (memberOf=CN=mySpotfireGroup1,OU=myContainer,DC=myDomain,DC=com) OR (memberOf=CN=mySpotfireGroup2,OU=myContainer,DC=myDomain,DC=com) needs to be true.

Now only the users who belong to the groups specified in the 'User search filter' will be imported into Spotfire.
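The following is an added example, not TIBCO's code or part of this article, that makes the filter behaviour above concrete. It builds the single-group and multi-group 'User search filter' strings from a base filter and a list of group DNs (escaping the DN values as RFC 4515 requires, so a group name containing '(' or '*' cannot change the meaning of the filter), and it evaluates such a filter against a few constructed user entries with a minimal evaluator that supports '&', '|' and equality matches. Functions, entries and group names are all assumptions made for the example.

```python
"""Build and evaluate Spotfire-style LDAP 'User search filter' strings (added example)."""
import re
from typing import Dict, List, Tuple

# RFC 4515: these characters must be hex-escaped when embedded in a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value (e.g. a group DN) before placing it inside a filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_user_filter(base_filter: str, group_dns: List[str], member_attr: str = "memberOf") -> str:
    """Restrict base_filter to members of any of group_dns.

    One group  -> (&(base)(memberOf=dn))
    Many groups -> (&(base)(|(memberOf=dn1)(memberOf=dn2)...))
    """
    if not group_dns:
        return base_filter
    base = base_filter if base_filter.startswith("(") else f"({base_filter})"
    clauses = [f"({member_attr}={escape_filter_value(dn)})" for dn in group_dns]
    members = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&{base}{members})"


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\28 -> '(' etc.)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int) -> Tuple[object, int]:
    """Parse one parenthesised filter node starting at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if s[i] in "&|":  # AND / OR node with nested children
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at position {i}")
        return (op, children), i + 1
    # Equality match: attribute=value (escaped values contain no literal ')')
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def matches(node, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against a multi-valued attribute dictionary."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    wanted = _unescape(value).lower()
    # Attribute names are case-insensitive in LDAP; DN values are compared
    # case-insensitively here as a simplification of real DN matching rules.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == wanted for v in values)


def select_users(filter_str: str, users: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Return the names of entries that the filter would import into Spotfire."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [name for name, entry in users.items() if matches(node, entry)]


# Constructed sample directory entries (not real directory data).
GROUP1 = "CN=mySpotfireGroup1,OU=myContainer,DC=myDomain,DC=com"
GROUP2 = "CN=mySpotfireGroup2,OU=myContainer,DC=myDomain,DC=com"
USERS = {
    "alice": {"objectClass": ["top", "person", "user"], "memberOf": [GROUP1]},
    "bob": {"objectClass": ["top", "person", "user"], "memberOf": [GROUP2]},
    "carol": {"objectClass": ["top", "person", "user"],
              "memberOf": ["CN=Finance,OU=myContainer,DC=myDomain,DC=com"]},
    # A computer object that is in the group but is not a 'user': the AND excludes it.
    "ws01$": {"objectClass": ["top", "computer"], "memberOf": [GROUP1]},
}

if __name__ == "__main__":
    single = build_user_filter("objectClass=user", [GROUP1])
    multi = build_user_filter("objectClass=user", [GROUP1, GROUP2])
    print(single, "->", select_users(single, USERS))
    print(multi, "->", select_users(multi, USERS))
```

Note that 'memberOf' reflects direct membership only: a user who reaches mySpotfireGroup1 through a nested group has no 'memberOf' value equal to that DN and is not matched by a plain equality clause, so either add the nested groups to the OR list or, on Active Directory, use the transitive matching rule (memberOf:1.2.840.113556.1.4.1941:=...). The escaping step matters whenever group names come from an external source: without it, a DN containing ')' would terminate the clause early and silently widen the set of imported users.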

Additional Information

External: LDAP Query Examples