DE_LDAP_CONTEXT_ERROR when listing Resources/Candidates/Attributes


Article ID: KB0077305

Product: TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM)
Versions: 3.x, 4.x

Description

Paged LDAP queries fail in Directory Engine (DE) when:
- IgnoreCaseOnLogin=false in de.properties; and
- the Admin username (DN) on the LDAP Connection RT does not match the LDAP DN case-sensitively.
  For example, the RT has "uid=ADMIN,ou=system" but the LDAP DN is "uid=admin,ou=system".

The error is only seen when the result set for the LDAP query exceeds the effective maximum (set in the LDAP server or BPM configuration).
Any API relating to LDAP Containers can be affected, e.g. listAttributeNames, listCandidates.

Openspace/Workspace clients and BPM logs will show DE_LDAP_CONTEXT_ERROR.
BPM.log may also have an LDAP error code (probably 1, 2 or 4); this code may differ between the first failure and subsequent failures.

Issue/Introduction

Directory Engine paged LDAP requests fail when Username (DN) on LDAP Connection RT is case-sensitively incorrect, and IgnoreCaseOnLogin=true

Environment

BPM 3.x, 4.x

Resolution

There are various ways to resolve this issue:

A: Set IgnoreCaseOnLogin=true in {n2.config.location}/de.properties.

B: Edit the relevant LDAP Connection RT(s), ensuring the Username case-sensitively matches the LDAP DN.
  Admin will automatically prompt to Reinstall the corresponding RIs.

C: Increase the threshold at which result sets will be paged:
  set LdapSearchPageSize (in de.properties) sufficiently large;
  AND
  on the LDAP server, increase the maximum result set size.
  Note: the default limit (and how to configure it) varies between different LDAP server implementations.

For any of these resolutions, it may be necessary to stop & restart BPM Node(s), to ensure DE internals forget the original configuration.
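
The following pre-check is an added example, not TIBCO code: given the text of de.properties, the Username configured on the LDAP Connection RT, and the DN as the directory returns it, it reports whether the failing combination described above is present. The function names and status strings are hypothetical, the DN splitting is a simplification (unescaped commas only), and because this article does not state the default for IgnoreCaseOnLogin, an unset property is reported separately.

```python
import re

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def rdns(dn):
    """Split a DN on unescaped commas, trimming spaces around ',' and '='."""
    parts = re.split(r"(?<!\\),", dn)
    return ["=".join(p.strip() for p in part.split("=", 1)) for part in parts]

def check(de_properties_text, rt_username, ldap_dn):
    """Classify the RT Username against the directory's DN (hypothetical statuses)."""
    ignore_case = parse_properties(de_properties_text).get("IgnoreCaseOnLogin")
    configured, actual = rdns(rt_username), rdns(ldap_dn)
    if configured == actual:
        return "ok"                            # exact match, nothing to fix
    if [r.lower() for r in configured] != [r.lower() for r in actual]:
        return "different-dn"                  # not a case problem at all
    if ignore_case is None:
        return "case-mismatch-check-default"   # property unset; default not stated here
    if ignore_case.lower() == "true":
        return "case-mismatch-tolerated"       # resolution A already applied
    return "case-mismatch-at-risk"             # the failing combination

# Constructed sample input, using the DNs from the example in the Description.
SAMPLE_DE_PROPERTIES = """\
# constructed sample, not a real de.properties
IgnoreCaseOnLogin=false
LdapSearchPageSize = 1000
"""

if __name__ == "__main__":
    print(check(SAMPLE_DE_PROPERTIES, "uid=ADMIN,ou=system", "uid=admin,ou=system"))
```

A result of case-mismatch-at-risk means resolution A or B applies; the paged-query failure itself still only appears once a result set exceeds the effective maximum.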

Additional Information

de.properties reference: https://docs.tibco.com/pub/amx-bpm/4.3.0/doc/html/bpmhelp/GUID-3DAD97FB-D8B1-4D27-B3E6-C04446A35782.html
LDAP Connection RT reference: https://docs.tibco.com/pub/amx-bpm/4.3.0/doc/html/bpmhelp/GUID-4694B891-DB25-4D88-A48B-C5759FBB80EB.html