How to configure ldap_group_search_filter for HawkConsole


Article ID: KB0074471


Products Versions
TIBCO Hawk 6.2.1

Description

In Hawk v6.2.1, a new property was introduced in hawkconsole.cfg:
LINE 122 # -ldap_group_search_filter <query attribute to search in group> # default is 'memberOf'
Can any other value be set for this property?

In LDAP, a user who belongs to a group has an attribute named memberOf. The value of this attribute is a list of all groups that the user belongs to.

For example, if a user named ‘hawkuser’ is a member of two groups named ‘admin-group’ and ‘operator-group’, then searching for the user returns the details below:

accountExpires: 9223372036854775807 (never)
badPasswordTime: 9/25/2020 7:13:12 AM Pacific Daylight Time
badPwdCount: 0
cn: bwftluser
codePage: 0
countryCode: 0
displayName: bwftluser
distinguishedName: CN=hawkuser,CN=Users,DC=tibco,DC=com
dSCorePropagationData: 0x0 = (  )
givenName: bwftluser
instanceType: 0x4 = ( WRITE )
lastLogoff: 0 (never)
lastLogon: 9/25/2020 7:13:14 AM Pacific Daylight Time
lastLogonTimestamp: 9/27/2020 11:45:26 PM Pacific Daylight Time
logonCount: 0
memberOf (2): CN=admin-group,CN=Users,DC=tibco,DC=com; CN=operator-group,CN=Users,DC=tibco,DC=com
name: hawkuser
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tibco,DC=com
objectClass (4): top; person; organizationalPerson; user
objectGUID: 0cf747cb-8f47-42b0-b0cd-cc259414c6ef
objectSid: S-1-5-21-3925272033-3769415035-2624007152-1123
primaryGroupID: 513 = ( GROUP_RID_USERS )
pwdLastSet: 9/15/2020 11:07:33 PM Pacific Daylight Time
sAMAccountName: hawkuser
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT )
userAccountControl: 0x200 = ( NORMAL_ACCOUNT )
userPrincipalName: hawkuser@tibco.com
uSNChanged: 249968
uSNCreated: 184409
whenChanged: 9/27/2020 11:45:26 PM Pacific Daylight Time
whenCreated: 9/15/2020 11:07:33 PM Pacific Daylight Time

In the above output, we can see that the user has a memberOf attribute.

The ldap_group_search_filter parameter in hawkconsole.cfg defines this relationship between an LDAP user and an LDAP group. The default value for this parameter is memberOf. This parameter works in conjunction with ldap_group_dn, which defines all the groups that a user can belong to.

In some implementations of Active Directory, the attribute memberOf could be named isMemberOf, so we can update the value of ldap_group_search_filter accordingly.
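
The following sketch is an added illustration, not TIBCO Hawk code. It checks which of the two supported membership attributes a user entry carries and shows how that attribute combines with a list of group DNs such as the one given in ldap_group_dn. The LDIF sample, the function names and the DN matching rule are assumptions made for the example.

```python
# Added illustration; not HawkConsole's implementation. The entry is constructed.
SUPPORTED_ATTRS = ("memberOf", "isMemberOf")  # the only values the article allows

SAMPLE_LDIF = """\
dn: CN=hawkuser,CN=Users,DC=tibco,DC=com
sAMAccountName: hawkuser
memberOf: CN=admin-group,CN=Users,DC=tibco,DC=com
memberOf: CN=operator-group,CN=Users,DC=tibco,DC=com
"""

def parse_entry(ldif):
    """Parse one simple LDIF entry into {lowercased attribute: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def norm_dn(dn):
    """Simplified DN normalisation: case-fold and trim spaces around RDNs.
    Escaped commas inside RDN values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def detect_group_attr(entry):
    """Return the supported membership attribute present on the entry, or None."""
    for attr in SUPPORTED_ATTRS:
        if attr.lower() in entry:  # LDAP attribute names are case-insensitive
            return attr
    return None

def authorized_groups(entry, group_attr, group_dns):
    """Groups from group_dns (the ldap_group_dn list) that the user belongs to,
    read from the attribute named by ldap_group_search_filter."""
    if group_attr not in SUPPORTED_ATTRS:
        raise ValueError(f"unsupported ldap_group_search_filter: {group_attr!r}")
    member_of = {norm_dn(v) for v in entry.get(group_attr.lower(), [])}
    # A wrong attribute name yields an empty set, so no group matches.
    return [dn for dn in group_dns if norm_dn(dn) in member_of]

if __name__ == "__main__":
    user = parse_entry(SAMPLE_LDIF)
    attr = detect_group_attr(user)
    print("ldap_group_search_filter should be:", attr)
    print(authorized_groups(user, attr, ["cn=admin-group, cn=Users, dc=tibco, dc=com"]))
```

In this sketch, naming the wrong attribute returns no groups at all, which is the symptom to look for when a valid directory user is not mapped to any configured group.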

 

Issue/Introduction

How to configure ldap_group_search_filter for HawkConsole

Resolution

ldap_group_search_filter applies only to the LDAP server auth type. It is not applicable to the database or file auth types.
The only values that can be set for ldap_group_search_filter are memberOf and isMemberOf.

Additional Information

HK-8234