How to create LDIF File of a directory object for troubleshooting LDAP User Directory and Authentication issues


Article ID: KB0080175


Products: Spotfire Server
Versions: All Versions

Description

The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content. An LDIF file shows exactly the attributes of a directory object that are visible to the bind account used to export it.

When troubleshooting user directory or authentication issues, it is useful to bind to the same LDAP server and port with the same account that the TIBCO Spotfire Server uses in its LDAP configuration, and then export an LDIF file of a problematic user (and of a non-problematic user for comparison). Because the bind account is the same, the export replicates what Spotfire sees when it accesses the directory. This helps identify missing attributes (due to insufficient permissions) or misconfigurations (for example, mismatching filters or contexts).


Below is an example of how user account details are displayed in an LDIF file:
dn: CN=name,CN=Users,DC=boston,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: name
givenName: Name
displayName: Name
userAccountControl: 789656
codePage: 0
countryCode: 0
accountExpires: 92233789076545407
sAMAccountName: Name
userPrincipalName: Name@boston.local

Issue/Introduction

How to create LDIF File of a directory object for troubleshooting LDAP User Directory and Authentication issues

Environment

An LDIF file shows exactly the attributes visible to the bind account used, which is the same view Spotfire has when it accesses the directory.

Resolution

Steps to create an LDIF file:
1. Download and install LDAP Browser from Softerra:

2. Start LDAP Browser

3. Create a new profile using the same server, port, security options (SSL) and credentials used in the TIBCO Spotfire Server configuration (the current Spotfire Server configuration can be exported with the export-config command for reference):

  • Go to File > New > Profile

  • Enter a profile name and click Next

  • "Host" and "Port" must match the 'LDAP Server URL' configured in TIBCO Spotfire Server UIConfig > Configuration > User Directory: LDAP (the "Lookup Servers" button can be used to look up the LDAP domain)

  • Choose security options only if required.

  • Click on Next

  • Select the appropriate User Authentication Information. Almost always this will be "Simple", and you will provide the "Principal" account name and "Password" for the account used to connect to your LDAP server. The principal username and password must match exactly the "LDAP Username" and "LDAP Password" present in TIBCO Spotfire Server UIConfig > Configuration > User Directory: LDAP

  • Click on Next

4. Click on Finish

5. In the Scope Pane on the left, open your new profile and browse to the Users/Groups/Objects not seen in Spotfire. Note: If the users or groups are also not seen here, then this explains why they are missing during Spotfire's LDAP synchronization. If this is the case, contact your directory administrator so that they can give the correct permissions for the given bind account to authenticate against the given LDAP server URL and read the objects and their attributes.

6. In the Scope Pane on the left, right click on the desired Users/Groups/Objects and select "Export data". Select LDIF as the file format and click "Finish".

Then please send the resulting .LDIF files to TIBCO Support for investigation.
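A quick way to compare the export of a problematic user with that of a reference user, as the Description suggests, is to parse both LDIF files and list which attributes and values the problematic user lacks. The script below is an added example and not part of the article or of Softerra's tooling; the two LDIF samples are constructed (hypothetical users alice and bob), and with real exports you would read the two files instead of the embedded strings.

```python
import base64
from collections import defaultdict
# Constructed sample exports (hypothetical, not from the article): a reference user
# Spotfire resolves correctly and a problematic user exported with the same bind account.
REFERENCE_LDIF = """\
dn: CN=alice,CN=Users,DC=boston,DC=local
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: alice
sAMAccountName: alice
userPrincipalName: alice@boston.local
memberOf: CN=Spotfire Users,CN=Users,DC=boston,DC=local
"""
PROBLEM_LDIF = """\
dn: CN=bob,CN=Users,DC=boston,DC=local
objectClass: person
objectClass: user
cn: bob
sAMAccountName: bob
"""
# Attributes that legitimately differ between any two users; skipped when diffing values.
IDENTITY_ATTRS = {"dn", "cn", "name", "samaccountname", "userprincipalname",
                  "displayname", "givenname", "sn", "distinguishedname"}

def parse_ldif(text):
    """{attribute (lowercased): [values]} for a single-entry LDIF export; unfolds
    continuation lines (leading space) and decodes 'attr:: <base64>' values (RFC 2849)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded line continues the previous one
        elif line and not line.startswith("#"):
            unfolded.append(line)
    attrs = defaultdict(list)
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs[name.strip().lower()].append(value.strip())   # LDAP attribute names are case-insensitive
    return dict(attrs)

def compare_entries(reference_ldif, problem_ldif):
    """Attributes and values present on the reference user but absent on the problem user."""
    ref, prob = parse_ldif(reference_ldif), parse_ldif(problem_ldif)
    missing_attrs = sorted(a for a in ref if a not in prob)
    missing_values = {a: sorted(set(v) - set(prob[a])) for a, v in ref.items()
                      if a in prob and a not in IDENTITY_ATTRS and set(v) - set(prob[a])}
    return missing_attrs, missing_values
```

A missing memberOf or userPrincipalName on the problematic user points to read permissions of the bind account, while a missing objectClass value suggests the object does not match the filter Spotfire is configured with.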

Additional Information

External: Softerra LDAP Browser