How to expand the LDAP group context search for Active Directory in TIBCO Data Virtualization?

Article ID: KB0073354

Products: TIBCO Data Virtualization
Versions: 7.0.x and higher

Description

How to expand the LDAP group context search in TIBCO Data Virtualization

Issue/Introduction

How to expand the LDAP group context search for Active Directory in TIBCO Data Virtualization

Resolution

The group search context is set by the following lines in the file <TDV_INSTALL_DIRECTORY>/conf/server.ldap.properties:

----------------
activedirectory.all.groups.search.context=cn=users
activedirectory.user.groups.search.context=cn=users
----------------

Sometimes the LDAP administrator creates group contexts other than the default "cn=users". Below are some examples.
  • OU=QA Testing
  • OU=Domain Users
  • OU=Groups
If this is the case, the group search will fail, and an error of the type below appears in cs_server.log or cs_server_client.log:

ERROR [jetty thread pool-60] 2021-05-05 15:49:27.097 -0400 AuthenticationFilter - [1293583666] Authorization failed: The user "chris" in domain "ldapdomain1" does not belong to any valid external LDAP groups.
 
To resolve the error, edit the two group search context lines in the ldap.properties file to include the required groups separated by the "|" symbol (which represents the OR operator) as shown below.

----------------
activedirectory.all.groups.search.context=cn=users | OU=QA Testing | OU=Domain Users | OU=Groups 
activedirectory.user.groups.search.context=cn=users | OU=QA Testing | OU=Domain Users | OU=Groups
----------------

The "|" expands the search from looking for groups under "cn=Users" to also looking for groups under "OU=QA Testing", "OU=Domain Users", and "OU=Groups".

For troubleshooting purposes, it is OK to add redundant or incorrect filter values separated by "|", as the values will simply be ignored. For example, if "SomeNonExistentFilter=helloworld" is added as shown below, it will be ignored (i.e. the search result will be the same as it would have been had the filter not been added).

----------------
activedirectory.all.groups.search.context=cn=users | OU=IT Testing | OU=Domain Users | OU=Groups | SomeNonExistentFilter=helloworld
activedirectory.user.groups.search.context=cn=users | OU=QA Testing | OU=Domain Users | OU=Groups | SomeNonExistentFilter=helloworld
----------------
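
Because incorrect entries are ignored without any error, a typo in a group search context can go unnoticed until a user fails authorization. The following lint check is an added example, not TIBCO code: it splits the two properties on "|" and reports entries that look wrong. The expected attribute set (cn, ou, dc) and the rule that both keys should list the same contexts are assumptions made for this example, based on how the article's earlier examples are written.

```python
import re

# Keys named in the article.
KEYS = (
    "activedirectory.all.groups.search.context",
    "activedirectory.user.groups.search.context",
)
# Assumption: attribute types expected in a group search context.
EXPECTED_ATTRS = {"cn", "ou", "dc"}
RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(\S.*?)\s*$")


def parse_contexts(text):
    """Return {key: [context, ...]} for the two group search context keys."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in KEYS:
            found[key.strip()] = [c.strip() for c in value.split("|")]
    return found


def lint(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    found, findings = parse_contexts(text), []
    for key in KEYS:
        if key not in found:
            findings.append(f"{key}: not set")
            continue
        for ctx in found[key]:
            for rdn in ctx.split(","):  # does not handle escaped commas
                m = RDN.match(rdn)
                if not m:
                    findings.append(f"{key}: malformed entry {ctx!r}")
                elif m.group(1).lower() not in EXPECTED_ATTRS:
                    findings.append(f"{key}: unexpected attribute in {ctx!r}")
    if len(found) == 2:
        a, b = ({c.lower() for c in found[k]} for k in KEYS)
        for ctx in sorted(a ^ b):
            findings.append(f"contexts differ between the two keys: {ctx!r}")
    return findings


# Sample input: the article's final example, copied verbatim.
SAMPLE = """\
activedirectory.all.groups.search.context=cn=users | OU=IT Testing | OU=Domain Users | OU=Groups | SomeNonExistentFilter=helloworld
activedirectory.user.groups.search.context=cn=users | OU=QA Testing | OU=Domain Users | OU=Groups | SomeNonExistentFilter=helloworld
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run against the article's final example, the check reports the placeholder filter on both keys and the "OU=IT Testing" / "OU=QA Testing" difference between them.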