The LDAP user can log in to AMS, but cannot perform the expected AMS tasks

Article ID: KB0072975

Product: TIBCO Streaming
Versions: 10.6 and later

Description

We have configured LDAP authentication for the TIBCO Artifact Management Server (AMS). LDAP users can log in to AMS, but they cannot perform the expected AMS tasks (such as deploying, reading, or writing artifacts).

Issue/Introduction

Provides guidance in the case where the AMS LDAP user can be authenticated, but not authorized.

Resolution

First, enable DEBUG level logging in the AMS server, as described in KB article 000045262, then reproduce the failing login and check the AMS log for the entry below. It confirms that authentication succeeded (AMS is resolving roles for the user) and narrows the problem to role mapping; the list that follows covers the usual causes.

With DEBUG logging enabled, you will typically see a log message like the following:
2021-10-01 08:56:34.819 DEBUG (qtp1571125860-53) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:252 -
Roles for user 'user1@example.com' from group entries: []
The role list for the user is empty ([]): AMS found no LDAP group entries for this user that map to an AMS role, so the user is authenticated but holds no privileges. This is a symptom of one of the following causes:
  • One or more group names specified in the RoleToPrivilegeMappings do not exist in the LDAP directory, or are spelled differently from the entries that do exist.
  • The principalRoot setting is incorrect, so the user entry is not found under that search base.
  • The principalSearch setting is incorrect, so the search filter does not match the user entry.
  • The roleRoot setting is incorrect, so the group entries are not found under that search base.
  • The roleAttribute setting names the wrong attribute.
  • The roleAttribute value contains a typo.
Consult your LDAP administrator to obtain the correct group names and values for these AMS configuration options. Also refer to KB article 000045254 for guidance on running LDAP searches from the command line, which helps confirm the correct values for the options above before changing the AMS configuration.
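The following script is an added diagnostic example (not TIBCO code and not part of the original article) that automates the comparison the article asks you to make by hand: it recognises the AMSActiveDirectoryRealm DEBUG line and extracts the role list, pulls the group names out of an LDAP search result for the user, and reports which configured group names have no exact counterpart in the user's membership. The group names, the LDIF user entry and the mapping outcomes are constructed samples. Two assumptions are not stated in the article: that group membership comes back as DNs in a memberOf-style attribute (the Active Directory convention, matching the realm class in the log line), and that the names placed in RoleToPrivilegeMappings are compared against the CN of those DNs. Whether AMS compares names case-sensitively is also not stated, so case differences are flagged for you to verify rather than treated as matches.

```python
"""Diagnostic helper for the empty-roles symptom described in this KB article.

Added example, not TIBCO code. Assumptions (not stated in the article): group
membership is returned as DNs in a memberOf-style attribute, and the names in
RoleToPrivilegeMappings are compared against the CN of those DNs.
"""
import re
from difflib import get_close_matches

# Constructed sample: the group names an administrator put in
# RoleToPrivilegeMappings (hypothetical names).
CONFIGURED_GROUPS = ["AMS-Admins", "AMS-Deploy", "AMS-Readers"]

# Constructed sample: LDIF-style result of searching the directory for the
# user (hypothetical entry; only the memberOf values are used below).
LDIF_SAMPLE = """\
dn: CN=user1,OU=Users,DC=example,DC=com
userPrincipalName: user1@example.com
memberOf: CN=AMS Admins,OU=Groups,DC=example,DC=com
memberOf: CN=ams-deploy,OU=Groups,DC=example,DC=com
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
"""

# The DEBUG line quoted in the article.
DEBUG_LINE = ("2021-10-01 08:56:34.819 DEBUG (qtp1571125860-53) "
              "com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:252 - "
              "Roles for user 'user1@example.com' from group entries: []")

ROLES_RE = re.compile(
    r"Roles for user '(?P<user>[^']+)' from group entries: \[(?P<roles>[^\]]*)\]")


def parse_roles_line(line):
    """Return (user, roles) from the realm DEBUG line, or None if it is not one."""
    m = ROLES_RE.search(line)
    if not m:
        return None
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return m.group("user"), roles


def group_cns_from_ldif(ldif, attribute="memberOf"):
    """Extract the CN of every DN listed under the membership attribute."""
    cns = []
    for raw in ldif.splitlines():
        name, sep, value = raw.partition(":")
        if sep and name.strip().lower() == attribute.lower():
            m = re.match(r"\s*CN=([^,]+)", value, re.IGNORECASE)
            if m:
                cns.append(m.group(1))
    return cns


def check_mapping(configured, actual):
    """Classify each configured group name against the groups the user is in.

    'ok'               exact match exists
    'case-mismatch:X'  same name, different case (verify how AMS compares)
    'near:X'           a similarly spelled group exists (typo, hyphen/space)
    'missing'          nothing resembling it in the user's membership
    """
    by_lower = {g.lower(): g for g in actual}
    verdict = {}
    for g in configured:
        if g in actual:
            verdict[g] = "ok"
        elif g.lower() in by_lower:
            verdict[g] = "case-mismatch:" + by_lower[g.lower()]
        else:
            near = get_close_matches(g, actual, n=1, cutoff=0.6)
            verdict[g] = "near:" + near[0] if near else "missing"
    return verdict


def diagnose(log_line, ldif, configured):
    """Combine the checks; returns None if the log line is not the roles line."""
    parsed = parse_roles_line(log_line)
    if parsed is None:
        return None
    user, roles = parsed
    user_groups = group_cns_from_ldif(ldif)
    return {
        "user": user,
        "roles": roles,
        "user_groups": user_groups,
        "mapping": check_mapping(configured, user_groups),
    }


if __name__ == "__main__":
    report = diagnose(DEBUG_LINE, LDIF_SAMPLE, CONFIGURED_GROUPS)
    print(f"AMS roles for {report['user']}: {report['roles']}")
    for group, verdict in report["mapping"].items():
        print(f"{group:12s} -> {verdict}")
```

Feed it the output of the LDAP search from KB article 000045254 in place of LDIF_SAMPLE. A configured name reported as near or case-mismatch points at the first and last bullets above (a group name that does not exist as spelled); an empty user_groups list while the user entry was returned points at the principalRoot, principalSearch, roleRoot or roleAttribute settings instead, since the membership attribute was not found at all.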