Article ID: KB0089648
Abstract
======
User and role synchronization fails when an administration domain is integrated with Active Directory 2003, which has a large number of users and groups.
Symptoms
========
The following error appears in the TIBCO Administrator User's panel when retrieving a large number of users from Active Directory. This normally happens when the number of users retrieved is more than 10,000.
"Corporate LDAP server is throwing Critical Extension Unavailable exception. Narrowing down on the search criteria to return a smaller dataset will help. Otherwise additional indexes created on LDAP server may help avoid this situation."
Role synchronization fails if there are a large number of groups that need to be queried from Active Directory. This normally happens when there are more than 10,000 groups. The same error message (as above) appears, but in the Administrator log file.
Impact
======
* Not all Active Directory users and roles that are configured to be retrieved for an administration domain are imported into TIBCO Administrator when a sync operation occurs.
* End-users will not be able to search for all users in the User’s panel in TIBCO Administrator.
* The CorpUserSynchronizer and CorpRoleSynchronizer utilities will fail.
* Not all groups from Active Directory will be imported as group synchronized roles in TIBCO Administrator.
Workaround
==========
There are a few things you need to check and set up to avoid these problems. Note that after applying one or more of the items listed in this section, you must restart your TIBCO Administrator administration server.
* Compare and Set Page Size
Check the Active Directory parameter settings. Use the "ntdsutil" utility that is available on the Active Directory Server to view the LDAP policy settings.
If the Active Directory MaxPageSize parameter is set to a value other than 1000, you must add the CorpLdapMaxPageSize parameter to the TIBCO Administrator AuthorizationDomain.properties file for your domain (located in <install-path>\tibco\tra\domain\<domain-name>). For example, if MaxPageSize is set to 500, you must add the following parameter to the file:
CorpLdapMaxPageSize = 500
* Compare and Set Value Range
It is also recommended to set the following parameter. This setting fixes problems in retrieving the complete membership of a group synchronized role that has more than 1000 members.
Check the Active Directory parameter settings. Use the "ntdsutil" utility that is available on the Active Directory Server to view the LDAP policy settings.
If the Active Directory MaxValRange parameter is set to a value other than 1000, you must add the CorpLdapMaxValRange parameter to the TIBCO Administrator AuthorizationDomain.properties file. For example, if MaxValRange is set to 500, you must add the following parameter to the file:
CorpLdapMaxValRange = 500
* Set User and Group Search Filter with objectcategory
In TIBCO Domain Utility under LDAP Configuration, it is recommended to use “objectcategory” instead of “objectclass” when specifying the search filter for users and for groups. The objectcategory attribute is indexed in Active Directory, so searches on it are served more efficiently and avoid the problem above. To access the search filter in Domain Utility, see the steps in the "Groups: Break Down the Search Filter" section below.
For example, for user search filter:
objectcategory=user
(&(objectcategory=user)(zipcode=12345))
For example, for group search filter:
objectcategory=group
(&(objectcategory=group)(portalFlag=Y))
* Users: Narrow Down Search Condition
Avoid large user searches in TIBCO Administrator. You must narrow the search criteria when you see the error warning you of the 10,000 limit.
* Users: Break Down the Search filter
CorpUserSynchronizer will still fail if the total number of valid users is above 10,000. This script is optional and only required if you have a large user base and it is expected that a large number of new users will start using an application at approximately the same time. If it is essential to run this script, you can break down the user search filter (under Domain Utility) into multiple filters, where each filter retrieves fewer than 10,000 users. This configuration is similar to what is described below for Groups.
* Groups: Break Down the Search Filter
If the number of valid groups is more than 10,000, you must break down the group search filter (under Domain Utility) into multiple filters, where each filter retrieves fewer than 10,000 groups. To do so, use the following steps to reconfigure your administration domain LDAP search parameters:
1) Start TIBCO Domain Utility.
2) Click Server Setting and click LDAP Configuration.
3) Click Next and in the screen that appears, select the administration domain to change.
4) In the next screen provide the administrator credentials for the administration domain.
5) Click Next and in the Search Parameters and Attributes section, click Edit and change the group filter. You can break down the filter by providing a different base DN for each filter, or break out lexicographically into smaller sets, or a combination. (Refer to RFC 2254 “The String Representation of LDAP Search Filters” for this purpose.)
Different base DN Example:
Base DN: ou=Partners,dc=acme,dc=com
Group Search Filter: objectcategory=group
Base DN: ou=vendors,dc=acme,dc=com
Group Search Filter: objectcategory=group
Breaking Out Lexicographically into Smaller Sets Example:
Base DN: dc=acme,dc=com
Group Search Filter:
(&(objectcategory=group)(|(cn=Zone1*)(cn=Zone2*)(cn=Zone3*)))
Base DN: dc=acme,dc=com
Group Search Filter: (&(objectcategory=group)(|(cn=Zone4*)(cn=Zone5*)))
Or:
Base DN: dc=acme,dc=com
Group Search Filter: (&(objectcategory=group)(|(cn=a*)(cn=b*)(cn=c*)))
Base DN: dc=acme,dc=com
Group Search Filter: (&(objectcategory=group)(|(cn=d*)(cn=e*)))
6) Click Next to display a summary page where you can verify your changes.
7) Click Next to apply the changes to the domain.
8) Click Finish to end the session.
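Before entering a set of split filters in Domain Utility, it is worth dry-running them against a list of known group names to confirm that every group is still covered and that no single filter returns more than the limit. The following added example (not TIBCO's code) is a minimal RFC 2254 evaluator supporting &, | and attr=value with a trailing '*' wildcard; the sample entries and the check_split helper are constructed for this illustration, and PAGE_SPLIT uses the two Zone filters from the steps above, which deliberately leave a Zone9 group uncovered to show what the check reports.

```python
import re

def parse_filter(text):
    """Parse an RFC 2254 filter (a bare 'attr=value' is wrapped first) into a tree."""
    s, pos = text.strip(), 0
    s = s if s.startswith("(") else "(%s)" % s
    def node():
        nonlocal pos
        pos, op = pos + 1, s[pos + 1:pos + 2]        # skip '(' and peek at the item
        if op in ("&", "|"):                         # compound: (&(..)(..)) or (|(..)(..))
            pos, kids = pos + 1, []
            while s[pos:pos + 1] == "(":
                kids.append(node())
            if s[pos:pos + 1] != ")":
                raise ValueError("unterminated compound item in %r" % s)
            pos += 1
            return (op, kids)
        end = s.index(")", pos)                      # simple item: (attr=value); '*' is a wildcard
        attr, _, value = s[pos:end].partition("=")
        pos = end + 1
        rx = re.compile(re.escape(value.strip()).replace(r"\*", ".*"), re.I)
        return ("=", attr.strip().lower(), rx)      # LDAP matching is case-insensitive
    return node()

def matches(tree, entry):                            # entry is {attr: [values]}
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    return any(tree[2].fullmatch(v) for v in entry.get(tree[1], []))

def check_split(base_filter, split_filters, entries, limit=10000):
    """Dry-run split filters: entries per filter, groups matched by base_filter
    that no split covers, and whether every split stays below the AD VLV limit."""
    base, parts = parse_filter(base_filter), [parse_filter(f) for f in split_filters]
    counts, missed = [0] * len(parts), []
    for e in (e for e in entries if matches(base, e)):
        hits = [i for i, p in enumerate(parts) if matches(p, e)]
        for i in hits:
            counts[i] += 1
        if not hits:
            missed.append(e["cn"][0])
    return {"counts": counts, "missed": missed,
            "within_limit": all(c < limit for c in counts)}

# Constructed sample entries: Zone9-Audit is covered by neither split filter, and the
# person entry is not a group, so the base filter excludes it from the check.
SAMPLE_ENTRIES = [{"objectcategory": [c], "cn": [n]} for c, n in
                  [("group", "Zone1-Admins"), ("group", "Zone4-Dev"),
                   ("group", "Zone9-Audit"), ("person", "Zone1-user")]]
PAGE_SPLIT = ["(&(objectcategory=group)(|(cn=Zone1*)(cn=Zone2*)(cn=Zone3*)))",
              "(&(objectcategory=group)(|(cn=Zone4*)(cn=Zone5*)))"]
```

Running check_split("objectcategory=group", PAGE_SPLIT, SAMPLE_ENTRIES) reports Zone9-Audit as missed, which is exactly the group that a later role synchronization would silently fail to import.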
Cause
=====
* The Active Directory settings for MaxPageSize and MaxValRange are set to a non-default value.
* In order to cross the page size limit set by Active Directory (usually 1000), TIBCO Administrator issues paged queries using an LDAP control called “Virtual List View” (VLV for short). Active Directory further limits the results of VLV-based queries to 10,000 entries.
Additional Information
======================
You must have configured your administration domain to use Active Directory Server 2003 with Service Pack 1 for Windows Server 2003. Refer to the following link that provides details on this defect:
http://support.microsoft.com/default.aspx?scid=kb;en-us;886683
If you have configured your administration domain to use Active Directory 2000, this fix will not work. In that case, only a maximum of 1000 users and 1000 groups will be retrieved from Active Directory.
Issue/Introduction
TIBCO Runtime Agent 5.3.2: User and role synchronization fails when an administration domain is integrated with Active Directory 2003 with a large number of users and groups.