Defining a subset of corporate LDAP roles to be returned.


Article ID: KB0094206


Products Versions
TIBCO Administrator -
Not Applicable -

Description:
============
How can we prevent all of the corporate LDAP roles from being returned? Is there a configuration we can modify?
Is there a way to return a subset of defined users instead of returning all users?

Environment:
===========
TIBCO Runtime Agent (TRA) 5.6.x, TIBCO Administrator 5.6.x.


Details:
========
How can we prevent all of the corporate LDAP roles from being returned? Is there a configuration we can modify? Is there a switch that we can use to return a local set of defined users instead of returning all users? We would like Administrator to return only a small subset of users or groups, which we would consider local users of TIBCO, instead of returning the whole corporate directory (there are thousands of users and groups).

  
Resolution:
===========
You will have to do the following:

- Users: Narrow Down Search Condition: Avoid large user searches in TIBCO Administrator. You must narrow the search criteria when you see the error warning you of the 10000 limit.

- Users: Break Down the Search filter: You can break down the user search filter (under Domain Utility) to multiple filters, where each filter retrieves less than 10,000 users.


1). Start TIBCO Domain Utility.

2). Click Server Setting and click LDAP Configuration.

3). Click "Next" and in the screen that appears, select the administration domain to change.

4). In the next screen provide the administrator credentials for the administration domain.

5). Click "Next" and in the Search Parameters and Attributes section, click "Edit" and change the group filter. You can break down the filter by providing a different base DN for each filter, or break out lexicographically into smaller sets or a combination. (Refer to RFC 2254 “The String Representation of LDAP Search Filters” for this purpose.)


Different base DN Example:

    Base DN: ou=Partners,dc=acme,dc=com
    User Search Filter: objectclass=people

    Base DN: ou=vendors,dc=acme,dc=com
    User Search Filter: objectclass=people

Breaking Out Lexicographically into Smaller Sets Example:

    Base DN: dc=acme,dc=com
    User Search Filter: (&(objectclass=people)(|(cn=Zone1*)(cn=Zone2*)(cn=Zone3*)))

    Base DN: dc=acme,dc=com
    User Search Filter: (&(objectclass=people)(|(cn=Zone4*)(cn=Zone5*)))

    Or:

    Base DN: dc=acme,dc=com
    User Search Filter: (&(objectclass=people)(|(cn=a*)(cn=b*)(cn=c*)))

    Base DN: dc=acme,dc=com
    User Search Filter: (&(objectclass=people)(|(cn=d*)(cn=e*)))

Apply the same approach to the group search filters.
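
Before entering split filters in Domain Utility, it helps to confirm that each base DN and filter pair stays under the 10,000 limit and that no entry is pulled in by two pairs. The Python below is an added example, not TIBCO code: it evaluates the article's filters against a small constructed directory, and the function names and sample entries are assumptions (in practice the entries would come from an export of your own directory).

```python
import re

LIMIT = 10000  # per-search cap quoted in the article

def parse(f, i=0):
    """Parse the filter subset the article uses: (&..) (|..) (!..) (attr=value*)."""
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    # '*' is the only wildcard; matching is case-insensitive (no \XX escapes handled)
    rx = ".*".join(re.escape(p) for p in value.lower().split("*"))
    return ("=", attr.lower(), re.compile(rx)), end + 1

def matches(node, entry):
    if node[0] == "=":
        return any(node[2].fullmatch(v.lower()) for v in entry.get(node[1], []))
    results = [matches(k, entry) for k in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def audit(partitions, entries, limit=LIMIT):
    """Count hits per (base DN, filter); flag pairs at or over the limit and DNs hit twice."""
    seen, report = set(), {"counts": [], "over_limit": [], "overlap": []}
    for base, flt in partitions:
        tree, _ = parse(flt if flt.startswith("(") else f"({flt})")
        hits = [e["dn"] for e in entries  # naive subtree test: DN suffix compare
                if e["dn"].lower().endswith(base.lower()) and matches(tree, e)]
        report["counts"].append(len(hits))
        if len(hits) >= limit:
            report["over_limit"].append((base, flt))
        report["overlap"] += [dn for dn in hits if dn in seen]
        seen.update(hits)
    return report

def person(cn, ou, oc="people"):  # constructed sample entries, not real data
    return {"dn": f"cn={cn},ou={ou},dc=acme,dc=com", "cn": [cn], "objectclass": [oc]}

ENTRIES = [person("Zone1-ops", "Staff"), person("zone2-dev", "Staff"),
           person("Zone4-qa", "Staff"), person("Alice", "Partners"),
           person("Zone1-partner", "Partners"), person("Zone1-printer", "Staff", "device")]
PARTITIONS = [  # the article's lexicographic split plus one of its base-DN filters
    ("dc=acme,dc=com", "(&(objectclass=people)(|(cn=Zone1*)(cn=Zone2*)(cn=Zone3*)))"),
    ("dc=acme,dc=com", "(&(objectclass=people)(|(cn=Zone4*)(cn=Zone5*)))"),
    ("ou=Partners,dc=acme,dc=com", "objectclass=people"),
]
```

Calling `audit(PARTITIONS, ENTRIES)` shows that mixing a lexicographic split rooted at `dc=acme,dc=com` with a separate `ou=Partners` base DN returns the same Partners entry from two searches, which is worth resolving before the filters are saved.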
