Article ID: KB0093660
Description:
This article describes a known issue with using TIBCO ActiveSpaces with the attribute name sAMAccountName on Windows Active Directory.
Symptoms:
When you set up the policy file to use name=sAMAccountName, for example:
authentication=userpwd;source=ldap;name=sAMAccountName;host=DXBEGDC03PV;plainPort=389;baseDN=OU=Users,DC=corp,DC=tibcodomain,DC=com;searchUnder=false;allowEmptyPassword=false;objectClass=*;hint=acme_dir
The following error is generated:
[ERROR][test_upg.$gmp][MemberManager.cpp:630][processAuthentication] [general_advisory] [sAMAccountName=s413495,OU=Users,DC=corp,DC=tibcodomain,DC=com] [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1À]
SYS_ERROR (action_failed -
Failed Command: connect name 'test_upg' discovery 'tcp://subd843.hq.tibcodomain.com:5010;hqlnxprodvm837.hq.tibcodomain.com:5010' member_name "test_Admin2" security_token "mytoken5.txt"
Cause: action_failed
Message: [sAMAccountName=s413495,OU=Users,DC=corp,DC=tibcodomain,DC=com] [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1À]
)
Cause:
Setting name=sAMAccountName in the policy configuration does not work because the Windows AD server uses CN to find a user. Use AD Explorer to search your AD server and open a user entry. Pay special attention to the baseDN property of the user. This unique distinguishedName (baseDN) is what is used to look up the user. If the user is found and the password check returns true, access is allowed. For this scenario it looks like the following:
baseDN=tibco1,OU=Users,DC=corp,DC=tibcodomain,DC=com
Issue/Introduction
TIBCO ActiveSpaces integration with Windows Active Directory using the sAMAccountName attribute.
Resolution
Replace sAMAccountName with CN as shown below:
authentication=userpwd;source=ldap;name=CN;host=DXBEGDC03PV;plainPort=389;baseDN=OU=Users,DC=corp,DC=tibcodomain,DC=com;searchUnder=false;allowEmptyPassword=false;objectClass=*;hint=acme_dir
CN is the username of the AD user.
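The following diagnostic helper is an added example, not TIBCO code. It parses a policy line, rebuilds the bind DN in the shape logged in the error above, and decodes the Active Directory sub-code in the "data" field. The function names are hypothetical, the sub-code table lists commonly documented AD values, and the DN layout <name>=<user>,<baseDN> is assumed from the logged error with searchUnder=false.

```python
import re

# Commonly documented Active Directory sub-codes found in the "data" field
# of an LDAP error 49 (invalid credentials) diagnostic message.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

def parse_policy(line):
    """Split a policy line on ';', then on the first '=' only (baseDN contains '=')."""
    return dict(item.split("=", 1) for item in line.strip().split(";") if item)

def bind_dn(policy, username):
    """DN in the shape logged in the article's error: <name>=<user>,<baseDN>.
    Diagnostic only: assumes searchUnder=false and does no RFC 4514 escaping."""
    return f"{policy['name']}={username},{policy['baseDN']}"

def explain_bind_error(message):
    """Return (ldap_code, ad_subcode, meaning) from an AD bind failure, else None."""
    m = re.search(r"error code (\d+).*?\bdata ([0-9a-fA-F]+)", message)
    if not m:
        return None
    sub = m.group(2).lower()
    return int(m.group(1)), sub, AD_SUBCODES.get(sub, "unknown sub-code")

def check_name_attribute(policy):
    """Flag a name= attribute other than CN, per the article's resolution."""
    name = policy.get("name", "")
    if policy.get("source") == "ldap" and name.upper() != "CN":
        return f"name={name}: AD user DNs start with CN=, so this bind DN will not match"
    return None

# Policy line and error text copied from the article (trailing garbled byte dropped).
BAD = ("authentication=userpwd;source=ldap;name=sAMAccountName;host=DXBEGDC03PV;"
       "plainPort=389;baseDN=OU=Users,DC=corp,DC=tibcodomain,DC=com;searchUnder=false;"
       "allowEmptyPassword=false;objectClass=*;hint=acme_dir")
ERR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
       "AcceptSecurityContext error, data 52e, v1db1]")

if __name__ == "__main__":
    policy = parse_policy(BAD)
    print(bind_dn(policy, "s413495"), explain_bind_error(ERR), check_name_attribute(policy))
```

In the article's case the sub-code is 52e even though the root cause is the DN rather than the password, so a 52e on a new policy should prompt a check of the name= attribute before any password reset.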