LDAP users are able to log in until the next LDAP synchronization task is completed, even though the "Filter users by groups" option is enabled and they are not members of any synchronized LDAP group.


Article ID: KB0081706


Products: Spotfire Server
Versions: 7.0.1 HF-004 and lower

Description

LDAP users are able to log in temporarily, until the next LDAP synchronization task is completed, even though the "Filter users by groups" option is enabled and they are not members of any synchronized LDAP groups.

In the server log, you will see the following output:

DEBUG 2016-02-02T07:45:40,757-0500 [unknown, #128] jaas.ldap.LDAPLoginModule: Authenticating user 'new_spotfire_user' in LDAPLoginModule

...

DEBUG 2016-02-02T07:45:41,180-0500 [unknown, #128] jaas.ldap.LDAPLoginModule: Using searchFilter '(&(sAMAccountName=new_spotfire_user)(objectClass=user))'

DEBUG 2016-02-02T07:45:41,255-0500 [unknown, #128] jaas.ldap.LDAPLoginModule: Found LDAP user 'CN=new_spotfire_user,OU=Standard,OU=Users,OU=Enterprise,DC=logon,DC=ds,DC=company,DC=com', using DN as principal id

DEBUG 2016-02-02T07:45:41,342-0500 [unknown, #128] jaas.ldap.LDAPLoginModule: Could not find any user 'new_spotfire_user' in LDAP context 'OU=Groups,OU=Enterprise,DC=logon,DC=ds,DC=company,DC=com'

DEBUG 2016-02-02T07:45:41,342-0500 [unknown, #128] server.ldap.LdapContextFactory: Closing LdapContext for ldaps://company.com:389

DEBUG 2016-02-02T07:45:41,343-0500 [unknown, #128] jaas.ldap.LDAPLoginModule: Authenticating user with principal id 'CN=new_spotfire_user,OU=Standard,OU=Users,OU=Enterprise,DC=logon,DC=ds,DC=company,DC=com'

DEBUG 2016-02-02T07:45:41,343-0500 [unknown, #128] server.ldap.LdapContextFactory: Creating an LDAP connection for principal 'CN=new_spotfire_user,OU=Standard,OU=Users,OU=Enterprise,DC=logon,DC=ds,DC=company,DC=com' to LDAP server(s) ldaps://company.com:389

DEBUG 2016-02-02T07:45:41,760-0500 [unknown, #128] server.ldap.LdapContextFactory: Successfully created an LDAP connection for principal 'CN=new_spotfire_user,OU=Standard,OU=Users,OU=Enterprise,DC=logon,DC=ds,DC=company,DC=com' to LDAP server ldaps://company.com:389

DEBUG 2016-02-02T07:45:41,761-0500 [unknown, #128] server.ldap.LdapContextFactory: Closing LdapContext for ldaps://company.com:389

DEBUG 2016-02-02T07:45:41,762-0500 [unknown, #128] jaas.ldap.LDAPLoginModule: Successfully authenticated user 'new_spotfire_user' with DN 'CN=new_spotfire_user,OU=Standard,OU=Users,OU=Enterprise,DC=logon,DC=ds,DC=company,DC=com'

DEBUG 2016-02-02T07:45:41,762-0500 [unknown, #128] server.security.JaasAuthenticator: Successfully authenticated user 'new_spotfire_user' in domain 'company.com'

DEBUG 2016-02-02T07:45:41,762-0500 [unknown, #128] server.security.PostAuthenticationFilterImpl: Post-authentication filtering security context for principal 'new_spotfire_user@company.com'

DEBUG 2016-02-02T07:45:41,762-0500 [unknown, #128] server.security.PostAuthenticationFilterImpl: Post-authentication filtering in block mode

DEBUG 2016-02-02T07:45:41,762-0500 [unknown, #128] server.security.PostAuthenticationFilterImpl: Looking up the authenticated user principal 'new_spotfire_user@company.com' in the User Directory

DEBUG 2016-02-02T07:45:41,764-0500 [unknown, #128] server.userdir.UserDirectoryImpl: Checking if the user principal new_spotfire_user@company.com has been recently added to the external provider

...

DEBUG 2016-02-02T07:45:42,356-0500 [unknown, #128] server.userdir.UserDirectoryImpl: Importing user principal new_spotfire_user@company.com that was recently added to the external provider

DEBUG 2016-02-02T07:45:42,401-0500 [new_spotfire_user@company.com, #128] server.security.SecurityFilter: The client is successfully authenticated

DEBUG 2016-02-02T07:45:42,402-0500 [new_spotfire_user@company.com, #128] server.security.SecurityFilter: Passing on the request for URL /ws/LoginService to the next item in the filter chain
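To check existing server logs for logins that followed this sequence, the added example below (not TIBCO code) correlates lines by their `#N` request tag and reports users who were not found in the searched LDAP context, were imported on the fly, and were then authenticated. The function name, the use of the `#N` tag for correlation, and the reading of these two messages as the indicator are assumptions based on the excerpt above.

```python
import re

# Patterns follow the message texts in the log excerpt above.
LINE = re.compile(r"^\w+\s+(?P<ts>\S+)\s+\[[^,\]]*,\s*#(?P<req>\d+)\]\s+[\w.]+:\s+(?P<msg>.*)$")
START = re.compile(r"Authenticating user '[^']+' in LDAPLoginModule")
NOT_FOUND = re.compile(r"Could not find any user '([^']+)' in LDAP context '([^']+)'")
IMPORTED = re.compile(r"Importing user principal (\S+) that was recently added")
AUTH_OK = "The client is successfully authenticated"

def find_unfiltered_logins(lines):
    """Return one finding per login where a user missing from the searched LDAP
    context was imported on the fly and then authenticated (hypothetical helper)."""
    state, findings = {}, []          # state: request tag -> facts seen so far
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, msg = m["req"], m["msg"]
        if START.search(msg):
            state[req] = {}           # new attempt: drop stale facts for a reused tag
        facts = state.setdefault(req, {})
        if nf := NOT_FOUND.search(msg):
            facts["user"], facts["context"] = nf.groups()
        elif im := IMPORTED.search(msg):
            facts["principal"] = im.group(1)
        elif AUTH_OK in msg and {"context", "principal"} <= facts.keys():
            findings.append({"time": m["ts"], "request": req, **facts})
            state.pop(req)
    return findings

# Constructed sample, shortened from the excerpt: request #128 shows the defect
# pattern, request #129 is an ordinary login without an on-the-fly import.
SAMPLE = """\
DEBUG 2016-02-02T07:45:40,757-0500 [unknown, #128] jaas.ldap.LDAPLoginModule: Authenticating user 'new_spotfire_user' in LDAPLoginModule
DEBUG 2016-02-02T07:45:41,342-0500 [unknown, #128] jaas.ldap.LDAPLoginModule: Could not find any user 'new_spotfire_user' in LDAP context 'OU=Groups,OU=Enterprise,DC=logon,DC=ds,DC=company,DC=com'
DEBUG 2016-02-02T07:45:42,356-0500 [unknown, #128] server.userdir.UserDirectoryImpl: Importing user principal new_spotfire_user@company.com that was recently added to the external provider
DEBUG 2016-02-02T07:45:42,401-0500 [new_spotfire_user@company.com, #128] server.security.SecurityFilter: The client is successfully authenticated
DEBUG 2016-02-02T07:50:00,000-0500 [unknown, #129] jaas.ldap.LDAPLoginModule: Authenticating user 'existing_user' in LDAPLoginModule
DEBUG 2016-02-02T07:50:00,500-0500 [existing_user@company.com, #129] server.security.SecurityFilter: The client is successfully authenticated
""".splitlines()

if __name__ == "__main__":
    for f in find_unfiltered_logins(SAMPLE):
        print(f"{f['time']} request #{f['request']}: {f['principal']} not in {f['context']}")
```

The messages are logged at DEBUG level, so the check only finds logins from periods when debug logging was enabled on the server.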

Issue/Introduction

LDAP users are able to log in until the next LDAP synchronization task is completed, even though the "Filter users by groups" option is enabled and they are not members of any synchronized LDAP group.

Resolution

This is a defect that has been fixed in a hotfix. Apply the latest Spotfire Server hotfix. The fix is included in 7.0.1 HF-004 or higher.

Additional Information

Hotfixes are now provided through the TIBCO Support site, https://support.tibco.com. Once you have logged in there, hotfixes can be found under the Downloads menu > Hotfixes. On the Hotfixes page, Spotfire hotfixes can be found under "AvailableDownloads" > Spotfire.