Copyright © Cloud Software Group, Inc. All Rights Reserved


Chapter 3 Integrating TIBCO Administrator with an LDAP Directory Server : Filtering LDAP Users and Groups to Integrate

Filtering LDAP Users and Groups to Integrate
An LDAP directory can contain many users and groups. In many cases, you’ll want to use only a subset of the users and groups. When using TIBCO Domain Utility to create an administration domain that is integrated with an LDAP directory server, you typically specify a search filter to retrieve only the LDAP users and groups that are relevant for the applications managed in TIBCO Administrator.
Even if you choose not to automatically create a role for each LDAP group, you’ll want to use a search filter that returns only a limited set of LDAP groups. The synchronization feature acts only on the LDAP groups returned by this filter.
User and group search filters are written using the syntax defined in RFC 2254, The String Representation of LDAP Search Filters. See the TIBCO Runtime Agent Domain Utility User’s Guide for more information and examples.
TIBCO Administrator allows you to modify the choice of groups (and optionally their descendants) to synchronize. After you save the customizations, they are used for future syncs instead of the settings chosen when the administration domain was created.
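As an added illustration (not TIBCO code, and not from the Domain Utility guide), the following Python builds an RFC 2254 group filter for a named set of groups and checks that a filter string is well formed. It escapes the characters RFC 2254 section 4 reserves, so a group name that happens to contain parentheses or an asterisk cannot change what the filter matches. The cn naming attribute and objectClass=groupOfNames are assumptions; TEAK is the group named in this chapter’s figures.

```python
import re
from typing import Sequence

# RFC 2254 section 4: these characters must be escaped inside an assertion value,
# otherwise a group or user name could change the structure of the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# One filter item: attribute, comparison operator, value (no bare parentheses in value).
_ITEM = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(~=|>=|<=|=)[^()]*$")

def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_group_filter(object_class: str, group_names: Sequence[str]) -> str:
    """Filter returning only the named groups; cn as the naming attribute is an assumption."""
    if not group_names:
        raise ValueError("at least one group name is required")
    terms = "".join(f"(cn={escape_filter_value(name)})" for name in group_names)
    clause = terms if len(group_names) == 1 else f"(|{terms})"
    return f"(&(objectClass={escape_filter_value(object_class)}){clause})"

def _parse(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, count = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":  # operands of and / or / not
            i, count = _parse(s, i), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"wrong operand count for '{op}'")
    else:
        end = s.find(")", i)
        if end < 0 or not _ITEM.match(s[i:end]):
            raise ValueError(f"malformed filter item at {i}")
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1

def is_well_formed(filter_str: str) -> bool:
    """True if the whole string is a single, balanced RFC 2254 filter."""
    try:
        return _parse(filter_str, 0) == len(filter_str)
    except ValueError:
        return False
```

Paste the resulting string into the group search filter field in TIBCO Domain Utility; the checker is useful for validating a hand-written filter before saving it.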
Selecting LDAP Groups to Synchronize in TIBCO Administrator
In addition to the search filters specified in TIBCO Domain Utility, you can further limit the LDAP groups that are synchronized.
At any time you can force the administration server to synchronize immediately with the LDAP server. You can:
Use the CorpRoleSynchronizer command line utility to synchronize your domain with all LDAP groups in the LDAP directory associated with the domain.
To Change Synchronization Criteria
After you select and save a subset of groups to synchronize, only those groups are kept in sync with changes in the LDAP directory. The changed synchronization criteria are also used the next time an automatic synchronization is triggered.
1.
2. Click Select LDAP Groups.
3. Click Selected Groups, and then click Add.
Figure 9 Select Groups to Synchronize
4. Select the groups to synchronize and click Add. For example, the next diagram shows that the TEAK group has been added.
Figure 10 Add Group
5.
6. To include subgroups, select the Include Descendents check box next to each group. For example, the next diagram shows the selection. All groups in the list and their subgroups will be synchronized.
Figure 11 Include Descendents Check Box
7.
If you click Synchronize Now, TIBCO Administrator blocks while the synchronization operation is performed. When control returns, you must click Save to reuse the settings.
If you click Cancel, the settings are lost and the next automatic synchronization will use the previously saved settings.
If you click Save, the synchronization operation occurs in the background. That is, you can access other TIBCO Administrator screens while the synchronization operation is performed. You must refresh your browser to see the results. The automatic synchronization operation will use these settings the next time it is invoked.
To do an Immediate Synchronization
When you do an immediate synchronization, the criteria for automatic synchronizations are not changed. An immediate synchronization uses the criteria from the previous synchronization operation.
1.
2. Click Select LDAP Groups.
3. Click Synchronize Now.
4. Click Save.
CorpRoleSynchronizer Command Line Utility
The CorpRoleSynchronizer command line utility syncs an administration domain with its associated LDAP directory. The sync occurs based on the search criteria for LDAP groups that was defined when the administration domain was created.
Your administration domain may be out of sync because the auto sync settings for the domain were not enabled when TIBCO Domain Utility was used to configure the domain, or because significant changes have been made to the LDAP directory since the last automatic sync and you do not want to wait for the next auto sync cycle, nor perform a manual sync from the TIBCO Administrator GUI.
The utility is located in the TIBCO_HOME/tra/<version>/bin directory. The domain name you provide must have been configured to use an LDAP directory server.
C:\tibco\tra\<version>\bin>CorpRoleSynchronizer -h
USAGE: CorpRoleSynchronizer -domain <domain> [-h|-?]
where
-domain <domain> - Name of a domain (case sensitive)
-h or -? - prints this help information
Note that the utility must be started with an option or an exception will result.
A summary of the results is written to the console where you launched the utility and to the TIBCO Administrator log file.
Setting the Maximum LDAP Objects to Return After a Search
By default, the maximum number of LDAP objects returned to TIBCO Administrator for a search is 10000. You can override the default by adding or changing the DomainUsersSearchLimit property in the AuthorizationDomain.properties file. The file is located in the TIBCO_HOME/tra/domain/domain directory.
Note that the LDAP server’s own search limit takes precedence over this client-side limit, so you may also need to change the corresponding setting on the LDAP server.
