Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 3 Integrating TIBCO Administrator with an LDAP Directory Server : Managing LDAP Users and Group-synchronized Roles

Managing LDAP Users and Group-synchronized Roles
The LDAP users that display in the TIBCO Administrator GUI are defined in an LDAP directory. You cannot create or delete LDAP users in the TIBCO Administrator GUI. LDAP users can be added to roles created in TIBCO Administrator, but not to LDAP group-synchronized roles, whose membership is taken from the LDAP directory server.
An LDAP directory contains users arranged in groups that normally represent the corporate hierarchy. A group has a membership list that contains users and other groups known as child groups. Each child group can have its own membership list that could contain yet other child groups and this leads to a group hierarchy.
Group membership is inherited up the group hierarchy. This means that the members of a child group are implicitly considered to be members of its parent group. The complete membership of a group is computed by including the members of all of its child groups, recursively. A child group can also be a member of more than one parent group. An LDAP directory server does not check for cyclic hierarchies, so cycles may exist, and anything that walks the hierarchy to compute membership must terminate when it revisits a group.
Figure 6 Inheriting Group Membership
The root role, Authenticated Users, is available in addition to LDAP group-synchronized roles. The role hierarchy in the TIBCO Administrator GUI mirrors the LDAP group hierarchy. The LDAP group-synchronized roles that correspond to top-level groups, that is, groups that have no parent in the LDAP directory, are created as child roles of Authenticated Users.
Group-synchronized roles are named after the group's Relative Distinguished Name (RDN), not its full Distinguished Name (DN).
An LDAP directory can contain two groups with the same RDN in different parts of its object tree. These groups have different DNs, and it is the DN that uniquely identifies a group. For example, the following groups (specified by their DN) have the same RDN, Partners:
cn=Partners,dc=na,dc=tibco,dc=com
cn=Partners,ou=groups,dc=na,dc=tibco,dc=com
When an LDAP directory contains groups with the same RDN but different DNs, the corresponding synchronized roles have the same name in the GUI. They can be distinguished either by their relative location in the role hierarchy or by checking the DN of the corresponding group, which is shown in the tool tip for that role. The tool tip displays when you move the mouse over the role name in the TIBCO Administrator GUI.
Figure 7 A Tool Tip Displayed When the Mouse Is Moved Over a Role Name
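The following added example (not TIBCO's own code) models what the preceding paragraphs describe: membership inherited up through child groups, a child group with several parents, top-level groups placed under Authenticated Users, roles named by RDN rather than DN, and a cyclic hierarchy that the directory does not reject. The group layout, user DNs and the "member" list representation are constructed sample data; only the Authenticated Users root role and the two Partners DNs come from the text.

```python
"""Group-synchronized role computation over an LDAP-style group graph.

Added example, not TIBCO's own code. The DNs, users and group layout are
invented; only the "Authenticated Users" root role and the two Partners
DNs come from the documentation text.
"""
from collections import deque

ROOT_ROLE = "Authenticated Users"

# Constructed sample DNs (assumed layout, not from a real directory).
ENGINEERING = "cn=Engineering,ou=groups,dc=na,dc=tibco,dc=com"
PLATFORM = "cn=Platform,ou=groups,dc=na,dc=tibco,dc=com"
PARTNERS_OU = "cn=Partners,ou=groups,dc=na,dc=tibco,dc=com"
PARTNERS_TOP = "cn=Partners,dc=na,dc=tibco,dc=com"
ALICE = "uid=alice,ou=people,dc=na,dc=tibco,dc=com"
BOB = "uid=bob,ou=people,dc=na,dc=tibco,dc=com"
CAROL = "uid=carol,ou=people,dc=na,dc=tibco,dc=com"
DAVE = "uid=dave,ou=people,dc=na,dc=tibco,dc=com"

# group DN -> member DNs (users or child groups), as a groupOfNames-style
# "member" attribute would list them. Platform has three parents, and
# Platform and the ou=groups Partners group list each other (a cycle).
GROUPS = {
    ENGINEERING: [PLATFORM, ALICE],
    PLATFORM: [BOB, PARTNERS_OU],
    PARTNERS_OU: [CAROL, PLATFORM],
    PARTNERS_TOP: [DAVE, PLATFORM],
}


def role_name(dn):
    """Role name = the value of the leftmost RDN ("Partners"), not the DN."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def child_groups(groups, dn):
    """Members of `dn` that are themselves groups."""
    return [m for m in groups.get(dn, []) if m in groups]


def effective_members(groups, dn):
    """User DNs that belong to `dn` directly or via any chain of child groups.
    The `seen` set makes the walk terminate on cyclic hierarchies."""
    users, seen, todo = set(), {dn}, deque([dn])
    while todo:
        g = todo.popleft()
        for m in groups.get(g, []):
            if m not in groups:
                users.add(m)
            elif m not in seen:
                seen.add(m)
                todo.append(m)
    return users


def cyclic_groups(groups):
    """Group DNs that are transitively members of themselves. The directory
    does not reject these, so a synchronizer has to tolerate them."""
    cyclic = set()
    for start in groups:
        seen, todo = set(), deque(child_groups(groups, start))
        while todo:
            g = todo.popleft()
            if g == start:
                cyclic.add(start)
                break
            if g not in seen:
                seen.add(g)
                todo.extend(child_groups(groups, g))
    return cyclic


def role_parents(groups):
    """Parent group DNs of each group; groups with no parent hang off the
    root role, as the top-level group-synchronized roles do."""
    parents = {dn: [] for dn in groups}
    for parent in groups:
        for child in child_groups(groups, parent):
            parents[child].append(parent)
    return {dn: p or [ROOT_ROLE] for dn, p in parents.items()}


def role_tree(groups):
    """{parent DN or root role: [(role name, group DN), ...]}. Keyed by DN,
    not by name, so two groups that share an RDN stay distinct roles."""
    tree = {ROOT_ROLE: []}
    for dn, parents in role_parents(groups).items():
        for p in parents:
            tree.setdefault(p, []).append((role_name(dn), dn))
    return tree


def ambiguous_role_names(groups):
    """Role names carried by more than one group DN; these are the roles an
    operator must tell apart by position or by the DN in the tool tip."""
    by_name = {}
    for dn in groups:
        by_name.setdefault(role_name(dn), []).append(dn)
    return {n: sorted(d) for n, d in by_name.items() if len(d) > 1}


if __name__ == "__main__":
    print("cyclic groups:", sorted(cyclic_groups(GROUPS)))
    for name, dns in ambiguous_role_names(GROUPS).items():
        print("duplicate role name", name, "->", dns)
    for dn in GROUPS:
        print(role_name(dn), sorted(effective_members(GROUPS, dn)))
```

Note that the tree is keyed by group DN while roles are displayed by RDN value: with the sample data, both Partners groups become roles called "Partners", one directly under Authenticated Users and one under Platform, which is exactly the situation the tool tip's DN is there to resolve.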
When using TIBCO Domain Utility to create or modify an administration domain that is integrated with an LDAP directory, you can choose to automatically create a role for each LDAP group. You can also choose not to create these roles automatically. See the next sections for details.
Automatically Creating a Role for Each LDAP Group
When the Automatically create Roles for each Corporate Group feature is selected, a corresponding role is created for each group found in the LDAP directory server. These roles have the same name as their corresponding LDAP group, and the membership of each role is governed directly by the membership of the LDAP group it is synchronized with. The membership in this case is fixed and cannot be modified in TIBCO Administrator; any change must be made in the LDAP directory. These roles are referred to as LDAP roles or LDAP group-synchronized roles.
The synchronization process that creates and updates LDAP group-synchronized roles runs periodically in the background within a TIBCO Administrator service. When TIBCO Administrator runs in fault-tolerant mode, only the primary instance runs this process.
Choosing Specific LDAP Groups to Synchronize
When using TIBCO Domain Utility to create an administration domain that uses an LDAP directory, if the Automatically create Roles for each Corporate Group feature is not selected, no LDAP group-synchronized roles are created in the TIBCO Administrator GUI for LDAP groups. Instead, each LDAP user is assigned only to the root role, Authenticated Users, in the TIBCO Administrator GUI.
Even though no LDAP group-synchronized roles are created automatically, you can still synchronize selected groups manually using the Synchronize button in the Select: LDAP Groups screen in the TIBCO Administrator GUI. See Selecting LDAP Groups to Synchronize in TIBCO Administrator for more information.