Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 3 Integrating TIBCO Administrator with an LDAP Directory Server : Overview

Overview
Most enterprises use an LDAP directory server that provides a basis for authorization for all its enterprise applications. An LDAP directory contains information about users and the groups to which users belong. Groups can also include other groups as child groups. In some cases LDAP directories also contain information about customers and vendors, providing authorization for customer service and supply chain applications.
By integrating an administration domain with an LDAP directory server, TIBCO applications and services can leverage the users and groups from the LDAP directory server. Note that an LDAP directory is referred to as Corporate LDAP in various places in TIBCO Domain Utility.
Local users and local roles can be created in an administration domain that is integrated with an LDAP directory server. The following table shows the icons associated with the different users and roles that are available in a domain that uses an LDAP directory.
Note: LDAP users cannot be authenticated using password digests.
Supported LDAP Directory Servers
The following LDAP directory servers are supported:
Features
The following major features are supported.
Leverage Users
TIBCO applications and services can authenticate users against an LDAP directory and get read access to an LDAP user’s properties.
TIBCO Administrator does not create a copy of the user present in an LDAP directory. If TIBCO Administrator (or another TIBCO application) requires LDAP user properties at runtime, it retrieves the properties directly from the LDAP directory and caches them in memory until the configured expiry interval elapses. Group membership is also retrieved at runtime and cached in memory in the same way.
TIBCO Administrator creates a user entity (an object) in its database in which only the username (or user login id) is copied from the LDAP directory. The object stores specific user profiles for use with TIBCO applications.
Local users can be created in an administration domain that is integrated with an LDAP directory.
Leverage Groups
TIBCO applications and services can use both static and dynamic LDAP groups available in an LDAP directory in the form of LDAP group-synchronized roles.
In addition to LDAP group-synchronized roles, local roles can be created in TIBCO Administrator. Local roles can include LDAP group-synchronized roles as members.
Dynamic Configuration Changes
Configuration changes in an LDAP directory server, such as the addition, deletion or modification of users and groups, do not require TIBCO applications or services to be restarted. The new information becomes visible after the next LDAP synchronization or once the cached entry's expiry interval elapses.
Connection to an LDAP Directory Server
TIBCO applications and services, including the TIBCO Administrator server, can connect to an LDAP directory server using simple (or basic) authentication, or SSL (Secure Sockets Layer) authentication. Note that a simple bind sends the bind DN and password to the directory in cleartext; use the SSL option unless the network path to the directory is otherwise protected.
Support for Server-side Chaining and Client-side Referrals
LDAP directories provide two mechanisms to structure their Directory Information Tree (DIT) in a distributed manner: server-side chaining and client-side referrals. While searching through distributed LDAP directories, a query may need to span and traverse multiple directory servers. An administration domain can be integrated with these distributed LDAP directories.
In the case of server-side chaining, the responsibility to traverse to the chained data lies with the LDAP directory server. TIBCO applications need not do any special processing. An administration domain is configured to connect to the primary LDAP directory in the usual way.
In the case of client-side referrals, the responsibility to traverse other directories lies with the client, that is, TIBCO applications or services. While searching a distributed LDAP directory, the directory returns the URL of the referred-to LDAP directory, and the client connects to that directory to collect the matching LDAP entries.
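The following is an added example, not TIBCO code, showing what a client has to do when it receives a client-side referral: parse the LDAP URL (RFC 4516 syntax) the directory returned and decide whether, and with which credentials, to follow it. The policy it enforces is an assumption for illustration, consistent with the way Domain Utility asks for bind information per referral directory: follow a referral only to a host for which bind information was configured in advance, never re-use the primary directory's credentials on an unknown host, refuse a downgrade from SSL to plaintext, and cap the number of hops so a referral loop cannot run forever. The BindInfo structure and the host names are constructed.

```python
"""Resolving LDAP client-side referrals against pre-configured bind information.

Added example (not TIBCO code). The policy below is an assumption: a referral
is attacker-controllable data returned by a server, so the client only binds
to hosts that were configured ahead of time, with those hosts' own credentials.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class BindInfo:
    """Connection details for one directory (hypothetical structure)."""
    host: str
    port: int
    use_ssl: bool
    bind_dn: str
    password: str


class ReferralError(Exception):
    pass


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL of the form ldap[s]://host[:port]/dn?attrs?scope?filter?exts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ReferralError(f"not an LDAP URL: {url}")
    if not parts.hostname:
        raise ReferralError(f"referral without a host is not followed: {url}")
    use_ssl = parts.scheme == "ldaps"
    # urlsplit puts everything after the first '?' into .query; the remaining
    # LDAP URL fields (attrs, scope, filter, extensions) are '?'-separated too.
    fields = parts.query.split("?") + ["", "", ""]
    return {
        "host": parts.hostname.lower(),
        "port": parts.port or (636 if use_ssl else 389),
        "use_ssl": use_ssl,
        "base_dn": unquote(parts.path.lstrip("/")),
        "scope": fields[1] or "base",  # RFC 4516 default scope is base
    }


def resolve_referral(url: str, configured: dict, primary_ssl: bool,
                     hop: int, max_hops: int = 5) -> tuple:
    """Return (BindInfo, base_dn, scope) for a referral that passes policy.

    `configured` maps (host, port) to the BindInfo entered for that referral
    directory; `hop` is how many referrals this search has already followed.
    """
    if hop >= max_hops:
        raise ReferralError(f"referral depth {hop} exceeds limit {max_hops}")
    target = parse_ldap_url(url)
    key = (target["host"], target["port"])
    if key not in configured:
        # No bind information for this host: do not connect, and never fall
        # back to the primary directory's credentials.
        raise ReferralError(f"no bind information configured for {key}")
    if primary_ssl and not target["use_ssl"]:
        raise ReferralError(f"refusing plaintext referral {url} from an SSL directory")
    return configured[key], target["base_dn"], target["scope"]


# Constructed sample configuration: one referral directory known to the client.
CONFIGURED_REFERRALS = {
    ("ldap-b.example.com", 389): BindInfo(
        "ldap-b.example.com", 389, False,
        "cn=tibco-svc,ou=service,dc=example,dc=com", "example-password"),
}
SAMPLE_REFERRAL = "ldap://ldap-b.example.com/ou=people,dc=example,dc=com??sub?(uid=alice)"


if __name__ == "__main__":
    info, base, scope = resolve_referral(SAMPLE_REFERRAL, CONFIGURED_REFERRALS, False, 0)
    print(f"follow to {info.host}:{info.port} base={base} scope={scope}")
    try:
        resolve_referral("ldap://rogue.example.net/dc=x", CONFIGURED_REFERRALS, False, 0)
    except ReferralError as err:
        print("rejected:", err)
```

In a real client the returned BindInfo would be used to open a connection to the referred-to server and repeat the search there; the point of the checks is that the referral itself never chooses which credentials are presented, and that an SSL-connected primary directory does not silently leak the search (and the bind) to a plaintext server.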
Configuration through TIBCO Domain Utility
To connect to an LDAP directory server, TIBCO applications and services need to know the server’s bind information. This information is configured using Domain Utility in the domain properties screen. LDAP directory connection information includes bind information for the primary LDAP directory and for all referral LDAP directories. Bind information is validated at configuration time.
Configuration also involves specifying the search parameters for users and groups. This information is optionally validated at configuration time. The search parameter settings can be saved even if validations fail.
Synchronization parameters such as synchronization and expiry intervals are also configured through Domain Utility. Note the following distinctions between synchronization of LDAP groups and LDAP users and the administration domain.
The CorpUserSynchronizer command line utility is provided to create empty profiles of all synchronized users up front. See Pre Loading User Objects for details.
NetBIOS Domain-based Names
When using Microsoft Active Directory as the LDAP directory server, an option is available to use NetBIOS domain-based names. This option adds NetBIOS domain names as a prefix to user names and group-synchronized roles. This allows LDAP directories that contain users or roles of the same name across different domains to be used in TIBCO Administrator.
Log Files
If an LDAP directory server invocation error occurs, the complete error message displays on the console and is also written to the Administrator.log file so that you can manually recover and process the message. The log file is written to the TIBCO_HOME/tra/domain/<domain_name>/logs folder, where domain_name is the name of the administration domain.
Tool Tips
In the TIBCO Administrator GUI, tool tips are displayed for a role when a mouse is moved over the role’s name. A tool tip displays a role’s name, description, and paths to this role, based on role hierarchy. It also displays the LDAP DN (Distinguished Name) of the corresponding group, for a group-synchronized role.
Limitations
The following are not supported when integrating an administration domain with an LDAP directory server.
No Writes to an LDAP Directory Server
TIBCO applications and services do not write to an LDAP directory server. Changing an LDAP group or its membership information from the TIBCO Administrator GUI is not supported.
Limited to Users and Groups
Information loaded from an LDAP directory server is limited to users, groups and their membership information. TIBCO applications and services do not synchronize, retrieve or use any other information from an LDAP directory.
No Advanced Authentication
Users of TIBCO applications and services are authenticated against an LDAP directory using basic authentication. Other aspects of authentication such as prompting for password changes or displaying password expiry notices in TIBCO applications are not supported.
Restrictions on Users and Roles
LDAP users and group-synchronized roles cannot be deleted or renamed in the TIBCO Administrator GUI for an LDAP integrated domain. Local users and roles created using the TIBCO Administrator GUI are allowed to be deleted or renamed.
Any role, including group-synchronized roles, can be added as a member or child of a locally created role in the TIBCO Administrator GUI. However you cannot add a local role as member or child of a group-synchronized role.
LDAP Directory Server Must be Running
If an LDAP directory server is down, TIBCO applications and services will be unable to get information about LDAP users and groups. This means the TIBCO application is dependent on the LDAP directory server. In most cases an LDAP directory server also serves as the authentication source and needs to be up and running in order for any user to log in to a TIBCO application or service.
Renaming Groups in an LDAP Directory
Though it is rarely used, an LDAP directory server allows groups to be renamed. A renamed group can cause problems if a TIBCO application or service determines that the renamed group is a new group and that the old group has been deleted. This results in deleting the existing LDAP group-synchronized role and creating a new one for the renamed LDAP group. This can affect the access control list of resources that referred to the original LDAP group-synchronized role. It also affects other locally created roles that included the original LDAP group-synchronized role as a member or child.
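The following is an added example, not TIBCO code, that makes the failure mode above concrete. It runs one role synchronization over a constructed group rename twice: once matching roles to groups by group DN, which is what produces the delete-plus-create described above and silently drops the role from an access control list, and once matching on a stable identifier such as Active Directory's objectGUID, under which the rename is detected and the ACL entry follows the role. The Group, Role and ACL structures, the objectGUID-keyed variant and the resource path are assumptions for illustration; this page does not describe how TIBCO Administrator actually matches roles beyond the observed effect.

```python
"""Group rename seen by a DN-keyed versus a stable-id-keyed role synchronizer.

Added example (not TIBCO code). Data structures are constructed for
illustration; the synchronizer is generic over the key used to match a
synchronized role to its LDAP group.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    dn: str
    guid: str          # stable identifier, e.g. AD objectGUID (assumption)


@dataclass(frozen=True)
class Role:
    name: str
    group_dn: str
    group_guid: str


def cn_of(dn: str) -> str:
    """Role name is taken from the group's CN (illustrative convention)."""
    return dn.split(",")[0].split("=", 1)[1]


def sync_roles(roles, groups, acl, role_key, group_key):
    """Reconcile group-synchronized roles with the current LDAP groups.

    acl maps a resource to the set of role names granted on it and is updated
    in place. Returns (new role list, report of deleted/created/renamed).
    """
    current = {group_key(g): g for g in groups}
    kept, seen = [], set()
    report = {"deleted": [], "created": [], "renamed": []}
    for r in roles:
        g = current.get(role_key(r))
        if g is None:
            # Group is gone (or, under DN keying, merely renamed): the role
            # is deleted and every ACL entry that named it disappears.
            report["deleted"].append(r.name)
            for perms in acl.values():
                perms.discard(r.name)
            continue
        seen.add(group_key(g))
        if r.group_dn != g.dn:
            # Only reachable when the key is stable across a rename.
            new_name = cn_of(g.dn)
            for perms in acl.values():
                if r.name in perms:
                    perms.remove(r.name)
                    perms.add(new_name)
            report["renamed"].append((r.name, new_name))
            r = Role(new_name, g.dn, g.guid)
        kept.append(r)
    for key, g in current.items():
        if key not in seen:
            # Brand-new role: no resource grants it anything yet.
            report["created"].append(cn_of(g.dn))
            kept.append(Role(cn_of(g.dn), g.dn, g.guid))
    return kept, report


def sample():
    """Constructed state: role 'ops' exists, then the group is renamed."""
    roles = [Role("ops", "cn=ops,ou=groups,dc=example,dc=com", "guid-1")]
    groups = [Group("cn=operations,ou=groups,dc=example,dc=com", "guid-1")]
    acl = {"/application/app1": {"ops", "admin"}}
    return roles, groups, acl


by_dn = (lambda r: r.group_dn, lambda g: g.dn)
by_guid = (lambda r: r.group_guid, lambda g: g.guid)


if __name__ == "__main__":
    for label, keys in (("by DN", by_dn), ("by objectGUID", by_guid)):
        roles, groups, acl = sample()
        _, report = sync_roles(roles, groups, acl, *keys)
        print(label, report, acl)
```

Running it shows the two outcomes side by side: keyed by DN, the report lists ops as deleted and operations as created, and /application/app1 is left with only admin; keyed by objectGUID, the report lists a rename and the ACL now grants operations. The practical lesson for an LDAP-integrated domain is to treat a group rename as a change that needs the affected ACLs and local roles to be reviewed afterwards.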
Searching an Active Directory Server
If your administration domain integrates with an LDAP directory for users and groups, it requires TIBCO Runtime Agent based applications (such as TIBCO Administrator) to search the LDAP directory. The search can include activities such as synchronizing roles with corporate groups, synchronizing with corporate users, retrieving corporate group membership and searching for users.
If Active Directory is used, it enforces a limit of 1000 entries on a regular search. However, a paged search feature (Virtual List View) can be used to retrieve more than 1000 entries. The paged search feature works with Active Directory 2003 only (Service Pack 1 for Windows Server 2003 must be installed). The Service Pack 1 requirement is due to a defect in Windows Server 2003 that makes the paged search fail with an "Unavailable Critical Extension" error message. The following link provides details about this defect:
http://support.microsoft.com/default.aspx?scid=kb;en-us;886683
Using the paged search feature, up to 10,000 entries can be returned. If the search involves more than 10,000 entries, the search must be broken into multiple sets of smaller queries. This can be achieved by specifying multiple sets of search parameters for users and groups under LDAP Settings in TIBCO Domain Utility.
For earlier versions of Active Directory the search is limited to 1,000 entries. You can either raise this limit on your LDAP directory server using the ntdsutil utility that is part of Active Directory server, or specify multiple sets of smaller search parameters, as described in the previous paragraph.
If the page size limit, referred to as MaxPageSize in the Active Directory installation, is configured with a non-default value (other than 1000), an additional step must be performed for this feature to work correctly. The value can be viewed using the ntdsutil utility. The following parameter must be set in the AuthorizationDomain.properties file to the actual value of MaxPageSize. For example:
CorpLdapMaxPageSize=2000
You should also check the maximum value range limit, referred to as MaxValRange, in the Active Directory installation. This value can be viewed using the ntdsutil utility. It affects the search that retrieves the membership of a Corporate Group. If this limit is configured with a non-default value (other than 1000), the following parameter must be set in the AuthorizationDomain.properties file to the actual value of MaxValRange. For example:
CorpLdapMaxValRange=2000
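The following is an added example, not TIBCO code, that shows why the client has to know both limits above. FakeDirectory is a constructed in-memory stand-in for an Active Directory server: a non-paged search whose result set exceeds MaxPageSize fails with sizeLimitExceeded, a paged search is served in pages of at most MaxPageSize entries regardless of the page size the client asks for, and a multi-valued attribute such as member comes back in chunks of at most MaxValRange values using Active Directory's member;range=low-high labelling, with the last chunk labelled range=low-*. The two client functions do what a consumer such as CorpUserSynchronizer must do to see every entry and every group member; the 2500-entry sample data and the limit values are constructed, and the functions are generalized to any limit, not tied to the defaults quoted above.

```python
"""Paged search and ranged attribute retrieval under MaxPageSize / MaxValRange.

Added example (not TIBCO code). FakeDirectory is a constructed simulation of
the two Active Directory limits; the client functions are the generic loops a
consumer needs so that the limits do not truncate what it sees.
"""


class SizeLimitExceeded(Exception):
    """Stands in for LDAP result code 4 (sizeLimitExceeded)."""


class FakeDirectory:
    def __init__(self, max_page_size=1000, max_val_range=1000):
        self.max_page_size = max_page_size
        self.max_val_range = max_val_range
        self.users = []        # list of user DNs
        self.groups = {}       # group DN -> list of member DNs
        self.search_calls = 0  # round trips, to show what paging costs
        self.member_calls = 0

    def search_users(self, page_size=None, cookie=0):
        """Return (entries, next_cookie); next_cookie None means last page."""
        self.search_calls += 1
        if page_size is None:
            # Regular search: the server refuses to return more than the limit.
            if len(self.users) > self.max_page_size:
                raise SizeLimitExceeded(
                    f"{len(self.users)} entries exceed MaxPageSize {self.max_page_size}")
            return list(self.users), None
        # Paged search: an oversized page request is capped by the server,
        # which is why the client must know the real MaxPageSize.
        page_size = min(page_size, self.max_page_size)
        page = self.users[cookie:cookie + page_size]
        nxt = cookie + page_size
        return page, (nxt if nxt < len(self.users) else None)

    def read_member(self, group_dn, start=0):
        """Return (attribute label, values) for member starting at index start."""
        self.member_calls += 1
        members = self.groups[group_dn]
        if start == 0 and len(members) <= self.max_val_range:
            return "member", list(members)           # fits: no range label
        end = min(start + self.max_val_range, len(members))
        label = (f"member;range={start}-*" if end == len(members)
                 else f"member;range={start}-{end - 1}")
        return label, members[start:end]


def paged_search(directory, page_size):
    """Walk every page of a paged search; page_size should equal MaxPageSize."""
    results, cookie = [], 0
    while cookie is not None:
        page, cookie = directory.search_users(page_size=page_size, cookie=cookie)
        results.extend(page)
    return results


def all_members(directory, group_dn):
    """Follow member;range=... labels until the server marks the last chunk."""
    members, start = [], 0
    while True:
        label, chunk = directory.read_member(group_dn, start)
        members.extend(chunk)
        if label == "member" or label.endswith("-*"):
            return members
        start += len(chunk)   # next request asks for member;range=<start>-*


def build_sample(n=2500, max_page_size=1000, max_val_range=1500):
    """Constructed directory: n users, all members of one group."""
    d = FakeDirectory(max_page_size, max_val_range)
    d.users = [f"cn=user{i},ou=people,dc=example,dc=com" for i in range(n)]
    d.groups["cn=everyone,ou=groups,dc=example,dc=com"] = list(d.users)
    return d


if __name__ == "__main__":
    d = build_sample()
    try:
        d.search_users()
    except SizeLimitExceeded as err:
        print("regular search failed:", err)
    users = paged_search(d, page_size=d.max_page_size)
    members = all_members(d, "cn=everyone,ou=groups,dc=example,dc=com")
    print(len(users), "users in", d.search_calls - 1, "pages;",
          len(members), "members in", d.member_calls, "range requests")
```

With the sample limits, the regular search fails, the paged search needs three round trips of 1000 entries to return all 2500 users, and the group membership arrives in two range requests of 1500 and 1000 values. If the client assumed the default limits while the server had been raised with ntdsutil, it would ask for pages or ranges that the server silently shortens, which is the mismatch the CorpLdapMaxPageSize and CorpLdapMaxValRange properties exist to correct.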
