Limitations
The following are not supported when integrating an administration domain with an LDAP directory server.
No Writes to an LDAP Directory Server
TIBCO applications and services do not write to an LDAP directory server. Changing an LDAP group or its membership information from the TIBCO Administrator GUI is not supported.
Limited to Users and Groups
Information loaded from an LDAP directory server is limited to users, groups, and their membership information. TIBCO applications and services do not synchronize, retrieve, or use any other information from an LDAP directory.
No Advanced Authentication
Users of TIBCO applications and services are authenticated against an LDAP directory using basic authentication. Other aspects of authentication such as prompting for password changes or displaying password expiry notices in TIBCO applications are not supported.
Restrictions on Users and Roles
LDAP users and group-synchronized roles cannot be deleted or renamed in the TIBCO Administrator GUI for an LDAP-integrated domain. Local users and roles created using the TIBCO Administrator GUI can be deleted or renamed.
Any role, including a group-synchronized role, can be added as a member or child of a locally created role in the TIBCO Administrator GUI. However, you cannot add a local role as a member or child of a group-synchronized role.
LDAP Directory Server Must be Running
If an LDAP directory server is down, TIBCO applications and services cannot get information about LDAP users and groups, so the TIBCO application depends on the LDAP directory server being available. In most cases the LDAP directory server also serves as the authentication source and must be up and running for any user to log in to a TIBCO application or service.
Renaming Groups in an LDAP Directory
Though it is rarely done, an LDAP directory server allows groups to be renamed. A renamed group can cause problems if a TIBCO application or service determines that the renamed group is a new group and that the old group has been deleted. The result is that the LDAP group-synchronized role for the old group is deleted and a new one is created for the renamed group. This can affect the access control lists of resources that referred to the original LDAP group-synchronized role. It also affects locally created roles that included the original LDAP group-synchronized role as a member or child.
Searching and Active Directory Server
If your administration domain integrates with an LDAP directory for users and groups, it requires TIBCO Runtime Agent based applications (such as TIBCO Administrator) to search the LDAP directory. The search can include activities such as synchronizing roles with corporate groups, synchronizing with corporate users, retrieving corporate group membership and searching for users.
If Active Directory is used, it forces a limit of 1000 entries on a regular search. However, a paged search feature (Virtual List View) can be used to retrieve more than 1000 entries. The paged search feature works with Active Directory 2003 only (Service Pack 1 for Windows Server 2003 must be installed). The search limit is due to a defect in Windows Server 2003 that throws an "Unavailable Critical Extension" error message.
Using the paged search feature, up to 10,000 entries can be returned. If the search involves more than 10,000 entries, the search must be broken into multiple sets of smaller queries. This can be achieved by specifying multiple sets of search parameters for users and groups under LDAP Settings in TIBCO Domain Utility.
For previous versions of Active Directory the search is limited to 1,000 entries. You can either raise this limit on your LDAP directory server using the ntdsutil utility that is part of the Active Directory server, or specify multiple search parameters with smaller queries, as described in the preceding paragraph.
If the page size limit, referred to as MaxPageSize in the Active Directory installation, is configured with a value other than the default (1000), an additional step must be performed for this feature to work correctly. The value can be viewed using the ntdsutil utility. The following parameter must be set in the AuthorizationDomain.properties file, and it must be set to the actual value of MaxPageSize. For example: CorpLdapMaxPageSize=2000
You should also check the maximum value range limit, referred to as MaxValRange, in the Active Directory installation. This value can be viewed using the ntdsutil utility. This value affects the search that retrieves membership of a Corporate Group. If this limit is configured with a non-default value (other than 1000), the following parameter must be set in the AuthorizationDomain.properties file. The parameter must be set to the actual value of MaxValRange. For example: CorpLdapMaxValRange=2000
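The following is an added example, not part of the TIBCO documentation or product: a small Python check that compares the limits Active Directory actually enforces with the CorpLdapMaxPageSize and CorpLdapMaxValRange overrides in AuthorizationDomain.properties, and reports which overrides are missing or stale. It assumes the Active Directory limits were read from the lDAPAdminLimits attribute of the Default Query Policy (the same values ntdsutil displays); the limit values and the properties excerpt below are constructed sample data, and the properties reader is a deliberately minimal one.

```python
"""Compare Active Directory query limits with the TIBCO property overrides.
Added example, not TIBCO code.  AD exposes its limits as the multi-valued
lDAPAdminLimits attribute (entries such as 'MaxPageSize=1000'); the sample
values here are constructed, not read from a live server."""

# Property documented on this page -> AD limit it must mirror.
PROPERTY_FOR_LIMIT = {
    "MaxPageSize": "CorpLdapMaxPageSize",
    "MaxValRange": "CorpLdapMaxValRange",
}
AD_DEFAULT = 1000  # default value as stated in this section; no override needed


def parse_admin_limits(values):
    """Parse lDAPAdminLimits entries like 'MaxValRange=1500' into {name: int}."""
    limits = {}
    for value in values:
        name, _, number = value.partition("=")
        if name in PROPERTY_FOR_LIMIT and number.strip().isdigit():
            limits[name] = int(number)
    return limits


def parse_properties(text):
    """Minimal Java .properties reader (assumption): key=value, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_overrides(admin_limits, props):
    """Return {property: required_value} for every override that is missing or
    does not match AD.  A limit left at the AD default needs no property."""
    problems = {}
    for limit, prop in PROPERTY_FOR_LIMIT.items():
        actual = admin_limits.get(limit, AD_DEFAULT)
        if actual == AD_DEFAULT:
            continue
        configured = props.get(prop, "")
        if not configured.isdigit() or int(configured) != actual:
            problems[prop] = actual
    return problems


# Constructed sample: both limits raised in AD, one override stale, one missing.
SAMPLE_ADMIN_LIMITS = ["MaxPageSize=2000", "MaxValRange=1500", "MaxQueryDuration=120"]
SAMPLE_PROPERTIES = "# constructed AuthorizationDomain.properties excerpt\nCorpLdapMaxValRange=1000\n"

if __name__ == "__main__":
    limits = parse_admin_limits(SAMPLE_ADMIN_LIMITS)
    for prop, value in check_overrides(limits, parse_properties(SAMPLE_PROPERTIES)).items():
        print(f"set {prop}={value} in AuthorizationDomain.properties")
```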