External directories and domains
You can configure Spotfire Server to integrate with external directories such as LDAP directories or Windows domains.
Spotfire Server keeps track of which domain every user belongs to. Users who are created by an administrator directly within Spotfire Server belong to the SPOTFIRE domain. When the user directory is configured for Database, this is the domain being used.
External users keep their domain name from the external directory, and the domain name appears as part of their user name throughout the Spotfire interface. Domain names appear in one of two styles:
- DNS domain names, for example "research.example.com". A complete user name looks like this: someone@research.example.com.
- NetBIOS domain names, for example "RESEARCH". A complete user name looks like this: RESEARCH\someone.
Below is a matrix showing which domain name style to use for different combinations of authentication method and user directory. Combinations that are not supported are marked " — ".
Spotfire Server warns, and even refuses to start, if you try to set up an authentication method and a user directory with incompatible domain name styles. If you need to go ahead with an officially incompatible configuration, you must set the allow incompatible domain name styles configuration property for the server to start at all. One way to handle such a configuration could be a custom post-authentication filter that creates a bridge between the two originally incompatible domain name styles. (The allow incompatible domain name styles option can be set using the config-userdir command. For information about custom post-authentication filters, see Post-authentication filter.)
Authentication method \ User directory type | Database | LDAP/AD | LDAP/other | Windows NT |
---|---|---|---|---|
Basic database | NetBIOS(DNS) | — | — | — |
Basic/LDAP/AD | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
Basic/LDAP/other | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
Basic/Windows NT | — | — | — | NetBIOS(DNS) |
NTLM | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
Kerberos | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
X.509 Client Certs. | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
— Unsupported combination of authentication method and user directory.
Authentication method \ User directory type | Database | LDAP/AD | LDAP/other | Windows NT |
---|---|---|---|---|
Basic database | NetBIOS, DNS | — | — | — |
Basic/LDAP/AD | NetBIOS, DNS | NetBIOS, DNS | # | — |
Basic/LDAP/other | NetBIOS, DNS | # | DNS | — |
Basic/Windows NT | — | — | — | NetBIOS, DNS |
NTLM | NetBIOS, DNS | NetBIOS, DNS | # | — |
Kerberos | NetBIOS, DNS | NetBIOS, DNS | DNS | — |
X.509 Client Certs. | NetBIOS, DNS | NetBIOS, DNS | DNS | — |
— Unsupported combination of authentication method and user directory.
# For this combination of authentication method and user directory, enable the collapse domains option.
Spotfire Server provides a configuration property that reverts to the behavior from previous releases. The configuration property is called collapse-domains, and enabling it means that the external domain of a user is essentially ignored, and that different users with the same user name, but in different domains, will share an account on Spotfire Server. When the collapse domains configuration property is enabled, all external users and groups will be associated with the SPOTFIRE domain, regardless of which domain they belong to in the external directory.
collapse-domains and wildcard-domain configuration properties. Doing so will ensure that all users belong to the internal SPOTFIRE domain, and no users will have to enter a domain name when logging in. (The collapse-domains configuration property can be set in the configuration tool or by using the config-userdir command.)
collapse-domains configuration property is enabled. If there are multiple users with the same account name in different external domains, they will now effectively share the same account within Spotfire Server. If security has a higher priority than user convenience, make sure not to enable the collapse domains configuration property.
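The account sharing described above can be checked for before collapse-domains is enabled. The following is an added example, not part of the Spotfire documentation or tooling: it scans a list of external user names in either domain name style and reports account names that exist in more than one domain. The sample names are constructed, and two behaviors are assumptions: account names are compared case-insensitively by default, and a name without a domain is treated as an internal SPOTFIRE user.

```python
"""Pre-flight audit: which accounts would merge if collapse-domains were enabled?"""
from collections import defaultdict

# Constructed sample export of user names (not real accounts).
SAMPLE_USERS = [
    "alice@research.example.com",   # DNS style
    "RESEARCH\\bob",                # NetBIOS style
    "SALES\\alice",
    "Bob@sales.example.com",
    "carol@research.example.com",
    "carol",                        # no domain: assumed internal SPOTFIRE user
]

def split_user(name):
    """Return (domain, account) for a DNS-style or NetBIOS-style user name."""
    name = name.strip()
    if "\\" in name:                          # NetBIOS: DOMAIN\account
        domain, account = name.split("\\", 1)
    elif "@" in name:                         # DNS: account@domain
        account, domain = name.rsplit("@", 1)
    else:                                     # assumption: unqualified = SPOTFIRE
        domain, account = "SPOTFIRE", name
    if not domain or not account:
        raise ValueError(f"malformed user name: {name!r}")
    return domain.upper(), account

def collapse_collisions(names, case_sensitive=False):
    """Map account -> sorted domains for accounts found in more than one domain.

    Domains are compared as written, so an export that lists the same domain
    in both styles (RESEARCH and research.example.com) should be normalized
    to one style first to avoid false positives.
    """
    seen = defaultdict(set)
    for name in names:
        domain, account = split_user(name)
        key = account if case_sensitive else account.lower()
        seen[key].add(domain)
    return {acct: sorted(doms) for acct, doms in seen.items() if len(doms) > 1}

if __name__ == "__main__":
    for acct, doms in sorted(collapse_collisions(SAMPLE_USERS).items()):
        print(f"{acct}: would be shared across {', '.join(doms)}")
```

Every account it reports is one where distinct people would end up sharing a single Spotfire Server account, so an empty result is the condition to look for before enabling the property.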
collapse-domains configuration property after once having synchronized Spotfire Server with an external directory. This creates double accounts with different domain names for every synchronized user and group in the user directory. The new accounts do not inherit the permissions of the old accounts.