Spotfire® Server and Environment - Installation and Administration

Configuring Spotfire Server for GSSAPI authentication of LDAP

These instructions apply to Active Directory LDAP configurations. Spotfire Server does not support GSSAPI for other LDAP configurations.

Before you begin

  • Make sure that you have a fully working Active Directory LDAP configuration using clear-text password authentication (also known as simple authentication mechanism).
  • Save this fully working Active Directory LDAP configuration to file.
  • Make a note of the LDAP configuration's ID.
  • Make sure that you have a fully working krb5.conf file. The content of the krb5.conf file must be the same as when setting up Spotfire Server for Kerberos authentication. See Configuring Kerberos for Java.
    Note: Make sure to stop the entire service/Java process before installing the file. If the krb5.conf file is modified after Spotfire Server has been started, you must restart the Spotfire Server process for the modifications to take effect.

Procedure

  1. Stop Spotfire Server (see Start or stop Spotfire Server).
  2. Copy the fully working krb5.conf file to the <install dir>/tomcat/spotfire-config directory on each Spotfire Server in the cluster.
  3. Open the configuration tool and go to the LDAP Configuration panel.
  4. Update the LDAP user name so that it is a proper Kerberos principal name. Usually it is sufficient to add the name of the account's Windows domain in upper-case letters. Sometimes it is also necessary to include the Windows domain name. Using a name based on a distinguished name (DN) or including a NetBIOS domain name does not work when using GSSAPI.
    Examples of correct names:
    • ldapsvc@RESEARCH.EXAMPLE.COM
    • ldapsvc@research.example.com@RESEARCH.EXAMPLE.COM
  5. Select the specific LDAP configuration to be enabled for GSSAPI and then expand the Advanced settings.
  6. In the Advanced dialog, make the following changes:
    1. Set the security-authentication configuration property to GSSAPI.
    2. Set the authentication-attribute to sAMAccountName or userPrincipalName (whichever works best for your configuration). The default value is empty.
      Note: If the krb5.conf file contains more than one Kerberos realm, the authentication-attribute must be set to userPrincipalName.
    3. Add a custom property with the key kerberos.login.context.name and the value SpotfireGSSAPI.
  7. Click Save configuration.
  8. Restart Spotfire Server.
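
The naming rules in step 4 and the realm note in step 6 can be checked before the configuration is saved. The following Python script is an added example, not part of the Spotfire documentation or tooling; the function names, the sample krb5.conf content and the simplified [realms] parsing are assumptions.

```python
import re

# Constructed sample krb5.conf with two realms (not taken from the page).
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = RESEARCH.EXAMPLE.COM
[realms]
    RESEARCH.EXAMPLE.COM = {
        kdc = dc01.research.example.com
    }
    SALES.EXAMPLE.COM = {
        kdc = dc01.sales.example.com
    }
"""

def realms_in_krb5(text):
    """Return the realm names declared in the [realms] section."""
    realms, section, depth = [], None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        match = re.match(r"([^\s=]+)\s*=\s*\{", line)
        if section == "realms" and depth == 0 and match:
            realms.append(match.group(1))
        depth += line.count("{") - line.count("}")
    return realms

def preflight(krb5_text, ldap_user, auth_attribute):
    """Return a list of findings; an empty list means the values fit the page's rules."""
    findings = []
    if "\\" in ldap_user:
        findings.append("NetBIOS domain name in user name")
    if re.search(r"(?i)(^|,)\s*(cn|ou|dc|uid)=", ldap_user):
        findings.append("user name is based on a distinguished name")
    user, sep, realm = ldap_user.rpartition("@")
    if not (sep and user and realm):
        findings.append("user name has no @REALM part")
    elif realm != realm.upper():
        findings.append("realm part is not upper-case")
    if auth_attribute not in ("sAMAccountName", "userPrincipalName"):
        findings.append("authentication-attribute must be sAMAccountName or userPrincipalName")
    elif len(realms_in_krb5(krb5_text)) > 1 and auth_attribute != "userPrincipalName":
        findings.append("multiple realms: authentication-attribute must be userPrincipalName")
    return findings
```

Call preflight() with the contents of the krb5.conf file you copied in step 2, the LDAP user name from step 4 and the authentication-attribute value from step 6.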

What to do next

Procedure steps related to LDAP configurations must be performed for each LDAP catalogue that you want to enable for GSSAPI. For multiple LDAP configurations, repeat these steps for each configuration.