External directories and domains
You can configure Spotfire Server to integrate with external directories such as LDAP directories or Windows domains.
Spotfire Server keeps track of which domain every user belongs to. Users who are created by an administrator directly within Spotfire Server belong to the SPOTFIRE domain; when the user directory type is Database, this is the only domain in use.
External users keep their domain name from the external directory, and the domain name is included as part of their user name throughout the Spotfire interface. Two domain name styles are used:
- DNS domain names, for example "research.example.com". A complete user name looks like this: someone@research.example.com.
- NetBIOS domain names, for example "RESEARCH". A complete user name looks like this: RESEARCH\someone.
Below is a matrix showing which domain name style to use for different combinations of authentication method and user directory. Combinations that are not supported are marked " — ".
Spotfire Server warns, and refuses to start, if you configure an authentication method and a user directory with incompatible domain name styles. If you must go ahead with an officially incompatible configuration, you have to set the allow incompatible domain name styles configuration property to make the server start at all; one way to make such a setup work is a custom post-authentication filter that bridges the two otherwise incompatible domain name styles. (The allow incompatible domain name styles option can be set using the config-userdir command. For information about custom post-authentication filters, see Post-authentication filter.)
Domain name style by authentication method (rows) and user directory type (columns):

| Authentication method | Database | LDAP/AD | LDAP/other | Windows NT |
|---|---|---|---|---|
| Username/Password - database | NetBIOS(DNS) | — | — | — |
| Username/Password - LDAP/AD | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
| Username/Password - LDAP/other | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
| Username/Password - Windows NT | — | — | — | NetBIOS(DNS) |
| NTLM | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
| Kerberos | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |
| X.509 Client Certs. | NetBIOS(DNS) | NetBIOS(DNS) | NetBIOS(DNS) | — |

Unsupported combinations of authentication method and user directory are marked with "—".
Domain name styles by authentication method (rows) and user directory type (columns):

| Authentication method | Database | LDAP/AD | LDAP/other | Windows NT |
|---|---|---|---|---|
| Username/Password - database | NetBIOS, DNS | — | — | — |
| Username/Password - LDAP/AD | NetBIOS, DNS | NetBIOS, DNS | # | — |
| Username/Password - LDAP/other | NetBIOS, DNS | # | DNS | — |
| Username/Password - Windows NT | — | — | — | NetBIOS, DNS |
| NTLM | NetBIOS, DNS | NetBIOS, DNS | # | — |
| Kerberos | NetBIOS, DNS | NetBIOS, DNS | DNS | — |
| X.509 Client Certs. | NetBIOS, DNS | NetBIOS, DNS | DNS | — |

Unsupported combinations of authentication method and user directory are marked with "—".
The wildcard domain configuration property decides how the server maps a user to a domain during authentication. It can be configured in the configuration tool.
- When the wildcard domain configuration property is enabled (default), Spotfire Server checks whether the user name contains a domain name, and if it does, that domain name is used.
- If the wildcard is enabled but the user name does not contain a domain name, the server attempts to authenticate the user with the provided user name and password in every domain it knows about, until the combination of domain name, user name, and password results in a successful authentication, or until there are no more domain names to try.
- If the wildcard domain property is turned off, the domain name must be specified by the user unless it belongs to the configured default domain.
Thus, if security has a higher priority than user convenience, turn off the wildcard domain configuration property. With the wildcard enabled, a login with an unqualified user name and a wrong password is a failed attempt against that account name in every domain the server tries, so repeated attempts, whether mistyped or malicious, can lock out the "correct" user in a domain that was never intended.
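The following Python model, added here as an illustration and not Spotfire Server code, shows the two user name styles being split into domain and account name, the difference between an explicit domain, the wildcard search and the default-domain fallback, and why the wildcard search turns one bad password into a failed attempt in every domain. The directories, passwords, the `LOCKOUT_THRESHOLD` value and the domain iteration order are all constructed assumptions for the example.

```python
"""Model of how a login name is mapped to a domain and how the wildcard-domain
setting multiplies authentication attempts.

Added illustration, not Spotfire Server code. Directory contents, passwords
and the lockout threshold below are constructed for the example.
"""
from typing import Dict, List, Optional, Set, Tuple

Account = Tuple[str, str]          # (domain, user)

# Constructed sample directories: domain -> {user: password}.
DIRECTORIES: Dict[str, Dict[str, str]] = {
    "research.example.com": {"someone": "s3cret"},
    "SALES": {"someone": "other-pw", "bob": "hunter2"},
    "SPOTFIRE": {"admin": "adminpw"},
}
LOCKOUT_THRESHOLD = 3  # assumed failed-attempt limit enforced per account


def split_domain(login: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split a complete user name into (domain, user, style).

    'DOMAIN\\user' is the NetBIOS style, 'user@dns.domain' the DNS style;
    a bare account name has no domain and no style.
    """
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return domain, user, "netbios"
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return domain, user, "dns"
    return None, login, None


class LoginOutcome:
    """Records every (account, success) pair a single login produced."""

    def __init__(self) -> None:
        self.authenticated_as: Optional[Account] = None
        self.attempts: List[Tuple[Account, bool]] = []

    def try_account(self, domain: str, user: str, password: str) -> bool:
        ok = DIRECTORIES.get(domain, {}).get(user) == password
        self.attempts.append(((domain, user), ok))
        if ok:
            self.authenticated_as = (domain, user)
        return ok


def authenticate(login: str, password: str, wildcard_domain: bool = True,
                 default_domain: str = "SPOTFIRE") -> LoginOutcome:
    """Resolve the domain for `login` and try the credentials accordingly."""
    outcome = LoginOutcome()
    domain, user, _style = split_domain(login)
    if domain is not None:
        # An explicit domain is honoured in both modes; nothing else is tried.
        outcome.try_account(domain, user, password)
    elif not wildcard_domain:
        # Wildcard off: an unqualified name can only mean the default domain.
        outcome.try_account(default_domain, user, password)
    else:
        # Wildcard on: walk every known domain until one accepts the credentials.
        for candidate in DIRECTORIES:
            if outcome.try_account(candidate, user, password):
                break
    return outcome


def locked_accounts(outcomes: List[LoginOutcome],
                    threshold: int = LOCKOUT_THRESHOLD) -> Set[Account]:
    """Accounts whose accumulated failed attempts reached the assumed threshold."""
    failures: Dict[Account, int] = {}
    for outcome in outcomes:
        for account, ok in outcome.attempts:
            if not ok:
                failures[account] = failures.get(account, 0) + 1
    return {acct for acct, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    # Three wrong guesses for the bare name "someone" with the wildcard on:
    # each guess fails once in every domain, so research.example.com\someone
    # reaches the threshold although that user never typed anything.
    guesses = [authenticate("someone", "wrong", wildcard_domain=True) for _ in range(3)]
    print(sorted(locked_accounts(guesses)))
    guesses = [authenticate("someone", "wrong", wildcard_domain=False) for _ in range(3)]
    print(sorted(locked_accounts(guesses)))
```

With the wildcard on, the same three bad guesses count against "someone" in every domain; with it off, only the default domain's account accumulates failures, and users in other domains have to type their domain explicitly.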
Spotfire Server provides a configuration property, collapse-domains, that reverts to the behavior from previous releases. Enabling this means that the external domain of a user is essentially ignored: when the collapse-domains configuration property is enabled, all external users and groups are associated with the SPOTFIRE domain, regardless of which domain they belong to in the external directory.
The collapse-domains configuration property can be set in the configuration tool or by using the config-userdir command.
Both the collapse-domains and wildcard-domain configuration properties can be enabled simultaneously. Doing so makes all users belong to the internal SPOTFIRE domain, and no user needs to enter a domain name when logging in.
When the collapse-domains configuration property is enabled, all users belong to a single domain in Spotfire. If there are multiple users with the same account name in different external domains, they effectively share the same account within Spotfire Server while the property is enabled.
If security has a higher priority than user convenience, do not enable the collapse domain configuration property.
Do not change the collapse-domains configuration property after having synchronized Spotfire Server with an external directory. Doing so creates double accounts with different domain names for every synchronized user and group in the user directory, and the new accounts do not inherit the permissions of the old accounts.