Product: TIBCO Spotfire®
Spotfire users from an LDAP directory are no longer able to log in because their accounts are disabled in Spotfire.
Environment:
TIBCO Spotfire Server - all versions
Problem Description:
Users that are synchronized with an LDAP directory cannot log in through the Analyst client or a web browser. The error displayed is "Wrong username or password". These user accounts are shown as "disabled" in the Spotfire web admin console under Users & Groups.
Resolution:
This problem is the result of a failed LDAP synchronization. It can occur for several reasons, but the most likely cause is a failing or very slow connection to the LDAP server due to network issues. Spotfire usually logs this as follows:
WARN 2021-06-01T18:15:50,175-0400 server.ldap.LdapSearcher: Error performing an LDAP search javax.naming.NamingException: LDAP response read timed out, timeout used:5000ms.
...
ERROR 2021-06-01T18:15:50,175-0400 userdir.ldap.LdapProvider: Found no users: review the settings for the LDAP configuration OID Stage
LDAP synchronization can also fail because of other issues, for example, an invalid configuration or an incorrect LDAP server account password. This article only addresses network-related issues.
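An added example (not TIBCO's code): a Python check that scans Spotfire Server log text for the two messages above and reports each failed synchronization, noting whether a read timeout was logged just before it. The sample lines are constructed from the excerpt in this article; the 60-second correlation window and the reading of the trailing text as the LDAP configuration name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modeled on the excerpt in this article. The third
# failure has its exception on a continuation line, as a logger may print it.
SAMPLE_LOG = """\
WARN 2021-06-01T18:15:50,175-0400 server.ldap.LdapSearcher: Error performing an LDAP search javax.naming.NamingException: LDAP response read timed out, timeout used:5000ms.
ERROR 2021-06-01T18:15:50,175-0400 userdir.ldap.LdapProvider: Found no users: review the settings for the LDAP configuration OID Stage
ERROR 2021-06-02T02:00:03,410-0400 userdir.ldap.LdapProvider: Found no users: review the settings for the LDAP configuration OID Stage
WARN 2021-06-03T09:30:05,120-0400 server.ldap.LdapSearcher: Error performing an LDAP search
javax.naming.NamingException: LDAP response read timed out, timeout used:5000ms.
ERROR 2021-06-03T09:30:05,121-0400 userdir.ldap.LdapProvider: Found no users: review the settings for the LDAP configuration OID Stage
"""

STAMPED = re.compile(r"^[A-Z]+ (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d,\d{3}[+-]\d{4}) ")
TIMEOUT = re.compile(r"LDAP response read timed out, timeout used:(\d+)ms")
NO_USERS = re.compile(r"Found no users: review the settings for the LDAP configuration (.+)$")

def find_failed_syncs(log_text, window=timedelta(seconds=60)):
    """One record per 'Found no users' error. read_timeout_ms is the timeout
    logged at most `window` earlier, or None when no timeout preceded the
    failure (pointing at a non-network cause such as configuration)."""
    failures, stamp, when, last_timeout = [], None, None, None
    for line in log_text.splitlines():
        head = STAMPED.match(line)
        if head:  # continuation lines inherit the previous line's timestamp
            stamp = head.group(1)
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S,%f%z")
        if when is None:
            continue
        timed_out = TIMEOUT.search(line)
        if timed_out:
            last_timeout = (when, int(timed_out.group(1)))
        no_users = NO_USERS.search(line)
        if no_users:
            near = last_timeout and timedelta(0) <= when - last_timeout[0] <= window
            failures.append({
                "time": stamp,
                "configuration": no_users.group(1).strip(),
                "read_timeout_ms": last_timeout[1] if near else None,
            })
    return failures

if __name__ == "__main__":
    for failure in find_failed_syncs(SAMPLE_LOG):
        print(failure)
```

A record with a read_timeout_ms value matches the network case this article covers; a record with None points to one of the other causes.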
The solution is to increase the LDAP "Connection timeout" and "Read timeout" values in the Spotfire Server Configuration Tool under Configuration tab -> Authentication:LDAP -> Advanced Settings -> Connection timeout, Read timeout (in milliseconds). The default values are 0, which means no timeout: the server effectively waits until the connection times out at the TCP network level. In the event of network problems, these settings should be either set to 0 or increased above their current values.
Once the "Connection timeout" and "Read timeout" settings have been modified, a manual LDAP synchronization can be started by running the "list-users" command from the C:\tibco\tss\x.x.x\tomcat\spotfire-bin directory:
Windows:
config.bat list-users -f
Linux:
config.sh list-users -f
Note: by default, Spotfire disables all users that are synchronized with an LDAP directory when synchronization with that particular directory fails. To avoid this, it is possible to enable "safe synchronization". This configuration setting prevents users from being disabled when LDAP synchronization fails:
https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-45911