Product: TIBCO Spotfire®
How to create LDIF File of a directory object for troubleshooting LDAP User Directory and Authentication issues
The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content. An LDIF file shows the exact properties of the directory object which are visible to the bind account used.
When troubleshooting user directory or authentication issues, it can be useful to bind to the same LDAP server and port, with the same account, that the TIBCO Spotfire Server uses in its LDAP configuration, and then export an LDIF file of a problematic user (and of a non-problematic user for comparison). This replicates what Spotfire sees when it accesses the directory, which helps in identifying missing attributes (due to insufficient permissions) or misconfigurations (mismatching filters or contexts, for example).
Below is an example of how user account details are displayed in an LDIF file:
dn: CN=name,CN=Users,DC=boston,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: name
givenName: Name
displayName: Name
userAccountControl: 789656
codePage: 0
countryCode: 0
accountExpires: 92233789076545407
sAMAccountName: Name
userPrincipalName: Name@boston.local
Steps to create the LDIF file:
1. Download and install LDAP Browser from Softerra:
2. Start LDAP Browser
3. Create a new profile using the same server, port, security options (SSL) and credentials used in the TIBCO Spotfire Server configuration (the current Spotfire Server configuration can be exported with the export-config command for reference):
Go to File > New > Profile
Enter a Profile Name and click on Next
“Host” and “Port” should be the same as the ‘LDAP Server URL’ in TIBCO Spotfire Server UIConfig > Configuration > User Directory: LDAP (use the “Lookup Servers” button to look up the LDAP domain)
Choose security options only if required.
Click on Next
Select the appropriate User Authentication Information. This will almost always be "Simple", and you will provide the "Principal" account name and "Password" for the account being used to connect to your LDAP server. The principal username and password must exactly match the “LDAP Username” and “LDAP Password” in TIBCO Spotfire Server UIConfig > Configuration > User Directory: LDAP.
Click on Next
4. Click on Finish
5. In the Scope Pane on the left, open your new profile and browse to the Users/Groups/Objects not seen in Spotfire. Note: If the users or groups are also not seen here, then this explains why they are missing during Spotfire's LDAP synchronization. If this is the case, contact your directory administrator so that they can give the correct permissions for the given bind account to authenticate against the given LDAP server URL and read the objects and their attributes.
6. In the Scope Pane on the left, right click on the desired Users/Groups/Objects and select "Export data". Select LDIF as the file format and click "Finish".
Then please send the resulting .LDIF files to TIBCO Support for the investigation.
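The comparison of a problematic and a non-problematic user's export described above can be scripted. The following is an added example, not part of the original article or any TIBCO tooling; the sample entries, user names and function names are constructed for illustration. It parses one entry per export (handling folded lines and base64 "::" values) and lists the attributes the bind account can read on the working user but not on the problematic one.

```python
import base64

# Constructed sample exports (not from a real directory).
GOOD_LDIF = """\
dn: CN=good,CN=Users,DC=boston,DC=local
objectClass: user
cn: good
sAMAccountName: good
userPrincipalName: good@boston.local
displayName:: R29vZCBVc2Vy
memberOf: CN=Spotfire Users,CN=Users,
 DC=boston,DC=local
"""
BAD_LDIF = """\
dn: CN=bad,CN=Users,DC=boston,DC=local
objectClass: user
cn: bad
"""

def parse_entry(text):
    """Parse the first entry of an LDIF export into {attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folded continuation line
        elif raw.startswith("#") or (not lines and raw.lower().startswith("version:")):
            continue                      # comment or leading version header
        elif not raw.strip():
            if lines:
                break                     # blank line ends the entry
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), []).append(value)  # names are case-insensitive
    return entry

def missing_attributes(good, bad):
    """Attributes the bind account can read on `good` but not on `bad`."""
    return sorted(set(good) - set(bad))

if __name__ == "__main__":
    good, bad = parse_entry(GOOD_LDIF), parse_entry(BAD_LDIF)
    print("missing on problematic user:", missing_attributes(good, bad))
```

To use it on real exports, read the two .LDIF files into strings and pass them to parse_entry in place of the constructed samples.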