Product: TIBCO Spotfire®
Can new external users log in to Spotfire if an LDAP user directory synchronization has not completed since they were added?
Yes. By default, TIBCO Spotfire Server will check the external directory to see if the user is new since the last user directory synchronization. It will import the user if the user is found according to the LDAP configuration settings. This is controlled by the <check-external-users> setting.
When TIBCO Spotfire is configured with LDAP User Directory, the user directory synchronization will occur according to the schedule defined in the LDAP configuration. For example,
<ldap-config>
  <id>myLDAPconfiguration</id>
  ...
  <synchronization-schedules>
    <schedule>@restart</schedule>
    <schedule>@daily</schedule>
  </synchronization-schedules>
  ...
</ldap-config>
This means that if a new user is added to the external directory after the last synchronization, they will not be present in the TIBCO Spotfire Server application database (USERS table), where the user directory resides, until the next scheduled synchronization. Even though the user is not yet present in the user directory, they are still able to log in to Spotfire before the next scheduled synchronization if the <check-external-users> setting is set to "true" in the TIBCO Spotfire Server configuration. Note that the default value of <check-external-users> is true. If you export your TIBCO Spotfire Server configuration, the <check-external-users> setting can be seen within the <user-directory> node:
...
<user-directory>
  <provider>ldap</provider>
  <ldap>
    <ldap-configs>
      <ldap-config>myLDAPconfiguration</ldap-config>
    </ldap-configs>
    <synchronization-sleep-time>60</synchronization-sleep-time>
  </ldap>
  ...
  <allow-user-password-modification>true</allow-user-password-modification>
  <check-external-users>true</check-external-users>
  <domain-name-style>dns</domain-name-style>
  <collapse-domains>false</collapse-domains>
  <safe-synchronization>false</safe-synchronization>
  ...
</user-directory>
...
After authentication, the TIBCO Spotfire Server will check the user directory to verify the user is present and enabled as part of the post-authentication filter.
Example 1: <check-external-users> = true
When <check-external-users> is set to true, after the user has been successfully authenticated against the external directory server, the Spotfire Server checks the user directory to ensure that the user is present. In the example below, the user is not found in the database. Since <check-external-users> = true, the external directory is checked to see if the user is new since the last user directory synchronization. If the user is found, the user is imported into the user directory and the client is then successfully authenticated. This activity is seen in the server.log with the "Checking if the user principal user3@east.local has been recently added to the external provider" entry. For example:
==========================
DEBUG 2016-03-10T13:03:01,852-0800 [unknown, #333] server.security.JaasAuthenticator: Authenticating user principal 'user3' using JAAS application configuration 'SpotfireLDAP'...
DEBUG 2016-03-10T13:03:01,852-0800 [unknown, #333] jaas.ldap.LDAPLoginModule: com.spotfire.server.jaas.ldap.LDAPLoginModule initialized
DEBUG 2016-03-10T13:03:01,852-0800 [unknown, #333] jaas.ldap.LDAPLoginModule: Authenticating user 'user3' in LDAPLoginModule
DEBUG 2016-03-10T13:03:01,852-0800 [unknown, #333] server.ldap.LdapContextFactory: Creating an LDAP connection for principal 'east\spotfireLDAPaccount' to LDAP server(s) ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,852-0800 [unknown, #333] server.ldap.LdapContextFactory: Successfully created an LDAP connection for principal 'east\spotfireLDAPaccount' to LDAP server ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,852-0800 [unknown, #333] jaas.ldap.LDAPLoginModule: Using searchFilter '(&(sAMAccountName=user3)(objectClass=user))'
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] jaas.ldap.LDAPLoginModule: Could not find any user 'user3' in LDAP context 'OU=DEV,OU=EAST-OBJECTS,DC=east,DC=local'
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] jaas.ldap.LDAPLoginModule: Found LDAP user 'CN=user3,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local', using DN as principal id
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] jaas.ldap.LDAPLoginModule: Could not find any user 'user3' in LDAP context 'OU=TEST,OU=EAST-OBJECTS,DC=east,DC=local'
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] server.ldap.LdapContextFactory: Closing LdapContext for ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] jaas.ldap.LDAPLoginModule: Authenticating user with principal id 'CN=user3,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local'
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] server.ldap.LdapContextFactory: Creating an LDAP connection for principal 'CN=user3,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local' to LDAP server(s) ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] server.ldap.LdapContextFactory: Successfully created an LDAP connection for principal 'CN=user3,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local' to LDAP server ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] server.ldap.LdapContextFactory: Closing LdapContext for ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] jaas.ldap.LDAPLoginModule: Successfully authenticated user 'user3' with DN 'CN=user3,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local'
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] server.security.JaasAuthenticator: Successfully authenticated user 'user3' in domain 'east.local'
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] server.security.PostAuthenticationFilterImpl: Post-authentication filtering security context for principal 'user3@east.local'
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] server.security.PostAuthenticationFilterImpl: Post-authentication filtering in block mode
DEBUG 2016-03-10T13:03:01,868-0800 [unknown, #333] server.security.PostAuthenticationFilterImpl: Looking up the authenticated user principal 'user3@east.local' in the User Directory
DEBUG 2016-03-10T13:03:01,883-0800 [unknown, #333] server.userdir.UserDirectoryImpl: Checking if the user principal user3@east.local has been recently added to the external provider
DEBUG 2016-03-10T13:03:01,883-0800 [unknown, #333] server.ldap.LdapContextFactory: Creating an LDAP connection for principal 'east\spotfireLDAPaccount' to LDAP server(s) ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,883-0800 [unknown, #333] server.ldap.LdapContextFactory: Successfully created an LDAP connection for principal 'east\spotfireLDAPaccount' to LDAP server ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,883-0800 [unknown, #333] server.ldap.LdapContextFactory: Closing LdapContext for ldap://10.97.38.145:389
DEBUG 2016-03-10T13:03:01,883-0800 [unknown, #333] server.userdir.UserDirectoryImpl: Importing user principal user3@east.local that was recently added to the external provider
DEBUG 2016-03-10T13:03:01,899-0800 [user3@east.local, #333] server.security.SecurityFilter: The client is successfully authenticated
==========================
Example 2: <check-external-users> = false
When <check-external-users> is set to false, after the user has been successfully authenticated against the external directory server, the Spotfire Server checks the user directory to ensure the user is present. In the example below, the user is not found in the database, but since <check-external-users> = false, the external directory is not checked to see if the user is new, and authentication is denied because the user is not found in the user directory. For example:
==========================
DEBUG 2016-03-10T13:23:27,390-0800 [unknown, #9] server.security.JaasAuthenticator: Authenticating user principal 'user4' using JAAS application configuration 'SpotfireLDAP'
...
DEBUG 2016-03-10T13:23:27,390-0800 [unknown, #9] jaas.ldap.LDAPLoginModule: com.spotfire.server.jaas.ldap.LDAPLoginModule initialized
DEBUG 2016-03-10T13:23:27,390-0800 [unknown, #9] jaas.ldap.LDAPLoginModule: Authenticating user 'user4' in LDAPLoginModule
DEBUG 2016-03-10T13:23:27,390-0800 [unknown, #9] server.ldap.LdapContextFactory: Creating an LDAP connection for principal 'east\spotfireLDAPaccount' to LDAP server(s) ldap://10.97.38.145:389
DEBUG 2016-03-10T13:23:27,390-0800 [unknown, #9] server.ldap.LdapContextFactory: Successfully created an LDAP connection for principal 'east\spotfireLDAPaccount' to LDAP server ldap://10.97.38.145:389
DEBUG 2016-03-10T13:23:27,390-0800 [unknown, #9] jaas.ldap.LDAPLoginModule: Using searchFilter '(&(sAMAccountName=user4)(objectClass=user))'
DEBUG 2016-03-10T13:23:27,390-0800 [unknown, #9] jaas.ldap.LDAPLoginModule: Could not find any user 'user4' in LDAP context 'OU=DEV,OU=EAST-OBJECTS,DC=east,DC=local'
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] jaas.ldap.LDAPLoginModule: Found LDAP user 'CN=user4,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local', using DN as principal id
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] jaas.ldap.LDAPLoginModule: Could not find any user 'user4' in LDAP context 'OU=TEST,OU=EAST-OBJECTS,DC=east,DC=local'
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] server.ldap.LdapContextFactory: Closing LdapContext for ldap://10.97.38.145:389
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] jaas.ldap.LDAPLoginModule: Authenticating user with principal id 'CN=user4,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local'
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] server.ldap.LdapContextFactory: Creating an LDAP connection for principal 'CN=user4,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local' to LDAP server(s) ldap://10.97.38.145:389
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] server.ldap.LdapContextFactory: Successfully created an LDAP connection for principal 'CN=user4,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local' to LDAP server ldap://10.97.38.145:389
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] server.ldap.LdapContextFactory: Closing LdapContext for ldap://10.97.38.145:389
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] jaas.ldap.LDAPLoginModule: Successfully authenticated user 'user4' with DN 'CN=user4,OU=INFRA-Admin,OU=EAST-OBJECTS,DC=east,DC=local'
DEBUG 2016-03-10T13:23:27,406-0800 [unknown, #9] server.security.JaasAuthenticator: Successfully authenticated user 'user4' in domain 'east.local'
DEBUG 2016-03-10T13:23:27,421-0800 [unknown, #9] server.security.PostAuthenticationFilterImpl: Post-authentication filtering security context for principal 'user4@east.local'
DEBUG 2016-03-10T13:23:27,421-0800 [unknown, #9] server.security.PostAuthenticationFilterImpl: Post-authentication filtering in block mode
DEBUG 2016-03-10T13:23:27,421-0800 [unknown, #9] server.security.PostAuthenticationFilterImpl: Looking up the authenticated user principal 'user4@east.local' in the User Directory
INFO 2016-03-10T13:23:27,421-0800 [unknown, #9] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'user4@east.local' cannot be found in the User Directory
DEBUG 2016-03-10T13:23:27,421-0800 [unknown, #9] server.security.SecurityFilter: No authentication credentials included in request
==========================
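As an added example (not part of the TIBCO article), the following Python script scans server.log lines for the two outcomes shown in Example 1 and Example 2 above, and cross-checks any just-in-time imports against the <check-external-users> value in an exported configuration, so a drift between the exported file and the running server shows up. The sample log lines and the abridged configuration are constructed, and the <configuration> root element name is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Message patterns copied from the server.log excerpts shown in the article.
IMPORT_RE = re.compile(r"UserDirectoryImpl: Importing user principal (\S+) that was recently added")
DENY_RE = re.compile(r"Denying access, the user principal '([^']+)' cannot be found in the User Directory")
OK_RE = re.compile(r"^\S+ \S+ \[([^,\]]+), #\d+\] server\.security\.SecurityFilter: The client is successfully authenticated")


def audit_logins(log_lines):
    """Map each principal to how its login ended:
    'imported' - absent from the User Directory, imported just-in-time from LDAP (check-external-users=true)
    'denied'   - absent from the User Directory and rejected (check-external-users=false)
    'known'    - authenticated without a just-in-time import
    """
    outcomes = {}
    for line in log_lines:
        if m := IMPORT_RE.search(line):
            outcomes[m.group(1)] = "imported"
        elif m := DENY_RE.search(line):
            outcomes[m.group(1)] = "denied"
        elif (m := OK_RE.search(line)) and m.group(1) not in outcomes:
            outcomes[m.group(1)] = "known"
    return outcomes


def check_external_users_enabled(config_xml):
    """Read <check-external-users> from an exported configuration; a missing node means the default (true)."""
    node = ET.fromstring(config_xml).find(".//user-directory/check-external-users")
    return node is None or (node.text or "").strip().lower() == "true"


def unexpected_imports(config_xml, log_lines):
    """Principals imported just-in-time although the exported configuration says check-external-users is false.
    A non-empty result means the running server is not using the configuration you exported."""
    if check_external_users_enabled(config_xml):
        return []
    return sorted(p for p, o in audit_logins(log_lines).items() if o == "imported")


# Constructed sample input (assumed <configuration> root; log lines in the article's format).
SAMPLE_CONFIG = """<configuration><user-directory><provider>ldap</provider>
<check-external-users>false</check-external-users></user-directory></configuration>"""
SAMPLE_LOG = [
    "DEBUG 2016-03-10T13:03:01,883-0800 [unknown, #333] server.userdir.UserDirectoryImpl: Importing user principal user3@east.local that was recently added to the external provider",
    "DEBUG 2016-03-10T13:03:01,899-0800 [user3@east.local, #333] server.security.SecurityFilter: The client is successfully authenticated",
    "INFO 2016-03-10T13:23:27,421-0800 [unknown, #9] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'user4@east.local' cannot be found in the User Directory",
    "DEBUG 2016-03-10T13:30:00,000-0800 [user1@east.local, #12] server.security.SecurityFilter: The client is successfully authenticated",
]

if __name__ == "__main__":
    print(audit_logins(SAMPLE_LOG))
    print(unexpected_imports(SAMPLE_CONFIG, SAMPLE_LOG))
```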