Product: TIBCO Spotfire®
'Combination of LDAP and Spotfire database authentication' feature is disabling the manually created user
As of Spotfire 7.11.0 LTS, a new feature called "Combination of LDAP and Spotfire database authentication" lets you configure an external user directory such as LDAP and also add users manually to the Spotfire database.
If all three of the following apply to your environment, manually created users get disabled:
- You have LDAP user directory.
- You have also manually created database users.
- You have collapse domains enabled.
The server log then shows entries like the following:
INFO 2018-04-10T15:05:57,915-0300 [unknown, #30, #23865] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'myuser' is currently not enabled
Every user in the database is assigned to a domain. When "Collapse Domains" is set to TRUE, all LDAP users are placed in the domain "SPOTFIRE", which is the same domain used for all users created manually in the database. Because a manually created user is not found during LDAP synchronization (as expected), the user entry is marked as disabled.
To avoid this scenario, you can use either of the following two options in the TIBCO Spotfire Server configuration:
- Set "Collapse Domains" to FALSE - Warning: This will create new synchronized LDAP users in your system, which now have the domain as reported by the directory server during the LDAP synchronization. The previous users with the domain "SPOTFIRE" will be disabled.
- Set "Safe Synchronization" to TRUE - This will prevent users not found during an LDAP synchronization from being automatically disabled.
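To see which manually created accounts this has already hit, the added example below (not TIBCO code) scans server log lines for the denial entry quoted in this article and reports the denied principals that appear on a list of manual accounts. The list `MANUAL_USERS`, the function names and every sample line except the first are constructed for illustration.

```python
import re
from datetime import datetime

# Pattern follows the layout of the log entry quoted in this article.
DENIED = re.compile(
    r"^[A-Z]+\s+(?P<ts>\S+)\s+\[[^\]]*\]\s+"
    r"server\.security\.PostAuthenticationFilterImpl:\s+"
    r"Denying access, the user principal '(?P<user>.+?)' is currently not enabled"
)

def denied_disabled_logins(lines):
    """Map each denied principal to its hit count and first/last timestamp."""
    hits = {}
    for line in lines:
        m = DENIED.match(line.strip())
        if m is None:
            continue  # unrelated log entry
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S,%f%z")
        rec = hits.setdefault(m.group("user"), {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hits

def affected_manual_users(lines, manual_users):
    """Denied principals that are on the admin-supplied list of manual accounts."""
    wanted = set(manual_users)
    return sorted(u for u in denied_disabled_logins(lines) if u in wanted)

# Constructed sample: the first line is the entry from this article, the rest are made up.
SAMPLE_LOG = [
    "INFO 2018-04-10T15:05:57,915-0300 [unknown, #30, #23865] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'myuser' is currently not enabled",
    "INFO 2018-04-10T15:06:10,120-0300 [unknown, #31, #23866] constructed.example.Logger: unrelated entry",
    "INFO 2018-04-10T15:07:02,100-0300 [unknown, #32, #23867] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'myuser' is currently not enabled",
    "INFO 2018-04-10T15:08:41,007-0300 [unknown, #33, #23868] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'olduser' is currently not enabled",
]
MANUAL_USERS = ["myuser", "report_admin"]  # hypothetical list of manually created accounts

if __name__ == "__main__":
    hits = denied_disabled_logins(SAMPLE_LOG)
    for user in affected_manual_users(SAMPLE_LOG, MANUAL_USERS):
        rec = hits[user]
        print(user, rec["count"], rec["first"].isoformat(), rec["last"].isoformat())
```

Principals that are denied but not on the manual list (here `olduser`) may have been disabled for other reasons and should be reviewed separately.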