Troubleshooting Guide - Users are not found during a User Directory LDAP synchronization
Last updated: 4:11pm May 05, 2016

What to collect:

  • Logs - All LDAP related errors are captured in the server.log log file on TIBCO Spotfire® Server
  • Server Configuration - The LDAP configuration(s) can be seen in an XML file by exporting the current configuration from Spotfire® Server. Each LDAP configuration starts with the tag
  • Directory - Check the directory server itself to verify user/group access and attributes. Access the directory using a 3rd party tool like Softerra LDAP Browser to log in with the account specified in the Spotfire® LDAP configuration and view the user and group object attributes as specified in the Spotfire LDAP configuration
  • Database - Look in the USERS, GROUPS, and GROUP_MEMBERS tables in the Spotfire application database

Troubleshooting Checklist:

  • Verify and capture the Spotfire Server LDAP Configuration. This is viewable here:
    1. Open Spotfire configuration tool: Start > Programs > TIBCO Spotfire Server X.X > Configure TIBCO Spotfire Server
    2. Enter configuration tool password to unlock configuration
    3. On 'Configuration' tab, click 'User Directory: LDAP'
    4. Choose the configuration with the * indicating it is the current active configuration, click Export
       
  • If the user is new, ensure an LDAP synchronization has completed successfully since the user was added. If not, initiate an LDAP sync. For example, search for the final log entry for an LDAP sync:
    • [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapSynchronizer: ...done synchronizing the User Directory with external LDAP directories at restart
       
  • Verify the account used by Spotfire in the LDAP configuration.
    • This account must have read permissions in the directory on all user objects and attributes used in the configuration. For example:
      • LDAP username: myDomain\myUser
      • LDAP password: myPassword
         
  • Verify the LDAP server and port used by Spotfire in the LDAP configuration.
    • This will be used when testing. For example:
      • LDAP Server URL: ldap://myDomainController:389
         
  • Where are the users located?
    • Spotfire will search the context names for the users to import. All Spotfire users MUST be present within these containers or their subfolders as specified in the LDAP configuration. For example:
      • Context names: OU=Users,DC=myDomain,DC=com
         
  • Verify the user search filter used by Spotfire in the LDAP configuration.
    • The attributes for all Spotfire users MUST match this user search filter. For example:
      • Advanced settings > User Search Filter: objectClass=user
    • Or more advanced examples (see https://technet.microsoft.com/en-us/library/Aa996205%28v=EXCHG.65%29.aspx for LDAP query basics):
      • Advanced settings > User Search Filter:
        &(objectClass=user)(myCustomAttribute=mySpotfireUsers)
        or
        &(objectClass=user)(memberOf=MySpotfireUserGroup)
         
  • Verify access to the problem users and their critical attributes with a 3rd party directory browser tool like Softerra LDAP Browser.
    1. Download and install LDAP Browser from Softerra: http://www.ldapbrowser.com/download.htm
    2. Start Softerra LDAP Browser
    3. Create a new profile using the same LDAP server, port, security options (SSL) and credentials used in the Spotfire Server LDAP configuration as verified earlier:
    4. File > New > New Profile
    5. In the Scope Pane on the left, open your new profile and browse to the Users/Groups/Objects not seen in Spotfire. These must be present in the contexts used in the Spotfire Server LDAP configuration as verified earlier
    6. Verify you can see the user object and read all attributes referenced in the LDAP configuration Advanced Settings (Username attribute, Authentication attribute, User display name)
    7. Verify the attributes referenced in the User Search Filter match the problem users exactly
    8. [Optional] In the Scope Pane on the left, right click on the missing Users/Groups/Objects and select "Export data". Select LDIF as the file format and click "Finish".
       
  • If the configurations all appear to be correct, enable DEBUG (or TRACE) logging and look for errors in the server.log during an LDAP synchronization (search for “[*LdapSynchronizer” in the server.log)
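
The context-name and User Search Filter checks from the checklist above can also be run offline against an LDIF export of a problem user. The following is an added example, not TIBCO code: the LDIF entry is constructed, the function names are hypothetical, and the matching is a local approximation (flat filters, case-insensitive equality), so the directory server's own search result remains authoritative.

```python
import re

# Constructed LDIF entry, in the shape a directory browser exports (sample data).
LDIF = """\
dn: CN=Jane Doe,OU=Contractors,OU=Users,DC=myDomain,DC=com
objectClass: user
myCustomAttribute: mySpotfireUsers
"""

def parse_ldif_entry(text):
    """Return (dn, {attr: [values]}); handles unfolded, non-base64 lines only."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if line.startswith("#") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.lower(), []).append(value.strip())
    return dn, attrs

def rdns(dn):  # lower-cased RDNs; escaped commas inside values are not handled
    return [part.strip().lower() for part in dn.split(",")]

def in_context(dn, contexts):
    """True if dn is one of the context containers or sits below one."""
    parts = rdns(dn)
    return any(parts[-len(c):] == c for c in map(rdns, contexts))

def failed_clauses(user_filter, attrs):
    """Clauses of a flat filter ('a=b' or '&(a=b)(c=d)') the entry fails."""
    text = user_filter.strip()
    if text[:2] in ("(&", "(|"):          # tolerate an outer pair of parentheses
        text = text[1:-1]
    if text[:1] in ("&", "|"):
        op, clauses = text[0], re.findall(r"\(([^()=]+)=([^()]*)\)", text[1:])
    else:
        op, clauses = "&", [tuple(text.strip("()").split("=", 1))]
    # Assumption: case-insensitive equality only; wildcards are not evaluated.
    missed = [f"{a}={v}" for a, v in clauses
              if v.lower() not in (x.lower() for x in attrs.get(a.strip().lower(), []))]
    return [] if op == "|" and len(missed) < len(clauses) else missed

def diagnose(ldif, contexts, user_filter):
    """List the reasons this entry would not be picked up by the user search."""
    dn, attrs = parse_ldif_entry(ldif)
    problems = [] if in_context(dn, contexts) else [f"not under a context name: {dn}"]
    return problems + [f"filter clause not matched: {c}" for c in failed_clauses(user_filter, attrs)]
```

An empty list from diagnose() means the entry sits under a configured context and satisfies every clause of the filter; each returned string names one setting to recheck.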

What to look for:

  • Check the exact LDAP configuration settings in the server’s exported configuration file. Each LDAP configuration starts with
     
  • Check in the directory that the user objects are in the correct location and attributes are readable and values match the Spotfire LDAP configuration. Use the instructions above to ensure the connection uses the exact same LDAP server, port, and account for connection as is used in the Spotfire LDAP configuration. Once configured, you should see the users present in the correct containers (context names) and with their attributes present and readable, like this example:

     
  • Check the server.log file on the Spotfire Server for any errors. You can compare against a log entry capturing a normal successful synchronization. For example:
    INFO 2015-08-05T07:54:15,905-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapSynchronizer: Scheduling immediate synchronization for LDAP configuration dc-east-basic
    DEBUG 2015-08-05T07:54:15,905-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapSynchronizer: Synchronizing the User Directory with the external LDAP directory for LDAP configuration dc-east-basic
    DEBUG 2015-08-05T07:54:15,905-0700 [*LdapSynchronizer.RestartRunnable*] server.config.ConfigurationPropertiesImpl: Initializing ConfigurationPropertiesImpl
    INFO 2015-08-05T07:54:15,967-0700 [*LdapSynchronizer.RestartRunnable*] server.config.DatabaseConfigurationProvider: Using configuration: 9d7bcbfcd586d0acf2fd816909b077b94807d804
    DEBUG 2015-08-05T07:54:16,014-0700 [*LdapSynchronizer.RestartRunnable*] server.config.UnionConfigurationProvider: No server local configuration to apply
    DEBUG 2015-08-05T07:54:16,030-0700 [*LdapSynchronizer.RestartRunnable*] server.config.ConfigurationPropertiesImpl: ...done initializing ConfigurationPropertiesImpl
    DEBUG 2015-08-05T07:54:16,030-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapConfig: Updating LDAP configuration 'dc-east-basic' before synchronizing
    DEBUG 2015-08-05T07:54:16,030-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapConfig: The LDAP configuration 'dc-east-basic' now synchronizes the following groups: { OU=EAST-GROUPS,OU=EAST-OBJECTS,DC=east,DC=local }
    DEBUG 2015-08-05T07:54:16,030-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapContextFactory: Creating an LDAP connection for principal 'east\spotfireLDAPaccount' to LDAP server(s) ldap://10.97.38.145:389
    DEBUG 2015-08-05T07:54:16,045-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapContextFactory: Successfully created an LDAP connection for principal 'east\spotfireLDAPaccount' to LDAP server ldap://10.97.38.145:389
    DEBUG 2015-08-05T07:54:16,045-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapProvider: Loading users for LDAP configuration dc-east-basic
    WARN 2015-08-05T07:54:16,217-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapSearcher: Error performing an LDAP search
    DEBUG 2015-08-05T07:54:16,233-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapProvider: Loading groups for LDAP configuration dc-east-basic
    DEBUG 2015-08-05T07:54:16,248-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapProvider: Creating list of groups to synchronize: synchronizing group/container OU=EAST-GROUPS,OU=EAST-OBJECTS,DC=east,DC=local
    DEBUG 2015-08-05T07:54:16,248-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapProvider: Finalizing the list of groups to synchronize
    DEBUG 2015-08-05T07:54:16,248-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapProvider: Finalizing the list of groups to synchronize: synchronizing group CN=EAST-ADMINS,OU=EAST-GROUPS,OU=EAST-OBJECTS,DC=east,DC=local
    DEBUG 2015-08-05T07:54:16,248-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapProvider: Finalizing the list of groups to synchronize: synchronizing group CN=EAST-TEST,OU=EAST-GROUPS,OU=EAST-OBJECTS,DC=east,DC=local
    WARN 2015-08-05T07:54:16,264-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapSearcher: Error performing an LDAP search
    WARN 2015-08-05T07:54:16,264-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapSearcher: Error performing an LDAP search
    WARN 2015-08-05T07:54:16,280-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapSearcher: Error performing an LDAP search
    WARN 2015-08-05T07:54:16,280-0700 [*LdapSynchronizer.RestartRunnable*] server.ldap.LdapSearcher: Error performing an LDAP search
    DEBUG 2015-08-05T07:54:16,280-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapProvider: Creating group map
    DEBUG 2015-08-05T07:54:16,280-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapProvider: Loaded principals for LDAP configuration dc-east-basic: found #37 users and #2 groups
    DEBUG 2015-08-05T07:54:16,295-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Updating the User Directory with external principals: #37 users and #2 groups
    DEBUG 2015-08-05T07:54:16,358-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Preparing to batch insert #37 users into a temporary table, using a batch size of 100
    DEBUG 2015-08-05T07:54:16,405-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Inserted #37 users into the temporary table in 47 ms
    DEBUG 2015-08-05T07:54:16,436-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Disabled #0 missing user principals
    DEBUG 2015-08-05T07:54:16,483-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.MSSQLDatabaseProvider: Updated external info for #0 existing user principals
    DEBUG 2015-08-05T07:54:16,498-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Added #0 new users
    DEBUG 2015-08-05T07:54:16,514-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Preparing to batch insert #2 groups into a temporary table, using batch size 100
    DEBUG 2015-08-05T07:54:16,530-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Inserted #2 groups into the temporary table in 16 ms
    DEBUG 2015-08-05T07:54:16,545-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Disconnected #0 missing group principals
    DEBUG 2015-08-05T07:54:16,592-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.MSSQLDatabaseProvider: Updated external info for #0 existing group principals
    DEBUG 2015-08-05T07:54:16,608-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Inserted #0 new groups
    DEBUG 2015-08-05T07:54:16,608-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Preparing to batch insert #2 group memberships into a temporary table, using a batch size of 100
    DEBUG 2015-08-05T07:54:16,655-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Inserted #8 group membership associations into the temporary table in 47 ms
    DEBUG 2015-08-05T07:54:16,717-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Removed #8 old membership associations
    DEBUG 2015-08-05T07:54:16,780-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Updated #8 membership associations
    DEBUG 2015-08-05T07:54:16,795-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: Successfully updated the User Directory with external principals
    DEBUG 2015-08-05T07:54:16,936-0700 [*LdapSynchronizer.RestartRunnable*] server.userdir.AbstractDatabaseProvider: ...done updating the User Directory with external principals
    DEBUG 2015-08-05T07:54:16,936-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapSynchronizer: Done synchronizing the User Directory with the external LDAP directory for LDAP configuration dc-east-basic
    INFO 2015-08-05T07:54:16,936-0700 [*LdapSynchronizer.RestartRunnable*] userdir.ldap.LdapSynchronizer: ...done synchronizing the User Directory with external LDAP directories at restart
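
To compare a synchronization in your own server.log against the sample above, the LdapSynchronizer lines can be reduced to one summary per run. The following is an added example, not TIBCO code: the function name is hypothetical, SAMPLE is a shortened excerpt of the log on this page, and the line layout is assumed to match that excerpt.

```python
import re

# Excerpt of the sample server.log on this page (one sync run, shortened).
T = "[*LdapSynchronizer.RestartRunnable*]"
SAMPLE = [
    f"INFO 2015-08-05T07:54:15,905-0700 {T} userdir.ldap.LdapSynchronizer: Scheduling immediate synchronization for LDAP configuration dc-east-basic",
    f"DEBUG 2015-08-05T07:54:15,905-0700 {T} userdir.ldap.LdapSynchronizer: Synchronizing the User Directory with the external LDAP directory for LDAP configuration dc-east-basic",
    f"DEBUG 2015-08-05T07:54:16,045-0700 {T} userdir.ldap.LdapProvider: Loading users for LDAP configuration dc-east-basic",
    f"WARN 2015-08-05T07:54:16,217-0700 {T} server.ldap.LdapSearcher: Error performing an LDAP search",
    f"DEBUG 2015-08-05T07:54:16,280-0700 {T} userdir.ldap.LdapProvider: Loaded principals for LDAP configuration dc-east-basic: found #37 users and #2 groups",
    f"DEBUG 2015-08-05T07:54:16,936-0700 {T} userdir.ldap.LdapSynchronizer: Done synchronizing the User Directory with the external LDAP directory for LDAP configuration dc-east-basic",
    f"INFO 2015-08-05T07:54:16,936-0700 {T} userdir.ldap.LdapSynchronizer: ...done synchronizing the User Directory with external LDAP directories at restart",
]

LINE = re.compile(r"^(?P<level>[A-Z]+)\s+(?P<ts>\S+)\s+\[(?P<thread>[^\]]+)\]\s+"
                  r"(?P<logger>\S+):\s+(?P<msg>.*)$")
START = re.compile(r"^Synchronizing the User Directory .* for LDAP configuration (\S+)")
DONE = re.compile(r"^Done synchronizing the User Directory .* for LDAP configuration (\S+)")
FOUND = re.compile(r"^Loaded principals for LDAP configuration (\S+): found #(\d+) users and #(\d+) groups")

def summarize_sync(lines):
    """Return one dict per sync run: config, counts, WARN/ERROR lines, completion."""
    runs, current = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or not m["thread"].startswith("*LdapSynchronizer"):
            continue
        msg = m["msg"]
        if (s := START.match(msg)):
            current = {"config": s[1], "started": m["ts"], "users": None,
                       "groups": None, "problems": [], "completed": False}
            runs.append(current)
        elif current is None:
            continue
        elif (f := FOUND.match(msg)):
            current["users"], current["groups"] = int(f[2]), int(f[3])
        elif DONE.match(msg):
            current["completed"] = True
            current = None
        elif m["level"] in ("WARN", "ERROR", "FATAL"):
            current["problems"].append((m["ts"], m["logger"], msg))
    return runs
```

A run with "completed" False, or with a user count lower than expected alongside entries in "problems", points at the search step (context names, filter, or account permissions) rather than the database update.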