LDAP authentication does not work on IS with short Root DN

Hello,

What product/components do you use and which version/fix level are you on?

IS 10.11 with the latest fixes

Is your question related to the free trial, or to a production (customer) instance?

production (customer) instance

What are you trying to achieve? Please describe it in detail.

Our company has complex AD structures with many OU. We used to use LDAP authentication on MWS but have moved LDAP configuration to IS recently, since we do not develop on MWS anymore. A configuration like this OU=OU1, DC=company, DC=com works properly and all users from OU1 get authenticated. This solution, however, is not acceptable, because some users are in OU=OU1, DC=company, DC=com and others in OU=OU2,
DC=company, DC=com. We have in total more than 10 OUs meaning that we have to create one LDAP-entry for every OU to cover all users in our company, which is very cumbersome. Therefore we tried to make the Root DN more general covering all existing OUs like this DC=company, DC=com. Unfortunately this solution does not work and brings exceptions like these:
2022-09-10 19:23:19 CEST [ISS.0002.0010E] (tid=100) Error querying for user xxxx: Unprocessed Continuation Reference(s)
2022-09-10 19:23:19 CEST [ISS.0012.0012W] (tid=100) Authentication of user “xxxx” failed with exception: Login Failure: all modules ignored.

The problem seems to be related to java.naming.referral that should be set to ignore.
see:

  1. PI96453: ENVIRONMENT PROPERTY "JAVA.NAMING.REFERRAL" IN "COM.SPSS.SECURITY.PROVIDER.LDAP.LDAPPROVIDERCONFIGV2" SHOULD BE CONFIGURABLE
  2. webMethods 8.2 LDAP connect - #22 by rmg
  3. Referrals in the JNDI

Unfortunately, I have no idea how to set this variable. I tried to set it in watt.server.ldap.extendedProps=java.naming.customProperty=customValue => did not help.

I tried to put it in custom_wrapper.conf as
wrapper.java.additional.400=-Djava.naming.referral=ignore => did not help.

So if anybody knows how to fix it we would much appreciate it.

Another related-question: how to set on IS LDAP filter conditions similar to (&(<condition_1>)(<condition_2>)…) => we could not find any field for this?

Thanks.

Hi @Veaceslav_Samohvalov ,
Can you please share the screenshot of the how you have configured the LDAP entry in the IS or IntegrationServer\instances<instance>\config\ldap.cnf. What is current 10.11 fix level in your environment?

Thanks.

Working configuration:

Not working configuration:

Fixes:



image (2)