IS 10.11 with the latest fixes
production (customer) instance
Our company has complex AD structures with many OUs. We used to use LDAP authentication on MWS but have moved the LDAP configuration to IS recently, since we do not develop on MWS anymore. A configuration like this: OU=OU1, DC=company, DC=com works properly and all users from OU1 get authenticated. This solution, however, is not acceptable, because some users are in OU=OU1, DC=company, DC=com and others in OU=OU2, DC=company, DC=com. We have in total more than 10 OUs, meaning that we have to create one LDAP entry for every OU to cover all users in our company, which is very cumbersome. Therefore we tried to make the Root DN more general, covering all existing OUs, like this: DC=company, DC=com. Unfortunately this solution does not work and brings exceptions like these:
2022-09-10 19:23:19 CEST [ISS.0002.0010E] (tid=100) Error querying for user xxxx: Unprocessed Continuation Reference(s)
2022-09-10 19:23:19 CEST [ISS.0012.0012W] (tid=100) Authentication of user “xxxx” failed with exception: Login Failure: all modules ignored.
The problem seems to be related to java.naming.referral that should be set to ignore.
- PI96453: ENVIRONMENT PROPERTY "JAVA.NAMING.REFERRAL" IN "COM.SPSS.SECURITY.PROVIDER.LDAP.LDAPPROVIDERCONFIGV2" SHOULD BE CONFIGURABLE
- webMethods 8.2 LDAP connect - #22 by rmg
- Referrals in the JNDI
Unfortunately, I have no idea how to set this variable. I tried to set it in watt.server.ldap.extendedProps=java.naming.customProperty=customValue => did not help.
I tried to put it in custom_wrapper.conf as
wrapper.java.additional.400=-Djava.naming.referral=ignore => did not help.
So if anybody knows how to fix it we would much appreciate it.
Another related question: how to set LDAP filter conditions on IS, similar to (&(<condition_1>)(<condition_2>)…)? We could not find any field for this.
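An added example, not part of the original post: a short Python script that correlates the two log entries quoted above by thread id, so that authentication failures preceded by an LDAP lookup error (such as the unprocessed referral) can be told apart from failures with no directory error behind them. The sample log is constructed from the post's two lines plus one constructed entry; the function name and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first two lines follow the post's log excerpt,
# the third is a constructed failure with no preceding directory error.
SAMPLE_LOG = """\
2022-09-10 19:23:19 CEST [ISS.0002.0010E] (tid=100) Error querying for user xxxx: Unprocessed Continuation Reference(s)
2022-09-10 19:23:19 CEST [ISS.0012.0012W] (tid=100) Authentication of user "xxxx" failed with exception: Login Failure: all modules ignored.
2022-09-10 19:25:02 CEST [ISS.0012.0012W] (tid=104) Authentication of user "yyyy" failed with exception: Login Failure: all modules ignored.
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ '
    r'\[(?P<code>ISS\.\d{4}\.\d{4}[A-Z])\] \(tid=(?P<tid>\d+)\) (?P<msg>.*)$')
QUERY_ERR = re.compile(r'Error querying for user (?P<user>\S+): (?P<cause>.*)$')
# Accept straight or typographic quotes around the user name.
AUTH_FAIL = re.compile(
    r'Authentication of user ["\u201c](?P<user>[^"\u201d]+)["\u201d] failed')
WINDOW = timedelta(seconds=5)  # assumed maximum gap between the two entries


def classify_failures(log_text):
    """Return (timestamp, user, reason) for every authentication failure.

    reason is 'directory-error: <cause>' when the same thread logged an LDAP
    query error for that user within WINDOW, otherwise 'no-directory-error'.
    """
    pending = {}  # (tid, user) -> (time, cause) of the last query error
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = QUERY_ERR.match(m["msg"])
        if q and m["code"] == "ISS.0002.0010E":
            pending[(m["tid"], q["user"])] = (ts, q["cause"])
            continue
        a = AUTH_FAIL.match(m["msg"])
        if a and m["code"] == "ISS.0012.0012W":
            # pop() so a reused thread id cannot inherit a stale error
            prev = pending.pop((m["tid"], a["user"]), None)
            linked = prev is not None and ts - prev[0] <= WINDOW
            reason = "directory-error: " + prev[1] if linked else "no-directory-error"
            results.append((m["ts"], a["user"], reason))
    return results


if __name__ == "__main__":
    for row in classify_failures(SAMPLE_LOG):
        print(*row, sep=" | ")
```

Failures tagged `directory-error` point at the LDAP configuration rather than at the user's credentials, which keeps them out of the way when reviewing the same log for password guessing.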