You can configure Spotfire Server to integrate with external directories such as LDAP directories or Windows domains.

Spotfire Server keeps track of which domain every user belongs to. Users who are created by an administrator directly within Spotfire Server belong to the SPOTFIRE domain. When the user directory is configured for Database mode, this is the domain that is used.

External users keep their domain name from the external directory, and the domain name appears as part of their user name throughout the Spotfire interface.
The supported external directories can have domain names in two forms:
- DNS domain names, for example "research.example.com". A complete user name looks like this: someone@research.example.com.
- NetBIOS domain names, for example "RESEARCH". A complete user name looks like this: RESEARCH\someone.
When configuring Spotfire Server, the desired domain name style must be set before the server is started for the first time. The domain name style to use depends on the combination of authentication method and user directory of your Spotfire implementation.

Note: Be careful when selecting a domain name style for your system; it affects what information Spotfire Server stores within the Spotfire database. The domain name style can be changed later using the switch-domain-name-style command only if the user directory is in LDAP mode and is synchronizing with an Active Directory server. For other user directory modes, there are no tools to alter that information if the domain name style later needs to be changed.
Below is a matrix showing which domain name style to use for different combinations of authentication method and user directory. Combinations that are not supported are marked "—".

Spotfire Server will warn, and even refuse to start, if you try to set up an authentication method and a user directory with incompatible domain name styles. If for some reason you need to go ahead with an officially incompatible configuration, you will need to set the allow incompatible domain name styles configuration property to make the server start at all. One way to handle this could be a custom post-authentication filter that creates a bridge between the two originally incompatible domain name styles. (The allow incompatible domain name styles option can be set using the config-userdir command. For information about custom post-authentication filters, see Post-authentication filter.)
Collapse Domains Configuration Property Enabled

Rows are authentication methods; columns are user directory types.

| Authentication method | Database | LDAP/AD | LDAP/other | Windows NT |
|---|---|---|---|---|
| Basic database | NetBIOS (DNS) | — | — | — |
| Basic/LDAP/AD | NetBIOS (DNS) | NetBIOS (DNS) | NetBIOS (DNS) | — |
| Basic/LDAP/other | NetBIOS (DNS) | NetBIOS (DNS) | NetBIOS (DNS) | — |
| Basic/Windows NT | — | — | — | NetBIOS (DNS) |
| NTLM | NetBIOS (DNS) | NetBIOS (DNS) | NetBIOS (DNS) | — |
| Kerberos | NetBIOS (DNS) | NetBIOS (DNS) | NetBIOS (DNS) | — |
| X.509 Client Certs. | NetBIOS (DNS) | NetBIOS (DNS) | NetBIOS (DNS) | — |

— Unsupported combination of authentication method and user directory.
Collapse Domains Configuration Property Not Enabled

Rows are authentication methods; columns are user directory types.

| Authentication method | Database | LDAP/AD | LDAP/other | Windows NT |
|---|---|---|---|---|
| Basic database | NetBIOS, DNS | — | — | — |
| Basic/LDAP/AD | NetBIOS, DNS | NetBIOS, DNS | # | — |
| Basic/LDAP/other | NetBIOS, DNS | # | DNS | — |
| Basic/Windows NT | — | — | — | NetBIOS, DNS |
| NTLM | NetBIOS, DNS | NetBIOS, DNS | # | — |
| Kerberos | NetBIOS, DNS | NetBIOS, DNS | DNS | — |
| X.509 Client Certs. | NetBIOS, DNS | NetBIOS, DNS | DNS | — |

Note: NetBIOS is the recommended domain name style, but DNS will also work.

— Unsupported combination of authentication method and user directory.

\# For this combination of authentication method and user directory, enable the collapse domains option.
A consequence of the new domain tracking is that users may have to provide the domain names as part of their user names when logging in to Spotfire Server. For the Basic/LDAP and Basic/Windows NT authentication methods, the setting of the wildcard domain configuration property decides how the server maps a user to a domain during authentication. When the wildcard domain configuration property is enabled (this is the default), Spotfire Server checks whether the user name contains a domain name, and if it does, that domain name is used. If not, the server attempts to authenticate the user with the provided user name and password in every domain it knows about, until the combination of domain name, user name, and password results in a successful authentication, or until there are no more domain names to try. If the wildcard domain configuration property is turned off, the domain name must be specified by the user unless the user belongs to the configured default domain. This can be configured in the configuration tool.

Note: If the wildcard domain configuration property is enabled and two identically named users in different domains have the same password, there is a risk that the wrong account will be selected when one of these users logs in. Thus, if security has a higher priority than user convenience, make sure to turn off the wildcard domain configuration property. There is also the risk that multiple authentication attempts will lock out the "correct" user.
Spotfire Server provides a configuration property that reverts to the behavior from previous releases. The configuration property is called collapse-domains, and enabling it means that the external domain of a user is essentially ignored, and that different users with the same user name, but in different domains, will share an account on Spotfire Server. When the collapse-domains configuration property is enabled, all external users and groups will be associated with the SPOTFIRE domain, regardless of which domain they belong to in the external directory.

If you want to keep running Spotfire Server without ever caring about domain names, enable both the collapse-domains and wildcard-domain configuration properties. Doing so will ensure that all users belong to the internal SPOTFIRE domain, and no users will have to enter a domain name when logging in. (The collapse-domains configuration property can be set in the configuration tool or by using the config-userdir command.)

Note: All users will belong to one domain when the collapse-domains configuration property is enabled. If there are multiple users with the same account name in different external domains, they will now effectively share the same account within Spotfire Server. If security has a higher priority than user convenience, make sure not to enable the collapse-domains configuration property.
Note: It is not recommended to change the collapse-domains configuration property after having once synchronized Spotfire Server with an external directory. Doing so creates double accounts with different domain names for every synchronized user and group in the user directory. The new accounts do not inherit the permissions of the old accounts.
Copyright © TIBCO Software Inc. All rights reserved.