IBM CCM and Cognos integration fails to look up users in environments using Domino LDAP with complex LDAP search filters.


Source: IBM TechNote 1672398

Problem

Connections Content Manager and Cognos integration (i.e. Metrics) is not working for LDAP users in environments where the LDAP server is Domino AND complex LDAP search filters (for example nested boolean queries) have been specified in Federated Repositories configuration.

Symptom

For CCM, the symptoms are the same as described in the following Technotes:
http://www.ibm.com/support/docview.wss?uid=swg21664341
http://www.ibm.com/support/docview.wss?uid=swg21666357

In other words, when LDAP users try to access a community library, they receive the following error:
“The library may have been deleted or modified, or your access may have changed. Try reloading. If that fails, contact the library owner.”

OR:
When the user clicks into the Library, no “Upload Files” or “New Folder” buttons are present, even though the user is a Community Member or Owner.

This does not happen for non-LDAP local users like ‘wasadmin’.

————————————————————————————————————————————————

For Cognos integration, the problem manifests as an inability to add LDAP users to the IbmConnectionsMetricsAdmin role, although non-LDAP local users like ‘wasadmin’ can be added.


Cause

This is a known issue in the Domino LDAP server that is tracked in SPR #CAHT959LQG.
Complex LDAP search filters (for example nested boolean queries) return no results from Domino LDAP.
The issue is independent of the use of wildcards and of how the query is formulated: no results are returned even though a directory entry exists that matches the search attributes. Normal queries work as expected.

This is a normal query:
(&(uid=tuser)(cn=test user)(objectClass=dominoPerson))

This is a nested query:
(&(uid=tuser)(&(cn=test user)(objectClass=dominoPerson)))

Environment

IBM Connections 4.5
Domino LDAP

An example of a complex search filter is shown in the screen shot below.
In the Federated Repositories configuration for the Domino LDAP being used for Connections, there is a filter set in the LDAP Entity Type for PersonAccount, i.e.
(&(objectclass=dominoPerson)(availablefordirsync=1))
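
The two query shapes shown under Cause can be told apart mechanically. The following added example (not code from the technote or from IBM) parses a filter, reports whether its boolean groups are nested, and rewrites same-operator nesting into the flat form; the idea that the configured PersonAccount filter ends up wrapped around a uid lookup is an assumption made for illustration.

```python
# Added example (not from the technote): classify RFC 4515 filters as flat or nested.
# Literal parentheses in values are hex-escaped (\28, \29), so "(" and ")" only delimit.
NORMAL = "(&(uid=tuser)(cn=test user)(objectClass=dominoPerson))"     # page's normal query
NESTED = "(&(uid=tuser)(&(cn=test user)(objectClass=dominoPerson)))"  # page's nested query

def parse(f, i=0):
    """Parse the component starting at f[i]; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op and op in "&|!":
        children, i = [], i + 2
        while f[i:i + 1] == "(":
            child, i = parse(f, i)
            children.append(child)
        if f[i:i + 1] != ")" or not children:
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, children), i + 1
    end = f.find(")", i)
    if end <= i + 1 or "(" in f[i + 1:end]:
        raise ValueError(f"malformed item at offset {i}")
    return f[i + 1:end], end + 1

def parse_filter(f):
    node, end = parse(f)
    if end != len(f):
        raise ValueError("trailing characters after filter")
    return node

def depth(node):
    # Number of boolean operators stacked on the deepest path (0 for a plain item).
    return 0 if isinstance(node, str) else 1 + max(map(depth, node[1]))

def is_nested(f):
    return depth(parse_filter(f)) > 1

def flatten(node):
    """Merge a child group into its parent when both use the same & or |."""
    if isinstance(node, str):
        return node
    op, merged = node[0], []
    for child in map(flatten, node[1]):
        same = op in "&|" and not isinstance(child, str) and child[0] == op
        merged.extend(child[1] if same else [child])
    return (op, merged)

def render(node):
    if isinstance(node, str):
        return f"({node})"
    return "(" + node[0] + "".join(map(render, node[1])) + ")"
```

Under the stated assumption, `is_nested("(&(uid=tuser)(&(objectclass=dominoPerson)(availablefordirsync=1)))")` returns `True` even though the configured filter on its own is flat, and `render(flatten(parse_filter(NESTED)))` gives back the normal query.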


Diagnosing the problem

Remove the search filter from the Federated Repositories configuration for the Domino LDAP, synchronize the nodes and restart the Connections environment (including the nodeagent(s) and deployment manager).
Then retest the CCM or Cognos issue in Connections. If it now works OK, then it’s very likely you are experiencing this issue.


Resolving the problem

Contact Domino Support to obtain a Hotfix for SPR CAHT959LQG for your specific Domino version.

However, the fix for this issue could introduce a performance degradation when there are many nested groups. Due to the performance regression potential, IBM is doing 2 things:
1. Working on an interim fix for 8.5.3 FP6 that disables this code path by default and adds the ini LDAP_COMPLEX_FILTER=1. This ini won’t be active until 8.5.3 FP6 Interim Fix 1 and 9.0.1 Fix Pack 2. It will be documented under SPR MJON9GQHLL.
2. Working on a better solution that will not introduce a performance regression.
