Connections Content Manager and Cognos integration (i.e. Metrics) is not working for LDAP users in environments where the LDAP server is Domino AND complex LDAP search filters (for example nested boolean queries) have been specified in Federated Repositories configuration.
In other words, when LDAP users try to access a community library they have the following error: “The library may have been deleted or modified, or your access may have changed. Try reloading. If that fails, contact the library owner.”
OR: When user clicks into the Library, there is no “Upload Files” or “New Folder” buttons present, even though they are a Community Member or Owner.
This does not happen for non-LDAP local users like ‘wasadmin’.
For Cognos integration, the problem manifests itself when it’s not possible to add LDAP users to the IbmConnectionsMetricsAdmin role, but it is possible to add non-LDAP local users like ‘wasadmin’.
This is a known issue for Domino LDAP server that is tracked in SPR #CAHT959LQG.
Complex LDAP search filters (for example nested boolean queries) return no results from Domino LDAP.
The issue is independent from the use of wildcards or how the query is formulated, basically no results are returned even though a directory entry exists that matches the search attributes. Normal queries work as expected.
This is a normal query: (&(uid=tuser)(cn=test user)(objectClass=dominoPerson))
This is a nested query: (&(uid=tuser)(&(cn=test user)(objectClass=dominoPerson)))
IBM Connections 4.5
An example of a complex search filter is shown in the screen shot below. In the Federated Repositories configuration for the Domino LDAP being used for Connections, there is a filter set in the LDAP Entity Type for PersonAccount, i.e. (&(objectclass=dominoPerson)(availablefordirsync=1))
Diagnosing the problem
Remove the search filter from the Federated Repositories configuration for the Domino LDAP, synch the nodes and restart the Connections environment (including the nodeagent(s) and deployment manager).
Then retest the CCM or Cognos issue in Connections. If it now works OK, then it’s very likely you are experiencing this issue.
Resolving the problem
Contact Domino Support to obtain a Hotfix for SPR CAHT959LQG for your specific Domino version.
However, the fix for this issue could introduce a performance degradation when there are many nested groups. Due to the performance regression potential, IBM is doing 2 things: 1. Working on an interim fix for 8.5.3 FP6 that disables this code path by default and adds the ini LDAP_COMPLEX_FILTER=1. This ini won’t be active until 8.5.3 FP6 Interim Fix 1 and 9.0.1 Fix Pack 2. It will be documented under SPR MJON9GQHLL. 2. Working on a better solution that will not introduce a performance regression.