Users from two different LDAP Domain trees need to access Performance Center.

When configuring the LDAP integration only a single Search Domain value can be entered.

When doing this, if users in a different LDAP Domain tree attempt to log in they are faced with a message about invalid user access.

In the Performance Center SSOService.log files we see messages like this for the same users failed log in attempts.

2020-11-25 09:30:00, Product Code: pc, Username: <UserName>, Remember Me: false, SSO version: 7.0, Remote Host: <IP_Address>, Redirect URL: http://<PC_Host>:8181/pc/desktop/page, Error Message: Unable to authenticate user.

All supported Performance Management releases

The user is not in the defined Search Domain tree in the LDAP configuration.

In order for this to work with Performance Management we have two paths to choose from.

1. If not already configured this way set up the LDAP Domain trees so that the two containing the target users are found under a single higher level tree above.
   1. Modify the configured Search Domain to represent the tree above the two where the users are found.
   2. Ensure the Search Scope is configured for 'subtree'.
      • This tells the configuration to search all sub-trees under the configured Search Domain tree.
      • Use of the onelevel or base options for Search Scope will cause this process to fail.
2. Move users in LDAP configuration so that they are all found in the same LDAP Domain tree or those under it.
   1. Ensure the Search Domain is set to the tree that will result in a search of trees underneath which contain the target users to be found.
   2. Ensure the Search Scope is configured for 'subtree'.
      • This tells the configuration to search all sub-trees under the configured Search Domain tree.
      • Use of the onelevel or base options for Search Scope will cause this process to fail.

Set Up LDAP Authentication documentation