Active Directory LDAP authentication to Reporter fails when the LDAP search user does not have "read" permissions to specific objects.
Article ID: 165335

Products

Reporter

Issue/Introduction

The Reporter LDAP search user requires full read rights to the entire LDAP tree.  

Example scenario:

In Active Directory, User01 is a member of Groups A, B, and C, but only Group A is defined with a role in Reporter, and given access to a Database.

The LDAP search user defined in Reporter (User02) has read access to Group A, but has no rights to Group C, which is located within an OU that the LDAP search user cannot see because it has no rights to it. The AD administrator has also ensured that User02 does not have rights to this OU or object.

Because of this, a valid login attempt to Reporter from User01 fails even though all permissions that should be necessary for this to work have been given to the search user. The search user has all necessary rights to read Group A, which is all that should be required to set up access in Reporter.
 

Root cause:
This is caused by the way Reporter queries LDAP in authentication attempts:

Reporter sends a query to the LDAP server requesting a list of all groups a particular user is a member of. Then, it goes down the list of groups, listing all members of each group until it comes across the group that is defined with a role in Reporter. If it finds the user inside the configured group for this role, it grants the user the Role, along with the rights and database allocated to that role.

In this specific case, Reporter starts going down the list of groups that User01 is a member of; however, if it tries to access a group that the search user does not have permission to access, it fails.  At this point, the whole process fails, and Reporter never finds the user in the correct group.
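The following Python model, added here as an illustration and not part of the Reporter product or this article, reproduces the group walk described above against a small constructed in-memory directory. The directory DNs, the ACL model (a list of subtree DNs the search user may read) and the role mapping are all assumptions made for the example. It shows that a single unreadable group aborts the whole walk before Group A is reached, and includes a pre-flight check that lists the groups the search user cannot read, which is the information an administrator needs before granting the wider read rights described in the Resolution.

```python
"""Model of the Reporter LDAP group walk (constructed example, not Reporter code)."""

BASE_DN = "DC=example,DC=com"  # constructed base DN

# Constructed directory contents: DN -> attributes. Group C sits in an OU the
# restricted search user cannot read. AD does not guarantee the order of the
# memberOf values, so the walk may reach the unreadable group first.
USER01 = f"CN=User01,OU=Users,{BASE_DN}"
GROUP_A = f"CN=GroupA,OU=Groups,{BASE_DN}"
GROUP_B = f"CN=GroupB,OU=Groups,{BASE_DN}"
GROUP_C = f"CN=GroupC,OU=Restricted,{BASE_DN}"

DIRECTORY = {
    USER01: {"memberOf": [GROUP_C, GROUP_B, GROUP_A]},
    GROUP_A: {"member": [USER01]},
    GROUP_B: {"member": [USER01]},
    GROUP_C: {"member": [USER01]},
}

# Reporter role mapping (constructed): only Group A carries a role.
ROLE_GROUPS = {GROUP_A: "DatabaseReader"}

# ACLs for the search user, modelled as subtrees it may read (assumption).
RESTRICTED_ACL = [f"OU=Users,{BASE_DN}", f"OU=Groups,{BASE_DN}"]
FULL_READ_ACL = [BASE_DN]  # read rights from the base DN down, as in the Resolution


class LdapInsufficientAccess(Exception):
    """Raised when the search user may not read the requested object."""


def can_read(search_user_acl, dn):
    """True if dn lies inside a subtree the search user is allowed to read."""
    return any(dn.endswith(subtree) for subtree in search_user_acl)


def ldap_read(dn, attribute, search_user_acl):
    """Simulated LDAP read of one attribute, enforcing the search user's ACL."""
    if not can_read(search_user_acl, dn):
        raise LdapInsufficientAccess(dn)
    return list(DIRECTORY.get(dn, {}).get(attribute, []))


def reporter_authenticate(user_dn, search_user_acl):
    """Walk the user's groups as described in the article.

    Returns the role name of the first role-bearing group containing the user,
    None if no such group exists, and raises LdapInsufficientAccess as soon as
    a group on the list cannot be read (the whole process fails at that point).
    """
    groups = ldap_read(user_dn, "memberOf", search_user_acl)
    for group_dn in groups:
        members = ldap_read(group_dn, "member", search_user_acl)  # may raise
        if group_dn in ROLE_GROUPS and user_dn in members:
            return ROLE_GROUPS[group_dn]
    return None


def preflight_check(user_dn, search_user_acl):
    """List the groups of user_dn that the search user cannot read.

    An empty list means the group walk can complete for this user.
    """
    groups = ldap_read(user_dn, "memberOf", search_user_acl)
    return [g for g in groups if not can_read(search_user_acl, g)]


if __name__ == "__main__":
    print("unreadable groups (restricted):", preflight_check(USER01, RESTRICTED_ACL))
    try:
        reporter_authenticate(USER01, RESTRICTED_ACL)
    except LdapInsufficientAccess as err:
        print("login fails, cannot read:", err)
    print("role with full read:", reporter_authenticate(USER01, FULL_READ_ACL))
```

Run with the restricted ACL, the walk stops at Group C with an access error even though User01 is a member of Group A; with read rights from the base DN down it returns the Group A role. The `preflight_check` function is the check to run before changing permissions: it names exactly the groups whose OUs the search user still cannot read.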

Resolution

The only workaround at this time is to allow the LDAP search user full read rights to the entire Active Directory tree, that is, from the BASE DN down. After this is done, LDAP authentication works correctly in Reporter. If you would like to discuss this issue with Symantec personnel, please log a service request and quote this article.

NOTE1: Microsoft Active Directory (AD) has a restriction of only ever sending back 1500 objects, which limits the search to that many objects. See MS31071. If too many groups are requested and their number surpasses this limit, a failure might occur.

NOTE2: For more detailed information on how to set up LDAP in Reporter, see 000013348.