Spotfire Ideas Portal
Add a new idea Subscribe
Status Future Consideration
Product Spotfire
Categories System Administration
Created by Guest
Created on Dec 11, 2017

RELATED IDEAS

Support Active Directory users who are members of cross-domain groups

We have multiple Active Directory domains due to company mergers and acquisitions. We have synchronised those domains to Spotfire successfully and generally the application works well - users can access Spotfire, we're able to synchronise group membership and use those groups within Spotfire.

 

The problem comes when we have a group that has members from one of the other trusted domains. Spotfire will not sync those users into the members of the group, even though both domains are synched to Spotfire. AD handles this by having special 'Foreign security principal' objects in the domain where the group resides and these objects point to the actual users in a trusted domain. Ideally, Spotfire would follow these links and add users from other domains into groups.

  • Attach files
  • Guest
    Reply
    |     Jan 10, 2023

    Have just seen this after posting a duplicate idea - yes, strongly support this (for multiple-forest setups where global catalog approach won't work). This would significantly reduce admin burden and time taken for issue resolution.


  • Guest
    Reply
    |     Dec 14, 2017

    Thanks Christian. We have three forests, one of which has multiple domains - so I guess my terminology wasn't terribly accurate - the problem we need to solve is the same one as you, membership that crosses forests.

  • Guest
    Reply
    |     Dec 12, 2017

    Hi Pete we also want this functionality so you beat me to it. However are you aware that Spotfire does currently support Foreign security principals (FSPs) when using the LDAP Global Calalog, all the different domains are part of the same forests and all the groups are set to "Domain Local Scope" (which is a requirement for FSPs)? Unfortunately for us our corporate domains are on different forests so using the LDAP Global Calalog wouldn't work for us. Are your company's domains on different forests? If so this Idea makes sense. The Global Catalog LDAP service listens by default on port number 3268 (LDAP) or 3269 (LDAPS). Not all DCs have the Global Catalog, see below on how to "Determine Whether a Domain Controller Is a Global Catalog Server":

    https://technet.microsoft.com/en-us/library/cc794880%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

1 MERGED

LDAP: separate configs for user and group imports for multi-domain setups.

Merged
Spotfire LDAP currently imports a user list then group membership from one LDAP config, then repeats for other LDAP configs. If groups contain members from across multiple domains, but the user queries only return users from a single domain, then ...
over 1 year ago in Spotfire / System Administration 2 Future Consideration
This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and availability dates for Spotfire products and services. It is for informational purposes only and its contents are subject to change without notice. Planning to implement - generally 6-12 months out. Likely to Implement - generally means 12-18 months out. Copyright © 2014-2023 Cloud Software Group, Inc. All Rights Reserved. Cloud Software Group, Inc. ("Company") follows the EU Standard Contractual Clauses as per the Company's Data Processing Agreement. Terms of Use | Privacy Policy | Trademarks | Patents | Contact Us