Active Directory - Excluding Users

[Skippystrand]

Ran into an issue with an Active Directory Group that has thousands of User ID's. Within the Cognos 10 admin tool, when we query that user group, it only brings up 103 user ID's, and the rest of the ID's were either ignored or not read.  As a result, users who are not within those 103 are being denied access.

I eyeballed members that were accepted, and saw that characters, back slashes, forward slashes and periods were all being accepted. It does not appear to be rejecting members for unusual characters.

Any thoughts??

[AussiePete2011]

Hi there

Just out of curiousity if you download the Softera LDAP browser and use the same BASE DN and bind credentials do you pull back the same number of users?

The BASE DN entry determines from where you start the search in the ADS tree.

Cheers
Peter B

[Skippystrand]

Peter~

I'll take a stab...perhaps this will identify it for us....

[Skippystrand]

Peter - Tried this with various LDAP Browsers, including the one you submitted. Received the same error.

Question: The Cognos Environment in on Linux, and LDAP is Windows. Would this cause compatibility issues within the AD Group?

[AussiePete2011]

Hi there

It depends on how you set up the namespace.  Because Cognos is sitting on Linux, keberos is not directly supported so you wont see Active Directory in the dropdown for the Authentication sources.  You're using LDAP and there is some setting up on Linux to be done to get AD working correctly.

If this is really urgent, for you to get this system up and running, I'd install the Content Manager on Windows and configure authentication using LDAP as seen on LInux and test to confirm you do have access.  This install can be disabled without affecting your overall C8 install.

Assuming you can connect then the next step is to look at the version of Linux and kernel and turn on LDAP tracing.
See http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP
Its suggested to use a utility called wireshark.  This is an ethernet sniffer so you may need to get IT permission to install it but it should give you more information on the real error.

Also see
http://publib.boulder.ibm.com/infocenter/c8bi/v8r4m0/topic/com.ibm.swg.im.cognos.inst_cr_winux.8.4.0.doc/inst_cr_winux_id26415GroupMembershipisMissingFromActive.html#GroupMembershipisMissingFromActiveDirectoryNamespace

I vaguely remember an issue where a similar problem occurred and it was due to a setting on AD that stopped large blocks of information being returned.
See http://technet.microsoft.com/en-us/library/aa996478%28EXCHG.65%29.aspx

This is how AD searches and is only added as a reference
http://technet.microsoft.com/en-us/library/cc755809%28WS.10%29.aspx
Let me know how you get on.
Cheers
Peter B

[Skippystrand]

Pete~

These are great bits of information!

I assume that these will also apply to Cognos 10 <I noticed several times your mentioned 8.4>?

[AussiePete2011]

Hi there.

Thanks for the feedback.  Yeap same for 10 as is for 8.4.x.

Let me know how you get on.
Cheers
Peter B