PQ61834: DO NOT RE-VALIDATE GROUP DN IF DN COMES FROM LDAP

A fix is available
WebSphere Application Server Version 3.5 Fix Pack 7 (3.5.7)

APAR

APAR status
Closed with unknown close code.

Error description
In LDAP, group memberships for each user are stored and
retrieved as valid Distinguished Names.  After finding a
user's group memberships, it is not necessary to re-validate
each group against the LDAP server.  Not re-validating each
group has two benefits.  One is a performance improvement, in
particular when a user belongs to too many groups: WAS does not
have to validate against each group.  The other is that groups
to which the user belongs but which are not used by WebSphere
security are not validated.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users using LDAP registry.                   *
****************************************************************
* PROBLEM DESCRIPTION: WebSphere performs unnecessary group    *
*                      Distinguished Name validation.          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere revalidates group DNs returned from LDAP.  In LDAP,
group memberships for each user are stored and retrieved as
valid Distinguished Names.  After finding a user's group
memberships, it is not necessary to re-validate each group
against the LDAP server.  Not re-validating each group has
two benefits: one is a performance improvement, in particular
when a user belongs to too many groups; the other is that
groups to which the user belongs but which are not used by
WebSphere security are not validated.
Problem conclusion
Group DNs returned from LDAP are now not validated.
Temporary fix
Provide both a workaround and a test eFix to the customer.
Comments
APAR information
APAR number: PQ61834
Reported component name: WEBSPHERE AE SO
Reported component ID: 5648C8402
Reported release: 350
Status: CLOSED
PE: NoPE
HIPER: NoHIPER
Submitted date: 2003-03-03
Closed date: 2003-03-03
Last modified date: 2003-03-17

APAR is sysrouted FROM one or more of the following:
PQ67062

APAR is sysrouted TO one or more of the following:


Modules/Macros
SECURITY

Fix information
Fixed component name: WEBSPHERE AE SO
Fixed component ID: 5648C8402

Applicable component levels
R400 PSYUP











Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ61834
IBM Group: Software Group
Modified date: 2003-03-17