Fixes for: PQ51744, PQ52698, PQ53935, PQ51768, PQ51924, PQ48364, PQ60658
Fixes included for allowing the user to configure an LDAP search time out and for allowing the user to use LDAP server clusters.
Download Description
This is a cumulative interim fix with the following fixes:
APAR: PQ51744
What is fixed:
1) Allow the user to configure an LDAP search operation time out, the maximum time to wait for results from the server.
2) Allow the user to use LDAP server clusters. Before this fix, WebSphere worked only with a single LDAP server.
How to implement the fix:
1) The IBM JNDI default time out is 5 minutes, which means the maximum time to wait for results from the LDAP server is 5 minutes. While a search is waiting, the thread that issued it (typically an authentication request) is blocked.
With this fix, you can change the time out to a desired value in milliseconds by adding the property jndi_ldap_timeout to admin.config. Choose a value above the directory's normal response time under load but well below 5 minutes. The following statement changes the default to 60 seconds:
jndi_ldap_timeout=60000
2) WebSphere security maintains and reuses the same InitialDirContext (and thus the same connection to the LDAP server) for all search operations. This might not work with an LDAP cluster: when the LDAP servers are clustered, a router sits between JNDI and the servers, JNDI has no control over which server it is talking to, and a context bound to one server may stop working, so the context must be replaced. If you use LDAP clusters, you are required to create a new InitialDirContext (and thus open a new connection to the LDAP server) for each search operation.
To open a new connection for each operation, add the property jndi_ldap_new_connection_flag=true to admin.config. Note that each search then pays the cost of a new connection and bind, so the jndi_ldap_timeout value above also bounds how long a failed connection attempt can hold up a request.
This property defaults to false, that is, a single LDAP server is assumed.
jndi_ldap_new_connection_flag=true
3) After modifying admin.config, add the jar file PQ51744-353.jar to the class path and restart the admin server.
APAR: PQ52698 & PQ53935
What is fixed:
Unnecessary calls to LDAP were removed and queries for getting the groups a user belongs to were optimized to return only necessary data. This greatly increases authentication performance in certain circumstances.
APAR: PQ51768
What is fixed:
An LDAP server is configured as the WSAS security user registry, but the LDAP server contains users whose distinguished names have a space appended to the name. WSAS security did not interpret this trailing embedded space correctly, so the user's DN did not match the DN in the authorization mapping, causing authorization failures when trying to access secured resources.
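The failure described above is a DN comparison problem: the directory returns "CN=Bob Smith ,OU=..." while the role mapping holds "cn=Bob Smith,ou=...", and a plain string comparison treats them as different users. The following is an added example, not WebSphere or IBM code, showing how to normalize distinguished names before comparing them: it splits on unescaped separators, drops unescaped leading and trailing spaces (keeping an escaped "\ " as significant, per RFC 4514), decodes escapes, and case-folds attribute types and the values of attributes assumed to use caseIgnoreMatch. CASE_IGNORE_TYPES, the sample DNs and the two authorization functions are all constructed for the example.

```python
import re

# Attribute types assumed to use caseIgnoreMatch (cn, ou, dc, ...); values of
# other types are compared exactly. This set is an assumption for the example.
CASE_IGNORE_TYPES = {"cn", "ou", "o", "dc", "l", "st", "c", "uid", "sn"}

# RFC 4514 escape: a backslash followed by two hex digits, or by one character.
_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2}|.)")


def _split_unescaped(text, sep):
    """Split on sep, ignoring separators that are escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _strip_insignificant_space(raw):
    """Drop unescaped leading/trailing spaces; keep an escaped '\\ ' (significant)."""
    raw = raw.lstrip(" ")
    while raw.endswith(" "):
        j = len(raw) - 1
        while j > 0 and raw[j - 1] == "\\":
            j -= 1
        if (len(raw) - 1 - j) % 2:    # odd number of backslashes: the space is escaped
            break
        raw = raw[:-1]
    return raw


def _unescape(value):
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        value,
    )


def normalize_dn(dn):
    """Return a canonical tuple of RDNs, each a sorted tuple of (type, value)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr, _, raw = ava.partition("=")
            attr = attr.strip().lower()          # attribute types are case-insensitive
            value = _unescape(_strip_insignificant_space(raw))
            if attr in CASE_IGNORE_TYPES:
                value = value.lower()
            avas.append((attr, value))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def dn_equal(a, b):
    return normalize_dn(a) == normalize_dn(b)


# Constructed sample data: the DN stored in the role mapping, and the DN the
# directory returned for the same user, with a trailing space as in PQ51768.
ROLE_MEMBER_DNS = ["cn=Bob Smith,ou=Users,o=example"]
DIRECTORY_DN = "CN=Bob Smith ,OU=Users,O=example"


def naive_is_authorized(user_dn, allowed):
    """Plain string comparison: fails on case and on the trailing space."""
    return user_dn in allowed


def is_authorized(user_dn, allowed):
    """Comparison on normalized DNs: the behaviour the fix restores."""
    return any(dn_equal(user_dn, d) for d in allowed)


if __name__ == "__main__":
    print("naive:", naive_is_authorized(DIRECTORY_DN, ROLE_MEMBER_DNS))   # False
    print("normalized:", is_authorized(DIRECTORY_DN, ROLE_MEMBER_DNS))    # True
```

The normalization is deliberately one-directional: it never rewrites the DN that is sent back to the directory, only the form used for comparison, so an authorization decision cannot be changed by whitespace the directory happens to return.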
APAR: PQ51924
APAR: PQ48364
APAR: PQ60658
System properties beginning with "java.naming." or "com.ibm.jndi." are automatically used when creating initial directory contexts; among other uses, this makes it possible to disable LDAP alias de-referencing and to set other JNDI properties.
What is fixed:
WebSphere performance issue when using MS Active Directory as the LDAP server
How to configure:
- Start AdminClient
- Go to set Global Security Wizard
- Click on User Registry
- Click Advanced
- In the 'Group Member ID Map' field, append an objectCategory entry to the existing value, so that the field reads:
group:member;objectCategory:member
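The map entries above determine the search that finds a user's groups. The following is an added example, not WebSphere code: it parses a 'Group Member ID Map' value of the form objectclass:attribute;objectclass:attribute, and builds one search filter per entry with the user's DN escaped per RFC 4515 before it is placed in the filter. The rendering of the objectCategory entry as (objectCategory=group) is an assumption about what the fix does; the page does not document the exact filter WebSphere issues. The rationale is that objectCategory is an indexed attribute in Active Directory, so a filter on it is served from an index, while a filter on objectClass historically was not. GROUP_MEMBER_ID_MAP and the sample DNs are constructed inputs.

```python
# Constructed input: the field value from the PQ60658 configuration step.
GROUP_MEMBER_ID_MAP = "group:member;objectCategory:member"

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def parse_member_id_map(value):
    """'objectclass:attribute;objectclass:attribute' -> [(objectclass, attribute), ...]"""
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, attr = item.partition(":")
        if not sep or not key.strip() or not attr.strip():
            raise ValueError("malformed Group Member ID Map entry: %r" % item)
        entries.append((key.strip(), attr.strip()))
    return entries


def escape_filter_value(value):
    """Escape a value before interpolating it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_search_filters(member_id_map, user_dn, ad_group_category="group"):
    """
    One search filter per map entry, each finding the groups whose membership
    attribute contains user_dn. Assumption (not from the page): an entry keyed
    'objectCategory' is rendered as (objectCategory=group) rather than
    (objectClass=objectCategory), which is what makes the AD-specific entry
    useful, since objectCategory is indexed in Active Directory.
    """
    dn = escape_filter_value(user_dn)
    filters = []
    for key, attr in member_id_map:
        if key.lower() == "objectcategory":
            filters.append("(&(objectCategory=%s)(%s=%s))" % (ad_group_category, attr, dn))
        else:
            filters.append("(&(objectClass=%s)(%s=%s))" % (key, attr, dn))
    return filters


if __name__ == "__main__":
    entries = parse_member_id_map(GROUP_MEMBER_ID_MAP)
    for f in group_search_filters(entries, "CN=Bob Smith,OU=Users,DC=example,DC=com"):
        print(f)
    # A DN containing filter metacharacters cannot break out of the filter:
    print(group_search_filters(entries, "cn=*)(objectClass=*")[0])
```

The escaping step is the part worth keeping even if the filter layout differs from what the product generates: the DN placed in the filter comes from the directory or from the user's login, and without escaping a value such as cn=*)(objectClass=* changes the meaning of the query.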
Prerequisites
WebSphere Application Server 3.5.4, 3.5.5, 3.5.6 AE
Installation instructions
Please view the readme.txt for installation instructions.