APAR status |
Closed with unknown close code.
| Error description
In Ldap, group memberships for each user are stored and
retrieved as valid Distinguish Name in Ldap. After finding
user's group memberships, there is no necessary to re-validate
each group against Ldap server. By not re-validating each
group, there are two
benefits, one has
performance improvement in particular i.e if a user belongs to
too many groups, WAS does not have validate against each group.
The other is not to validate groups to which user belongs but
not used by WebSphere security. Local fixProblem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security *
* users using LDAP registry. *
****************************************************************
* PROBLEM DESCRIPTION: WebSphere performs unnecessary group *
* Distinguish Name validation. *
****************************************************************
* RECOMMENDATION: *
****************************************************************
WebSphere revalidates group DN returned from LDAP. In LDAP,
group memberships for each user are strored and retrieved as
valid Distinguish Names. After findind a user's group
memberships, it is not necessary to re-validate each group
against the LDAP server. By not re-validating each group,
there are two benefits, one has performance improvement in
particular if a user belongs to too many groups, the other
is not to validate groups to which user belongs but not used
by WebSphere security. Problem conclusion
Group DNs returned from LDAP are now not validated. Temporary fix
provide both working-around, and testing eFix to customer. Comments
APAR information | APAR number | PQ61834 | Reported component name | WEBSPHERE AE SO | Reported component ID | 5648C8402 | Reported release | 350 | Status | CLOSED | PE | NoPE | HIPER | NoHIPER | Submitted date | 2003-03-03 | Closed date | 2003-03-03 | Last modified date | 2003-03-17 |
APAR is sysrouted FROM one or more of the following: PQ67062
APAR is sysrouted TO one or more of the following:APAR is sysrouted FROM one or more of the following:PQ67062
Modules/Macros APAR is sysrouted TO one or more of the following:Modules/Macros
|
Fix information |
Fixed component name | WEBSPHERE AE SO | Fixed component ID | 5648C8402 |
Applicable component levels | R400 PSY | UP |
|