APAR status
Closed with unknown close code.
Error description
We have developed an application that requires Group/Role Mappings. The Groups are contained in the LDAP directory and are referenced by DN of type: "cn=GroupName, o=infoscore,c=de". We can install the application in the Admin Console GUI and set up the mappings, using the User/Role Mappings dialog.
.
In our application 3 Roles are defined, which are mapped to the following groups
.
Role            Users/Groups
.
ISSAdmin        cn=AdminISSGroup, o=infoscore,c=de
VendorAdmin     cn=AdminGroup,ou=IBD, o=infoscore,c=de
                cn=AdminGroup,ou=ICD, o=infoscore,c=de
ISSAdminBatch   cn=AdminISSBatchGroup, o=infoscore,c=de
.
Once the roles have been set up in the AdminConsole, I can then see the mappings in the WSCP as follows:
.
wscp> SecurityRoleAssignment getGroupRoleMapping /EnterpriseApp:admin/
{ISSAdmin cn=AdminISSGroup, o=infoscore,c=de}
{VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de}
{VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de}
{ISSAdminBatch cn=AdminISSBatchGroup, o=infoscore,c=de}
.
However, when we try to set up the mappings using WSCP, it does not work. Here is an example of how we attempt to set up one of the mappings in WSCP:
.
wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin cn=AdminISSGroup, o=infoscore,c=de}
WSCP0038E: Invalid attribute format : ISSAdmin cn=AdminISSGroup, o=infoscore,c=de
.
The installation procedure for our production system requires that we use the WSCP, so that this task can be scripted. Therefore, it is essential that we are able to set up our User/Role mappings in WSCP.
.
This was the problem as described by customer.
.
I then suggested customer to issue the command as follows:
.
wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin {cn=AdminISSGroup, o=infoscore,c=de}}
.
and install apar PQ60772, since the apar description seemed to match the issue.
.
It was after installing this apar that customer got a different error:
.
From customer:
.
Installing PQ60772 hasn't solved the problem. I am now getting a different error:
.
wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin {cn=AdminISSGroup, o=infoscore,c=de}}
java.lang.NullPointerException
        at com.ibm.xmi.xmi2.impl.XMI2WriterImpl.writeFeatures(XMI2WriterImpl.java:307)
.
With regards to the use of short names, customer must use full names.
.
From customer:
.
Unfortunately for us, we must use the full DN. Standard LDAP configuration does not include a short name for groups. In particular, in one of the examples I showed you, the use of short names would not solve the problem. In order to distinguish both of the groups (AdminGroup) in this example we must use the full DN:
.
{VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de}
{VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de}
Local fix
Use short name, but this is unacceptable for this customer.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users who use WSCP to assign group DN to     *
*                 roles                                        *
****************************************************************
* PROBLEM DESCRIPTION: WSCP fails to assign group DNs to a     *
*                      security role.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WSCP cannot assign groups to security roles if the given group name is a DN (distinguished name) instead of a single attribute value.
Problem conclusion
Modify the LDAP registry implementation in security to accept both DN and short name as the group search pattern. Originally, only the short name was an acceptable search pattern.
Temporary fix
Provide testing eFix. Waiting for feedback.
Comments
APAR information
APAR number | PQ65592
Reported component name | WEBSPHERE AE SO
Reported component ID | 5648C8402
Reported release | 350
Status | CLOSED
PE | NoPE
HIPER | NoHIPER
Submitted date | 2003-03-03
Closed date | 2003-03-03
Last modified date | 2003-03-17
APAR is sysrouted FROM one or more of the following:
PQ67391
APAR is sysrouted TO one or more of the following:
Modules/Macros
Fix information
Fixed component name | WEBSPHERE AE SO
Fixed component ID | 5648C8402
Applicable component levels | R400 PSY | UP
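The short-name collision described in the error description (two groups both named AdminGroup, under ou=IBD and ou=ICD), shown as an added example that is not part of the APAR or of WebSphere. The helper names are hypothetical, and the DN splitting is a simplified reading of RFC 4514 that does not handle quoted values or multi-valued RDNs.

```python
import re
from collections import defaultdict

# Role-to-group mappings as listed in the error description.
MAPPINGS = [
    ("ISSAdmin", "cn=AdminISSGroup, o=infoscore,c=de"),
    ("VendorAdmin", "cn=AdminGroup,ou=IBD, o=infoscore,c=de"),
    ("VendorAdmin", "cn=AdminGroup,ou=ICD, o=infoscore,c=de"),
    ("ISSAdminBatch", "cn=AdminISSBatchGroup, o=infoscore,c=de"),
]

def split_rdns(dn):
    """Split a DN on commas not preceded by a backslash (simplified)."""
    parts = re.split(r"(?<!\\),", dn)
    return [p.strip() for p in parts if p.strip()]

def normalize_dn(dn):
    """Comparison form: padding removed, attribute and value lower-cased."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)

def short_name(dn):
    """Value of the leftmost RDN, i.e. the group's short name."""
    return split_rdns(dn)[0].partition("=")[2].strip()

def ambiguous_short_names(mappings):
    """Return {short name: sorted DNs} for names shared by more than one DN."""
    by_name = defaultdict(set)
    for _role, dn in mappings:
        by_name[short_name(dn).lower()].add(normalize_dn(dn))
    return {n: sorted(dns) for n, dns in by_name.items() if len(dns) > 1}

if __name__ == "__main__":
    # A role mapped by an ambiguous short name could resolve to either group.
    for name, dns in ambiguous_short_names(MAPPINGS).items():
        print(f"short name '{name}' is ambiguous:")
        for dn in dns:
            print(f"  {dn}")
```

Running a check like this over a planned set of role mappings shows which groups can only be mapped safely by full DN.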