PQ65592: SECURITY COMPONENT WON'T TAKE FULL LDAP NAME.

A fix is available
WebSphere Application Server Version 3.5 Fix Pack 7 (3.5.7)

APAR

APAR status
Closed with unknown close code.

Error description
We have developed an application that requires Group/Role Mappings. The Groups are contained in the LDAP directory and are referenced by DN of type: "cn=GroupName, o=infoscore,c=de". We can install the application in the Admin Console GUI and set up the mappings, using the User/Role Mappings dialog.
.
In our application 3 Roles are defined, which are mapped to the following groups
.
Role                           Users/Groups
.
ISSAdmin                       cn=AdminISSGroup, o=infoscore,c=de
VendorAdmin                    cn=AdminGroup,ou=IBD, o=infoscore,c=de
                               cn=AdminGroup,ou=ICD, o=infoscore,c=de
ISSAdminBatch                  cn=AdminISSBatchGroup, o=infoscore,c=de
.
Once the roles have been set up in the AdminConsole, I can then see the mappings in the WSCP as follows:
.
wscp> SecurityRoleAssignment getGroupRoleMapping /EnterpriseApp:admin/
{ISSAdmin cn=AdminISSGroup, o=infoscore,c=de} {VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de} {VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de} {ISSAdminBatch cn=AdminISSBatchGroup, o=infoscore,c=de}
.
However, when we try to set up the mappings using WSCP, it does not work. Here is an example of how we attempt to set up one of the mappings in WSCP:
.
wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin cn=AdminISSGroup, o=infoscore,c=de}
WSCP0038E: Invalid attribute format : ISSAdmin cn=AdminISSGroup, o=infoscore,c=de
.
The installation procedure for our production system requires that we use the WSCP, so that this task can be scripted. Therefore, it is essential that we are able to set up our User/Role mappings in WSCP.
.
This was the problem as described by customer.
.
I then suggested customer to issue the command as follows:
.
wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin {cn=AdminISSGroup, o=infoscore,c=de}}
.
and install APAR PQ60772, since the APAR description seemed to match the issue.
.
It was after installing this APAR that customer got a different error:
.
From customer:
.
Installing PQ60772 hasn't solved the problem. I am now getting a different error:
.
wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin {cn=AdminISSGroup, o=infoscore,c=de}}
java.lang.NullPointerException
    at com.ibm.xmi.xmi2.impl.XMI2WriterImpl.writeFeatures(XMI2WriterImpl.java:307)
.
With regards to the use of short names, customer must use full names.
.
From customer:
.
Unfortunately for us, we must use the full DN. Standard LDAP configuration does not include a short name for groups. In particular, in one of the examples I showed you, the use of short names would not solve the problem. In order to distinguish both of the groups (AdminGroup) in this example we must use the full DN:
.
{VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de}
{VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de}
Local fix
Use the short name, which is unacceptable for this customer.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users who use WSCP to assign group DN to     *
*                 roles                                        *
****************************************************************
* PROBLEM DESCRIPTION: WSCP fails to assign group DNs to a     *
*                      security role.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WSCP cannot assign groups to security roles if the given
group name is a DN (distinguished name) instead of a single
attribute value.
Problem conclusion
Modified the LDAP registry implementation in security to accept
both DN and short name as the group search pattern. Originally,
only the short name was an acceptable search pattern.
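Why a short name cannot replace the DN for this customer, as an added example (not IBM's code and not part of the APAR): the Python sketch below parses the getGroupRoleMapping output quoted in the error description and reports every short name shared by more than one group DN. The function names and the case-insensitive comparison of attribute values are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the getGroupRoleMapping output quoted in this APAR.
WSCP_OUTPUT = (
    "{ISSAdmin cn=AdminISSGroup, o=infoscore,c=de} "
    "{VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de} "
    "{VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de} "
    "{ISSAdminBatch cn=AdminISSBatchGroup, o=infoscore,c=de}"
)

def parse_mappings(text):
    """Return (role, group) pairs from {role group} or {role {group}} items."""
    pairs = re.findall(r"\{(\S+)\s+\{?([^{}]+)\}?\}", text)
    return [(role, group.strip()) for role, group in pairs]

def split_rdns(dn):
    """Split a DN on unescaped commas into (type, value) pairs.
    Assumption: values compare case-insensitively; multi-valued RDNs are ignored."""
    parts = [p.partition("=") for p in re.split(r"(?<!\\),", dn)]
    return [(a.strip().lower(), v.strip().casefold()) for a, _, v in parts]

def normalize_dn(dn):
    """Canonical string so that spacing and case differences do not hide a match."""
    return ",".join(f"{a}={v}" for a, v in split_rdns(dn))

def short_name(dn):
    """Value of the leftmost RDN: all that a short-name search pattern carries."""
    return split_rdns(dn)[0][1]

def ambiguous_short_names(pairs):
    """Short names that resolve to more than one distinct group DN."""
    by_short = defaultdict(set)
    for _, group in pairs:
        if "=" in group:  # skip entries that are already bare short names
            by_short[short_name(group)].add(normalize_dn(group))
    return {s: sorted(dns) for s, dns in by_short.items() if len(dns) > 1}

if __name__ == "__main__":
    found = ambiguous_short_names(parse_mappings(WSCP_OUTPUT))
    for short, dns in found.items():
        print(f"short name '{short}' matches {len(dns)} groups:")
        for dn in dns:
            print("   ", dn)
```

On the page's data the only collision is AdminGroup, under ou=IBD and ou=ICD, which is the pair the customer says only the full DN can tell apart.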
Temporary fix
Provide testing eFix. Waiting for feedback.
Comments
APAR information
APAR number: PQ65592
Reported component name: WEBSPHERE AE SO
Reported component ID: 5648C8402
Reported release: 350
Status: CLOSED
PE: NoPE
HIPER: NoHIPER
Submitted date: 2003-03-03
Closed date: 2003-03-03
Last modified date: 2003-03-17

APAR is sysrouted FROM one or more of the following:
PQ67391

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY

Fix information
Fixed component name: WEBSPHERE AE SO
Fixed component ID: 5648C8402

Applicable component levels
R400 PSYUP

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ65592
IBM Group: Software Group
Modified date: 2003-03-17