PQ67823: FIRST ATTRIBUTE IN DN IS NOT SEARCHABLE EVEN IT SHOULD BE ALWAYS SEARCHABLE

A fix is available
WebSphere Application Server Version 3.5 Fix Pack 7 (3.5.7)

APAR

APAR status
Closed as program error.

Error description
The problem with using bluepages occurs since the first
attribute in DN is not searchable even though it should always
be searchable. What we are proposing to deal with this kind of
directory defect is to search the DN after the RDN query fails.
This way, I do not break current working functionality, and make
some improperly structured directories work with some
limitations.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users with LDAP as a user registry when      *
*                 the LDAP schema has an attribute which is    *
*                 not searchable in the DN.                    *
****************************************************************
* PROBLEM DESCRIPTION: Security cannot query the relative DN   *
*                      from LDAP if any attributes of the DN   *
*                      are not searchable.                     *
****************************************************************
* RECOMMENDATION: Properly configure LDAP to make attributes   *
*                 in DN searchable.                            *
*                 This is not a WebSphere defect, and we try   *
*                 to give customers with improperly configured *
*                 LDAP some leverage. The support of this      *
*                 kind of LDAP is limited, and some            *
*                 functionality, such as SSO with              *
*                 non-WebSphere applications, may be lost.     *
*                 The long-term solution for this kind of      *
*                 problem is to fix the LDAP server to make    *
*                 attributes in DN searchable.                 *
****************************************************************
If the first attribute of the DN is not searchable,
WebSphere is unable to query the relative DN to perform name
normalization.  This may have several causes.
Secureway 3.2.2, 3.1.1 and possibly other versions have a
defect which makes this attribute unsearchable.  Some OEM LDAP
servers may also have this defect.  Also, configuration
errors can cause this issue.  Some LDAP servers may need
to be configured to make specific attributes searchable.
Some LDAP servers are also configured to require a Bind DN
before certain attributes can be searched.
Problem conclusion
If the Relative DN is not searchable, WebSphere will query the
DN itself and use this result.  However, if the Relative DN
search fails, and the full DN search is used, SSO may not
function with WebSeal or Domino.  If this problem occurs,
the only resolution is to make the Relative DN searchable.
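
The lookup order described above, as an added example (not IBM's code): search on the first RDN, fall back to reading the DN itself, and report which path was taken so accounts on the degraded path can be audited. `FakeDirectory`, the sample entries and the `dn-fallback` label are constructed for illustration; multi-valued RDNs are not handled and an ambiguous RDN match is treated as an error by assumption.

```python
import re

def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN, honouring backslash escapes."""
    head = re.match(r'((?:\\.|[^\\,])*)', dn).group(1)   # up to first unescaped comma
    attr, _, raw = head.partition("=")
    unesc = lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1)
    return attr.strip().lower(), re.sub(r'\\([0-9a-fA-F]{2}|.)', unesc, raw.strip())

class FakeDirectory:
    """Constructed stand-in for an LDAP server; `unsearchable` mimics the defect."""
    def __init__(self, entries, unsearchable=()):
        self.entries, self.unsearchable = entries, set(unsearchable)
    def search(self, attr, value):
        """Subtree equality search; returns nothing for an unsearchable attribute."""
        if attr in self.unsearchable:
            return []
        return [dn for dn, a in self.entries.items() if value in a.get(attr, [])]
    def read(self, dn):
        """Base-scope read of a single entry by its full DN."""
        return dn if dn in self.entries else None

def resolve(directory, dn):
    """Return (dn, method); method 'dn-fallback' marks the limited-support path."""
    attr, value = first_rdn(dn)
    hits = directory.search(attr, value)
    if len(hits) == 1:
        return hits[0], "rdn-search"
    if len(hits) > 1:
        raise LookupError("ambiguous RDN %s=%r" % (attr, value))
    found = directory.read(dn)
    if found is None:
        raise LookupError("no such entry: %r" % dn)
    return found, "dn-fallback"

def fallback_users(directory, dns):
    """List the DNs that only resolve through the full-DN fallback."""
    return [dn for dn in dns if resolve(directory, dn)[1] == "dn-fallback"]

# Constructed sample data: the second directory cannot search on "cn".
ENTRIES = {
    "cn=Jane Doe,ou=people,o=example": {"cn": ["Jane Doe"]},
    "uid=smith\\, j,ou=people,o=example": {"uid": ["smith, j"]},
}
HEALTHY = FakeDirectory(ENTRIES)
BROKEN = FakeDirectory(ENTRIES, unsearchable={"cn"})
```

Entries reported by `fallback_users` are the ones for which SSO with WebSeal or Domino may not function until the RDN attribute is made searchable.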
Temporary fix
test internally
Comments
APAR information
APAR number: PQ67823
Reported component name: WAS ADVANCED AI
Reported component ID: 5648C8400
Reported release: 350
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2002-11-01
Closed date: 2002-11-01
Last modified date: 2002-11-01

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

PQ67828

Modules/Macros
SECURITY

Fix information
Fixed component name: WAS ADVANCED AI
Fixed component ID: 5648C8400

Applicable component levels
R350 PSYUP

Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ67823
IBM Group: Software Group
Modified date: 2002-11-01