LDAP authentication for ID server fails
 Technote (troubleshooting)
 
Problem(Abstract)
After upgrading the WebSphere® Application Server with new release, LDAP authentication for ID server fails.

[22.03.05 13:35:51:874 CET] 3386aeb0 LdapRegistryI E SECJ0352E: Die
Benutzer, die dem Muster wpsbind entsprechen, konnten nicht abgerufen
werden, weil die Ausnahme javax.naming.CannotProceedException; remaining name ''

In English
The users matching the pattern wpsbind could not be retrieved because of the exception javax.naming.CannotProceedException; remaining name ''
 
Cause
Base Distinguished Name (DN) was empty
 
Resolving the problem
Base Distinguished Name
Specifies the base distinguished name of the directory service, indicating the starting point for LDAP searches of the directory service.

For example, for a user with a distinguished name (DN) of cn=John Doe, ou=Rochester, o=IBM, c=US, you can specify the base DN as (assuming a suffix of c=us): ou=Rochester,o=IBM,c=us or o=IBM,c=us. For authorization purposes, this field is case sensitive. This specification implies that if a token is received (for example, from another cell or Domino) the base DN in the server must match the base DN from the other cell or Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore Case field.

If you need to interoperate between WebSphere Application Server Version 5 and a Version 5.0.1 or later server, you must enter a normalized base distinguished name. A normalized base distinguished name does not contain spaces before or after commas and equal symbols. An example of a non-normalized base distinguished name is o = ibm, c = us or o=ibm, c=us. An example of a normalized base distinguished name is o=ibm,c=us. In WebSphere Application Server, Version 5.0.1 or later, the normalization occurs automatically at run time.

This field is required for all Lightweight Directory Access Protocol (LDAP) directories except for the Domino Directory, where this field is optional.
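As an added example (not IBM's code), the following Python shows the two checks described above: normalizing a base DN by removing whitespace around the comma and equal-sign separators while keeping spaces inside values such as cn=John Doe, and flagging an empty base DN for any directory type other than Domino. The configuration dictionary and its keys (base_dn, ldap_type) are assumed for illustration.

```python
import re

# Split a DN on commas that are not escaped with a backslash (RFC 4514 style),
# so a value like "Smith\, John" stays intact.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_base_dn(dn: str) -> str:
    """Return dn with whitespace around ',' and '=' separators removed.

    'o = ibm, c = us' and 'o=ibm, c=us' both become 'o=ibm,c=us'; spaces
    inside attribute values ('cn=John Doe') are preserved.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        avas = []
        # A multi-valued RDN (cn=a+sn=b) is normalized one attribute at a time.
        for ava in rdn.split('+'):
            attr, sep, value = ava.partition('=')
            if not sep:
                raise ValueError(f"RDN without '=': {ava!r}")
            avas.append(f"{attr.strip()}={value.strip()}")
        rdns.append('+'.join(avas))
    return ','.join(rdns)


def check_ldap_registry(config: dict) -> list:
    """Return a list of problems found in an LDAP registry configuration.

    config is a constructed dict with the assumed keys 'base_dn' and
    'ldap_type' (e.g. 'Domino' or 'IBM Directory Server').
    """
    problems = []
    base_dn = (config.get('base_dn') or '').strip()
    ldap_type = config.get('ldap_type', '')
    if not base_dn:
        # Empty base DN is only acceptable for the Domino Directory.
        if ldap_type.lower() != 'domino':
            problems.append("Base DN is empty: required for every LDAP directory "
                            "except Domino; searches fail with "
                            "CannotProceedException; remaining name ''")
    else:
        normalized = normalize_base_dn(base_dn)
        if normalized != base_dn:
            problems.append(f"Base DN {base_dn!r} is not normalized; "
                            f"use {normalized!r}")
    return problems
```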
The following error message is logged in systemout.log because the base DN was not defined in the LDAP registry configuration; if the base DN is empty, the LDAP search fails. To correct this, specify the base DN in the administrative console.

[13.04.05 10:40:00:166 CEST] 1df91deb UserRegistryI A SECJ0136I: Die benutzerdefinierte Registry com.ibm.ws.security.registry.ldap.LdapRegistryImpl wurde initialisiert.
[13.04.05 10:40:05:338 CEST] 1df91deb LdapRegistryI E SECJ0352E: Die Benutzer, die dem Muster wpsbind entsprechen, konnten nicht abgerufen werden, weil die Ausnahme javax.naming.CannotProceedException; remaining name ''
at javax.naming.spi.ContinuationDirContext.getTargetContext(ContinuationDirContext.java:63)
at javax.naming.spi.ContinuationDirContext.search(ContinuationDirContext.java:239)

This issue has been fixed in WebSphere release 6.0.0.3 (PK01716). It has also been addressed in 5.0.2.10 with APAR PK02309.

To correct this issue:

From Admin Console

Security -> User Registries -> LDAP -> General Properties: the Base Distinguished Name (DN) field must not be empty. If the field is empty, the error above appears when LDAP tries to search the registry.

 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
 
Historical Number
PMR: 48035 999 724
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): AIX
Software version: 5.1.1.4
Software edition:
Reference #: 1210863
IBM Group: Software Group
Modified date: Jun 30, 2005