Problem (Abstract)
After upgrading WebSphere® Application Server to a new release,
LDAP authentication for the ID server fails.
[22.03.05 13:35:51:874 CET] 3386aeb0 LdapRegistryI E SECJ0352E: Die
Benutzer, die dem Muster wpsbind entsprechen, konnten nicht abgerufen
werden, weil die Ausnahme javax.naming.CannotProceedException; remaining
name ''
In English:
The users matching the pattern wpsbind could not be retrieved because of
the exception javax.naming.CannotProceedException; remaining name
''
Base Distinguished Name
Specifies the base distinguished name of the directory service, indicating
the starting point for LDAP searches of the directory service.
For example, for a user with a distinguished name (DN) of cn=John Doe,
ou=Rochester, o=IBM, c=US, you can specify the base DN as (assuming a
suffix of c=us): ou=Rochester,o=IBM,c=us or o=IBM,c=us. For authorization
purposes, this field is case sensitive. This specification implies that if
a token is received (for example, from another cell or Domino) the base DN
in the server must match the base DN from the other cell or Domino server
exactly. If case sensitivity is not a consideration for authorization,
enable the Ignore Case field.
If you need to interoperate between WebSphere Application Server
Version 5 and a Version 5.0.1 or later server, you must enter a normalized
base distinguished name. A normalized base distinguished name does not
contain spaces before or after commas and equal symbols. An example of a
non-normalized base distinguished name is o = ibm, c = us or o=ibm, c=us.
An example of a normalized base distinguished name is o=ibm,c=us. In
WebSphere Application Server, Version 5.0.1 or later, normalization
occurs automatically at run time.
This field is required for all Lightweight Directory Access Protocol
(LDAP) directories except for the Domino Directory, where this field is
optional.
The following error message is logged in SystemOut.log because the base DN
has not been defined in the LDAP registry configuration. If the base DN is
empty, the LDAP search may fail. To correct this, specify the base DN in
the administrative console.
[13.04.05 10:40:00:166 CEST] 1df91deb UserRegistryI A SECJ0136I: Die
benutzerdefinierte Registry
com.ibm.ws.security.registry.ldap.LdapRegistryImpl wurde initialisiert.
[13.04.05 10:40:05:338 CEST] 1df91deb LdapRegistryI E SECJ0352E: Die
Benutzer, die dem Muster wpsbind entsprechen, konnten nicht abgerufen
werden, weil die Ausnahme javax.naming.CannotProceedException; remaining
name ''
at javax.naming.spi.ContinuationDirContext.getTargetContext(ContinuationDirContext.java:63)
at javax.naming.spi.ContinuationDirContext.search(ContinuationDirContext.java:239)
This issue has been fixed in WebSphere release 6.0.0.3 (PK01716). It has
also been fixed in 5.0.2.10 with APAR PK02309.
To correct this issue:
From the Admin Console:
Security -> User Registries -> LDAP -> under General Properties, the Base
Distinguished Name (DN) field should not be empty. If the field is empty,
the error above appears when LDAP tries to search the registries.
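
The two rules described above (a base DN must not be empty, and a normalized base DN has no spaces before or after commas and equal signs) can be checked before an upgrade. The following Python check is an added example, not IBM code or part of the original technote; all function names are hypothetical, and it additionally handles backslash-escaped and quoted separators inside values, which the technote does not discuss.

```python
# Added illustration; function names are hypothetical, not a WebSphere API.
def split_unescaped(text, sep):
    """Split on sep, skipping separators that are backslash-escaped or quoted."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escape pair intact
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def strip_value(value):
    """Trim surrounding spaces but keep a trailing escaped space ("\\ ")."""
    core = value.strip()
    odd_backslashes = (len(core) - len(core.rstrip("\\"))) % 2 == 1
    if odd_backslashes and len(value.lstrip()) > len(core):
        core += " "
    return core

def normalize_base_dn(dn):
    """Remove spaces before/after unescaped commas and equal signs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, eq, value = rdn.partition("=")
        if not eq or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append(attr.strip() + "=" + strip_value(value))
    return ",".join(rdns)

def check_base_dn(configured):
    """Classify a Base DN field value: EMPTY, NOT_NORMALIZED or OK."""
    if configured is None or not configured.strip():
        return "EMPTY", ""
    normalized = normalize_base_dn(configured)
    return ("OK" if normalized == configured else "NOT_NORMALIZED"), normalized

def base_dns_match(local, remote, ignore_case=False):
    """Illustrates the case-sensitive match described above (an assumption)."""
    a, b = normalize_base_dn(local), normalize_base_dn(remote)
    return a.lower() == b.lower() if ignore_case else a == b
```

An EMPTY result corresponds to the configuration that produces the SECJ0352E error shown above.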