PQ67391: SECURITY COMPONENT WON'T TAKE FULL LDAP NAME.

A fix is available

4.0.5: WebSphere Application Server Version 4.0 Fix Pack 5 (Version 4.0.5)



APAR status
Closed as program error.

Error description
We have developed an application that requires Group/Role Mappings. The Groups are contained in the LDAP directory and are referenced by DN of type: "cn=GroupName, o=infoscore,c=de". We can install the application in the Admin Console GUI and set up the mappings, using the User/Role Mappings dialog.
In our application 3 Roles are defined, which are mapped to the following groups:
Role            Users/Groups
ISSAdmin        cn=AdminISSGroup, o=infoscore,c=de
VendorAdmin     cn=AdminGroup,ou=IBD, o=infoscore,c=de
                cn=AdminGroup,ou=ICD, o=infoscore,c=de
ISSAdminBatch   cn=AdminISSBatchGroup, o=infoscore,c=de
Once the roles have been set up in the AdminConsole, I can then see the mappings in the WSCP as follows:
wscp> SecurityRoleAssignment getGroupRoleMapping /EnterpriseApp:admin/
{ISSAdmin cn=AdminISSGroup, o=infoscore,c=de} {VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de} {VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de} {ISSAdminBatch cn=AdminISSBatchGroup, o=infoscore,c=de}
However, when we try to set up the mappings using WSCP, it does not work. Here is an example of how we attempt to set up one of the mappings in WSCP:
wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin cn=AdminISSGroup, o=infoscore,c=de}
WSCP0038E: Invalid attribute format : ISSAdmin cn=AdminISSGroup, o=infoscore,c=de
The installation procedure for our production system requires that we use the WSCP, so that this task can be scripted. Therefore, it is essential that we are able to set up our User/Role mappings in WSCP.
This was the problem as described by the customer.
I suggested they issue the command as follows:
wscp> SecurityRoleAssignment  addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin {cn=AdminISSGroup, o=infoscore,c=de}}
and install APAR PQ60772, since the APAR description seemed to match the issue.
After installing this APAR, the customer got a different error:
From customer:
Installing PQ60772 hasn't solved the problem. I am now getting a different error:
wscp> SecurityRoleAssignment  addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin {cn=AdminISSGroup, o=infoscore,c=de}}
java.lang.NullPointerException
        at com.ibm.xmi.xmi2.impl.XMI2WriterImpl.writeFeatures(XMI2WriterImpl.java:307)
With regard to the use of short names, the customer must use full names.
From customer:
Unfortunately for us, we must use the full DN. Standard LDAP configuration does not include a short name for groups. In particular, in one of the examples I showed you, the use of short names would not solve the problem. In order to distinguish both of the groups (AdminGroup) in this example, we must use the full DN:
{VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de}
{VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de}

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users who use WSCP to assign group DN to     *
*                 roles                                        *
****************************************************************
* PROBLEM DESCRIPTION: WSCP fails to assign group DNs to a     *
*                      security role.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WSCP cannot assign groups to security roles if the given group name is a DN (distinguished name) instead of a single attribute value.

Problem conclusion
Modify the LDAP registry implementation in security to accept both a DN and a short name as the group search pattern. Originally, only a short name was an acceptable search pattern.
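
The following is an added example, not IBM's registry code, showing why a group lookup that feeds role mappings has to accept a full DN as well as a short name: the short name "AdminGroup" from the report matches two entries, while each DN matches exactly one. The directory list is constructed from the DNs quoted above, the function names are hypothetical, and case-insensitive matching is a simplifying assumption.

```python
import re

# Constructed sample directory; the DNs are the ones quoted in the APAR text.
DIRECTORY = [
    "cn=AdminISSGroup,o=infoscore,c=de",
    "cn=AdminGroup,ou=IBD,o=infoscore,c=de",
    "cn=AdminGroup,ou=ICD,o=infoscore,c=de",
    "cn=AdminISSBatchGroup,o=infoscore,c=de",
]


def parse_dn(text):
    """Return a DN as a tuple of (type, value) pairs, or None if text is not a DN."""
    rdns = []
    for part in re.split(r"(?<!\\),", text):  # split on unescaped commas only
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            return None  # no type=value component: treat input as a short name
        # Assumption: compare case-insensitively and ignore padding around commas.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def resolve_group(pattern, directory=DIRECTORY):
    """Resolve a group given either as a full DN or as a short name (cn value)."""
    wanted = parse_dn(pattern)
    matches = []
    for dn in directory:
        entry = parse_dn(dn)
        if wanted is not None:
            hit = entry == wanted  # full DN: must identify one exact entry
        else:
            hit = entry[0] == ("cn", pattern.strip().lower())  # short name
        if hit:
            matches.append(dn)
    return matches


def map_role(role, pattern, directory=DIRECTORY):
    """Bind a role to exactly one group; reject unknown or ambiguous names."""
    matches = resolve_group(pattern, directory)
    if len(matches) != 1:
        raise ValueError(f"{role}: {pattern!r} matches {len(matches)} groups")
    return role, matches[0]
```

Rejecting an ambiguous short name, instead of binding the role to the first match, keeps a role from being granted to a group in the wrong organizational unit.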

Temporary fix
Provide testing eFix. Waiting for feedback.

Comments

APAR information
APAR number PQ67391
Reported component name WEBSPHERE AE SO
Reported component ID 5630A2202
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-10-18
Closed date 2002-10-30
Last modified date 2003-04-30

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ65592

Modules/Macros
SECURITY          

SRLS

Fix information
Fixed component name WEBSPHERE AE SO
Fixed component ID 5630A2202

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Software version: 400
Reference #: PQ67391
IBM Group: Software Group
Modified date: Apr 30, 2003