PQ85243: Login fails when user name contains a forward slash

APAR status
Closed as program error.

Error description
When trying to log into an application with a user name that
contains a forward slash, the user is rejected.  For example, if
the user name as defined in the LDAP registry is:

CN=Bob Smith AB/CD,DC=austin,DC=ibm,DC=com

then you try to access the snoop servlet with security enabled,
and when the login panel appears you type in:

Bob Smith AB/CD

as the user name, the user is rejected because of the /, even if
the password is correct.

Note:  This problem was reported on a 4.0.4 system with Active
Directory as the LDAP server.

Local fix
There is no workaround available for this issue.

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users who   *
*                 have enabled security and configured LDAP    *
*                 as their user registry.                      *
****************************************************************
* PROBLEM DESCRIPTION: User names containing forward slashes   *
*                      ("/") fail to authenticate.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
User names containing forward slashes ("/") fail to
authenticate.  The reason is that the character has a
special meaning and must be escaped so that it is preserved
in LDAP operations.
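
The effect of the unescaped slash, shown as an added example that is not IBM's code and not part of the APAR. It assumes the registry reaches LDAP through JNDI string names, where "/" is the composite-name component separator; `escapeSlashes` and `asSingleComponent` are hypothetical helpers.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;

public class SlashInDnDemo {
    // DN taken from the error description above.
    static final String DN = "CN=Bob Smith AB/CD,DC=austin,DC=ibm,DC=com";

    // Hypothetical helper: escape "/" so a JNDI string name keeps it as data.
    static String escapeSlashes(String dn) {
        return dn.replace("/", "\\/");
    }

    // Hypothetical helper: add the DN as one composite-name component,
    // which avoids composite-name string parsing entirely.
    static Name asSingleComponent(String dn) throws InvalidNameException {
        return new CompositeName().add(dn);
    }

    static void dump(String label, Name name) {
        System.out.println(label + ": " + name.size() + " component(s)");
        for (int i = 0; i < name.size(); i++) {
            System.out.println("  [" + i + "] " + name.get(i));
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        // Unescaped: the parser treats "/" as a separator and splits the DN,
        // so the lookup is made against a truncated name.
        dump("unescaped", new CompositeName(DN));

        // Escaped: the backslash marks "/" as literal and the DN stays whole.
        dump("escaped", new CompositeName(escapeSlashes(DN)));

        // Single component: no parsing of the DN as a composite name.
        dump("add()", asSingleComponent(DN));

        // In LDAP's own DN syntax "/" is an ordinary character, so the
        // leftmost RDN value is parsed intact.
        LdapName ldapName = new LdapName(DN);
        System.out.println("leftmost RDN value: "
                + ldapName.getRdn(ldapName.size() - 1).getValue());
    }
}
```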

Important note: this only addresses issues when using the
LDAP registry.  User names with forward slashes will still
fail when used as the server ID, for EJB Run As mode, or in
a programmatic login.  This is an architectural limitation of
the Secure Association Service (SAS) and a permanent
restriction.

Problem conclusion
LDAP registry code now escapes forward slashes.

Temporary fix
A test fix was provided to the customer.

Comments

APAR information
APAR number PQ85243
Reported component name WEBSPHERE AE NT
Reported component ID 5630A2201
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2004-02-26
Closed date 2004-04-01
Last modified date 2004-04-01

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
security          

Fix information

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ85243
IBM Group: Software Group
Modified date: Apr 1, 2004