PQ67391: SECURITY COMPONENT WON'T TAKE FULL LDAP NAME.
APAR status

Closed as program error.

Error description

We have developed an application that requires Group/Role Mappings. The Groups are contained in the LDAP directory and are referenced by DN of type: "cn=GroupName, o=infoscore,c=de". We can install the application in the Admin Console GUI and setup the mappings, using the User/Role Mappings dialog. In our application 3 Roles are defined, which are mapped to the following groups:

    Role            Users/Groups
    ISSAdmin        cn=AdminISSGroup, o=infoscore,c=de
    VendorAdmin     cn=AdminGroup,ou=IBD, o=infoscore,c=de
                    cn=AdminGroup,ou=ICD, o=infoscore,c=de
    ISSAdminBatch   cn=AdminISSBatchGroup, o=infoscore,c=de

Once the roles have been setup in the AdminConsole, I can then see the mappings in the WSCP as follows:

    wscp> SecurityRoleAssignment getGroupRoleMapping /EnterpriseApp:admin/
    {ISSAdmin cn=AdminISSGroup, o=infoscore,c=de}
    {VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de}
    {VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de}
    {ISSAdminBatch cn=AdminISSBatchGroup, o=infoscore,c=de}

However, when we try to set up the mappings using WSCP, it does not work. Here is an example of how we attempt to set up one of the mappings in WSCP:

    wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin cn=AdminISSGroup, o=infoscore,c=de}
    WSCP0038E: Invalid attribute format : ISSAdmin cn=AdminISSGroup, o=infoscore,c=de

The installation procedure for our production system requires that we use the WSCP, so that this task can be scripted. Therefore, it is essential that we are able to setup our User/Role mappings in WSCP.

This was the problem as described by customer. I suggested they issue the command as follows:

    wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin {cn=AdminISSGroup, o=infoscore,c=de}}

and install apar PQ60772, since the apar description seemed to match the issue.
After installing this apar, the customer got a different error:

From customer: Installing PQ60772 hasn't solved the problem. I am now getting a different error:

    wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:admin/ -grouproles {ISSAdmin {cn=AdminISSGroup, o=infoscore,c=de}}
    java.lang.NullPointerException
        at com.ibm.xmi.xmi2.impl.XMI2WriterImpl.writeFeatures(XMI2WriterImpl.java:307)

With regards to the use of short names, customer must use full names.

From customer: Unfortunately for us, we must use the full DN. Standard LDAP configuration does not include a short name for groups. In particular, in one of the examples I showed you, the use of short names would not solve the problem. In order to distinguish both of the groups (AdminGroup) in this example, we must use the full DN:

    {VendorAdmin cn=AdminGroup,ou=IBD, o=infoscore,c=de}
    {VendorAdmin cn=AdminGroup,ou=ICD, o=infoscore,c=de}

Local fix

Problem summary

****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users who use WSCP to assign group DN to     *
*                 roles                                        *
****************************************************************
* PROBLEM DESCRIPTION: WSCP fails to assign group DNs to a     *
*                      security role.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

WSCP cannot assign groups to security roles if the given group name is a DN (distinguished name) instead of a single attribute value.

Problem conclusion

Modify the LDAP registry implementation in security to accept both DN and short name as group search patterns. Originally, only the short name was an acceptable search pattern.

Temporary fix

Provide testing eFix. Waiting for feedback.

Comments
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following: PQ65592

Modules/Macros
SRLS

Document Information
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ67391
IBM Group: Software Group
Modified date: Apr 30, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.