PQ67062: DO NOT RE-VALIDATE GROUP DN IF DN COMES FROM LDAP

 A fix is available

4.0.5: WebSphere Application Server Version 4.0 Fix Pack 5 (Version 4.0.5)



APAR status
Closed as program error.

Error description
In LDAP, group memberships for each user are stored and
retrieved as valid Distinguished Names.  After finding a
user's group memberships, it is not necessary to re-validate
each group against the LDAP server.  Not re-validating each
group has two benefits.  One is a performance improvement, in
particular when a user belongs to many groups: WAS does not
have to validate against each group.  The other is that groups
to which the user belongs but which are not used by WebSphere
security are not validated.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users using LDAP registry.                   *
****************************************************************
* PROBLEM DESCRIPTION: WebSphere performs unnecessary group    *
*                      Distinguished Name validation.          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
WebSphere re-validates group DNs returned from LDAP.  In LDAP,
group memberships for each user are stored and retrieved as
valid Distinguished Names.  After finding a user's group
memberships, it is not necessary to re-validate each group
against the LDAP server.  Not re-validating each group has
two benefits: one is a performance improvement, in particular
when a user belongs to many groups; the other is that groups
to which the user belongs but which are not used by WebSphere
security are not validated.
Problem conclusion
Group DNs returned from LDAP are no longer re-validated.
Temporary fix
Provide both a workaround and a test eFix to the customer.
Comments
APAR information
APAR number PQ67062
Reported component name WEBSPHERE AE SO
Reported component ID 5630A2202
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-10-09
Closed date 2002-10-28
Last modified date 2002-10-28

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ61834

Modules/Macros
SECURITY          

SRLS

Fix information
Fixed component name WEBSPHERE AE SO
Fixed component ID 5630A2202

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ67062
IBM Group: Software Group
Modified date: Oct 28, 2002