PQ60772: WSCP BUG IN VALIDATING THE USER AND GROUP NAME ON ROLE-USER/GROUP MAPPING WHEN USING LTPA AUTHENTICATION.

 Fixes are available

PQ60772, 4.0.2,4.0.3,4.0.4: WSCP fails to validate user/group when role mapping
4.0.5: WebSphere Application Server Version 4.0 Fix Pack 5 (Version 4.0.5)
System Management Component Cumulative Fix for 4.0.2/4.0.3/4.0.4 /4.0.5



APAR status
Closed as program error.

Error description
When using wscp, a full DN must be used. However, the full DN
fails in the wscp script, whereas the short name installs
correctly but a 403 is issued when accessing the bean.
This works properly during installation through the Admin GUI
console.
The full DN needs to be allowed by wscp when using LTPA.
Local fix
Workaround:
Install through the console and select the correct role mapping,
which is stored in the xmi file. This ear file can be exported
through the console, and manual updates to the xmi file can be
done to install to another domain.
This is very inefficient and this defect needs to be addressed
and corrected.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server 4.0.2/4.0.3     *
*                 users of WSCP.                               *
****************************************************************
* PROBLEM DESCRIPTION: WSCP bug in validating the user and     *
*                      group name on role-user/group mapping   *
*                      when using LTPA authentication.         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When using wscp, a full DN must be used. However, the full DN
fails in the wscp script, whereas the short name installs
correctly but a 403 is issued when accessing the bean.
This works properly during installation through the Admin GUI
console.
Problem conclusion
This is a wscp bug in validating the user/group name on all query
commands of role-user/group mapping (addUserRoleMapping,
addGroupRoleMapping, deleteUserRoleMapping and
deleteGroupRoleMapping).

To avoid confusion between the short name and the full DN, and
typing errors when entering the full DN, the efix allows only
the short name on all role-user/group mappings. For example:
wscp>SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:app1/ -grouproles {role1 user1}
Temporary fix
The testfix is posted on the wasdoc0\apars. Wait for feedback.
Comments
APAR information
APAR number: PQ60772
Reported component name: WEBSPHERE AE AI
Reported component ID: 5630A2200
Reported release: 400
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2002-05-02
Closed date: 2002-06-28
Last modified date: 2002-06-28

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
WSCP          

SRLS

Fix information
Fixed component name: WEBSPHERE AE AI
Fixed component ID: 5630A2200

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ60772
IBM Group: Software Group
Modified date: Jun 28, 2002