Solved

Websphere Application Server 7 - LDAP Groups show no users

Posted on 2012-03-14
23
1,507 Views
Last Modified: 2012-03-28
Hello,

I'm using WAS 7 FP 19, with a standalone LDAP repository configured for Active Directory and global security turned on.  I first noticed an issue when I could not log into my applications as any user other than the administration user.  Upon investigation, I found that in the users and groups settings, I can see all users and groups, but the groups show no users and the users show no groups other than Domain Users.  The users are all members of several groups that affect the authorization inside the web application.

Any advice why this might be happening?

Kind regards

Darren
0
Comment
Question by:dbridle
23 Comments
 
LVL 41

Expert Comment

by:HonorGod
ID: 37719612
Q: Did it ever work?

Q: Are you using SSL?

Q: Did you check / verify your configuration settings?
     http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_was_ad.html
0
 

Author Comment

by:dbridle
ID: 37719682
Thanks for the response.

A. It has never worked
A. No
A. I'm not sure what any of that documentation refers to; however, I'm not using Network Deployment, so perhaps that doesn't apply?

I think it is configured, because it's showing all of the users and groups in WAS.  Bit stumped by that link!
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37719746
Sorry.

I couldn't tell if you were using a stand-alone, or Network Deployment (ND) environment.
Many people who use LDAP authorization have an ND.  But that's not the important part. In an ND environment, one server (the Deployment Manager) is used to manage all of the federated application servers.

When you say that "it's showing all of the users and groups in WAS", where are these users showing up?

By the way, here is the link to the stand-alone (Base) Application Server documentation page about "Authenticating users with LDAP registries in a Microsoft Active Directory forest":
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Ftsec_was_ad_filter.html&resultof=%22tsec_was_ad%22
0
 

Author Comment

by:dbridle
ID: 37719764
Few things...

1. I'm using standalone LDAP, not federated repositories (although I will be converting to this, but that's out of scope).

2. Under the Users and Groups section in the Admin Console, I can search for any user/group and they all show up.  This must prove that AD is communicating with WAS, right?

3. When I select one of the groups it found, and select Members, it's empty.  But in AD, that group has 1 user account assigned to it.

4. When I try to add a user to the group in WAS, it says the user already exists in the group.

Any thoughts?

Thanks for your help so far!!

Darren
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37719818
Q: This must prove that AD is communicating with WAS, right?
A: Maybe, I have to do some more investigation.  But I believe that the right way to describe it would be to say that WAS is communicating with AD, because AD never initiates the connection, it only responds to requests.

I have to go to a meeting.  After that, let me take a look and see what I can find.

Thanks for the interesting question.
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37720384
If you show the information about a specific user, does it identify all of the groups with which this member is associated?

We may be running into a situation where the thing for which you are asking might be considered too resource intensive to provide.

Consider the situation where you have a big company with lots of people, and lots of different groups.  Think how "expensive" it would be for the LDAP server (in this case AD) to tell you the list of members of "the company".

It is generally better to look at an individual to determine the groups of which (s)he is a member.

Does this make sense?

I'm still investigating...
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37720493
That may be wrong.  It appears that the more likely issue is that the bind userid and password configured in the administrative console (the ones used to connect to the LDAP server) aren't the ones that have the necessary authority to display the contents of the group(s) in question.
0
 

Author Comment

by:dbridle
ID: 37720521
Ah, now that might make sense.  I'm 99% sure, though, that the bind user is a domain administrator!
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37720580
Are you going to double check that though?
0
 

Author Comment

by:dbridle
ID: 37720590
Yes, just connecting to the environment now :)
0
 

Author Comment

by:dbridle
ID: 37720621
OK, I checked: my bind user "ceadmin" is a member of Domain Users and ceinstallers.  ceinstallers is a member of local administrators.

I added ceadmin to Domain Admins and went into the console, but still the same issue.

I did notice, though, that when I click on ceadmin in WAS users and click Groups, it does say Domain Users?
0
 
LVL 41

Assisted Solution

by:HonorGod
HonorGod earned 500 total points
ID: 37721934
I wonder if the AppServer caches the information about the bind user when you log into the Admin Console... If it does, and you later change the groups in which this user is included, the Admin Console may not realize it, at least until you log out of the console and then re-authenticate by logging back in.
0
 

Author Comment

by:dbridle
ID: 37722728
I have the WAS administrative security login set to be outside of AD, so that if AD goes down, I can still log into WAS.  I have rebooted the box, however, and still the same issue.

Fun one eh!  Even better, I have a demo on Friday, so I need to resolve this :(
0
 

Author Comment

by:dbridle
ID: 37723963
From the SystemOut log:

[3/15/12 9:07:00:263 GMT] 00000045 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
[3/15/12 9:07:00:265 GMT] 00000045 FormLoginExte E   SECJ0118E: Authentication error during authentication for user dbridle

0
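The two log lines above are the most useful evidence in the thread: LDAP error code 49 is "invalid credentials", and Active Directory qualifies it with the "data 52e" sub-code, which specifically means the account exists but the password presented was wrong. That matches the eventual finding that the configured password (ending in "!!") was not reaching AD intact. The following script is an added example, not code from the thread or from IBM: it parses WebSphere SystemOut.log lines in the format shown, decodes the AD sub-code of each SECJ0369E bind failure, correlates it with the SECJ0118E line on the same thread id to recover the user name, and counts failures per account so repeated wrong-password attempts (which precede a lockout) stand out. The sample log is constructed from the two quoted lines plus one extra line with sub-code 775 added to show a second case; the sub-code table is the standard Microsoft AD bind-error mapping.

```python
import re

# Constructed sample: the two lines quoted in the thread, plus a third line (data 775)
# added here to show a different sub-code. Not real data from the poster's system.
SAMPLE_LOG = """\
[3/15/12 9:07:00:263 GMT] 00000045 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
[3/15/12 9:07:00:265 GMT] 00000045 FormLoginExte E   SECJ0118E: Authentication error during authentication for user dbridle
[3/15/12 9:08:10:001 GMT] 00000046 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
"""

# Active Directory bind-failure sub-codes returned as "data NNN" alongside LDAP error 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, password rejected)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# "[timestamp] <8-hex thread id> <component> <level>   SECJnnnnX: message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9A-Fa-f]{8})\s+\S+\s+\w\s+"
    r"(?P<msgid>SECJ\d{4}[A-Z]):\s*(?P<msg>.*)$"
)
LDAP49_RE = re.compile(r"\[LDAP: error code (?P<code>\d+) -.*?data (?P<sub>[0-9a-fA-F]+),")
USER_RE = re.compile(r"for user (?P<user>\S+)$")


def parse_bind_failures(log_text):
    """Return one record per SECJ0369E line, with the AD sub-code decoded and, where a
    SECJ0118E on the same thread id follows, the user name attached."""
    failures = []
    pending = {}  # thread id -> failure record still waiting for its SECJ0118E line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a security-message line in the expected format
        msgid, msg, thread = m.group("msgid"), m.group("msg"), m.group("thread")
        if msgid == "SECJ0369E":
            ldap = LDAP49_RE.search(msg)
            sub = ldap.group("sub").lower() if ldap else None
            rec = {
                "time": m.group("ts"),
                "thread": thread,
                "ldap_code": int(ldap.group("code")) if ldap else None,
                "ad_subcode": sub,
                "meaning": AD_BIND_SUBCODES.get(sub, "unknown sub-code"),
                "user": None,
            }
            failures.append(rec)
            pending[thread] = rec
        elif msgid == "SECJ0118E" and thread in pending:
            u = USER_RE.search(msg)
            if u:
                pending.pop(thread)["user"] = u.group("user")
    return failures


def summarize(failures):
    """Count failures per (user, sub-code) so a run of 52e for one account stands out."""
    counts = {}
    for f in failures:
        key = (f["user"] or "<unknown>", f["ad_subcode"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_bind_failures(SAMPLE_LOG)
    for r in records:
        print(f'{r["time"]} thread={r["thread"]} user={r["user"]} '
              f'code={r["ldap_code"]} data={r["ad_subcode"]}: {r["meaning"]}')
    print(summarize(records))
```

Run it against a real SystemOut.log by replacing SAMPLE_LOG with the file contents. A 52e against the bind account itself (rather than an end user) is the first thing to check when the console lists users and groups but never shows membership, since WAS can still browse with a partially working configuration while group-member lookups fail.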
 

Accepted Solution

by:dbridle
dbridle earned 0 total points
ID: 37723975
Hello, I found the problem, I'm stunned!

The password had !! at the end; apparently, the web app doesn't like that!  I changed it to not include those and everything works fine, kind of annoyed!

Thanks for your help, awarding points as you were making me think about different ways to get to the solution!
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37724174
I am thrilled to hear that you figured it out.

Which "web app" didn't like the special characters?
Is it yours, or one of IBM's?
0
 

Author Comment

by:dbridle
ID: 37724190
One of IBM's.
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37724540
Which one?
0
 

Author Comment

by:dbridle
ID: 37724604
P8 Content Engine, although it could just as easily be WAS.
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37738707
You might want to consider contacting IBM technical support to open a product defect for this issue.

Is there anything else that I can do to assist with this question?
0
 

Author Comment

by:dbridle
ID: 37738792
I may pursue it with IBM, but no, nothing else, you have been very helpful, thanks!
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 37738854
You should probably close the question then.

Thanks.
0
 

Author Closing Comment

by:dbridle
ID: 37775639
It turned out to be a problem with the password I was using.  It took the suggestions from HonorGod to get to that point, though.  Many thanks.
0
