Websphere Application Server 7 - LDAP Groups show no users
I'm using WAS 7 FP 19, with a standalone LDAP repository configured for Active Directory and global security turned on. I first noticed an issue when I could not log into my applications as any user other than the administration user. Upon investigation, I found that in the users and groups settings, I can see all users and groups, but the groups show no users and the users show no groups other than Domain Users. The users are all members of several groups that affect the authorization inside the web application.

Any advice why this might be happening?

Kind regards


HonorGod (Software Engineer) commented:
Q: Did it ever work?

Q: Are you using SSL?

Q: Did you check / verify your configuration settings?
dbridle (Author) commented:
Thanks for the response.

A. It has never worked
A. No
A. I'm not sure what any of that documentation refers to; however, I'm not using Network Deployment, so perhaps that doesn't apply?

I think it is configured, because it's showing all of the users and groups in WAS. Bit stumped by that link!
HonorGod (Software Engineer) commented:

I couldn't tell if you were using a stand-alone, or Network Deployment (ND) environment.
Many people who use LDAP authorization have an ND.  But that's not the important part. In an ND environment, one server (the Deployment Manager) is used to manage all of the federated application servers.

When you say that "it's showing all of the users and groups in WAS", where are these users showing up?

By the way, here is the link to the stand-alone (Base) Application Server documentation page about "Authenticating users with LDAP registries in a Microsoft Active Directory forest"

dbridle (Author) commented:
Few things..

1. I'm using standalone LDAP, not federated repositories (although I will be converting to this, but that's out of scope).

2. Under the Users and Groups section in the Admin Console, I can search for any users/groups and they all show up. This must prove that AD is communicating with WAS, right?

3. When I select one of the groups it found, and select Members, it's empty. But in AD, that group has 1 user account assigned to it.

4. When I try to add a user to the group in WAS, it says the user already exists in the group.

Any thoughts?

Thanks for your help so far!!

HonorGod (Software Engineer) commented:
Q: This must prove that AD is communicating with WAS, right?
A: Maybe, I have to do some more investigation. But I believe that the right way to describe it would be to say that WAS is communicating with AD, because AD never initiates the connection; it only responds to requests.

I have to go to a meeting.  After that, let me take a look and see what I can find.

Thanks for the interesting question.
HonorGod (Software Engineer) commented:
If you show the information about a specific user, does it identify all of the groups with which this member is associated?

We may be running into a situation where the thing for which you are asking might be considered too resource intensive to provide.

Consider the situation where you have a big company with lots of people, and lots of different groups.  Think how "expensive" it would be for the LDAP server (in this case AD) to tell you the list of members of "the company".

It is generally better to look at an individual to determine the groups of which (s)he is a member.

Does this make sense?

I'm still investigating...
HonorGod (Software Engineer) commented:
That may be wrong.  It appears that the more likely issue is related to the bind userid and password that are configured in the administrator console that are to be used to connect to the LDAP server aren't the ones that have the necessary authority to display the contents of the group(s) in question.
dbridle (Author) commented:
Ah, now that might make sense. I'm 99% sure though that the bind user is a domain administrator!
HonorGod (Software Engineer) commented:
Are you going to double check that though?
dbridle (Author) commented:
Yes, just connecting to the environment now :)
dbridle (Author) commented:
OK, I checked: my bind user "ceadmin" is a member of Domain Users and ceinstallers. ceinstallers is a member of local administrators.

I added ceadmin to Domain Admins, went into console but still the same issue.

I did notice though, that when I click on ceadmin in WAS users, and click groups, it does say Domain Users?
HonorGod (Software Engineer) commented:
I wonder if the AppServer caches the information about the bind user when you log into the Admin Console... if it does, and you later change the groups of which this user is included, the AdminConsole may not realize it, at least until you log out of the console, and then re-authenticate by logging back in.
dbridle (Author) commented:
I have WAS Administrative security login set to be outside of AD, so that if AD goes down, I can still log into WAS.  I have rebooted the box however, and still the same issue.

Fun one, eh! Even better, I have a demo on Friday, so I need to resolve this :(
dbridle (Author) commented:
From the SystemOut log:

[3/15/12 9:07:00:263 GMT] 00000045 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
[3/15/12 9:07:00:265 GMT] 00000045 FormLoginExte E   SECJ0118E: Authentication error during authentication for user dbridle

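The `data 52e` in the first log line above is Active Directory's sub-code for a rejected password on an otherwise valid bind DN, which is the kind of detail a defender wants to pull out of SystemOut.log automatically. The following is an added example, not code from the thread or from IBM: a small Python parser that extracts the LDAP result code and AD sub-code from log lines in the format quoted above and maps the sub-code to its meaning. The first two sample lines reuse the post's format; the third is constructed with a made-up timestamp and thread id.

```python
import re
from typing import List, NamedTuple, Optional

# Sample SystemOut.log excerpt: lines 1-2 follow the post, line 3 is constructed.
SAMPLE_LOG = """\
[3/15/12 9:07:00:263 GMT] 00000045 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
[3/15/12 9:07:00:265 GMT] 00000045 FormLoginExte E   SECJ0118E: Authentication error during authentication for user dbridle
[3/15/12 9:12:41:100 GMT] 00000047 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
"""

# Active Directory sub-codes that accompany LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: the bind DN resolved but the password was rejected",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the "[LDAP: error code NN - HHHHHHHH: LdapErr: DSID-..., comment: ..., data XXX" fragment.
_LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]+): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

class BindError(NamedTuple):
    timestamp: str
    result_code: int
    subcode: str
    comment: str
    meaning: str

def parse_bind_error(line: str) -> Optional[BindError]:
    """Return the LDAP bind failure carried by one SystemOut.log line, or None if the line has none."""
    m = _LDAP_ERR.search(line)
    if not m:
        return None
    ts_end = line.find("]")  # WAS log lines open with "[timestamp]"
    timestamp = line[1:ts_end] if line.startswith("[") and ts_end > 0 else ""
    sub = m.group("data").lower()
    return BindError(timestamp, int(m.group("code")), sub, m.group("comment"),
                     AD_BIND_SUBCODES.get(sub, "unknown AD sub-code"))

def bind_errors(log_text: str) -> List[BindError]:
    # Collect every AD bind failure in a SystemOut.log excerpt, in log order.
    return [e for e in (parse_bind_error(l) for l in log_text.splitlines()) if e]
```

A run of `52e` entries for one user points at a credential problem on the WAS side (as it did here), while `775` entries are the lockout a failed-bind loop produces and deserve alerting.
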
dbridle (Author) commented:
Hello, I found the problem, I'm stunned!

The password had !! at the end, apparently, the web app doesn't like that!  Changed it to not include those and everything works fine, kind of annoyed!

Thanks for your help, awarding points as you were making me think about different ways to get to the solution!

HonorGod (Software Engineer) commented:
I am thrilled to hear that you figured it out.

Which "web app" didn't like the special characters?
Is it yours, or one of IBM's?
dbridle (Author) commented:
One of IBM's.
HonorGod (Software Engineer) commented:
Which one?
dbridle (Author) commented:
P8 Content Engine, although it could just as easily be WAS.
HonorGod (Software Engineer) commented:
You might want to consider contacting IBM technical support to open a product defect for this issue.

Is there anything else that I can do to assist with this question?
dbridle (Author) commented:
I may pursue it with IBM, but no, nothing else; you have been very helpful, thanks!
HonorGod (Software Engineer) commented:
You should probably close the question then.

dbridle (Author) commented:
It turned out to be a problem with the password I was using. It took the suggestions from HonorGod to get to that point though. Many thanks.