  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1582

WebSphere Application Server 7 - LDAP Groups show no users

Hello,

I'm using WAS 7 FP 19, with a standalone LDAP repository configured for Active Directory and global security turned on.  I first noticed an issue when I could not log into my applications as any user other than the administration user.  Upon investigation, I found that in the users and groups settings, I can see all users and groups, but the groups show no users and the users show no groups other than Domain Users.  The users are all members of several groups that affect the authorization inside the web application.

Any advice why this might be happening?

Kind regards

Darren
0
Asked: dbridle
2 Solutions
 
HonorGod commented:
Q: Did it ever work?

Q: Are you using SSL?

Q: Did you check / verify your configuration settings?
     http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_was_ad.html
0
 
dbridle (Author) commented:
Thanks for the response.

A. It has never worked
A. No
A. I'm not sure what any of that documentation refers to, however I'm not using Network Deployment, so perhaps that doesn't apply?

I think it is configured, because it's showing all of the users and groups in WAS.  Bit stumped by that link!
0
 
HonorGod commented:
Sorry.

I couldn't tell if you were using a stand-alone, or Network Deployment (ND) environment.
Many people who use LDAP authorization have an ND.  But that's not the important part. In an ND environment, one server (the Deployment Manager) is used to manage all of the federated application servers.

When you say that "its showing all of the users and groups in WAS", where are these users showing up?

By the way, here is the link to the stand-alone (Base) Application Server documentation page about "Authenticating users with LDAP registries in a Microsoft Active Directory forest"
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Ftsec_was_ad_filter.html&resultof=%22tsec_was_ad%22
0
 
dbridle (Author) commented:
Few things..

1. I'm using Standalone LDAP, not federated repositories (although I will be converting to this, but that's out of scope).

2. Under the Users and Groups section in the Admin Console, I can search for any user/groups and they all show up.  This must prove that AD is communicating with WAS, right?

3. When I select one of the groups it found, and select Members, it's empty.  But in AD, that group has 1 user account assigned to it.

4. When I try to add a user to the group in WAS, it says the user already exists in the group.

Any thoughts?

Thanks for your help so far!!

Darren
0
 
HonorGod commented:
Q: This must prove that AD is communicating with WAS right?
A: Maybe, I have to do some more investigation.  But I believe that the right way to describe it would be to say that WAS is communicating with AD, because AD never initiates the connection, it only responds to requests.

I have to go to a meeting.  After that, let me take a look and see what I can find.

Thanks for the interesting question.
0
 
HonorGod commented:
If you show the information about a specific user, does it identify all of the groups with which this member is associated?

We may be running into a situation where the thing for which you are asking might be considered too resource intensive to provide.

Consider the situation where you have a big company with lots of people, and lots of different groups.  Think how "expensive" it would be for the LDAP server (in this case AD) to tell you the list of members of "the company".

It is generally better to look at an individual to determine the groups of which (s)he is a member.

Does this make sense?

I'm still investigating...
0
 
HonorGod commented:
That may be wrong.  It appears that the more likely issue is related to the bind userid and password that are configured in the administrator console that are to be used to connect to the LDAP server aren't the ones that have the necessary authority to display the contents of the group(s) in question.
0
 
dbridle (Author) commented:
Ah, now that might make sense.  I'm 99% sure though that the bind user is a domain administrator!
0
 
HonorGod commented:
Are you going to double check that though?
0
 
dbridle (Author) commented:
Yes, just connecting to the environment now :)
0
 
dbridle (Author) commented:
Ok I checked, my bind user "ceadmin" is a member of Domain Users and ceinstallers.  ceinstallers is a member of local administrators.

I added ceadmin to Domain Admins, went into console but still the same issue.

I did notice though, that when I click on ceadmin in WAS users, and click groups, it does say Domain Users?
0
 
HonorGod commented:
I wonder if the AppServer caches the information about the bind user when you log into the Admin Console... if it does, and you later change the groups of which this user is included, the AdminConsole may not realize it, at least until you log out of the console, and then re-authenticate by logging back in.
0
 
dbridle (Author) commented:
I have WAS Administrative security login set to be outside of AD, so that if AD goes down, I can still log into WAS.  I have rebooted the box however, and still the same issue.

Fun one eh!  Even better, I have a demo on Friday, so I need to resolve this :(
0
 
dbridle (Author) commented:
From the SystemOut log:

[3/15/12 9:07:00:263 GMT] 00000045 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
[3/15/12 9:07:00:265 GMT] 00000045 FormLoginExte E   SECJ0118E: Authentication error during authentication for user dbridle

0
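The two SystemOut.log lines above carry more diagnostic value than the thread draws out: an LDAP result code 49 from Active Directory includes a "data" sub-code, and 52e specifically means AD resolved the account but rejected the password, which points at the credential itself rather than at group-read permissions (consistent with where the thread eventually lands). The following Python helper is an added example, not code from the thread, from IBM or from the participants. It parses WAS SECJ0369E/SECJ0118E lines, decodes the AD sub-code, joins the LDAP error with the later FormLogin message on the same WAS thread id, and returns a triage hint. The sample input is constructed from the two log lines quoted in the post; the sub-code table is the documented set of AD result codes for error 49; all function names are assumptions.

```python
import re

# Constructed sample input: the two SystemOut.log lines quoted in the post above.
SAMPLE_LOG = """\
[3/15/12 9:07:00:263 GMT] 00000045 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
[3/15/12 9:07:00:265 GMT] 00000045 FormLoginExte E   SECJ0118E: Authentication error during authentication for user dbridle
"""

# Documented Active Directory sub-codes carried in the "data NNN" field of an
# LDAP result 49 (invalidCredentials). Each one narrows the cause differently.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (account found, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Generic WAS SystemOut line: [timestamp] threadid component level MSGID: text
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<thread>[0-9A-Fa-f]{8}) (?P<comp>\S+)\s+"
    r"(?P<level>[A-Z])\s+(?P<msgid>SECJ\d{4}[A-Z]): (?P<msg>.*)$"
)
# The AD-specific error text embedded in the JNDI AuthenticationException.
LDAP_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]+): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), data (?P<data>[0-9a-f]+)"
)
USER_RE = re.compile(r"authentication for user (?P<user>\S+)")


def parse_line(line):
    """Parse one SystemOut line into a dict, or return None if it is not a SECJ message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev.update(ldap_code=None, ad_data=None, meaning=None, user=None)
    lm = LDAP_ERR_RE.search(ev["msg"])
    if lm:
        ev["ldap_code"] = int(lm.group("code"))
        ev["ad_data"] = lm.group("data")
        ev["meaning"] = AD_DATA_CODES.get(ev["ad_data"], "unknown AD sub-code")
    um = USER_RE.search(ev["msg"])
    if um:
        ev["user"] = um.group("user")
    return ev


def triage_systemout(text):
    """Return one record per failed authentication.

    WAS logs the LDAP failure (SECJ0369E) and the user name (SECJ0118E) as two
    lines; they share the thread id, so we join on it."""
    failures = []
    pending = {}  # thread id -> LDAP error record still waiting for its user line
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ldap_code"] is not None:
            pending[ev["thread"]] = ev
        elif ev["user"] and ev["thread"] in pending:
            rec = pending.pop(ev["thread"])
            rec["user"] = ev["user"]
            failures.append(rec)
    failures.extend(pending.values())  # LDAP errors with no matching user line
    return failures


def hint(rec):
    """Turn the decoded sub-code into the first thing an operator should check."""
    if rec["ldap_code"] != 49:
        return "not an AD credential failure; inspect the full exception text"
    if rec["ad_data"] == "52e":
        return ("AD found the account but rejected the password: verify the password "
                "exactly as WAS sends it (trailing or special characters, how it was "
                "entered or escaped), not group membership or read permissions")
    if rec["ad_data"] == "525":
        return "AD could not find the account: check the user filter and base DN"
    if rec["ad_data"] in ("532", "533", "701", "773", "775"):
        return "account state problem in AD: " + rec["meaning"]
    return "AD policy restriction: " + rec["meaning"]


if __name__ == "__main__":
    for rec in triage_systemout(SAMPLE_LOG):
        print(f"{rec['ts']} user={rec['user']} ldap={rec['ldap_code']}/{rec['ad_data']} "
              f"({rec['meaning']})\n  -> {hint(rec)}")
```

Run it against a real SystemOut.log by replacing SAMPLE_LOG with the file contents; the join on thread id is what lets you attach a user name to each LDAP error when many logins fail at once.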
 
dbridle (Author) commented:
Hello, I found the problem, I'm stunned!

The password had !! at the end, apparently, the web app doesn't like that!  Changed it to not include those and everything works fine, kind of annoyed!

Thanks for your help, awarding points as you were making me think about different ways to get to the solution!
0
 
HonorGod commented:
I am thrilled to hear that you figured it out.

Which "web app" didn't like the special characters?
Is it yours, or one of IBM's?
0
 
dbridle (Author) commented:
One of IBM's.
0
 
HonorGod commented:
Which one?
0
 
dbridle (Author) commented:
P8 Content Engine, although it could just as easily be WAS.
0
 
HonorGod commented:
You might want to consider contacting IBM technical support to open a product defect for this issue.

Is there anything else that I can do to assist with this question?
0
 
dbridle (Author) commented:
I may pursue it with IBM, but no nothing else, you have been very helpful thanks!
0
 
HonorGod commented:
You should probably close the question then.

Thanks.
0
 
dbridle (Author) commented:
It turned out to be a problem with the password I was using.  It took the suggestions from HonorGod to get to that point though.  Many thanks
0
