IBM Support

PI21458: SUPPORT FOR LOGIN POLICY TO CHANGE PASSWORD AFTER FIRST LOGIN IN FEDERATED REPOSITORY WITH LDAP REPOSITORY CONFIGURED.

Fixes are available

7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Currently federated repository throws an exception only for
    Active directory if the login policy is configured in it. For
    the rest of the LDAPs federated repository allows the login
    and does not entertain the login policy configuration in the
    back end LDAP.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: No support for entertaining LDAP login  *
    *                      policy to "change password after first  *
    *                      login" in federated repository.         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    If in the backend LDAP user has set the login policy to
    "change password after first login" then federated repository
    is not enforcing the login policy during login.
    

Problem conclusion

  • Federated repository entertains the login policy of "password
    must be reset" after first login if it is set in the backend
    ldap and throws an appropriate exception to the user.
    
    To enable this functionality a custom property need to be
    configured in each of the LDAP repositories for which login
    policy supported is required. The custom property that needs
    to be set is isPolicyEnforced whose value should be set to
    true. Unless this custom property is not the login policy will
    not come into effect for the login operation.
    
    This custom property can be set through the
    setIdMgrCustomProperty CLI as:
    
    Syntax: $AdminTask setIdMgrCustomProperty {-id
    <ldap_repository_name> -name <property_name> -value <value>}
    
    Example:
    $AdminTask setIdMgrCustomProperty {-id LDAP1 -name
    isPolicyEnforced -value true}
    
    Restart the sever after configuring the custom property.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.35, 8.5.5.4 and 8.0.0.10.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI21458

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-07-08

  • Closed date

    2014-09-15

  • Last modified date

    2015-02-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI21458

Modified date: 25 February 2015