IBM Support

PI30252: getUsersForGroup does not return members of subgroups when baseEntries and nameInRepository differs

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • The UserRegistry.getUser ForGroup does not return nested users
    of a group in LDAP when configured LDAP repository baseEntries
    and nameInRepository differs.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: The UserRegistry.getUsersForGroup       *
    *                      does not return nested members of a     *
    *                      group in LDAP when configured LDAP      *
    *                      repository baseEntries                  *
    *                      and nameInRepository differs.           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The UserRegistry API call getUsersForGroup(), does not return
    nested members of subgroups for an Ldap repository when
    baseEntries and nameInRepository differs in LDAP repository
    configuration, even when you specify a parameter to get the
    nested members. The API call completes without an exception
    but only direct members of the group are returned.
    

Problem conclusion

  • In order to get nested members from the API call
    getUsersForGroup(), you need to set a custom property
    "com.ibm.ws.wim.adapter.ldap.returnNestedNonGroupMembers" with
    value "true".
    
    In order to set this property, use the following command:
    
    $AdminTask setIdMgrCustomProperty { -id <Ldap Repository Id>
    -name com.ibm.ws.wim.adapter.ldap.returnNestedNonGroupMembers
    -value true}
    
    Here "Ldap_Repository_Id" is the repository id of the LDAP
    configured in VMM.
    Also save the configuration after running the previous command
    using:
    
    $AdminConfig save
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.39, 8.0.0.11 and 8.5.5.6.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI30252

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-11-24

  • Closed date

    2015-02-23

  • Last modified date

    2015-02-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI30252

Modified date: 23 February 2015