IBM Support

PK42672: SECURITY WILL MAKE MULTIPLE LDAP CALLS WHEN LDAP HOSTNAME IS MAPPED WITH MULTIPLE IP ADDRESSES.

Fixes are available

Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When single LDAP hostname is mapped to multiple IP address in
network configuration,
If invalid password is entered at the time of login,
WebSphere makes LDAP bind retries as many times as (number of
associated ip addresses + 1)
This may cause LDAP account lockout.

Impact : One invalid logon can cause LDAP account lockout.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  WebSphere Application Server users of       *
*                  Lightweight Directory Access Protocol       *
*                  (LDAP)                                      *
*                  user registries                             *
****************************************************************
* PROBLEM DESCRIPTION: One login try with an incorrect         *
*                      password causes an LDAP user account    *
*                      lockout.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a single LDAP hostname is mapped to multiple IP addresses
in a network configuration, if an invalid password is
entered at the time of login, Application Server retries
LDAP bind as many times as (number of associated ip
addresses + 1) This may cause an LDAP account lockout.

    



Problem conclusion


    

  • The following custom properties are introduced to prevent the
issue from happening. It depends on the LDAP failover
configuration to choose which property to use.

1. If LDAP failover is configured by registering backend LDAP
server hostnames using wsadmin command, set the following
property to true by going Security->User Registries -> LDAP ->
Custom Properties in the administrative console

com.ibm.websphere.security.ldap.retryBind

If this property is set to false, Application Server does not
retry LDAP bind calls. The default value for this property is
true.

2. If LDAP failover is configured by associating hostname
with mutlipe ip addresses using network configuration, set the
following property to false by going Security-> User
Registries -> LDAP -> Custom Properties in the administrative
console.

com.ibm.websphere.security.registry.ldap.singleLDAP

If this property is set to true, Application Server does not
resolve an LDAP hostname to multiple IP addressed. The default
value for this property is false.

The fix for this APAR is currently targeted for inclusion
in fixpacks 6.0.2.21 and 6.1.0.11.
Please refer to the recommended updates page for delivery
information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PK42672
    • 

  • Reported component name
    WEBSPH APP SERV
    • 

  • Reported component ID
    5724J0800
    • 

  • Reported release
    60W
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2007-04-04
    • 

  • Closed date
    2007-05-21
    • 

  • Last modified date
    2012-02-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
PK45229
    

    • 



Modules/Macros


    

  • SECURITY

    



Fix information


    

  • Fixed component name
    WEBSPH APP SERV
    • 

  • Fixed component ID
    5724J0800
    • 



Applicable component levels


    

  • R60A  PSY
       UP
    • 

  • R60H  PSY
       UP
    • 

  • R60I  PSY
       UP
    • 

  • R60P  PSY
       UP
    • 

  • R60S  PSY
       UP
    • 

  • R60W  PSY
       UP
    • 

  • R60Z  PSY
       UP
    • 

  • R61A  PSY
       UP
    • 

  • R61H  PSY
       UP
    • 

  • R61I  PSY
       UP
    • 

  • R61P  PSY
       UP
    • 

  • R61S  PSY
       UP
    • 

  • R61W  PSY
       UP
    • 

  • R61Z  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            28 December 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback