PK42672: SECURITY WILL MAKE MULTIPLE LDAP CALLS WHEN LDAP HOSTNAME IS MAPPED WITH MULTIPLE IP ADDRESSES.

Fixes are available

APAR status

Closed as program error.

Error description

When single LDAP hostname is mapped to multiple IP address in
network configuration,
If invalid password is entered at the time of login,
WebSphere makes LDAP bind retries as many times as (number of
associated ip addresses + 1)
This may cause LDAP account lockout.

Impact : One invalid logon can cause LDAP account lockout.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  WebSphere Application Server users of       *
*                  Lightweight Directory Access Protocol       *
*                  (LDAP)                                      *
*                  user registries                             *
****************************************************************
* PROBLEM DESCRIPTION: One login try with an incorrect         *
*                      password causes an LDAP user account    *
*                      lockout.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a single LDAP hostname is mapped to multiple IP addresses
in a network configuration, if an invalid password is
entered at the time of login, Application Server retries
LDAP bind as many times as (number of associated ip
addresses + 1) This may cause an LDAP account lockout.

Problem conclusion

The following custom properties are introduced to prevent the
issue from happening. It depends on the LDAP failover
configuration to choose which property to use.

1. If LDAP failover is configured by registering backend LDAP
server hostnames using wsadmin command, set the following
property to true by going Security->User Registries -> LDAP ->
Custom Properties in the administrative console

com.ibm.websphere.security.ldap.retryBind

If this property is set to false, Application Server does not
retry LDAP bind calls. The default value for this property is
true.

2. If LDAP failover is configured by associating hostname
with mutlipe ip addresses using network configuration, set the
following property to false by going Security-> User
Registries -> LDAP -> Custom Properties in the administrative
console.

com.ibm.websphere.security.registry.ldap.singleLDAP

If this property is set to true, Application Server does not
resolve an LDAP hostname to multiple IP addressed. The default
value for this property is false.

The fix for this APAR is currently targeted for inclusion
in fixpacks 6.0.2.21 and 6.1.0.11.
Please refer to the recommended updates page for delivery
information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK42672
Reported component name
WEBSPH APP SERV
Reported component ID
5724J0800
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-04-04
Closed date
2007-05-21
Last modified date
2012-02-01

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

PK45229

Modules/Macros

```
SECURITY
```

Fix information

Fixed component name
WEBSPH APP SERV
Fixed component ID
5724J0800

Applicable component levels

R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP

Rate this page:

(0 users)Average rating

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Document information

WebSphere Application Server

General

Software version:
6.0

Reference #:
PK42672

Modified date:
2012-02-01

PK42672: SECURITY WILL MAKE MULTIPLE LDAP CALLS WHEN LDAP HOSTNAME IS MAPPED WITH MULTIPLE IP ADDRESSES.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R60A PSY

R60H PSY

R60I PSY

R60P PSY

R60S PSY

R60W PSY

R60Z PSY

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61S PSY

R61W PSY

R61Z PSY

Rate this page:

Copyright and trademark information

Rate this page:

Add comments

Document information

Translate my page

Content navigation

Footer links