Fixes are available
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
When a single LDAP hostname is mapped to multiple IP addresses in the network configuration and an invalid password is entered at login, WebSphere retries the LDAP bind (number of associated IP addresses + 1) times. This may cause an LDAP account lockout. Impact: One invalid logon can cause an LDAP account lockout.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users of        *
*                 Lightweight Directory Access Protocol        *
*                 (LDAP) user registries                       *
****************************************************************
* PROBLEM DESCRIPTION: One login try with an incorrect         *
*                      password causes an LDAP user account    *
*                      lockout.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a single LDAP hostname is mapped to multiple IP addresses in a network configuration and an invalid password is entered at the time of login, Application Server retries the LDAP bind (number of associated IP addresses + 1) times. This may cause an LDAP account lockout.
Problem conclusion
The following custom properties are introduced to prevent the issue from happening. Which property to use depends on the LDAP failover configuration.

1. If LDAP failover is configured by registering backend LDAP server hostnames using the wsadmin command, set the following property to true under Security -> User Registries -> LDAP -> Custom Properties in the administrative console:

   com.ibm.websphere.security.ldap.retryBind

   If this property is set to false, Application Server does not retry LDAP bind calls. The default value for this property is true.

2. If LDAP failover is configured by associating a hostname with multiple IP addresses using the network configuration, set the following property to false under Security -> User Registries -> LDAP -> Custom Properties in the administrative console:

   com.ibm.websphere.security.registry.ldap.singleLDAP

   If this property is set to true, Application Server does not resolve an LDAP hostname to multiple IP addresses. The default value for this property is false.

The fix for this APAR is currently targeted for inclusion in fixpacks 6.0.2.21 and 6.1.0.11. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
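To check whether a deployment is exposed to the condition this APAR describes, the following added example (not IBM code and not part of the original APAR) resolves an LDAP hostname, counts its distinct IP addresses, and applies the (number of IP addresses + 1) bind count to a directory lockout threshold. The hostname, the threshold and the sample resolver are constructed assumptions.

```python
import math
import socket

def resolve_ips(hostname, port=389, resolver=socket.getaddrinfo):
    """Return the sorted, de-duplicated IP addresses a hostname maps to."""
    infos = resolver(hostname, port, 0, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def lockout_exposure(ip_count, lockout_threshold):
    """Bind attempts per bad login and bad logins needed to reach lockout."""
    # The APAR gives (IP addresses + 1) binds for a hostname with multiple
    # addresses. Treating a single-address host as one bind is an assumption.
    binds = ip_count + 1 if ip_count > 1 else 1
    return binds, math.ceil(lockout_threshold / binds)

def assess(hostname, lockout_threshold, resolver=socket.getaddrinfo):
    """Summarise lockout exposure for one LDAP hostname."""
    ips = resolve_ips(hostname, resolver=resolver)
    binds, logins = lockout_exposure(len(ips), lockout_threshold)
    return {
        "hostname": hostname,
        "ips": ips,
        "binds_per_bad_login": binds,
        "bad_logins_to_lockout": logins,
        "single_typo_locks_account": logins <= 1,
    }

def sample_resolver(host, port, family=0, type=0):
    """Constructed stand-in for DNS so the example runs offline."""
    addrs = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.10"]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in addrs]

if __name__ == "__main__":
    # Hypothetical hostname and a directory policy of 3 failed binds.
    report = assess("ldap.example.com", 3, resolver=sample_resolver)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it without the `resolver` argument to query real DNS from the application server host, since that is the view of the hostname the server itself uses.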
Temporary fix
Comments
APAR Information
APAR number
PK42672
Reported component name
WEBSPH APP SERV
Reported component ID
5724J0800
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-04-04
Closed date
2007-05-21
Last modified date
2012-02-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PK45229
Modules/Macros
SECURITY
Fix information
Fixed component name
WEBSPH APP SERV
Fixed component ID
5724J0800
Applicable component levels
R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
Document Information
Modified date:
28 December 2021