Fixes are available
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
APAR status
Closed as program error.
Error description
When LDAP is used as the user registry and a full DN is passed to getGroups or getUsers, the code searches for the DN with (objectclass=*), which does not distinguish between users and groups. Instead, it should use the relevant objectclasses for groups and users separately. A custom property is going to be added to enable honoring the user or group filter for full DN searches in the getUsers() and getGroups() methods.
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server version 6 users with Standalone Lightweight Directory Access Protocol (LDAP) user registry.
PROBLEM DESCRIPTION: LDAP user registry is not able to distinguish user object and group object when searching by using distinguished name.
RECOMMENDATION:

The original implementation of the LDAP user registry always uses a predefined search filter (i.e., "(objectclass=*)") when searching by a distinguished name. As a result, it may return a user object for a group search, and vice versa. To resolve the issue, two custom properties of the LDAP user registry are newly added:

1) To overwrite the distinguished name group search filter, add the following as an LDAP user registry custom property:
   key: com.ibm.websphere.security.ldap.groupDnSearchFilter
   value: the search filter, that is, (objectClass=group)

2) To overwrite the distinguished name user search filter, add the following as an LDAP user registry custom property:
   key: com.ibm.websphere.security.ldap.userDnSearchFilter
   value: the search filter, that is, (objectClass=user)
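The following added example is not WebSphere code. It is a small in-memory model of a base-scoped lookup by DN, showing why (objectclass=*) lets a user DN pass a group lookup and how a type-specific filter closes that gap. The directory entries, DNs and function names are constructed for illustration; only the two property names and the filters come from this APAR.

```python
# Added illustration: in-memory model of an LDAP base-scope search by DN.
# Entries, DNs and function names are constructed; this is not IBM's code.

DIRECTORY = {  # constructed sample entries, keyed by lower-cased DN
    "cn=alice,ou=people,dc=example,dc=com": {"objectClass": ["top", "person", "user"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"objectClass": ["top", "group"]},
}

DEFAULT_DN_FILTER = "(objectclass=*)"  # filter the APAR says was always used


def matches(entry, ldap_filter):
    """Evaluate one simple (attr=value) or (attr=*) filter, case-insensitively."""
    text = ldap_filter.strip()
    body = text[1:-1]
    if not (text.startswith("(") and text.endswith(")")) or "(" in body or "=" not in body:
        raise ValueError(f"unsupported filter in this model: {ldap_filter!r}")
    attr, _, wanted = body.partition("=")
    attr, wanted = attr.strip().lower(), wanted.strip().lower()
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if wanted == "*":  # presence filter: any entry carrying the attribute matches
        return bool(values)
    return wanted in (v.lower() for v in values)


def search_by_dn(dn, ldap_filter):
    """Base-scope search: return the DN only if the entry exists and passes the filter."""
    key = dn.strip().lower()
    entry = DIRECTORY.get(key)
    if entry is None or not matches(entry, ldap_filter):
        return []
    return [key]


def get_groups(dn, group_dn_filter=None):
    # group_dn_filter models com.ibm.websphere.security.ldap.groupDnSearchFilter
    return search_by_dn(dn, group_dn_filter or DEFAULT_DN_FILTER)


def get_users(dn, user_dn_filter=None):
    # user_dn_filter models com.ibm.websphere.security.ldap.userDnSearchFilter
    return search_by_dn(dn, user_dn_filter or DEFAULT_DN_FILTER)
```

In this model, a caller that treats any non-empty get_groups() result as a group is misled by the default filter when handed a user DN; with (objectClass=group) supplied, the same call returns nothing.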
Problem conclusion
With this fix, the LDAP user registry can now set separate search filters for group and user searches. The fix for this APAR is currently targeted for inclusion in fix packs 6.0.2.27 and 6.1.0.15. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
A test fix was sent to the PMR originator.
Comments
APAR Information
APAR number
PK51257
Reported component name
WEBSPH APP SERV
Reported component ID
5724J0800
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-08-20
Closed date
2007-12-06
Last modified date
2007-12-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPH APP SERV
Fixed component ID
5724J0800
Applicable component levels
R60A PSY UP
R60H PSY UP
R60I PSY UP
R60P PSY UP
R60S PSY UP
R60W PSY UP
R60Z PSY UP
R61A PSY UP
R61H PSY UP
R61I PSY UP
R61P PSY UP
R61S PSY UP
R61W PSY UP
R61Z PSY UP
Document Information
Modified date:
29 December 2021