You are having a Lightweight Directory Access Protocol (LDAP) integration problem in WebSphere Process Server. You would like to know what documentation you must collect (MustGather) so that the WebSphere Process Server Support team can diagnose your problem. Gathering this documentation before you contact support expedites the troubleshooting process and saves you time.
Resolving the problem
LDAP configuration problems have many causes:
- The distinguished name (DN) is not in the access control list (ACL), so some LDAP queries cannot be performed.
- The DN was locked out of LDAP because of too many failed login attempts.
- The DN password is not valid; it might have been changed.
- The LDAP server might not allow anonymous queries.
- The default filter defined in WebSphere Application Server might not be compatible with your settings (for example, objectclass=someObjectClass is not defined).
- The firewall does not allow communication on the port.
- The LDAP server is set to use a nonstandard port (the standard ports are 389 and 636 for SSL).
- The LDAP administrator ID is used as the server ID, but the administrator is not defined as a regular user.
These are only some of the possible reasons for LDAP configuration problems. The best and fastest way to debug the problem is to use the ldapsearch utility. This utility is similar to what WebSphere Process Server uses to query the LDAP server, but it is used on the command line. The ldapsearch utility bypasses WebSphere Process Server and allows you to see what is returned from the query, which is normally hidden by WebSphere Process Server. On UNIX® systems, ldapsearch is a native tool; for Windows® systems, you can download a corresponding version here: ldapsearch (Windows).
The method for using ldapsearch is to use the same configuration settings that you have defined for the WebSphere Process Server Administrative console > Security > Global security > User registries > LDAP settings.
| Setting | Description |
|---|---|
| Server user ID | The short name of the ID that is queried from LDAP |
| Server user password | The server user ID password in LDAP |
| Directory type | A predefined list of supported LDAP servers. Selecting the proper directory updates the filters that are defined in Advanced properties. These can be changed. |
| Host | The host name of the LDAP server. This name can be a short name, long name, or IP address. |
| Port | The default LDAP port is 389. |
| Base distinguished name (baseDN) | Query starting location in your LDAP tree |
| Bind distinguished name (bindDN) | The fully qualified DN that has the authority to "bind" to the LDAP server and perform the requested queries. Some LDAP servers allow anonymous queries, so bindDN and bind password might not be required. |
| Bind password | BindDN password |
LDAP Advanced Properties
| Setting | Description |
|---|---|
| User filter | The string that is used to query the LDAP server |
| User ID map | The definition of what is displayed in WebSphere from the resulting query |
The directory server can be queried with the following command:
ldapsearch -h host -p port -b "baseDN" -D bindDN -w bind_password "user_filter"
On Tivoli® Directory Server, using the -w option with a question mark ( ? ) prompts you for bind_password so that the password does not appear in the shell history. The password security mechanism for your version of ldapsearch and your LDAP server might differ.
The following is a short example of using ldapsearch:
C:\> ldapsearch -h petunia -p 389 -b "o=ibm,c=us" uid=test
The search should return exactly one result. If no result or more than one result is returned, modify user_filter and the filters that are used in WebSphere Process Server.
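The following script is an added example and is not part of the IBM technote. It assembles the ldapsearch command from the console settings described above, substitutes the user ID into the user filter, and applies the "exactly one result" check to the LDIF output that ldapsearch prints. The host, DNs and filter are hypothetical values, and the `%v` placeholder is assumed to be the WebSphere user-filter convention; the LDIF output is constructed sample data so the check runs offline.

```shell
#!/bin/sh
# Added example (not IBM's code): check WebSphere LDAP registry settings with ldapsearch.

# Hypothetical values mirroring the Global security > LDAP console fields.
LDAP_HOST="petunia"
LDAP_PORT="389"
BASE_DN="o=ibm,c=us"
BIND_DN="cn=wpsbind,o=ibm,c=us"
# Assumed WebSphere-style user filter; %v stands for the user ID being looked up.
USER_FILTER='(&(uid=%v)(objectclass=ePerson))'

# Replace the %v placeholder with the user ID that fails to log in.
build_filter() {
    printf '%s\n' "$USER_FILTER" | sed "s/%v/$1/"
}

# Print the ldapsearch command line. "-w ?" prompts for the bind password
# on Tivoli Directory Server so it does not land in the shell history.
build_command() {
    printf 'ldapsearch -h %s -p %s -b "%s" -D "%s" -w ? "%s"\n' \
        "$LDAP_HOST" "$LDAP_PORT" "$BASE_DN" "$BIND_DN" "$(build_filter "$1")"
}

# Count entries in LDIF output: every returned entry starts with a "dn:" line.
# "|| true" keeps grep's exit status 1 on zero matches from aborting under set -e.
count_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# Classify the result as the technote says to read it:
# ok = exactly one match, no-match = fix the filter or baseDN,
# ambiguous = the filter matches several entries and must be narrowed.
check_result() {
    n=$(count_entries "$1")
    case "$n" in
        0) echo "no-match" ;;
        1) echo "ok" ;;
        *) echo "ambiguous" ;;
    esac
}

# Constructed sample LDIF output, in the form ldapsearch prints it.
SAMPLE_ONE='dn: uid=test,ou=people,o=ibm,c=us
uid: test
objectclass: ePerson'
SAMPLE_TWO='dn: uid=test,ou=people,o=ibm,c=us
uid: test

dn: uid=test,ou=contractors,o=ibm,c=us
uid: test'
```

Run `build_command test` to obtain the command to paste into the shell, then feed its output to `check_result` (for example, `check_result "$(ldapsearch ...)"`).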
Collecting general information
Submit to IBM Support the relevant information documented in the Collecting troubleshooting data for WebSphere Process Server for Version 6 technote.
Collecting LDAP-specific information
Submit the following LDAP-specific information to IBM Support, following the instructions in the Exchanging Information with IBM technical support technote:
- Output of the ldapsearch query for your environment, using the same settings (baseDN, bindDN, bind password, and so on) that are defined in WebSphere Process Server.
- If you use Secure Sockets Layer (SSL) encryption but you do not experience problems when you do not use SSL, generate new certificates using passwords that you can share, then try again and send the certificates with passwords to IBM Support. Also specify if you use server authentication, client authentication, or both.
- Package the following directory: WPS_install/profiles/profile_name/logs/server_name.
- Screen captures of the LDAP configuration parameters from the administrative console:
  - Security > Global security
  - Security > Global security > LDAP
  - Security > Global security > LDAP > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings (if the search filter is not fully visible, copy the search strings for User Filter and Group Filter)
  - Security > Global security > LDAP > Custom properties
If LDAP-related problems occur while setting up the LDAP staff plug-in provider, also submit the following screen captures:
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Custom properties
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration (if the default LDAP Staff Plugin Configuration sample is not used, also submit the XSL file you use)
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration > LDAP Staff Plugin Configuration sample (or the corresponding XSL file)
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration > LDAP Staff Plugin Configuration sample > Custom properties (or the corresponding XSL file)
- Project interchange (PI) file that uses the LDAP staff plug-in provider. Describe in detail how to deploy and configure the application so that the problem can be reproduced.