Collect troubleshooting data for LDAP integration problems with WebSphere Process Server problems

LDAP configuration problems have many causes:

• The distinguished name (DN) is not in the access control list (ACL), so some LDAP queries cannot be performed.
• The DN was locked out of LDAP because of too many failed login attempts.
• The DN password is not valid; it might have been changed.
• The LDAP server might not allow anonymous queries.
• The default filter defined in WebSphere Application Server might not be compatible with your settings (for example, objectclass=someObjectClass is not defined)
• The firewall does not allow communication on the port.
• The LDAP is set to use a nonstandard port (standard ports: 389 and 636 (SSL) ).
• The LDAP administrator ID is used as the server ID, but the administrator is not defined as a regular user.

These are only some of the possible reasons for LDAP configuration problems. The best and fastest way to debug the problem is to use the ldapsearch utility. This utility is similar to what WebSphere Process Server uses to query the LDAP server, but it is used on the command line. The ldapsearch utility bypasses WebSphere Process Server, and allows you to see what is returned from the query, which is normally hidden by WebSphere Process Server. On UNIX® systems, ldapsearch is a native tool; for Windows® systems, you can download a corresponding version here: ldapsearch (Windows) .

The method for using ldapsearch is to use the same configuration settings that you have defined for the WebSphere Process Server Administrative console > Security > Global security > User registries > LDAP settings.

Setting	Description
Server user ID	The short name of the ID that is queried from LDAP
Server user password	The server user ID password in LDAP
Directory type	A predefined list of supported LDAP servers. Selecting the proper directory updates the filters that are defined in Advanced properties. These can be changed.
Host	The host name of LDAP server. This name can be a short name, long name, or IP address.
Port	The default LDAP port is 389.
Base distinguished name (baseDN)	Query starting location in your LDAP tree
Bind distinguished name (bindDN)	The fully qualified DN that has the authority to "bind" to the LDAP server and preform the requested queries. Some LDAP servers allow for anonymous queries, so bindDN and bind password might not be required.
Bind password	BindDN password

LDAP Advanced Properties	Description
User filter	The string that is used to query the LDAP server
User ID map	The definition of what is displayed in WebSphere from the resulting query

The directory server can be queried with the following command:

ldapsearch -h host -p port -b "baseDN" -D bindDN -w bind_password "user_filter"

On Tivoli® Directory Server, using the -w option with a question mark ( ? ) prompts you for bind_password so that the password does not appear in the shell history. The password security mechanism for your version of ldapsearch and your LDAP server might differ.

Following is a short example of using ldapsearch:
C:\> ldapsearch -h petunia -p 389 -b "o=ibm,c=us" uid=test
cn=test,o=ibm,c=us
sn=test
objectclass=top
objectclass=organizationalPerson
objectclass=ePerson
objectclass=person
objectclass=inetOrgPerson
uid=test
cn=test

The search should return one result. If no result or more than one result is returned, modify user_filter and the filters that used in WebSphere Process Server.

Collecting general information
Submit to IBM Support the relevant information documented in the Collecting troubleshooting data for WebSphere Process Server for Version 6 technote.

Collecting LDAP-specific information
Submit the following LDAP-specific information to IBM Support:. Follow the instructions in Exchanging Information with IBM technical support technote.

• Output of the ldapsearch query for your environment, including the same settings (baseDN, bindDN, bind password, and so on) that defined in WebSphere Process Server.
• If you use Secure Sockets Layer (SSL) encryption but you do not experience problems when you do not use SSL, generate new certificates using passwords that you can share, then try again and send the certificates with passwords to IBM Support. Also specify if you use server authentication, client authentication, or both.
• Package the following directory: WPS_install/profiles/profile_name/logs/server_name.
• Screen captures of the LDAP configuration parameters from the administrative console:
  • Security > Global security
  • Security > Global security > LDAP
  • Security > Global security > LDAP > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings (if the search filter is not fully visible please copy the search string for User Filter and Group Filter)
  • Security > Global security > LDAP > Custom properties

If LDAP-related problems occur while setting up the LDAP staff plug-in provider, also submit the following screen captures:
• Resources > Staff plug-in provider > LDAP Staff Plugin Provider
• Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Custom properties
• Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration (if the default LDAP Staff Plugin Configuration sample is not used, also submit the XSL file you use)
• Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration > LDAP Staff Plugin Configuration sample (or the corresponding XSL file)
• Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration > LDAP Staff Plugin Configuration sample > Custom properties (or the corresponding XSL file)
• Project interchange (PI) file that uses the LDAP staff plug-in provider. Describe in detail how to deploy and configure the application so that the problem can be reproduced.
  
  
For a listing of all technotes, downloads, and educational materials specific to WebSphere Process Server ,search the WebSphere Process Server support page.