You are having a Lightweight Directory Access Protocol (LDAP) integration problem in WebSphere Process Server. You would like to know what documentation you must collect (MustGather) so that the WebSphere Process Server Support team can diagnose your problem. If you gather this documentation before contacting support, it will expedite the troubleshooting process, and save you time.
Resolving the problem
LDAP configuration problems can have one of the following causes:
- The distinguished name (DN) is not in the access control list (ACL), so some LDAP queries cannot be performed.
- The DN was locked out of LDAP because of too many failed login attempts.
- The DN password is not valid; it might have been changed.
- The LDAP server might not allow anonymous queries.
- The default filter that is defined in WebSphere Application Server might not be compatible with your settings (for example, objectclass=someObjectClass is not defined)
- The firewall does not allow communication on the port.
- The LDAP server is set to use a nonstandard port (standard ports: 389 and 636 (SSL) ).
- The LDAP administrator ID is used as the server ID, but the administrator is not defined as a regular user.
These problems are only some of the possible reasons for LDAP configuration problems. The best and fastest way to debug the problem is to use the ldapsearch utility. This utility is similar to what WebSphere Process Server uses to query the LDAP server, but it is used on the command line. The ldapsearch utility bypasses WebSphere Process Server, and allows you to see what is returned from the query, which is normally hidden by WebSphere Process Server. On UNIX- based systems, ldapsearch is a native tool. For Microsoft Windows systems, you can download a corresponding version from the Using ldapsearch to debug LDAP configuration problems document.
The method for using ldapsearch is to use the same configuration settings that you have defined in the WebSphere Process Server Administrative console under Security > Global security > User registries > LDAP settings. See the following tables for descriptions of the settings and properties.
|Server user ID||This setting is the short name of the ID that is queried from the LDAP server.|
|Server user password||This setting is the server user ID password in the LDAP server.|
|Directory type||This setting is a predefined list of supported LDAP servers. Selecting the proper directory updates the filters that are defined in Advanced properties. You can change these values.|
|Host||This setting is the host name of the LDAP server. This name can be a short name, long name, or IP address.|
|Port||This setting is the port value, which has a default value of 389.|
|Base distinguished name (baseDN)||This setting is the query starting location in your LDAP tree.|
|Bind distinguished name (bindDN)||This setting is the fully qualified DN that has the authority to "bind" to the LDAP server and perform the requested queries. Some LDAP servers allow anonymous queries, so the bindDN and bind password might not be required.|
|Bind password||This setting is the BindDN password.|
LDAP Advanced Properties
|User filter||This property is the string that is used to query the LDAP server.|
|User ID map||This property is the definition of what is displayed in WebSphere from the resulting query.|
You can use the following command to query the directory server:
ldapsearch -h host -p port -b "baseDN" -D bindDN -w bind_password "user_filter"
With Tivoli Directory Server, using the -w option with a question mark ( ? ) prompts you for bind_password so that the password does not show in the shell history. The password security mechanism for your version of ldapsearch and your LDAP server might differ.
Following is a short example of using ldapsearch:
C:\> ldapsearch -h petunia -p 389 -b "o=ibm,c=us" uid=test
The search should return one result. If there is not a result or more than one result is returned, modify the user_filter and the filters that are used in WebSphere Process Server.
Collecting general information
Send IBM Support the relevant information, which is documented in the Collecting troubleshooting data for WebSphere Process Server for Version 6 document.
Collecting LDAP-specific information
Submit the following LDAP-specific information to IBM Support:. Follow the instructions in Exchanging Information with IBM technical support technote.
- Output of the ldapsearch query for your environment, including the same settings (baseDN, bindDN, bind password, and so on) that are defined in WebSphere Process Server.
- If you use Secure Sockets Layer (SSL) encryption but you do not experience problems when you do not use SSL, generate new certificates using passwords that you can share. Then, try again and send the certificates with passwords to IBM Support. Also, specify if you use server authentication, client authentication, or both.
- Package the following directory: WPS_install/profiles/profile_name/logs/server_name.
- Screen captures of the LDAP configuration parameters from the administrative console:
- Security > Global security
- Security > Global security > LDAP
- Security > Global security > LDAP > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings
If the search filter is not fully visible, copy the search string for User Filter and Group Filter.
- Security > Global security > LDAP > Custom properties
If LDAP-related problems occur while setting up the LDAP staff plug-in provider, also submit the following screen captures:
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Custom properties
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration
If the default LDAP Staff Plugin Configuration sample is not used, also submit the XSL file that you use.
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration > LDAP Staff Plugin Configuration sample (or the corresponding XSL file)
- Resources > Staff plug-in provider > LDAP Staff Plugin Provider > Staff plug-in configuration > LDAP Staff Plugin Configuration sample > Custom properties (or the corresponding XSL file)
- Project interchange (PI) file that uses the LDAP staff plug-in provider. Describe in detail how to deploy and configure the application so that the problem can be reproduced.