Login fails because Virtual Member Manager cannot find user (CWWIM4537E)

Technote (troubleshooting)


Problem

WebSphere Portal relies on Virtual Member Manager (VMM) for authentication when configured for federated LDAP security. When VMM is configured incorrectly, it cannot find users, and their login attempts fail.

Symptom

Users cannot log in. Instead they receive:

EJPAK0004W: Login failed. Please enter a valid user ID and password.

Tracing the failure shows:

... LoginBridge   > com.ibm.ws.wim.registry.util.LoginBridge checkPassword ENTRY inputUser = "user1", inputPassword = *
...
... LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY "dc=ibm,dc=com" (&(objectClass=...)(uid=user1)) null 2 [LoginAccount, PersonAccount] [] false false
...
... LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(...) ENTRY "dc=ibm,dc=com" (&(objectClass...)(uid=user1)) ...
... LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL ... RETURN...
... LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities RETURN []
...
... exception     1 com.ibm.ws.wim.ProfileManager loginImpl                                  com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the 'user1' principal name.... at com.ibm.ws.wim.registry.util.LoginBridge.checkPassword(LoginBridge.java:168)... at com.ibm.wps.engine.commands.LoginUserAuth.doAuthenticate(LoginUserAuth.java:85)



Cause

VMM's configuration does not allow it to find the users in the LDAP directory.

Resolving the problem

Recreate and trace the failure. Determine the search criteria VMM uses by referencing the following line in trace.log:

LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(...) ENTRY "dc=ibm,dc=com" (&(|(objectClass...))(uid=user1))

Use ldapsearch to verify these search criteria. In this example, "dc=ibm,dc=com" is the base DN for the search and "(&(|(objectClass...))(uid=user1))" is the search filter.

Correct VMM's configuration as needed. In this example, one of the following may need to be corrected: the repository's baseEntries, or PersonAccount's loginProperties, searchFilter, or objectClasses (from <profile>/config/cells/<cell name>/wim/config/wimconfig.xml):

<config:repositories xsi:type="config:LdapRepositoryType" ... id="ibm" ...>
    <config:baseEntries name="dc=ibm,dc=com" nameInRepository="dc=ibm,dc=com"/>
    <config:loginProperties>uid</config:loginProperties>
    ...
    <config:ldapEntityTypes name="PersonAccount" searchFilter="">
        <config:objectClasses>...</config:objectClasses>
    ...

You may use WebSphere Portal configuration tasks to update VMM's configuration. You may also modify wimconfig.xml directly. If you choose to edit the file directly, back it up first and synchronize if clustered. Restart WebSphere Portal to pick up configuration changes (restart node agent and deployment manager as well, if clustered).
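
For the trace and ldapsearch steps above, the following added example (not part of the original technote or IBM code) pulls the base DN and filter out of trace.log search entries that returned no entities and builds the matching ldapsearch command. The sample trace lines are constructed, the OpenLDAP ldapsearch client is assumed, and the LDAP URI and bind DN are placeholders.

```python
import re
import shlex

# Trace entry that logs the LDAP search, in the shape quoted in this technote.
SEARCH_ENTRY = re.compile(r'LdapConnection JNDI_CALL search\(.*?\) ENTRY "([^"]*)" (\(.*)')

# Constructed sample lines (timestamps, thread id and objectClass value are made up).
SAMPLE_TRACE = [
    '[6/7/11 10:00:00:000 EDT] 0000002a LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection '
    'JNDI_CALL search(String, String, Object[], SearchControls) ENTRY "dc=ibm,dc=com" '
    '(&(objectClass=inetOrgPerson)(uid=user1)) null',
    '[6/7/11 10:00:00:010 EDT] 0000002a LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection '
    'searchEntities RETURN []',
]

def balanced_filter(text):
    """Return the parenthesised LDAP filter at the start of text, or None if it never closes."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[: i + 1]
    return None

def failed_searches(lines):
    """Return unique (base_dn, filter) pairs whose searchEntities call returned []."""
    pending, failed = None, []
    for line in lines:  # assumes the lines of one thread, in order
        match = SEARCH_ENTRY.search(line)
        if match:
            ldap_filter = balanced_filter(match.group(2))
            pending = (match.group(1), ldap_filter) if ldap_filter else None
        elif "searchEntities RETURN" in line:
            if pending and line.rstrip().endswith("RETURN []") and pending not in failed:
                failed.append(pending)
            pending = None
    return failed

def ldapsearch_command(base_dn, ldap_filter, uri="ldap://ldap.example.com:389",
                       bind_dn="cn=binduser,dc=example,dc=com"):
    """Build a shell-quoted OpenLDAP ldapsearch line; uri and bind_dn are placeholders."""
    # -x simple bind, -W prompt for the password, "1.1" returns DNs only (no attributes).
    args = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W", "-b", base_dn, ldap_filter, "1.1"]
    return " ".join(shlex.quote(arg) for arg in args)

if __name__ == "__main__":
    for base_dn, ldap_filter in failed_searches(SAMPLE_TRACE):
        print(ldapsearch_command(base_dn, ldap_filter))
```

Quoting the filter matters because its parentheses, "&" and "|" are shell metacharacters. If the generated command also returns no entry, compare the base DN and filter against baseEntries, loginProperties, searchFilter and objectClasses in wimconfig.xml.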


Related information

ldapsearch
Managing the User Registry
Login MustGather


Document information

More support for: WebSphere Portal; VMM - Virtual Member Manager
Software version: 6.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS
Software edition: Enable, Express, Extend, Server
Reference #: 1426941
Modified date: 2011-06-07
