Cannot display LDAP group members defined with a custom RDN

Technote (troubleshooting)


Problem

Members of an LDAP group defined with a custom Relative Distinguished Name (RDN) cannot be displayed in the Portal

Symptom

The trace shows "LDAP: error code 32 - No Such Object", and no results are displayed in the WebSphere Portal Users and Groups portlet.


Diagnosing the problem

Portal login works as expected with the custom RDN.

A search for an individual user in the Users and Groups portlet returns the expected results. However, searching for a group and then clicking on the group to show its members returns no results.

Collect the Portal User Management Architecture (PUMA) trace and files for the Portal version in use.

Collect an LDIF export of the group from the LDAP server. The LDIF export can be used to confirm the member definition.

dn: cn=portal_staff,ou=groups,o=ibm.com
uniquemember: ibmid=51833,ou=portal,o=ibm.com,
uniquemember: ibmid=66222,ou=portal,o=ibm.com,
uniquemember: ibmid=72735,ou=portal,o=ibm.com,
uniquemember: ibmid=24133,ou=portal,o=ibm.com,

Ordinarily, the user RDN might be uid or cn. Here, the custom RDN is ibmid.

Additionally, if the custom RDN is not known to Virtual Member Manager (VMM), a trace of the issue will show the members returned as a list rather than as members of the group, and the following exception will be seen:

LdapConnectio 1 com.ibm.ws.wim.adapter.ldap.LdapConnection getAttributes Exception caught:
 javax.naming.NameNotFoundException: LDAP: error code 32 - No Such Object; Remaining name: 'cn=portal_staff,ou=groups,o=ibm.com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode
at com.sun.jndi.ldap.LdapCtx.processReturnCode


Resolving the problem

To resolve the issue, update the VMM configuration to add "ibmid" as a property for the PersonAccount entity type.


You may use one of two methods: a direct update to the VMM configuration or the Portal configuration tasks. Either method yields the same end result.

Method #1: Direct update
1. Examine the file wimconfig.xml to determine the repository id for the LDAP that contains the group. The id is the string "portal" in this example:

<config:repositories xsi:type="config:LdapRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"
id="portal" isExtIdUnique="true" supportAsyncMode="false" supportExternalName="false" supportPaging="false" supportSorting="false" supportTransactions="false" certificateFilter=""   certificateMapMode="EXACT_DN" ldapServerType="IDS" translateRDN="false">
...

2. Run the following wsadmin command:

$AdminTask addIdMgrPropertyToEntityTypes {-name ibmid -dataType String -isMultiValued false -entityTypeNames PersonAccount -repositoryIds portal}

where name is the new RDN and repositoryIds is the id of the LDAP from Step 1.

3. Save the change to wimconfig.xml with the command $AdminConfig save

4. Define the "ibmid" property as an RDN property for the PersonAccount entity type by editing wimconfig.xml manually.

Change wimconfig.xml from

<config:supportedEntityTypes defaultParent="..." name="PersonAccount">
<config:rdnProperties>uid</config:rdnProperties>
</config:supportedEntityTypes>

to

<config:supportedEntityTypes defaultParent="..." name="PersonAccount">
<config:rdnProperties>uid</config:rdnProperties>
<config:rdnProperties>ibmid</config:rdnProperties>
</config:supportedEntityTypes>

5. If in a clustered configuration, restart the Deployment Manager, nodeagent(s) and Portal server(s). If in a standalone configuration, restart the Portal server.
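The check below is an added example, not IBM code: it compares the RDN attribute types used by a group's member DNs in an LDIF export against the rdnProperties declared for PersonAccount in wimconfig.xml, which is the mismatch this technote resolves. The sample inputs, the namespace URI, the root element and the function names are constructed for illustration, and it assumes the group members are users rather than nested groups.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on this technote's snippets. The namespace
# URI and root element are placeholders; matching uses local element names only.
SAMPLE_LDIF = """\
dn: cn=portal_staff,ou=groups,o=ibm.com
uniquemember: ibmid=51833,ou=portal,o=ibm.com
uniquemember: ibmid=66222,ou=portal,o=ibm.com
uniquemember: uid=wpsadmin,ou=portal,o=ibm.com
"""
SAMPLE_WIMCONFIG = """\
<config:configurationProvider xmlns:config="urn:example:wim-config">
  <config:supportedEntityTypes defaultParent="..." name="PersonAccount">
    <config:rdnProperties>uid</config:rdnProperties>
  </config:supportedEntityTypes>
</config:configurationProvider>
"""

def member_rdn_types(ldif_text, member_attr="uniquemember"):
    """Return the lowercased RDN attribute types used by the member DNs."""
    types = set()
    # LDIF folds long lines: a line starting with one space continues the previous one.
    for line in ldif_text.replace("\n ", "").splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != member_attr:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, eq, _ = value.strip().partition("=")  # type of the leading RDN
        if eq:
            types.add(attr.strip().lower())
    return types

def declared_rdn_properties(wimconfig_xml, entity="PersonAccount"):
    """Return the lowercased rdnProperties declared for one entity type."""
    props = set()
    for el in ET.fromstring(wimconfig_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "supportedEntityTypes" and el.get("name") == entity:
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "rdnProperties" and child.text:
                    props.add(child.text.strip().lower())
    return props

def missing_rdn_properties(ldif_text, wimconfig_xml):
    """RDN types that members use but PersonAccount does not declare."""
    return sorted(member_rdn_types(ldif_text) - declared_rdn_properties(wimconfig_xml))

if __name__ == "__main__":
    print("Missing RDN properties:", missing_rdn_properties(SAMPLE_LDIF, SAMPLE_WIMCONFIG))
```

An empty result after step 4 indicates that every RDN type used by the exported members is declared for PersonAccount.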

Method #2: Configuration task method
Follow the "Adding attributes" and "Updating an entity type" instructions in the Portal documentation. The links provided are for AIX but the main steps are the same for all distributed platforms.

The main steps are to install the Enterprise Application WIMSYSTEM.ear in the environment and then run the configuration tasks to add the attribute and update the entity type with the new RDN.

Note: If you intend to add other custom properties to the configuration then it is recommended to use the Configuration task method.


Related information

addIdMgrPropertyToEntityTypes Command



Document information


More support for:

WebSphere Portal

Software version:

6.1, 7.0, 8.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:

1623115

Modified date:

2013-01-29
