Newly registered users cannot log in immediately, but can log in after some period of time.

Technote (troubleshooting)


Problem

Newly registered users cannot log in immediately, but can log in after some period of time.

Cause

When WebSphere Portal authenticates users with a federated repository, Virtual Member Manager's (VMM) search cache may prevent users from logging in immediately after they register. This technote generically refers to actions taken to add a user to the user repository as registering.

Diagnosing the problem

Evaluate the use case. Collect the documentation specified in the Collecting Data: Login document appropriate for your version. This problem occurs when:

1. A federated repository is configured.

2. A user visits the WebSphere Portal site for the first time.

3. This user thinks he has already registered with this site, but in actuality, he has not. He attempts to log in with a user ID, for example: user1.

4. VMM searches for user1 in the LDAP, does not find it, and populates its search cache.
ServiceProvid > com.ibm.websphere.wim.ServiceProvider WIM_API login ENTRY ...
<wim:principalName>user1</wim:principalName> ...
LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY dc=ibm,dc=com (...uid=user1...) ...
LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(...
LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities RETURN []

5. User registers to the site with this same user ID, user1.

6. user1 attempts to log in.

7. VMM searches for user1, hits its search cache from (4), and denies the authentication request.

ServiceProvid > com.ibm.websphere.wim.ServiceProvider WIM_API login ENTRY ...
<wim:principalName>user1</wim:principalName> ...
LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY dc=ibm,dc=com (...uid=user1...) ...
LdapConnectio 3 com.ibm.ws.wim.adapter.ldap.LdapConnection checkSearchCache Hit cache: ...
LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities RETURN [] ...
exception     1 com.ibm.ws.wim.ProfileManager loginImpl CWWIM4537E  No principal is found from the 'user1' principal name. ...
LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is CWWIM4537E  No principal is found from the 'user1' principal name

8. After 10 minutes (default), VMM times out its search cache entry from (4).

9. user1 attempts to log in again.

10. VMM finds user1 in the LDAP and authenticates the user as expected.
ServiceProvid > com.ibm.websphere.wim.ServiceProvider WIM_API login ENTRY ...
<wim:principalName>user1</wim:principalName> ...
LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY dc=ibm,dc=com (...uid=user1...) ...
LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(...
LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities RETURN [...uid=user1...]
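
To tell the cache-induced denial in step 7 apart from a user who is genuinely absent from the LDAP (step 4), the VMM trace can be classified per login attempt. The following is an added example, not IBM code: the function names are hypothetical, the sample trace is constructed from the excerpts above, and it assumes the lines of one login are contiguous (on a busy server, split the trace by thread ID first).

```python
import re

# Constructed sample modeled on the technote's trace excerpts (timestamps and
# thread IDs omitted, as in the excerpts): steps 4, 7 and 10 for user1.
LDAP = "com.ibm.ws.wim.adapter.ldap.LdapConnection"
LOGIN = ("ServiceProvid > com.ibm.websphere.wim.ServiceProvider WIM_API login ENTRY\n"
         "<wim:principalName>user1</wim:principalName>\n"
         f"LdapConnectio > {LDAP} searchEntities ENTRY dc=ibm,dc=com (uid=user1)\n")
SAMPLE_TRACE = (
    LOGIN + f"LdapConnectio > {LDAP} JNDI_CALL search(\n"
            f"LdapConnectio < {LDAP} searchEntities RETURN []\n"
    + LOGIN + f"LdapConnectio 3 {LDAP} checkSearchCache Hit cache:\n"
              f"LdapConnectio < {LDAP} searchEntities RETURN []\n"
    + LOGIN + f"LdapConnectio > {LDAP} JNDI_CALL search(\n"
              f"LdapConnectio < {LDAP} searchEntities RETURN [uid=user1,dc=ibm,dc=com]\n"
)

PRINCIPAL = re.compile(r"<wim:principalName>([^<]+)</wim:principalName>")
RETURN = re.compile(r"searchEntities RETURN \[(.*)\]")

def classify_logins(trace_text):
    """Return [(principal, outcome)] for every WIM_API login in the trace."""
    results, current = [], None
    for line in trace_text.splitlines():
        if "WIM_API login ENTRY" in line:
            current = {"user": None, "source": None}   # a new login attempt starts
        if current is None:
            continue
        name, ret = PRINCIPAL.search(line), RETURN.search(line)
        if name:
            current["user"] = name.group(1)
        elif "JNDI_CALL search(" in line:
            current["source"] = "ldap"     # VMM really queried the directory
        elif "checkSearchCache" in line and "Hit cache" in line:
            current["source"] = "cache"    # answer served from the search cache
        elif ret:
            if ret.group(1).strip():
                outcome = "found"
            elif current["source"] == "cache":
                outcome = "stale-negative-cache"   # step 7: empty cached result
            else:
                outcome = "not-in-ldap"            # step 4: user truly absent
            results.append((current["user"], outcome))
            current = None
    return results

def stale_cache_denials(trace_text):
    """Principals denied only because of an empty cached search result."""
    return sorted({u for u, o in classify_logins(trace_text) if o == "stale-negative-cache"})
```

A principal reported by `stale_cache_denials` matches this technote; a principal that only ever shows `not-in-ldap` points to a registration or LDAP problem instead.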


Resolving the problem

Configure the VMM search results cache to meet your requirements and notify new users accordingly.

If you require new users to log in immediately regardless of previous failed login attempts, you should disable VMM's search cache. Understand that this could affect performance.

If your requirements favor performance and allow for some delay in account activation, then you could set VMM's search cache timeout to 60 seconds, for example. In your custom registration portlet, you could then display a message saying that it may take up to one minute for new accounts to activate.

You may configure VMM's search cache with the WebSphere Application Server (WAS) Integrated Solutions Console (ISC):

Global security > Federated repositories > [LDAP identifier] > Performance > Caches > Cache the search results

For example, this will update the following stanza in VMM's configuration file, <profile>/config/cells/<cell name>/wim/config/wimconfig.xml from:

<config:cacheConfiguration>
...
<config:searchResultsCache cacheSize="2000" cacheTimeOut="600" enabled="true" searchResultSizeLimit="1000"/>
</config:cacheConfiguration>

to:

<config:cacheConfiguration>
...
<config:searchResultsCache cacheSize="2000" cacheTimeOut="60" enabled="true" searchResultSizeLimit="1000"/>
</config:cacheConfiguration>


Related information

WAS InfoCenter
WebSphere Portal - Collecting Data



Document information


More support for:

WebSphere Portal
VMM - Virtual Member Manager

Software version:

6.1, 7.0, 8.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:

1623916

Modified date:

2013-02-06
