IBM Support

Auto assignment of user templates not occurring for new users

Troubleshooting


Problem

After following the instructions in the ESSO Configuration Guide, Appendix C - Automatically assigning User Policy Templates to new users, the assignment is not occurring as expected.

Symptom

New users are allocated the default user template.

Cause

Although the IMS Enterprise Directory configuration file (EnterpriseDirectoryConfiguration.xml) has been updated as per the guide, the change is not reflected in the VMM configuration files. As a result, VMM does not retrieve the newly defined attribute from the Enterprise Directory. IMS therefore sees no attribute value and assigns the default user template.

Resolving The Problem


The VMM configuration needs to be updated to match the changes made following the guide. The steps below refer to the 'department' attribute; if a different attribute was chosen, substitute it wherever 'department' is mentioned.

There are two ways in which this can be done:

A) The GUI approach:

    • Log into the IMS Configuration Tool
    • Delete the existing AD Enterprise directory entry
    • Reboot the system
    • Recreate the AD Enterprise Entry
    • Reboot again to make this active.
When the AD Enterprise directory is recreated (added again), the IMS Configuration Tool recreates the AD repository information in VMM and mirrors the changes made to 'EnterpriseDirectoryConfiguration.xml' into the new VMM configuration files. That is, it adds the 'department' attribute to the two key files under the wim config path in the appropriate profiles.

B) Manual approach:
    • Ensure that both ESSO applications are NOT running when making these changes. It is best if WAS is not running either.
    • Edit the VMM config files to manually add the 'department' attribute. This would need to be done for each profile used by the ESSO IMS Applications.
      The two key files are:
      - <WASHOME>\profiles\<profilename>\config\<cellname>\wim\config\wimconfig.xml

      The following needs to be added to this file in the correct location:

      <config:attributes name="department" propertyName="department">
      <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>

      This should be added after the same type of entry for 'lockoutTime', i.e. within the <config:attributeConfiguration> node.

      - <WASHOME>\profiles\<profilename>\config\<cellname>\wim\model\wimxmlextension.xml

      The following needs to be added to this file in the correct location:

      <wim:propertySchema nsPrefix="wim" nsURI="http://www.ibm.com/websphere/wim" dataType="string" multiValued="false" propertyName="department">
      <wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames>
      </wim:propertySchema>

      Add this at the end of the '<wim:schema>' node, i.e. after the entry for "msDS-User-Account-Control-Computed". The easiest way is to copy and paste this last entry and change it to reference the 'department' attribute.
    • Reboot the system
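
A read-only check that both VMM files declare the attribute in the location described above, as an added example (not IBM code). It matches elements by local name, so it assumes nothing about namespace URIs; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the "{namespace}" prefix so the check does not depend on namespace URIs.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]

def _declared(xml_text, parent, child, key, types_tag, attr, entity):
    """True if some <parent> has a direct <child key=attr> that lists `entity`."""
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != parent:
            continue
        for c in node:
            if (_local(c.tag) == child and c.get(key) == attr
                    and entity in _texts(c, types_tag)):
                return True
    return False

def in_wimconfig(xml_text, attr, entity="PersonAccount"):
    return _declared(xml_text, "attributeConfiguration", "attributes",
                     "name", "entityTypes", attr, entity)

def in_extension(xml_text, attr, entity="PersonAccount"):
    return _declared(xml_text, "schema", "propertySchema",
                     "propertyName", "applicableEntityTypeNames", attr, entity)

def missing_files(wimconfig_text, extension_text, attr="department"):
    """Names of the VMM files that still lack the attribute (empty list = consistent)."""
    checks = [("wimconfig.xml", in_wimconfig(wimconfig_text, attr)),
              ("wimxmlextension.xml", in_extension(extension_text, attr))]
    return [name for name, ok in checks if not ok]

# Constructed samples; the config namespace URI below is a placeholder, not the real one.
ATTR = ('<config:attributes name="department" propertyName="department">'
        '<config:entityTypes>PersonAccount</config:entityTypes></config:attributes>')
WIMCONFIG = ('<config:repositories xmlns:config="urn:example:config">'
             '<config:attributeConfiguration>%s</config:attributeConfiguration>%s'
             '</config:repositories>')
PROP = ('<wim:propertySchema nsPrefix="wim" nsURI="http://www.ibm.com/websphere/wim" '
        'dataType="string" multiValued="false" propertyName="department">'
        '<wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames>'
        '</wim:propertySchema>')
EXTENSION = '<wim:schema xmlns:wim="http://www.ibm.com/websphere/wim">%s</wim:schema>'

if __name__ == "__main__":
    print(missing_files(WIMCONFIG % (ATTR, ""), EXTENSION % PROP))
```

To use it on a real system, read the two files of each profile into strings and pass them to `missing_files` before rebooting.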


Document Information

Modified date:
03 September 2019

UID

swg21652358