IBM Support

LO56114: SSO BETWEEN ST MEETING SERVER AND ST COMMUNITY SERVER DOESN'T WORK WITH BLANK BASE DN

APAR status

  • Closed as unreproducible.

Error description

  • ENV:
    Sametime 8.5.1:
      ST System Console 8.5.1
      ST Meeting Server 8.5.1
      ST Community Server 8.5.1
    
    Domino LDAP
    
    SSO between ST Meeting Server and ST Community Server doesn't
    work when empty base DN is set in ST Meeting Server (WAS)
    federated repository. SSO only works in one way. SSO doesn't
    work in the direction of ST Community -> ST Meeting.
    
    - Customer followed InfoCenter link to import ST Meeting Server
    WAS key to Sametime Community Server web sso document:
    
    http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v85.doc/config/config_st_sec_import_ltpakeys.html
    
    - As customer is using Sametime 8.5.1 that supports blank base DN,
    and customer's Domino LDAP does use flat groups, in ST Meeting
    server LDAP repository settings, customer set the following:
      - "Distinguished name of a base entry that uniquely identifies
        this set of entries in the realm" to "o=CompanyA"
      - "Distinguished name of a base entry in this repository" to
        blank
    
    
    - SSO works if user signs in to ST Meeting server then switches to
    STCenter URL.
    
    - SSO fails if user signs in to STCenter then switches to ST Meeting
    URL. "Anonymous" is shown in ST Meeting page.
    
    - Checked SystemOut.log, following errors found:
    
    ...
    [11/3/10 12:01:26:950 GMT+08:00] 0000002f LTPAServerObj E SECJ0373E: Cannot create credential for the user <null> due to failed validation of the LTPA token. The exception is com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4527E  The LDAP entry 'CN=UserA,OU=TestOU' was not found: 'javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; Remaining name: 'CN=UserA,OU=TestOU'; Resolved object: 'com.sun.jndi.ldap.LdapCtx@51335133''.
    ...
    
    The user's actual DN is 'CN=UserA,OU=TestOU,O=CompanyA',
    but it seemed the base DN "o=CompanyA" got stripped off, the user DN
    became 'CN=UserA,OU=TestOU' and WAS was unable to authenticate
    this user.
    
    - Tested in lab (Sametime 8.5.1, Domino LDAP), by setting the
    blank base dn in the field "Distinguished name of a base entry
    in this repository", I was able to reproduce the same issue.
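
A diagnostic for the symptom described above, as an added example that is not part of the original APAR or of IBM's tooling: it scans SystemOut.log text for SECJ0373E entries that carry CWWIM4527E and reports the DNs that lack the realm base DN. The function names and the second and third sample log entries are constructed for illustration, and DNs containing escaped commas are not handled.

```python
import re

# Start of a SystemOut.log entry: "[timestamp] threadid ..."
ENTRY_START = re.compile(r"^\[\d{1,2}/\d{1,2}/\d{2} [^\]]+\] [0-9a-f]{8} ")
# DN reported as missing in a CWWIM4527E message, as in the excerpt above
MISSING_DN = re.compile(r"CWWIM4527E\s+The\s+LDAP entry '([^']*)' was not found")

def normalize_dn(dn):
    """Lower-case the DN and strip spaces around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def split_entries(text):
    """Group physical lines into logical entries, re-joining wrapped lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def find_truncated_dns(log_text, realm_base_dn):
    """Return (timestamp, dn) for each LTPA validation failure (SECJ0373E)
    whose missing DN does not end with the realm base DN."""
    base = normalize_dn(realm_base_dn)
    hits = []
    for entry in split_entries(log_text):
        m = MISSING_DN.search(entry) if "SECJ0373E" in entry else None
        if not m:
            continue
        dn = normalize_dn(m.group(1))
        if dn != base and not dn.endswith("," + base):
            hits.append((entry[1:entry.index("]")], m.group(1)))
    return hits

# First entry: the excerpt above (wrapped, shortened). Others: constructed.
SAMPLE_LOG = """\
[11/3/10 12:01:26:950 GMT+08:00] 0000002f LTPAServerObj E
SECJ0373E: Cannot create credential for the user <null> due to failed
validation of the LTPA token. The exception is
com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4527E  The
LDAP entry 'CN=UserA,OU=TestOU' was not found
[11/3/10 12:02:10:101 GMT+08:00] 00000031 LTPAServerObj E SECJ0373E: Cannot create credential for the user <null>. CWWIM4527E  The LDAP entry 'CN=UserB,OU=TestOU,O=CompanyA' was not found
[11/3/10 12:02:11:000 GMT+08:00] 00000031 SystemOut     O constructed unrelated line
"""

if __name__ == "__main__":
    for ts, dn in find_truncated_dns(SAMPLE_LOG, "o=CompanyA"):
        print(f"{ts}: DN '{dn}' is missing the realm base DN")
```

An entry whose DN already ends with the realm base DN (the constructed UserB entry) is not reported, which separates the stripped-suffix symptom from an ordinary missing LDAP entry.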
    

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# YXIO8AZ9T2.
    The change team could not reproduce the problem or determined
     that the problem has already been corrected.
    

APAR Information

  • APAR number

    LO56114

  • Reported component name

    LOTUS SAMETIME

  • Reported component ID

    5724J2300

  • Reported release

    851

  • Status

    CLOSED UR5

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-11-08

  • Closed date

    2012-10-26

  • Last modified date

    2012-10-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels



Document information

More support for: IBM Sametime

Software version: 8.5.1

Reference #: LO56114

Modified date: 26 October 2012

