PK57646: Member fixer module cannot update CN part of a users DN.

APAR status

• Closed as program error.

Error description

• The LDAP repository WCM uses may be configured to use multiple
  branches (or organizational units) in a single
  realm where different users can exist, for example:
  
  cn=John Smith,ou=Portal Users,o=IBM
  cn=Joan Stevens,ou=WCM Users,o=IBM
  
  If the user DNs change for any reason (e.g. a user or
  organizational unit changes name), the member fixer module
  can not be used to update the user references in WCM items
  because it currently does not support updating users
  when their common name (cn) has changed.
  
  
  Problem Analysis:
  The member fixer module was constructing the new DNs based off
  the configured values in the wpconfig.properties
  file which only allowed for a single user suffix to be specified
  or it could only update the DN entry when the CN
  was the same. (ie organizational unit and/or organization could
  be different).
  

Local fix

• The member fixer module's "alt_dn" mode now checks for specific
  mapped alternate DNs in the aptrixjpe.properties
  file before using the configured values in the
  wpconfig.properties file. You should perform the following steps
  to map user and group DNs in the aptrixjpe.properties file
  before running the member fixer module:
  
  User and group DN syntax changes should be mapped in the
  PortalServer\wcm\config\aptrixjpe.properties file like
  so:
  
  EXISTING_DN_KEY=NEW_DN_SYNTAX
  
  where:
  
  EXISTING_DN_KEY is the key constructed from the existing DN by
  replacing all equals characters "=" and spaces " "
  with underscores "_".
  NEW_DN_SYNTAX is the replacement DN syntax.
  
  For example, if you have a user branch with the following DN
  syntax:
  
  cn=Jane Smith,ou=Portal Users,o=IBM
  
  You construct the EXISTING_DN_KEY by replacing all "=" and " "
  with "_" in the DN, so in this example the
  EXISTING_DN_KEY will be: cn_Jane_Smith,ou_Portal_Users,o_IBM
  
  If you are changing the syntax of this branch to:
  
  cn=Jane Jones,ou=Portal,o=IBM
  
  The NEW_DN_SYNTAX will be the new DN as is.
  
  This gives you the following mapping entry in your
  aptrixjpe.properties file:
  
  cn_Jane_Smith,ou_Portal_Users,o_IBM=cn=Jane
  Jones,ou=Portal,o=IBM
  
  You can of course have mapping entries for multiple users that
  need to explicitly mapped to a new DN
  
  cn_Jane_Smith,ou_Portal_Users,o_IBM=cn=Jane
  Jones,ou=Portal,o=IBM
  cn_Mary_Jane,ou_WCM_Users,o_IBM=cn=Mary Smith,ou=WCM,o=IBM
  
  You could then run the member fixer as normal using the alt_dn
  option:
  
  http://[HOST]:[PORT]/wps/wcm/connect?MOD=MemberFixer&library=[LI
  BRARY_NAME]&alt_dn=UPDATE&fix=true
  

Problem summary

• Member fixer module cannot update CN part of a users DN.
  
  Detailed Problem Description:
  The LDAP repository WCM uses may be configured to use multiple
  branches (or organizational units) in a single
  realm where different users can exist, for example:
  
  cn=John Smith,ou=Portal Users,o=IBM
  cn=Joan Stevens,ou=WCM Users,o=IBM
  
  If the user DNs change for any reason (e.g. a user or
  organizational unit changes name), the member fixer module
  can not be used to update the user references in WCM items
  because it currently does not support updating users
  when their common name (cn) has changed.
  
  
  Problem Analysis:
  The member fixer module was constructing the new DNs based off
  the configured values in the wpconfig.properties
  file which only allowed for a single user suffix to be specified
  or it could only update the DN entry when the CN
  was the same. (ie organizational unit and/or organization could
  be different).
  

Problem conclusion

• The member fixer module's "alt_dn" mode now checks for specific
  mapped alternate DNs in the aptrixjpe.properties
  file before using the configured values in the
  wpconfig.properties file. You should perform the following steps
  to map user and group DNs in the aptrixjpe.properties file
  before running the member fixer module:
  
  User and group DN syntax changes should be mapped in the
  PortalServer\wcm\config\aptrixjpe.properties file like
  so:
  
  EXISTING_DN_KEY=NEW_DN_SYNTAX
  
  where:
  
  EXISTING_DN_KEY is the key constructed from the existing DN by
  replacing all equals characters "=" and spaces " "
  with underscores "_".
  NEW_DN_SYNTAX is the replacement DN syntax.
  
  For example, if you have a user branch with the following DN
  syntax:
  
  cn=Jane Smith,ou=Portal Users,o=IBM
  
  You construct the EXISTING_DN_KEY by replacing all "=" and " "
  with "_" in the DN, so in this example the
  EXISTING_DN_KEY will be: cn_Jane_Smith,ou_Portal_Users,o_IBM
  
  If you are changing the syntax of this branch to:
  
  cn=Jane Jones,ou=Portal,o=IBM
  
  The NEW_DN_SYNTAX will be the new DN as is.
  
  This gives you the following mapping entry in your
  aptrixjpe.properties file:
  
  cn_Jane_Smith,ou_Portal_Users,o_IBM=cn=Jane
  Jones,ou=Portal,o=IBM
  
  You can of course have mapping entries for multiple users that
  need to explicitly mapped to a new DN
  
  cn_Jane_Smith,ou_Portal_Users,o_IBM=cn=Jane
  Jones,ou=Portal,o=IBM
  cn_Mary_Jane,ou_WCM_Users,o_IBM=cn=Mary Smith,ou=WCM,o=IBM
  
  You could then run the member fixer as normal using the alt_dn
  option:
  
  http://[HOST]:[PORT]/wps/wcm/connect?MOD=MemberFixer&library=[LI
  BRARY_NAME]&alt_dn=UPDATE&fix=true
  
  An interim fix is available for this APAR from Fix Central at:
  
  http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorde
  r?brandid=2&productid=Workplace%20Web%20Content%20Management&fix
  es=6.0.1.2-WCM-PK57646
  
  You will need to cut/paste the entire URL into a browser to
  resolve the address.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  WRKPLC WEB CON

• Fixed component ID

  5724I2900

Applicable component levels

• R60G PSY

     UP