IBM Support

JR50424: USER AND GROUP ROLE ASSIGNMENTS ARE NOT PRESERVED AFTER CONVERTING FROM STAND-ALONE LDAP TO FEDERATED USER REGISTRY


APAR status

  • Closed as program error.

Error description

  • When converting Information Server from a stand-alone LDAP
    configuration to a Federated user registry that includes the
    same LDAP registry, the Information Server security roles
    previously assigned to LDAP users and groups are no longer seen
    by Information Server for the same users and groups. Likewise,
    any Business Glossary asset permissions or Steward assignments
    no longer work. In addition, errors occur in the Information
    Server Web Console when opening Users or Groups. Additional
    problems occur if a user or group previously assigned a role no
    longer exists in the configured LDAP registry.
    

Local fix

  • Some of the issues are caused by a known WAS issue and require a
    WAS iFix (PM89827) to be installed. This iFix also requires a
    configuration change to WAS to enable it. However, it only
    addresses the issues caused when a user or group no longer
    exists in the external LDAP registry, and only when attributes
    are not mapped. Installing this iFix alone therefore does little
    to address the complete list of problems; install it together
    with the complete solution to this APAR.
    

Problem summary

  • Information Server security roles assigned to LDAP users and
    groups, as well as Steward and access permissions configured in
    Business Glossary, are saved in the Information Server local
    repository while the system is configured for a stand-alone LDAP
    user registry, keyed to the full LDAP distinguished name (DN) of
    the user or group. Once the user registry is converted to
    Federated and this LDAP registry is configured as one of the
    Federated repositories, the Federated registry by default expects
    short (RDN) user and group names in queries and returns the names
    in the same short (RDN) form. For the existing role assignments
    in the Information Server local repository to be associated with
    the LDAP entities, the stored names must match what the Federated
    registry returns.
    
    To continue using the existing role assignments, the Federated
    configuration must be changed to expect and return long (DN)
    names. This is done by changing the Federated User repository
    attribute mapping configuration in the WebSphere Integrated
    Solutions Console (WAS Admin Console).
    1) log in to the WAS Admin Console with valid WAS administrator
       credentials
    2) modify your configured Federated repository settings by
       selecting Security > Global security > select Federated
       repositories in the Available realm definitions under User
       account repository > click Configure...
    3) click "User repository attribute mapping" under Additional
       Properties
    4) select groupSecurityName and userSecurityName and click Edit
    5) for groupSecurityName, set Property for Input and Property
       for Output values to uniqueName
    6) for userSecurityName, set Property for Input value to
       principalName and set Property for Output value to uniqueName
    7) click Apply and then Save directly to the master
       configuration
    8) assuming you have already completed the rest of the Federated
       configuration, restart WebSphere for the changes to take
       effect.
    
    To properly handle invalid user or group ids in the Information
    Server local repository (users or groups that no longer exist in
    any of the configured Federated repositories, or whose full DN
    has changed since role assignment), you need to have the WAS
    APAR fix for PM29846 installed and enabled. PM29846 is already
    included in WAS 7.0.0.19, 8.0.0.1, 8.5.0.0 and above but is not
    enabled by default. See details on how to manually enable at
    http://www-01.ibm.com/support/docview.wss?uid=swg1PM29846 or
    apply this Information Server patch for JR50424. A script
    included in this patch updates security.xml to enable the
    PM29846 fix automatically; it runs during patch installation.
    
    When LDAP attributes are mapped using the Information Server
    DirectoryAdmin tool, so that LDAP user and group attributes from
    the Federated registries can be viewed and searched in
    Information Server clients, additional fixes are needed to
    properly handle full DN names and invalid user and group ids in
    the Information Server internal repository. This JR50424 patch
    along with the WAS fixes for PI18109 and PM89827 must be
    installed. The fix for PM89827 is included in WAS 8.0.0.9 and
    8.5.5.1 and above. At the time of this patch publication,
    PI18109 is only available as an iFix on top of WAS 8.5.5.2. For
    additional information on mapped attributes in Information
    Server, see
    http://www-01.ibm.com/support/knowledgecenter/SSZJPZ_9.1.0/com.ibm.swg.im.iis.found.admin.common.doc/topics/diradmtl_displayldap.html
    
    Also be aware that Federated registries that return more than
    4500 users or groups produce a variety of issues that can result
    in Out of Memory errors or Xmeta failures in Information Server.
    The WAS fix for APAR PM82122 is required to resolve this issue.
    The fix for PM82122 is available in WAS 8.0.0.7 and 8.5.5.1 and
    above. For more information and availability of this fix see
    http://www-01.ibm.com/support/docview.wss?uid=swg1PM82122.
    
    IBM recommends updating WebSphere to version 8.5.5.2 or above.
    WAS 8.5.5.2 has all required iFixes with the exception of
    PI18109 which can be found and installed using the IBM
    Installation Manager once WAS 8.5.5.2 is installed. Check with
    IBM Support on availability of the required iFixes (PM29846,
    PM82122, PM89827, and PI18109) on other versions of WebSphere
    not explicitly noted above.
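The following is an added illustration for this APAR, not Information Server or WebSphere code. It models the two situations the Problem summary describes: role assignments stored against the full LDAP DN stop resolving when the Federated registry returns short RDN names, and resolve again once the mapping returns uniqueName; and a principal whose role was assigned but which no longer exists in LDAP (the PM29846 case) must be reported as an orphan rather than break the Users/Groups listing. All DNs, role names and directory contents are constructed; the lookup logic is a model of the behaviour described, not the product's internals.

```python
"""Model of why stand-alone LDAP role assignments stop resolving under
Federated repositories, and what the uniqueName attribute mapping restores.

Added illustration for APAR JR50424, not Information Server or WebSphere
code. All principals, roles and DNs are constructed.
"""


def stored_role_assignments():
    """Constructed: assignments as the Information Server local repository
    holds them after running with a stand-alone LDAP registry. Each key is
    the full LDAP DN the registry returned at assignment time."""
    return {
        "uid=jdoe,ou=people,dc=example,dc=com": ["SuiteAdmin", "DataStageUser"],
        "uid=asmith,ou=people,dc=example,dc=com": ["GlossaryAuthor", "Steward"],
        "cn=etl-operators,ou=groups,dc=example,dc=com": ["DataStageOperator"],
        # Assigned a role, later deleted from LDAP: the invalid-id case the
        # summary says must be handled (WAS PM29846), not a failure.
        "uid=retired,ou=people,dc=example,dc=com": ["SuiteUser"],
    }


def ldap_entries():
    """Constructed: what the LDAP repository behind the Federated realm
    still contains. 'retired' is gone, so it has no entry."""
    return [
        {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "rdn": "jdoe"},
        {"dn": "uid=asmith,ou=people,dc=example,dc=com", "rdn": "asmith"},
        {"dn": "cn=etl-operators,ou=groups,dc=example,dc=com",
         "rdn": "etl-operators"},
    ]


def federated_security_names(entries, property_for_output):
    """Security names the Federated registry hands back for its entries.

    "default"    -> short RDN value (what a fresh Federated realm returns)
    "uniqueName" -> the full DN, matching what stand-alone LDAP returned
    """
    if property_for_output == "uniqueName":
        return {e["dn"] for e in entries}
    return {e["rdn"] for e in entries}


def resolve_roles(stored, registry_names):
    """Associate stored assignments with registry principals by exact name.

    Returns (resolved, orphaned). An orphan is an assignment whose principal
    the registry does not report under that name, either because the name
    form differs (the conversion problem) or because the entity no longer
    exists (the PM29846 case). Orphans are collected, never raised on, so a
    single stale DN cannot break listing Users or Groups.
    """
    resolved, orphaned = {}, {}
    for principal, roles in stored.items():
        target = resolved if principal in registry_names else orphaned
        target[principal] = list(roles)
    return resolved, orphaned


def compare_mappings():
    """Run the same stored assignments against both mapping configurations."""
    stored = stored_role_assignments()
    entries = ldap_entries()
    report = {}
    for prop_out in ("default", "uniqueName"):
        names = federated_security_names(entries, prop_out)
        resolved, orphaned = resolve_roles(stored, names)
        report[prop_out] = {
            "resolved": sorted(resolved),
            "orphaned": sorted(orphaned),
        }
    return report


if __name__ == "__main__":
    for prop_out, result in compare_mappings().items():
        print("propertyForOutput=%s" % prop_out)
        print("  resolved: %s" % result["resolved"])
        print("  orphaned: %s" % result["orphaned"])
```

With the default mapping nothing resolves, which is the symptom in the Error description; with uniqueName the three live principals resolve and only the deleted one is left over, which is the case the PM29846 fix exists to tolerate.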
    

Problem conclusion

  • Install this patch together with the appropriate WAS release
    and/or iFixes described above, and configure the Federated
    registry in WebSphere as described.
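An added wsadmin script (Jython), not IBM's patch script or product code, that makes the same "User repository attribute mapping" change as steps 4 to 7 of the console procedure in the Problem summary and saves it to the master configuration. It assumes the Federated realm still has the default name defaultWIMFileBasedRealm, and that the IdMgrRealmConfig commands updateIdMgrRealmURAttrMapping and addIdMgrRealmURAttrMapping take -securityRealmName, -URAttrName, -propertyForInput and -propertyForOutput; confirm both on your cell with AdminTask.help('updateIdMgrRealmURAttrMapping') before running. It is kept to the Python subset shared by wsadmin's Jython 2.1 and CPython 3 so the planned commands can be checked without a WebSphere cell; the WebSphere restart from step 8 is still required.

```python
# wsadmin Jython script: apply the Federated "User repository attribute
# mapping" change from APAR JR50424 (groupSecurityName -> uniqueName in and
# out, userSecurityName -> principalName in / uniqueName out) and save it to
# the master configuration. Added example, not IBM's patch script.
#
#   wsadmin.sh -lang jython -user <wasadmin> -password <pw> -f fed_dn_mapping.py
#
# Assumptions (verify with AdminTask.help('updateIdMgrRealmURAttrMapping')):
#   - the Federated realm has the default name below;
#   - the IdMgrRealmConfig commands and the -securityRealmName/-URAttrName/
#     -propertyForInput/-propertyForOutput parameters are as recalled here.
# Written in the Python subset shared by wsadmin's Jython 2.1 and CPython 3.

REALM = "defaultWIMFileBasedRealm"   # assumption: default Federated realm name

# URAttrName -> (propertyForInput, propertyForOutput), as the APAR requires.
REQUIRED_MAPPINGS = {
    "groupSecurityName": ("uniqueName", "uniqueName"),
    "userSecurityName": ("principalName", "uniqueName"),
}


def mapping_args(realm, attr_name, prop_in, prop_out):
    """Argument string for add/updateIdMgrRealmURAttrMapping."""
    return ("-securityRealmName %s -URAttrName %s "
            "-propertyForInput %s -propertyForOutput %s"
            % (realm, attr_name, prop_in, prop_out))


def build_plan(realm, mappings):
    """Deterministic list of (URAttrName, args) to apply; testable offline."""
    names = list(mappings.keys())
    names.sort()                       # Jython 2.1 has no sorted()
    plan = []
    for name in names:
        prop_in, prop_out = mappings[name]
        plan.append((name, mapping_args(realm, name, prop_in, prop_out)))
    return plan


def apply_plan(plan, admin_task, admin_config):
    """Update each mapping; if none exists yet for that attribute, add it.
    Returns the list of (action, URAttrName) actually performed."""
    done = []
    for name, args in plan:
        try:
            admin_task.updateIdMgrRealmURAttrMapping(args)
            done.append(("update", name))
        except:                        # bare except: Jython 2.1 lacks 'as'
            admin_task.addIdMgrRealmURAttrMapping(args)
            done.append(("add", name))
    admin_config.save()                # "Save directly to the master configuration"
    return done


# wsadmin injects AdminTask/AdminConfig into the script namespace; outside
# wsadmin (for example when unit-testing build_plan) nothing is changed.
if "AdminTask" in globals().keys():
    for action, name in apply_plan(build_plan(REALM, REQUIRED_MAPPINGS),
                                   AdminTask, AdminConfig):
        print("%s %s" % (action, name))
    print("Saved; restart WebSphere for the mapping to take effect.")
```

The update-then-add fallback matters because a realm that has never had a mapping edited in the console has no entry for the attribute yet, and a plain update against it fails; recording what was done lets you confirm the result against the console's "User repository attribute mapping" page after the restart.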
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR50424

  • Reported component name

    INFO SRVR PLATF

  • Reported component ID

    5724Q3612

  • Reported release

    912

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-06-06

  • Closed date

    2014-07-18

  • Last modified date

    2014-07-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    INFO SRVR PLATF

  • Fixed component ID

    5724Q3612

Applicable component levels

  • R912 PSY

       UP


Document Information

Modified date:
14 October 2021