IBM Support

PM99472: MANAGEMENT OF ACLS IN APPCENTER USING LDAP DOES NOT WORK IF USERS AND GROUPS ARE IN SAME LDAP SUBTREE WHEN USING JNDI AP


APAR status

  • Closed as program error.

Error description

  • When using Worklight Server and Application Center, using an
    application server that uses the JNDI API (currently, WebSphere
    Application Server Liberty Profile, or Tomcat), it is not
    possible to use LDAP for Application Center ACL management when
    users and groups are in the same LDAP subtree (when
    "ibm.appcenter.ldap.user.base" and
    "ibm.appcenter.ldap.group.base" are set to the same value).  In
    this environment, there is an undocumented constraint that users
    and groups must exist in different LDAP subtrees.
    

Local fix

  • No workarounds available, other than reconfiguring the LDAP
    environment so that users and groups exist in different
    subtrees, or hosting the Worklight Server and Application
    Center on an application server that does not have this
    constraint.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Users using ACL management with the LDAP JNDI API in the     *
    * Application Center (on the WebSphere Liberty Profile and     *
    * Tomcat).                                                     *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * When the users and groups are defined in the same LDAP       *
    * subtree, the ACL search in the Application Center gives an   *
    * incorrect result: duplicate entries are listed and some are  *
    * not listed.                                                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * -                                                            *
    ****************************************************************
    

Problem conclusion

  • To support users and groups in the same LDAP subtree, 3 new JNDI
    properties must be configured in the server.xml file for Tomcat
    or Liberty:
    
    1) ibm.appcenter.ldap.user.filter: LDAP user search filter for
    the user login name attribute. Use %v as the placeholder for the
    login name attribute.
    2) ibm.appcenter.ldap.group.filter: LDAP group search filter.
    Use %v as the placeholder for the group attribute.
    3) ibm.appcenter.ldap.user.displayName.filter: LDAP user search
    filter for the user display name attribute. Use %v as the
    placeholder for the user display name attribute.
    
    The fix for this APAR is currently targeted for fixpack 6.0.0.2.
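
A sketch of the three filter properties described above, with both bases set to the same subtree. This is an added example, not taken from the APAR or IBM documentation. The base DN, the attribute names (uid, cn) and the object classes (inetOrgPerson, groupOfNames) are assumptions for a typical directory; the objectClass term in each filter is what keeps a user search from matching group entries under the shared base.

```xml
<!-- Added example; every value below is constructed. Adjust attribute names
     and object classes to the directory schema actually in use. -->

<!-- Liberty profile, server.xml: place beside the existing
     ibm.appcenter.ldap.* entries. -->
<jndiEntry jndiName="ibm.appcenter.ldap.user.base"  value="dc=example,dc=com"/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.base" value="dc=example,dc=com"/>

<!-- "&" in an LDAP filter must be written "&amp;" inside an XML attribute,
     otherwise server.xml is not well-formed and fails to parse. -->
<jndiEntry jndiName="ibm.appcenter.ldap.user.filter"
           value="(&amp;(uid=%v)(objectClass=inetOrgPerson))"/>
<jndiEntry jndiName="ibm.appcenter.ldap.group.filter"
           value="(&amp;(cn=%v)(objectClass=groupOfNames))"/>
<jndiEntry jndiName="ibm.appcenter.ldap.user.displayName.filter"
           value="(&amp;(cn=%v)(objectClass=inetOrgPerson))"/>

<!-- Tomcat, server.xml: the same three properties as Environment entries,
     placed beside the existing ibm.appcenter.ldap.* entries. -->
<Environment name="ibm.appcenter.ldap.user.filter"
             value="(&amp;(uid=%v)(objectClass=inetOrgPerson))"
             type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.group.filter"
             value="(&amp;(cn=%v)(objectClass=groupOfNames))"
             type="java.lang.String" override="false"/>
<Environment name="ibm.appcenter.ldap.user.displayName.filter"
             value="(&amp;(cn=%v)(objectClass=inetOrgPerson))"
             type="java.lang.String" override="false"/>
```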
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM99472

  • Reported component name

    WORKLIGHT CONSU

  • Reported component ID

    5725I4301

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-10-18

  • Closed date

    2013-10-26

  • Last modified date

    2013-10-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WORKLIGHT CONSU

  • Fixed component ID

    5725I4301

Applicable component levels

  • R600 PSY

       UP


Document Information

Modified date:
01 November 2021