4 replies, latest post 2013-07-18T20:17:15Z by claudef

claudef

LDAP basic authentication Smash vs. Liberty

2013-07-18T00:23:39Z

I'm trying to convert an existing Smash application into a WAS Liberty server. The IBM internal LDAP authentication throws an error, even when using very similar definitions, see below:

Smash LDAP setup:

/config/security/userservice/ldap += {
    "jndiProviderUrl" : "ldap://bluegroups.ibm.com:389",
    "ldapUserIdSearchFilterPattern" : "(&(mail={0})(objectclass=ibmPerson))",
    "ldapUserIdBaseDn" : "ou=bluepages,o=ibm.com",
    "ldapGroupBaseDn" : "ou=bluepages,o=ibm.com"
   }

WAS Liberty LDAP setup:

    <ldapRegistry baseDN="ou=bluepages,o=ibm.com" ldapType="IBM Tivoli Directory Server"
        port="389" host="bluegroups.ibm.com" ignoreCase="true"
        userFilter="(&amp;amp;((mail={0})(objectclass=ibmPerson))"
        ldapUserIdBaseDn="ou=bluepages,o=ibm.com"
        ldapGroupBaseDn="ou=bluepages,o=ibm.com"
        id="MyRegistry"/>

Error:

[AUDIT   ] CWWKS1100A: Authentication did not succeed for user ID xxxxxx@xx.ibm.com. An invalid user ID or password was specified.

What setup adjustment is needed in the server.xml to make it work? Is there a simple way to test the bluepage access (w3) with an ldapsearch command?

Thanks in advance for your guidance.
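The ldapsearch check asked for above, as an added example that is not part of the thread: it decodes a userFilter value the way the server.xml parser would, rejects filters whose parentheses do not balance or that still carry an XML entity after decoding, and prints the ldapsearch command for a constructed user ID. Host and base DN are the ones from the question; the anonymous bind (-x), the returned attributes and the user jdoe@example.com are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: sanity-check an LDAP user filter taken
# from server.xml before trying it, then build the ldapsearch command to run by
# hand. Host and base DN come from the thread; the sample user, the anonymous
# bind and the returned attributes are constructed for this example.

# Undo one level of XML escaping, which is what the config parser does with an
# attribute value. A value written as "&amp;amp;" comes out as "&amp;", i.e.
# still escaped, so LDAP would see no '&' operator at all.
xml_unescape() {
  printf '%s' "$1" | sed 's/&amp;/\&/g'
}

# Return 0 if the decoded filter is well-formed enough to send: parentheses
# balance and no XML entity survived decoding.
check_filter() {
  f=$1
  only_open=$(printf '%s' "$f" | tr -cd '(')
  only_close=$(printf '%s' "$f" | tr -cd ')')
  [ "${#only_open}" -eq "${#only_close}" ] || return 1
  case $f in *'&amp;'*) return 1 ;; esac
  return 0
}

# Substitute the placeholder ({0} in the Smash/Liberty userFilter, %v in
# idsFilters) with a concrete user ID and print the ldapsearch command.
# The user ID must not contain '/', '&' or '\' (sed replacement metacharacters).
build_ldapsearch() {
  filter=$(printf '%s' "$1" | sed "s/{0}/$2/g; s/%v/$2/g")
  printf "ldapsearch -x -H ldap://bluegroups.ibm.com:389 -b 'ou=bluepages,o=ibm.com' '%s' mail uid\n" "$filter"
}

# Walk the three filter spellings seen in the thread with a constructed user ID.
for raw in \
  '(&amp;amp;((mail={0})(objectclass=ibmPerson))' \
  '(&amp;((mail={0})(objectclass=ibmPerson))' \
  '(&amp;(emailAddress=%v)(objectclass=ibmPerson))'
do
  decoded=$(xml_unescape "$raw")
  if check_filter "$decoded"; then
    build_ldapsearch "$decoded" 'jdoe@example.com'
  else
    printf 'rejected: %s\n' "$decoded"
  fi
done
```

Only the third filter passes the check; the first keeps an undecoded entity and the second has one more opening than closing parenthesis.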

  • Sunil George

    Re: LDAP basic authentication Smash vs. Liberty

    2013-07-18T12:49:29Z in response to claudef

    Hi,

    Could you modify the ldapRegistry snippet in the server.xml as shown below and try the operation. Also, are there any other error messages that you see in the trace file?

        <ldapRegistry baseDN="ou=bluepages,o=ibm.com" ldapType="IBM Tivoli Directory Server"
            port="389" host="bluegroups.ibm.com" ignoreCase="true"
            userFilter="(&amp;((mail={0})(objectclass=ibmPerson))"
            id="MyRegistry"/>


    Thanks.

    • claudef

      Re: LDAP basic authentication Smash vs. Liberty

      2013-07-18T13:48:07Z in response to Sunil George

      Dear Sunil,

      I've replaced the ldapRegistry definition with the new tag shown above and restarted the server. Unfortunately I got the same error message. No further debug message is shown at the console and log, see below:

      [AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.
      [AUDIT   ] CWWKS1100A: Authentication did not succeed for user ID xxxxxxx@xx.ibm.com. An invalid user ID or password was specified.

      Is there some Debug tool or logger available?

      Thanks for feedback.

      Claude

      • Sunil George

        Re: LDAP basic authentication Smash vs. Liberty

        2013-07-18T17:18:10Z in response to claudef

        Hi Claude,

        Could you upload your server.xml file as well as the trace file (enable trace for packages com.ibm.ws.wim.*=all:com.ibm.ws.security.*=all::com.ibm.ws.webcontainer.security.*=all), see http://www-01.ibm.com/support/docview.wss?uid=swg21596714

        Thanks,

        Sunil.

        • claudef

          Re: LDAP basic authentication Smash vs. Liberty

          2013-07-18T20:17:15Z in response to Sunil George

          Good news, I found a solution that works OK for e-mail compatible user IDs like user@company. Here is the new filter definition that solved the problem using the IBM Tivoli Directory Server:

            <idsFilters
                userFilter="(&amp;(emailAddress=%v)(objectclass=ibmPerson))"
                groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
                userIdMap="*:emailAddress"
                groupIdMap="*:cn"
                groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;
                                  groupOfNames:member;groupOfUniqueNames:uniqueMember"/>
          </ldapRegistry>

          Thanks so much for your assistance and support.