Topic
  • 11 replies
  • Latest Post - 2009-04-06T17:28:30Z by fang
pranav143
pranav143
87 Posts

Pinned topic: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

2009-03-06T06:40:33Z
I have configured Portal 6.1 with TDS 6.1 and it got successfully configured. I got the message "task completed successfully".
But the problem is that I am not able to create any user even though I am administrator.

I am also not able to sign up. Only those users which exist in the LDAP can log in to the portal.

In short, I am unable to create any new user in the portal, but I am able to log in with the existing users.

EJPSG0015E: Data Backend Problem com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=pranav,cn=users,dc=yourco,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@5b945b94' naming exception occurred during processing

Please help me.
Thanks

Regards..

Pranav
Updated on 2009-04-06T17:28:30Z by fang
  • pranav143
    pranav143
    87 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-06T06:42:22Z
    I have configured Portal 6.1 with TDS 6.1 and it got successfully configured. I got the message "task completed successfully".

    But the problem is that I am not able to create any user even though I am administrator.

    I am also not able to sign up. Only those users which exist in the LDAP can log in to the portal.

    In short, I am unable to create any new user in the portal, but I am able to log in with the existing users.
    EJPSG0015E: Data Backend Problem com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=pranav,cn=users,dc=yourco,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@5b945b94' naming exception occurred during processing

    Please help me.

    Thanks

    Regards..

    Pranav
  • JMW98
    JMW98
    1144 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-06T20:23:53Z
    It sounds like the bind DN for this LDAP defined in VMM is not granted the right to create users in the LDAP. Check with your LDAP administrator. You can check the bind DN in wimconfig.xml:

    <config:repositories xsi:type="config:LdapRepositoryType" ...
    ...
    <config:ldapServerConfiguration ...
    ...
    <config:ldapServers ... bindDN="cn=root" ...
    ...
    <config:connections host="ldapserver.yourco.com" port="389"/>
    ...
    </config:ldapServers>
    </config:ldapServerConfiguration>
  • pranav143
    pranav143
    87 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-09T06:39:36Z
    • JMW98
    • 2009-03-06T20:23:53Z
    It sounds like the bind DN for this LDAP defined in VMM is not granted the right to create users in the LDAP. Check with your LDAP administrator. You can check the bind DN in wimconfig.xml:

    <config:repositories xsi:type="config:LdapRepositoryType" ...
    ...
    <config:ldapServerConfiguration ...
    ...
    <config:ldapServers ... bindDN="cn=root" ...
    ...
    <config:connections host="ldapserver.yourco.com" port="389"/>
    ...
    </config:ldapServers>
    </config:ldapServerConfiguration>
    What exactly do I have to check in wimconfig.xml?
    <config:ldapServers authentication="simple" bindDN="uid=wpsadmin,cn=users,dc=yourco,dc=com"
    bindPassword="{xor}KC8sPjsyNjE=" connectionPool="true" connectTimeout="0"
    derefAliases="always" referal="ignore" sslEnabled="false">
    <config:connections host="192.168.0.26" port="389"/>

    I can see this in my wimconfig.xml.
    Thanks

    Pranav.
  • JMW98
    JMW98
    1144 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-09T12:39:31Z
    Ask your LDAP administrator if this:

    bindDN="uid=wpsadmin,cn=users,dc=yourco,dc=com"

    is really the distinguished name (DN) Portal should use to bind to LDAP when creating users (if you cut-and-pasted this verbatim, I doubt that your LDAP contains "dc=yourco,dc=com"). If the DN is correct, ask the LDAP administrator to make sure it has the right permissions for creating users.

    You won't be able to verify the password by looking directly at wimconfig.xml. You would have to verify that through wkplc.properties (assuming you haven't deleted the clear-text password from that file already). So, check the DN & permissions first. Then if you have to verify the password, do so with wkplc.properties & the appropriate ConfigEngine task. This doesn't look like a password-related error though.
  • pranav143
    pranav143
    87 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-10T10:44:17Z
    • JMW98
    • 2009-03-09T12:39:31Z
    Ask your LDAP administrator if this:

    bindDN="uid=wpsadmin,cn=users,dc=yourco,dc=com"

    is really the distinguished name (DN) Portal should use to bind to LDAP when creating users (if you cut-and-pasted this verbatim, I doubt that your LDAP contains "dc=yourco,dc=com"). If the DN is correct, ask the LDAP administrator to make sure it has the right permissions for creating users.

    You won't be able to verify the password by looking directly at wimconfig.xml. You would have to verify that through wkplc.properties (assuming you haven't deleted the clear-text password from that file already). So, check the DN & permissions first. Then if you have to verify the password, do so with wkplc.properties & the appropriate ConfigEngine task. This doesn't look like a password-related error though.
    Actually, in TDS 6.1 you need to ADD the admin group in the ACL from the IDSWebApp admin console. This solved the problem.
  • SystemAdmin
    SystemAdmin
    30895 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-26T00:31:10Z
    • pranav143
    • 2009-03-10T10:44:17Z
    Actually, in TDS 6.1 you need to ADD the admin group in the ACL from the IDSWebApp admin console. This solved the problem.
    I have the same problem. Could you please share a more detailed description of your solution above? Thanks.
  • pranav143
    pranav143
    87 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-26T04:23:12Z
    I have the same problem. Could you please share a more detailed description of your solution above? Thanks.
    Log into the admin console, open the "Directory Management" tab in the left navbar and then select "Manage entries". Select your RDN and then select "Edit ACL" from the dropdown list at the top.

    On the next screen, select the "Owners" tab.

    Here you will have to add the admin group.

    Then add the admin group, i.e. wpsadmins (in my case), in the filtered ACLs.

    Test it and let me know whether it works or not.

    Thanks

    Pranav
  • SystemAdmin
    SystemAdmin
    30895 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-26T15:24:13Z
    • pranav143
    • 2009-03-26T04:23:12Z
    Log into the admin console, open the "Directory Management" tab in the left navbar and then select "Manage entries". Select your RDN and then select "Edit ACL" from the dropdown list at the top.

    On the next screen, select the "Owners" tab.

    Here you will have to add the admin group.

    Then add the admin group, i.e. wpsadmins (in my case), in the filtered ACLs.

    Test it and let me know whether it works or not.

    Thanks

    Pranav
    Here is what I did:

    • Login as root
    • Clicked Directory management > Manage entries
    • Selected dc=acllc,dc=com
    • On Select Action list, chose Edit ACL...
    • On the Owners tab, added cn=wpsadmins,cn=groups,dc=acllc,dc=com with Subject type group
    • On Filtered ACLs (this is where I am not sure)
    - clicked add,
    - On the next page,
    - Subject DN: cn=wpsadmins,cn=groups,dc=acllc,dc=com
    - Subject type: group
    - Rights: Add child=grant, Delete entry=grant
    - Filter: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))
    - Security class access rights: Grant all
    - clicked OK, close and logout, restarted directory server.

    I tested with ldapsearch, just to make sure. It still works:
    uid=wpsadmin,cn=users,dc=acllc,dc=com
    objectclass=organizationalPerson
    objectclass=person
    objectclass=top
    objectclass=inetOrgPerson
    uid=wpsadmin
    sn=admin
    givenName=wps
    cn=wps admin
    After restarting Portal, I logged in as wpsadmin. Then, I tried to add a new user under Administration > Access > Users and Groups but it still fails for me...

    EJPSG0015E: Data Backend Problem com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred during processing.
    com.ibm.wps.util.DataBackendException: EJPSG0015E: Data Backend Problem com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred during processing.
    EJPSG0015E: Data Backend Problem com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred during processing.
    CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred during processing.
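An added example, not part of this thread or of any IBM tool: the Python below parses a CWWIM4520E line in the format quoted above to recover the LDAP result code and the container on which the bind DN needs "add child" rights, and evaluates a filtered-ACL filter against the entry being added, which shows why a filter that only matches group object classes grants nothing for a user add. The sample error line, the inetOrgPerson entry and the PERSON_FILTER alternative are constructed, and %v is treated as a literal.

```python
import re

# Constructed sample in the CWWIM4520E format quoted in this thread (not from a real system)
SAMPLE_ERROR = ("CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - "
                "Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; "
                "resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred")
ERR_RE = re.compile(r"LDAP: error code (\d+) - ([^;]+); remaining name '([^']+)'")

def triage(line):
    """Return (ldap_code, message, target_dn, parent_dn) from a CWWIM4520E line, or None.
    For an add, the bind DN needs 'add child' on parent_dn. Escaped commas in RDNs are not handled."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code, msg, dn = int(m.group(1)), m.group(2).strip(), m.group(3)
    return code, msg, dn, dn.split(",", 1)[1]

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset TDS filtered ACLs use: (&..), (|..), (!..), (attr=value)."""
    assert s[i] == "(", "expected '(' at offset %d" % i
    i += 1
    if s[i] in "&|":                       # AND / OR over a list of sub-filters
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1           # step over the closing ')'
    if s[i] == "!":                        # NOT over a single sub-filter
        node, i = parse_filter(s, i + 1)
        return ("!", node), i + 1
    j = s.index(")", i)                    # equality match: attr=value
    attr, val = s[i:j].split("=", 1)
    return ("=", attr.lower(), val.lower()), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]} (case-insensitive)."""
    if node[0] == "!":
        return not matches(node[1], entry)
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    return any(v.lower() == node[2] for v in entry.get(node[1], []))

def acl_covers(filter_str, entry):
    """True if a filtered ACL carrying filter_str would apply to 'entry' at all."""
    return matches(parse_filter(filter_str)[0], entry)

# The filter from the post above (%v kept literal) only matches group entries; PERSON_FILTER is a constructed alternative.
GROUP_FILTER = "(&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))"
PERSON_FILTER = "(objectclass=inetOrgPerson)"
NEW_USER = {"objectclass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
            "uid": ["daangus"], "cn": ["dan angus"]}   # constructed entry being added
```

Running `triage(SAMPLE_ERROR)` reports the parent container `cn=users,dc=acllc,dc=com`, and `acl_covers(GROUP_FILTER, NEW_USER)` is False while `acl_covers(PERSON_FILTER, NEW_USER)` is True.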
  • pranav143
    pranav143
    87 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-03-27T04:12:12Z
    Here is what I did:

    • Login as root
    • Clicked Directory management > Manage entries
    • Selected dc=acllc,dc=com
    • On Select Action list, chose Edit ACL...
    • On the Owners tab, added cn=wpsadmins,cn=groups,dc=acllc,dc=com with Subject type group
    • On Filtered ACLs (this is where I am not sure)
    - clicked add,
    - On the next page,
    - Subject DN: cn=wpsadmins,cn=groups,dc=acllc,dc=com
    - Subject type: group
    - Rights: Add child=grant, Delete entry=grant
    - Filter: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls)))
    - Security class access rights: Grant all
    - clicked OK, close and logout, restarted directory server.

    I tested with ldapsearch, just to make sure. It still works:
    uid=wpsadmin,cn=users,dc=acllc,dc=com
    objectclass=organizationalPerson
    objectclass=person
    objectclass=top
    objectclass=inetOrgPerson
    uid=wpsadmin
    sn=admin
    givenName=wps
    cn=wps admin
    After restarting Portal, I logged in as wpsadmin. Then, I tried to add a new user under Administration > Access > Users and Groups but it still fails for me...

    EJPSG0015E: Data Backend Problem com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred during processing.
    com.ibm.wps.util.DataBackendException: EJPSG0015E: Data Backend Problem com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred during processing.
    EJPSG0015E: Data Backend Problem com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred during processing.
    CWWIM4520E The 'javax.naming.NoPermissionException: LDAP: error code 50 - Insufficient Access Rights; remaining name 'uid=daangus,cn=users,dc=acllc,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@2aaa2aaa' naming exception occurred during processing.
    In the filtered ACL, select True and add the admins group in this as well.

    For checking, go to effective ACLs and then click on load.
    If you are able to get the admins group when you click load, then I think it should work.

    Thanks

    Pranav
  • bn_shyam
    bn_shyam
    107 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS 6.1

    2009-04-06T17:11:43Z
    • pranav143
    • 2009-03-27T04:12:12Z
    In the filtered ACL, select True and add the admins group in this as well.

    For checking, go to effective ACLs and then click on load.
    If you are able to get the admins group when you click load, then I think it should work.

    Thanks

    Pranav
    Hey, is it possible to grant read/write access to only a few attributes to the bindDN account instead of "Grant All" permissions?

    Requirement: users won't be signed up using the portal, but they should have the capability to modify preferred language and password through the portal, without giving "Grant all" permissions to the bindDN LDAP account.

    I tried granting attribute-wise permissions to the bind user, but it's not working. Is there a way to go about achieving my requirement?

    Thanks,
    Shyam
  • fang
    fang
    769 Posts

    Re: Unable to create new user in portal 6.1 after enabling security with TDS

    2009-04-06T17:28:30Z
    • bn_shyam
    • 2009-04-06T17:11:43Z
    Hey, is it possible to grant read/write access to only a few attributes to the bindDN account instead of "Grant All" permissions?

    Requirement: users won't be signed up using the portal, but they should have the capability to modify preferred language and password through the portal, without giving "Grant all" permissions to the bindDN LDAP account.

    I tried granting attribute-wise permissions to the bind user, but it's not working. Is there a way to go about achieving my requirement?

    Thanks,
    Shyam
    I believe ITDS supports granular ACL settings down to the attribute level, but this is more like a question for the LDAP support folks.

    -FF

    The postings on this site are my own and do not necessarily represent the positions, strategies or opinions of IBM.