Topic
  • 13 replies
  • Latest Post - ‏2012-12-11T05:59:01Z by SystemAdmin
SystemAdmin
SystemAdmin
3556 Posts

Pinned topic Question on human task and Microsoft AD. Group vs Group Members

‏2012-11-09T07:11:27Z |
Hello,

I have a project that uses IBM WebSphere Integrated Developer 6.2.
I currently have two versions of the same BPEL with human tasks. The only difference is in the way it queries the Potential Owners of a human task as follows:
1. Group Member
2. Group

Initially I was using the Group Member to query the users from a Microsoft AD LDAP, but it threw an error that it cannot retrieve more than 1500 users. I changed the query from Group Member to Group instead to get around this problem. I used the same DN Name as I used for the Group Member query. The error regarding the limit of users did not show up anymore and the users were able to see the task assigned to them.

I encountered a problem when I rolled this out to another environment. The Group Member query works fine in the new environment; however, the Group query did not. The users were not seeing the tasks that should be assigned to them. The number of users in this environment was less than 1500.

I would like to know:
1. Is this a common issue when using a Microsoft AD LDAP?
2. What environment variables in Process Server should I check that could possibly affect the query?
3. What settings in the Microsoft AD LDAP should I check that could possibly affect the query?
  • gas
    gas
    36 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-09T08:02:46Z  
    Hi,

    For the group tasks to work you need to enable 'group work items' in the Human task manager configuration, e.g. via console -> server/cluster -> Business Integration > Business Process Choreographer > Human Task Manager (might be a bit different wording since I don't have console right now).

    Maybe in your other environment this was not set (it is not set by default in WPS v6.2).

    If you want to use 'group member' with more than 1500, you need to change MaxValRange setting of Active Directory policy.
    See more details here:
    http://www-01.ibm.com/support/docview.wss?uid=swg21586960

    Gas
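
The 1500-user error in this thread comes from how Active Directory returns large multi-valued attributes: with MaxValRange at 1500, a read of `member` on a bigger group comes back as `member;range=0-1499`, and the client has to request the following ranges itself. The Python sketch below is an added example, not part of the original posts and not WPS code; it pages through the ranges against a simulated directory. `make_directory`, `naive_members`, `all_members` and the sample DNs are assumptions made for illustration.

```python
import re

MAX_VAL_RANGE = 1500  # cap on values returned per attribute read (value from the thread)
REQ = re.compile(r"member(?:;range=(\d+)-(\*|\d+))?$", re.I)


def make_directory(members):
    """Return read(attr) simulating AD for one group (simplified model, an assumption)."""
    def read(attr):
        m = REQ.match(attr)
        if not m:
            raise ValueError(f"unsupported request: {attr}")
        if m.group(1) is None and len(members) <= MAX_VAL_RANGE:
            return {"member": list(members)}  # small group: plain attribute
        low = int(m.group(1) or 0)
        end = min(low + MAX_VAL_RANGE, len(members))
        if m.group(2) not in (None, "*"):
            end = min(end, int(m.group(2)) + 1)
        # The server marks the final chunk by returning '*' as the upper bound.
        high = "*" if end == len(members) else str(end - 1)
        return {f"member;range={low}-{high}": members[low:end]}
    return read


def naive_members(read):
    """What a client gets if it only looks at the plain 'member' attribute."""
    return read("member").get("member", [])


def all_members(read):
    """Follow the range options until the server marks the last chunk with '*'."""
    collected, request = [], "member"
    while True:
        reply = read(request)
        if "member" in reply:
            return reply["member"]
        (name, values), = reply.items()
        high = REQ.match(name).group(2)
        collected.extend(values)
        if high == "*":
            return collected
        request = f"member;range={int(high) + 1}-*"


# Constructed sample data: these DNs are made up for illustration.
BIG = [f"CN=user{i:04d},OU=Staff,DC=example,DC=com" for i in range(3200)]
SMALL = BIG[:40]

if __name__ == "__main__":
    ad = make_directory(BIG)
    print(list(ad("member")), len(naive_members(ad)), len(all_members(ad)))
```

A client that ignores the range option sees an empty or truncated membership list without any error, which matters wherever group membership drives task or role assignment.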
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-09T08:19:41Z  
    Hello Gas,

    The "Enable group work items" setting is checked on both our environments.

    I will be trying out the MaxValRange setting with the Group Member query.

    Thanks for your quick reply.
    • Lord Christian
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-09T09:47:09Z  
    Hello,

    I don't think we are able to change the settings of the LDAP since it is also being used by other systems of the client.

    Would you happen to know what other settings I should be looking at in the administrative console of Process Server to make the Group tasks work, aside from the Enable Group Work Items?
  • gas
    gas
    36 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-09T11:05:23Z  
    Hi,
    Are you seeing any exceptions in SystemOut.log on any AppTarget cluster server?
    What are the differences in the LDAPS in these 2 environments?
    Are you able to view users, groups, group members via Admin console > Manage users?
    Are you using Federated repository or stand alone LDAP? Is the config same in both? < Verify this, maybe you will find some differences there.
    Are you using same WPS version in both env?

    Gas
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-09T11:18:41Z  
    Hello,

    I don't see any exceptions regarding querying staff assignments in the SystemOut.log. When I refresh people queries, there are no exceptions that come out as well.

    The first environment has more users. The policies of the two LDAPs are exactly the same.

    We are using Standalone LDAP config for both environments. Only the IP of the LDAP configuration is different.

    Both environments use the same WAS and WPS version.
  • gas
    gas
    36 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-09T11:38:23Z  
    Hmm, quite strange.

    Some more things you could try:
    • check if group member id map is set the same in security in ldap advanced settings in both env

    • what people directory provider are you using? Check, if config is the same

    • you could try to verify, if groups work at all - try to add your group as monitor role to the admin console, then try to log in using member of the group. You should be able to open console acting as monitor role.
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-26T07:49:06Z  
    Still having this problem
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-26T07:52:09Z  
    I've checked all of the settings in the LDAP Advanced Settings in both environments. They are the same.

    We are using Microsoft AD for our LDAP. The settings are also the same.
  • gas
    gas
    36 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-26T20:26:55Z  
    Did you test on the same application? Did you try to create new tasks, and see in the BPC explorer to whom they are being assigned?

    It is hard to believe that you have the same settings in WPS and in AD in both environments, and that it behaves differently.
    In that case I'd suggest to open PMR in IBM Support.

    Gas
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-28T09:30:12Z  
    I've also tried the 3rd bullet:
    - you could try to verify, if groups work at all - try to add your group as monitor role to the admin console, then try to log in using member of the group. You should be able to open console acting as monitor role.

    The user was able to log in to the administrative console as a monitor.

    Just to double check: having the People Assignment Criteria set to Group instead of group member will ignore the 1500 property in the LDAP, right?

    I have recently raised a PMR on this as well. Thanks for the support gas
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-11-29T03:25:21Z  
    I forgot to mention that the environment where the Group people assignment criteria isn't working is clustered with two nodes, and in the logs it keeps pushing this message:
    11/23/12 23:15:15:408 CST 00000082 WebContainer E SRVE0255E: A WebGroup/Virtual Host to handle / has not been defined.
    11/23/12 23:15:16:955 CST 00000085 WebContainer E SRVE0255E: A WebGroup/Virtual Host to handle / has not been defined.

    Would this possibly have an impact on the Group people assignment criteria?
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-12-03T09:11:04Z  
    Apparently, the client gave us the group name in the wrong case. Some letters needed to be in lower case.
  • SystemAdmin
    SystemAdmin
    3556 Posts

    Re: Question on human task and Microsoft AD. Group vs Group Members

    ‏2012-12-11T05:59:01Z  
    Hello friends,

    Nice post for sharing, it will help to improve knowledge related to Microsoft AD.