3 replies Latest Post - ‏2013-01-25T11:26:41Z by bpaskin
lorlor
2 Posts

Pinned topic WAS 8.5 - Active Directory integration issue with Groups. Works with users

‏2013-01-21T16:31:33Z |
Hi,
I have downloaded WAS 8.5 for evaluation and am facing an issue with AD integration.
AD integration is functional for users, but I face an issue when using groups.
Would someone be able to propose an action plan? Details below.

WAS 8.5 integrated with AD
I have created a federated repository with both File and AD.
If I assign the Administrator role to an AD user, it works, i.e. the AD user can connect to the WAS console.
But if I assign the Administrator role to an AD group, the same user is denied access to the WAS console.
Within WAS, when I check Groups, the group information confirms the AD user is part of the AD group.
Any idea how to troubleshoot this issue?
  • gas
    888 Posts

    Re: WAS 8.5 - Active Directory integration issue with Groups. Works with users

    ‏2013-01-22T09:11:05Z  in response to lorlor
    Hi,

    Check whether you can see the correct groups via Manage Groups in the WAS admin console. Also check whether you can see the user in the group via Members, and the group in the user details via Group membership.

    Also restart the server after changes in role assignment.

    If that doesn't help, try the following trace:

    *=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all
    • lorlor
      2 Posts

      Re: WAS 8.5 - Active Directory integration issue with Groups. Works with users

      ‏2013-01-24T21:16:59Z  in response to gas
      Thanks Gas for looking into this. Sorry for the delay.
      Yes, AD groups are listed through "Manage Groups".
      Yes, users are listed in Group membership.
      As a consequence, my understanding is that WAS reads information from AD without any problem.

      As I was enabling the trace with the flags you proposed, I bounced the server and the group configuration is now ... functional.

      I am new to WebSphere. For my understanding, can you confirm which log files I should look at now that your flags are activated?
      This will help me next time I face a similar issue :-)

      Thanks again for your help and time

      Appreciated
      • bpaskin
        3898 Posts

        Re: WAS 8.5 - Active Directory integration issue with Groups. Works with users

        ‏2013-01-25T11:26:41Z  in response to lorlor
        Hi, Please make sure the group name does not exist in both the File Repository and Active Directory. Also make sure that the group name is unique within the Active Directory.

        Regards,
        Brian
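
The uniqueness check suggested in the last reply, as an added example that is not part of the original thread or of IBM's code: given group distinguished names exported from both repositories, it flags names that collide across the file repository and Active Directory, or within Active Directory. The sample DNs, the base entries and all function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: group unique names as exported from a federated
# repository. All names and base entries are made up for illustration.
SAMPLE_GROUPS = [
    "cn=WASAdmins,o=defaultWIMFileBasedRealm",
    "CN=wasadmins,OU=Groups,DC=example,DC=com",
    "CN=Operators,OU=Groups,DC=example,DC=com",
    "CN=Operators,OU=Legacy,DC=example,DC=com",
    "CN=Ops\\, Night,OU=Groups,DC=example,DC=com",
    "cn=monitors,o=defaultWIMFileBasedRealm",
]

# Assumed base entries (lowercase DN suffix -> repository label).
REPOSITORIES = {
    "o=defaultwimfilebasedrealm": "file",
    "dc=example,dc=com": "ad",
}

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def group_name(dn):
    """Value of the leading RDN, unescaped and lowercased for comparison."""
    _attr, _, value = split_dn(dn)[0].partition("=")
    return re.sub(r"\\(.)", r"\1", value).strip().lower()

def repository_of(dn):
    """Label the repository whose base entry the DN ends with."""
    norm = ",".join(split_dn(dn)).lower()
    for suffix, label in REPOSITORIES.items():
        if norm.endswith(suffix):
            return label
    return "unknown"

def find_collisions(dns):
    """Map each group name seen more than once to its (repository, DN) pairs."""
    by_name = defaultdict(list)
    for dn in dns:
        by_name[group_name(dn)].append((repository_of(dn), dn))
    return {name: hits for name, hits in by_name.items() if len(hits) > 1}

def classify(hits):
    """Say whether a collision spans repositories or sits inside one."""
    repos = {repo for repo, _ in hits}
    return "cross-repository" if len(repos) > 1 else "duplicate within " + repos.pop()
```

Names are compared case-insensitively, so `WASAdmins` in the file repository and `wasadmins` in Active Directory count as the same group name.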