Unable to add new groups using WebSphere Application Server
Create new groups in LDAP, not WAS.
Problem
The following error message is displayed if you try to add a new group using WebSphere® Application Server console:
CWWIM4520E The 'javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - object class 'groupOfNames' requires attribute 'member']
Resolution
As a workaround, create the group in LDAP instead using the following procedure.
- Log in to the LDAP Proxy Server pod.
  kubectl exec -it <release_name>-openldap-0 -- /bin/bash
  Where <release_name> is the name of your deployment, as specified by the value used for name (Operator Lifecycle Manager UI Form view), or name in the metadata section of the noi.ibm.com_noihybrids_cr.yaml or noi.ibm.com_nois_cr.yaml files (YAML view).
- Create the new group.
  - Create an LDAP Data Interchange Format (LDIF) file to define the new group. For example:
    vi test-group.ldif
  - Define the contents of the LDIF file that you created by using a format similar to this example:
    dn: cn=newgroup,ou=groups,dc=mycluster,dc=icp
    cn: newgroup
    owner: uid=newgroup,ou=users,dc=mycluster,dc=icp
    description: newgroup test
    objectClass: groupOfNames
    member: uid=icpadmin,ou=users,dc=mycluster,dc=icp
    Where:
    - the value of uid and cn are the name of the new group
    - the value of dc is the domain components that were specified for the suffix and baseDN. By default the value of this parameter is dc=mycluster,dc=icp.
  - Run the following command to create the new group:
    ldapadd -h localhost -p 389 -D "cn=admin,dc=mycluster,dc=icp" -w password -f ./test-group.ldif
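The error above is the directory rejecting a groupOfNames entry that has no member attribute, so a hand-written LDIF with the same omission fails the same way. The following shell function is an added example, not part of the original page, that checks an LDIF file for this before ldapadd is run; the name check_group_ldif and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page. check_group_ldif is a
# hypothetical helper name; the sample entries below are constructed.
# Returns 0 when every groupOfNames entry in FILE carries both cn and member,
# otherwise prints "<dn>: missing ..." per offending entry and returns 1.
check_group_ldif() {
    awk '
    function flush() {            # evaluate the entry that just ended
        if (dn != "" && is_group && (!has_cn || !has_member)) {
            printf "%s: missing%s%s\n", dn,
                   (has_cn ? "" : " cn"), (has_member ? "" : " member")
            bad = 1
        }
        dn = ""; is_group = has_cn = has_member = 0
    }
    BEGIN        { bad = 0 }
    /^#/         { next }           # LDIF comment line
    /^[ \t]*$/   { flush(); next }  # blank line separates entries
    /^ /         { next }           # folded continuation of the previous value
    {
        attr = tolower($0); sub(/:.*/, "", attr)       # attribute name
        val = $0; sub(/^[^:]*::?[ ]*/, "", val)        # value (plain or base64)
        if (attr == "dn") dn = val
        else if (attr == "objectclass" && tolower(val) == "groupofnames") is_group = 1
        else if (attr == "cn" && val != "") has_cn = 1
        else if (attr == "member" && val != "") has_member = 1
    }
    END          { flush(); exit bad }
    ' "$1"
}

# Constructed demo: the first entry matches the page's example, the second
# omits member and is the shape that triggers LDAP error code 65.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dn: cn=newgroup,ou=groups,dc=mycluster,dc=icp
cn: newgroup
objectClass: groupOfNames
member: uid=icpadmin,ou=users,dc=mycluster,dc=icp

dn: cn=emptygroup,ou=groups,dc=mycluster,dc=icp
cn: emptygroup
objectClass: groupOfNames
EOF
    if check_group_ldif "$f"; then echo "ok to run ldapadd"; else echo "fix the LDIF first"; fi
    rm -f "$f"
}
demo
```

Run it against test-group.ldif inside the pod before the ldapadd step; a non-zero exit means at least one group entry would be rejected by the schema check.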