IBM Support

PI96453: ENVIRONMENT PROPERTY "JAVA.NAMING.REFERRAL" IN "COM.SPSS.SECURITY.PROVIDER.LDAP.LDAPPROVIDERCONFIGV2" SHOULD BE CONFIGURABLE

APAR status

  • Closed as program error.

Error description

  • You would like to configure Active Directory authentication for
    SPSS C&DS. The C&DS server is configured to connect to LDAP
    through a load balancer. Direct LDAP communication from the C&DS
    to the domain controllers is blocked. If you set the user base
    dn to DC=company, DC=com, login attempts hang and time out after
    some time.
    
    Using netstat you can see that an LDAP connection is being
    opened from the C&DS server to one of the domain controllers.
    Netstat shows the SYN_SENT state for the connection attempt. The
    problem does not happen when you set the user base dn to OU=OU1,
    DC=company,DC=com.
    
    This solution, however, is not acceptable, because some users
    are in OU=OU1, DC=company, DC=com and others in OU=OU2,
    DC=company, DC=com.
    
    The domain consists of multiple domain controllers. Like all
    objects in the domain, the controllers are in the subtree of
    DC=company,DC=com, therefore when a query is made with this path
    specified as the base DN, referrals are returned, because in
    theory, more results could be available on the other
    controllers. However, we do not need to follow the referrals in
    our case. There are no domain controllers in OU=OU1,
    DC=company,DC=com, so no referrals are returned when it is the
    base DN.
    
    
    
    The issue seems to be with the
    com.spss.security.provider.ldap.LDAPProviderConfigV2 class. The
    value of the environment property "java.naming.referral" is
    hardcoded to "follow". This value should be configurable.
    
    The property is documented here:
    https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#REFERRAL
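
An added example (not IBM's code and not part of the original APAR) of a JNDI environment in which "java.naming.referral" is read from configuration instead of being fixed to "follow", with connect and read timeouts so an unreachable referral target cannot hang a login. The class name, the "ldap.referral" system property, the load balancer host name, the bind DN, the password and the timeout values are assumptions made for the illustration.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class ReferralConfigExample {          // hypothetical class, not part of C&DS
    private static final List<String> MODES = Arrays.asList("follow", "ignore", "throw");

    static Hashtable<String, String> buildEnv(String url, String bindDn, String pw, String referral) {
        if (!MODES.contains(referral))         // reject anything JNDI does not define
            throw new IllegalArgumentException("java.naming.referral must be one of " + MODES);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        env.put(Context.REFERRAL, referral);                   // "java.naming.referral"
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");  // ms; bounds a blocked connect
        env.put("com.sun.jndi.ldap.read.timeout", "10000");    // ms
        return env;
    }

    // Subtree search for one account; JNDI escapes the {0} filter argument.
    static List<String> findUserDns(Hashtable<String, String> env, String baseDn, String user)
            throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        List<String> dns = new ArrayList<>();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> res =
                ctx.search(baseDn, "(sAMAccountName={0})", new Object[] {user}, sc);
            try {
                while (res.hasMore()) dns.add(res.next().getNameInNamespace());
            } catch (PartialResultException e) {
                // With "ignore", the unfollowed referrals surface here after the local entries.
                if (!"ignore".equals(env.get(Context.REFERRAL))) throw e;
            }
        } finally { ctx.close(); }
        return dns;
    }

    public static void main(String[] args) throws NamingException {
        String referral = System.getProperty("ldap.referral", "ignore"); // hypothetical property
        Hashtable<String, String> env = buildEnv("ldap://ldap-lb.example.invalid:389", // constructed
                "CN=svc,OU=OU1,DC=company,DC=com", "placeholder-password", referral);
        System.out.println(Context.REFERRAL + "=" + env.get(Context.REFERRAL));
        if (args.length == 1) System.out.println(findUserDns(env, "DC=company,DC=com", args[0]));
    }
}
```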
    

Local fix

  • An Interim Fix has been delivered by the IBM SPSS Collaboration
    and Deployment Services development team to resolve this issue.
    Please contact IBM SPSS Technical Support and ask to be given
    permission to access this fix. Quote this APAR when raising the
    Service Request.
    
    
    -- INTERIM FIX DISCLAIMER --
    
    Interim fixes are limited corrections to specific issues
    reported by one or more customers. They are normally sent only
    to customers who have reported one of the corrected problems,
    and who require an immediate correction. Interim Fixes do not
    address customer enhancement requests, and not all defect
    corrections can be delivered as Interim Fixes. Due to their
    urgency Interim Fixes undergo only targeted testing of specific
    fixes, not full regression testing. If the fix is not urgently
    required, you may prefer to wait for a scheduled Fix Pack
    Release, which will be fully regression tested. Interim Fix
    corrections, once fully regression tested, are automatically
    included in a future Fix Pack.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * This affects all users who are using Active Directory        *
    * authentication to log into the IBM SPSS Collaboration and    *
    * Deployment Services repository.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * ENVIRONMENT PROPERTY "JAVA.NAMING.REFERRAL" IN               *
    * "COM.SPSS.SECURITY.PROVIDER.LDAP.LDAPPROVIDERCONFIGV2"       *
    * SHOULD BE CONFIGURABLE                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Please upgrade to IBM SPSS Collaboration and Deployment      *
    * Services 8.2 to resolve this problem.                        *
    ****************************************************************
    

Problem conclusion

  • This issue has been resolved in IBM SPSS Collaboration and
    Deployment Services 8.2 release. Please upgrade to this version
    of our product in order to configure this module.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI96453

  • Reported component name

    SPSS CADS

  • Reported component ID

    5725A72CD

  • Reported release

    810

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-04-09

  • Closed date

    2018-12-11

  • Last modified date

    2018-12-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SPSS CADS

  • Fixed component ID

    5725A72CD

Applicable component levels

  • R810 PSY

       UP

  • R811 PSY

       UP

Document Information

Modified date:
11 December 2018