IBM Support

PK81423; 7.0.0.1: Mapping an LDAP user with a comma in the name may not work

Download


Abstract

Mapping an LDAP User to an Administrative Role may not work if the user name has a comma in it.

Download Description

PK81423 resolves the following problem:

ERROR DESCRIPTION:
Mapping an LDAP User to an Administrative Role may not work if the user name has a comma in it. Users may see MalformedObjectNameException or NullPointerException FFDC entries.

LOCAL FIX:
n/a

PROBLEM SUMMARY

USERS AFFECTED:

All users of WebSphere Application Server V7.0

PROBLEM DESCRIPTION:
Mapping an LDAP User to an Administrative Role may not work if the user name has a comma in it.

RECOMMENDATION:
None

Mapping of LDAP users to Administrative roles fails because LDAP inserts a backslash in front of the comma in the user name. As a result, the user name stored in the configuration contains the \, sequence. This sequence cannot be present in an ObjectName key properties value string, so when we try to create an ObjectName, we get a MalformedObjectNameException. This failure also results in a NullPointerException in a subsequent getAttribute ConfigService call.

The MalformedObjectNameException FFDC entry stack trace looks like the following:

FFDC Exception:javax.management.MalformedObjectNameException
SourceId:com.ibm.ws.management.configservice.WorkspaceHelper.createObjectName ProbeId:171
javax.management.MalformedObjectNameException: Invalid quoted character sequence '\,'
at javax.management.ObjectName.parseValue(ObjectName.java:921)
at javax.management.ObjectName.checkValue(ObjectName.java:1001)
at javax.management.ObjectName.construct(ObjectName.java:720)
at javax.management.ObjectName.<init>(ObjectName.java:1448)
at com.ibm.ws.management.configservice.WorkspaceHelper.createObjectName(WorkspaceHelper.java:624)
at com.ibm.ws.management.configservice.MOFUtil.createObjectName(MOFUtil.java:640)
at com.ibm.ws.management.configservice.MOFUtil.getNodeProperties(MOFUtil.java:1535)
at com.ibm.ws.management.configservice.MOFUtil.isValidType(MOFUtil.java:1425)
at com.ibm.ws.management.configservice.MOFUtil.getAttribute(MOFUtil.java:494)
at com.ibm.ws.management.configservice.MOFUtil.getAttributes(MOFUtil.java:430)
at com.ibm.ws.management.configservice.DocAccessor.getAttributes(DocAccessor.java:766)
at com.ibm.ws.management.configservice.ConfigServiceImpl.getAttributesBasic(ConfigServiceImpl.java:1431)
at com.ibm.ws.management.configservice.ConfigServiceImpl.getAttributes(ConfigServiceImpl.java:1145)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy$20.run(ConfigServiceServerProxy.java:813)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy.getAttributes(ConfigServiceServerProxy.java:804)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy.getAttribute(ConfigServiceServerProxy.java:883)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.listIDsOfAuthozGroup(AuthzGroupCommandsProvider.java:894)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.listUserIDsOfAuthorizationGroup(AuthzGroupCommandsProvider.java:840)
.
.
.

The NullPointerException FFDC entry stack trace looks like the following:

FFDC Exception:java.lang.NullPointerException
SourceId:com.ibm.ws.management.commands.authzgroup.mapUsersToAdminRole ProbeId:200
java.lang.NullPointerException
at com.ibm.websphere.management.configservice.ConfigServiceHelper.getConfigDataType(ConfigServiceHelper.java:235)
at com.ibm.ws.management.configservice.WorkspaceHelper.getType(WorkspaceHelper.java:549)
at com.ibm.ws.management.configservice.WorkspaceHelper.getDelegator(WorkspaceHelper.java:562)
at com.ibm.ws.management.configservice.ConfigServiceImpl.getAttributes(ConfigServiceImpl.java:1143)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy$20.run(ConfigServiceServerProxy.java:813)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy.getAttributes(ConfigServiceServerProxy.java:804)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy.getAttribute(ConfigServiceServerProxy.java:883)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.findRoleIDInAuthorization(AuthzGroupCommandsProvider.java:1275)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.addRemoveRoleOrGroupID(AuthzGroupCommandsProvider.java:1096)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.mapUsersToAdminRole(AuthzGroupCommandsProvider.java:263)
.
.
.

PROBLEM CONCLUSION:
The issue has been resolved by detecting cases where we have a \, sequence in the user names, and adding an additional backslash before the existing one. This changes the sequence to \\, which is a valid sequence for an ObjectName key properties value string.
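The behaviour described above can be reproduced with the standard javax.management.ObjectName class. This is an added example, not IBM's fix code: the domain "ExampleDomain", the key "user" and the sample DN are constructed for illustration, and it assumes the user name sits in a quoted key property value, as the "Invalid quoted character sequence" message indicates. It also goes one step beyond the APAR by showing ObjectName.quote, the standard JMX call that escapes every special character rather than only the \, case.

```java
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;

public class ObjectNameCommaDemo {
    // Constructed sample: an LDAP DN whose CN contains an escaped comma (\,).
    static final String LDAP_DN = "cn=Smith\\, John,ou=admins,o=example";

    // Hypothetical domain and key, chosen for illustration only.
    static String nameWithValue(String quotedValue) {
        return "ExampleDomain:user=" + quotedValue;
    }

    // True when the string is accepted as an ObjectName, false when rejected.
    static boolean parses(String name) {
        try {
            new ObjectName(name);
            return true;
        } catch (MalformedObjectNameException e) {
            System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. DN placed between quotes unchanged: "\," is not a legal escape
        //    inside a quoted ObjectName value, so construction fails.
        String raw = nameWithValue("\"" + LDAP_DN + "\"");
        System.out.println("raw parses:     " + parses(raw));

        // 2. The approach the APAR describes: turn "\," into "\\,".
        String doubled = nameWithValue(
                "\"" + LDAP_DN.replace("\\,", "\\\\,") + "\"");
        System.out.println("doubled parses: " + parses(doubled));

        // 3. General form: ObjectName.quote escapes backslash, quote, '*',
        //    '?' and newline; ObjectName.unquote restores the original DN.
        String quoted = ObjectName.quote(LDAP_DN);
        ObjectName on = new ObjectName(nameWithValue(quoted));
        String roundTrip = ObjectName.unquote(on.getKeyProperty("user"));
        System.out.println("quote round-trips: " + roundTrip.equals(LDAP_DN));
    }
}
```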

The fix for this APAR is currently targeted for inclusion in fixpack 7.0.0.5. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, AIX, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 10119): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK81423/readme.txt

7.0.0.0-WS-WAS-IFPK81423 (3/16/2009, US English, AIX, size 16807)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.0-WS-WAS-IFPK81423&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK81423/7.0.0.0-WS-WAS-IFPK81423.pak

7.0.0.3-WS-WAS-IFPK81423 (4/13/2009, US English, AIX, size 16807)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.3-WS-WAS-IFPK81423&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK81423/7.0.0.3-WS-WAS-IFPK81423.pak

Technical Support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server
Business Unit: Cloud & Data Platform
Component: System Management/Repository
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Version: 7.0.0.3; 7.0.0.1; 7.0
Edition: Network Deployment; Single Server
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24022712