Download
Abstract
Mapping an LDAP User to an Administrative Role may not work if the user name has a comma in it.
Download Description
PK81423 resolves the following problem:
ERROR DESCRIPTION:
Mapping an LDAP User to an Administrative Role may not work if the user name has a comma in it. Users may see MalformedObjectNameException or NullPointerException FFDC entries.
LOCAL FIX:
n/a
PROBLEM SUMMARY
USERS AFFECTED:
All users of WebSphere Application Server V7.0
PROBLEM DESCRIPTION:
Mapping an LDAP User to an Administrative Role may not work if the user name has a comma in it.
RECOMMENDATION:
None
Mapping of LDAP users to Administrative roles fails because LDAP inserts a backslash in front of the comma in the user name. As a result, the user name stored in the configuration contains the \, sequence. This sequence cannot be present in an ObjectName key properties value string, so the attempt to create an ObjectName throws a MalformedObjectNameException. This failure also results in a NullPointerException in a subsequent getAttribute ConfigService call.
The MalformedObjectNameException FFDC entry stack trace looks like the following:
FFDC Exception:javax.management.MalformedObjectNameException
SourceId:com.ibm.ws.management.configservice.WorkspaceHelper.createObjectName ProbeId:171
javax.management.MalformedObjectNameException: Invalid quoted character sequence '\,'
at javax.management.ObjectName.parseValue(ObjectName.java:921)
at javax.management.ObjectName.checkValue(ObjectName.java:1001)
at javax.management.ObjectName.construct(ObjectName.java:720)
at javax.management.ObjectName.<init>(ObjectName.java:1448)
at com.ibm.ws.management.configservice.WorkspaceHelper.createObjectName(WorkspaceHelper.java:624)
at com.ibm.ws.management.configservice.MOFUtil.createObjectName(MOFUtil.java:640)
at com.ibm.ws.management.configservice.MOFUtil.getNodeProperties(MOFUtil.java:1535)
at com.ibm.ws.management.configservice.MOFUtil.isValidType(MOFUtil.java:1425)
at com.ibm.ws.management.configservice.MOFUtil.getAttribute(MOFUtil.java:494)
at com.ibm.ws.management.configservice.MOFUtil.getAttributes(MOFUtil.java:430)
at com.ibm.ws.management.configservice.DocAccessor.getAttributes(DocAccessor.java:766)
at com.ibm.ws.management.configservice.ConfigServiceImpl.getAttributesBasic(ConfigServiceImpl.java:1431)
at com.ibm.ws.management.configservice.ConfigServiceImpl.getAttributes(ConfigServiceImpl.java:1145)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy$20.run(ConfigServiceServerProxy.java:813)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy.getAttributes(ConfigServiceServerProxy.java:804)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy.getAttribute(ConfigServiceServerProxy.java:883)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.listIDsOfAuthozGroup(AuthzGroupCommandsProvider.java:894)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.listUserIDsOfAuthorizationGroup(AuthzGroupCommandsProvider.java:840)
.
.
.
The NullPointerException FFDC entry stack trace looks like the following:
FFDC Exception:java.lang.NullPointerException
SourceId:com.ibm.ws.management.commands.authzgroup.mapUsersToAdminRole ProbeId:200
java.lang.NullPointerException
at com.ibm.websphere.management.configservice.ConfigServiceHelper.getConfigDataType(ConfigServiceHelper.java:235)
at com.ibm.ws.management.configservice.WorkspaceHelper.getType(WorkspaceHelper.java:549)
at com.ibm.ws.management.configservice.WorkspaceHelper.getDelegator(WorkspaceHelper.java:562)
at com.ibm.ws.management.configservice.ConfigServiceImpl.getAttributes(ConfigServiceImpl.java:1143)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy$20.run(ConfigServiceServerProxy.java:813)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy.getAttributes(ConfigServiceServerProxy.java:804)
at com.ibm.ws.management.configservice.ConfigServiceServerProxy.getAttribute(ConfigServiceServerProxy.java:883)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.findRoleIDInAuthorization(AuthzGroupCommandsProvider.java:1275)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.addRemoveRoleOrGroupID(AuthzGroupCommandsProvider.java:1096)
at com.ibm.ws.management.commands.authzgroup.AuthzGroupCommandsProvider.mapUsersToAdminRole(AuthzGroupCommandsProvider.java:263)
.
.
.
PROBLEM CONCLUSION:
The issue has been resolved by detecting cases where we have a \, sequence in the user names, and adding an additional backslash before the existing one. This changes the sequence to \\, which is a valid sequence for an ObjectName key properties value string.
The fix for this APAR is currently targeted for inclusion in fixpack 7.0.0.5. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
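The escaping rule behind this failure can be reproduced with the standard javax.management.ObjectName class. The following is an added example, not IBM's code or the APAR fix itself: the domain "Example", the key "user" and both sample DNs are constructed, and it assumes the user name ends up inside a double-quoted key property value, as the "Invalid quoted character sequence" message suggests. It goes beyond the page's comma case by also running a DN containing \+ and by showing ObjectName.quote(), which escapes every backslash.

```java
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;

public class LdapDnObjectName {
    // Constructed sample DNs; the domain "Example" and key "user" are hypothetical.
    static final String COMMA_DN = "cn=Doe\\, John,ou=admins,o=example"; // contains \,
    static final String PLUS_DN = "cn=Doe\\+Admin,ou=admins,o=example";  // contains \+

    // The approach the APAR describes: put a second backslash in front of "\,".
    static String doubleBackslashBeforeComma(String dn) {
        return dn.replace("\\,", "\\\\,");
    }

    // Wraps the value in double quotes without any further escaping.
    static ObjectName buildQuoted(String value) throws MalformedObjectNameException {
        return new ObjectName("Example:type=RoleAssignment,user=\"" + value + "\"");
    }

    // Reports whether ObjectName accepts the value, printing the parser's reason if not.
    static boolean accepted(String value) {
        try {
            buildQuoted(value);
            return true;
        } catch (MalformedObjectNameException e) {
            System.out.println("rejected " + value + " -> " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("raw \\, DN accepted:     " + accepted(COMMA_DN));
        System.out.println("doubled \\, DN accepted: " + accepted(doubleBackslashBeforeComma(COMMA_DN)));
        System.out.println("raw \\+ DN accepted:     " + accepted(PLUS_DN));

        // ObjectName.quote() adds the quotes and escapes every backslash, quote,
        // '*', '?' and newline, so any escaped DN becomes a legal value.
        for (String dn : new String[] {COMMA_DN, PLUS_DN}) {
            ObjectName name = new ObjectName("Example:type=RoleAssignment,user=" + ObjectName.quote(dn));
            String back = ObjectName.unquote(name.getKeyProperty("user"));
            System.out.println(name + " round-trips: " + back.equals(dn));
        }
    }
}
```

Inside a quoted ObjectName value a backslash may only be followed by another backslash, a double quote, ?, * or n, which is why the raw LDAP-escaped names are rejected while the doubled form parses.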
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
Problems (APARS) fixed
Document Information
Modified date:
15 June 2018
UID
swg24022712