Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

WebSphere Primary Admin Role - password changed

CLM 5.0
WebSphere 8.5.5

Hi,

We have installed successfully CLM 5.0 with WebSphere 8.5.5. The users/groups are managed via LDAP.
Our primary admin role named 'clmadmin'.
Everything worked well till we changed clmadmin password in LDAP. Since than, I can't login to the WebSphere admin console with clmadmin and the new password.
I've disabled the security settings to get in, updated the clmadmin password in the LDAP settings, verified the connection works and enabled the security again. Still, can't login with clmadmin.

Would appreciate your insights.
Liora


0 votes

Comments

I do not see such problem in my own environment. I suggest you check the SystemOut.log file to see what's the underlying error for the failing login. I have the impression that you use the same "clmadmin" user the search the LDAP tree for users, is it true?

Hi Liora,

I would suspect the LDAP configuration in WAS, please check systemout.log.

dsquery for clmadmin user and cross verify the DN details with the was LDAP configuration.

Regards,

Arun.

Donald,  you are right. I am using the same user to do search the LDAP tree for users and to administer WAS. 

Do you think different users will solve my problem?

Arun, I will. Thanks.



3 answers

Permanent link
 Hello,

If the servers were restarted it is unlikely that this is the issue due to security cache timeout and objects only persisting for a short period of time. 

Here is what you should do:

Turn off security like you have done before, go into WebSphere and change the clmadmin LDAP password for the LDAP. It might be easier to just remove the user and re-create it. Re-create this user with the new password and then turn security back on, restart and try again. 

Why do that? 

It's because when you create the LDAP Admin user who will search the LDAP in WebSphere. You specify userName and PSW. Say Ryan/Ryan. Now if I try to log in as jen/jen. jen/jen is passed to the LDAP. WebSphere uses Ryan/Ryan to auth with the LDAP and search for jen/jen. If jen/jen is there it works. 

Now, you changed the LDAP password from Ryan/Ryan to say Ryan/Changed. Now even if I am an admin or any other user, the process is still the same. Because the LDAP admin user who searches the LDAP isn't always the admin user in WAS. WAS is taking Ryan/Changed and passing it to the LDAP and STILL trying to use the configured WebSphere LDAP creds to auth before searching the LDAP for Ryan/Changed. Except, we never changed it in WebSphere. So WebSphere is still sending Ryan/Ryan to the LDAP to log in and search for Ryan/Changed(the credentials I entered in the console. So by going into WAS, changing the LDAP user Password to the new one. It allows the LDAP DN assigned in WAS to properly auth to the LDAP before searching for the user it was given from the console login page. 

Thanks!

1 vote


Permanent link
 Hey, 

Just following up to see if this had worked for you? If it did not, did you find another way? Thanks!

1 vote

Comments

Not yet. Maybe, next week, after our holidays. 


Permanent link
Hola,

One thing to note is WebSphere caches security settings. Especially when using SSO for Network Deployments. It is possible that the password change in the LDAP has caused WebSphere to use say clmadmin with password hello that was cached. The LDAP sees this and says, nope not a match with what I have and fails. Typically restarting the server or servers will reset the cache or you can remove it manually.

That could be your problem. 

Thanks!

0 votes

Comments

The WebSphere server was restarted several times, with no avail.  Where is the cache placed?

I will try to remove it manually and see if it works. 

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details

Question asked: Oct 01 '14, 10:35 p.m.

Question was seen: 8,516 times

Last updated: Oct 13 '14, 1:40 p.m.

Confirmation Cancel Confirm