WebSphere Primary Admin Role - password changed
CLM 5.0
WebSphere 8.5.5
Hi,
We have installed successfully CLM 5.0 with WebSphere 8.5.5. The users/groups are managed via LDAP.
Our primary admin role named 'clmadmin'.
Everything worked well till we changed clmadmin password in LDAP. Since than, I can't login to the WebSphere admin console with clmadmin and the new password.
I've disabled the security settings to get in, updated the clmadmin password in the LDAP settings, verified the connection works and enabled the security again. Still, can't login with clmadmin.
Would appreciate your insights.
Liora
3 answers
Hello,
If the servers were restarted it is unlikely that this is the issue due to security cache timeout and objects only persisting for a short period of time.
Here is what you should do:
Turn off security like you have done before, go into WebSphere and change the clmadmin LDAP password for the LDAP. It might be easier to just remove the user and re-create it. Re-create this user with the new password and then turn security back on, restart and try again.
Why do that?
It's because when you create the LDAP Admin user who will search the LDAP in WebSphere. You specify userName and PSW. Say Ryan/Ryan. Now if I try to log in as jen/jen. jen/jen is passed to the LDAP. WebSphere uses Ryan/Ryan to auth with the LDAP and search for jen/jen. If jen/jen is there it works.
Now, you changed the LDAP password from Ryan/Ryan to say Ryan/Changed. Now even if I am an admin or any other user, the process is still the same. Because the LDAP admin user who searches the LDAP isn't always the admin user in WAS. WAS is taking Ryan/Changed and passing it to the LDAP and STILL trying to use the configured WebSphere LDAP creds to auth before searching the LDAP for Ryan/Changed. Except, we never changed it in WebSphere. So WebSphere is still sending Ryan/Ryan to the LDAP to log in and search for Ryan/Changed(the credentials I entered in the console. So by going into WAS, changing the LDAP user Password to the new one. It allows the LDAP DN assigned in WAS to properly auth to the LDAP before searching for the user it was given from the console login page.
Thanks!
Hola,
One thing to note is WebSphere caches security settings. Especially when using SSO for Network Deployments. It is possible that the password change in the LDAP has caused WebSphere to use say clmadmin with password hello that was cached. The LDAP sees this and says, nope not a match with what I have and fails. Typically restarting the server or servers will reset the cache or you can remove it manually.
That could be your problem.
Thanks!
Comments
Donald Nong
Oct 02 '14, 1:45 a.m.I do not see such problem in my own environment. I suggest you check the SystemOut.log file to see what's the underlying error for the failing login. I have the impression that you use the same "clmadmin" user the search the LDAP tree for users, is it true?
Arun K Sriramaiah
Oct 07 '14, 1:17 p.m.Hi Liora,
I would suspect the LDAP configuration in WAS, please check systemout.log.
dsquery for clmadmin user and cross verify the DN details with the was LDAP configuration.
Regards,
Arun.
Liora Milbaum
Oct 08 '14, 6:41 a.m.Donald, you are right. I am using the same user to do search the LDAP tree for users and to administer WAS.