Help with Tomcat to Liberty Profile LDAP Migration


Robert Carter (42926683) | asked Dec 21 '15, 11:21 a.m.
 I have successfully gone through an upgrade from 5.0.2 to 6.0.1.  I am migrating from Tomcat to Liberty profile during the process.  I am now verifying my upgrade and I am unable to login.  It seems to be a problem with the LDAP config settings.

I get the error saying:
[12/21/15 11:14:26:550 EST] 00000069 com.ibm.ws.security.wim.registry.util.LoginBridge            E CWIML4537E: The login operation could not be completed. The specified principal name rjcarter is not found in the back-end repository.
[12/21/15 11:14:26:550 EST] 00000069 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID rjcarter. An invalid user ID or password was specified.
I need assistance in checking the LDAP setting.

Original Tomcat Settings:
<Realm className="org.apache.catalina.realm.JNDIRealm"
roleBase="ou=groups,dc=company,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
roleSubtree="true"
userBase="ou=people,dc=company,dc=com"
userSearch="(cn={0})"
userSubtree="true"
/>
Liberty Profile Settings:

<ldapRegistry baseDN="dc=company,dc=com"
                  ldapType="Custom"
                  recursiveSearch="true">
        <idsFilters groupFilter="(cn=%v)"
                    groupIdMap="*:cn"
                    groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember"
                    userFilter="(cn=%v)"
                    userIdMap="*:cn">
        </idsFilters>
    <customFilters groupIdMap="*:cn"
                   groupMemberIdMap="*:uniqueMember"
                   userIdMap="*:cn"/>
    </ldapRegistry>

Any ideas?

Comments
Robert Carter commented Dec 21 '15, 12:02 p.m.

I was able to use the IBM ldapsearch utility and get a hit back from the LDAP server.

ldapsearch -b "dc=company,dc=com" -h "ldap.company.com" -p 389 -D "uid=ldapuser,ou=system" -w password "(&(cn=rjcarter)(objectclass=InetOrgPerson))" cn

Accepted answer


Robert Carter (42926683) | answered Dec 21 '15, 12:58 p.m.
I fixed this by moving the idsfilters section contents into my customfilter section.
Ralph Schoon selected this answer as the correct answer
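
The fix described in this answer, written out as a server.xml fragment. This is an added example, not part of the original post: the filter and map values are the ones from the question, host, port and bind DN are assumed from the ldapsearch command in the comment above, and the bind password is a placeholder.

```xml
<!-- Added example. Connection attributes are assumptions taken from the
     ldapsearch command in the thread; the question's fragment omitted them. -->
<ldapRegistry host="ldap.company.com"
              port="389"
              baseDN="dc=company,dc=com"
              bindDN="uid=ldapuser,ou=system"
              bindPassword="REPLACE_WITH_ENCODED_PASSWORD"
              ldapType="Custom"
              recursiveSearch="true">
    <!-- bindPassword is a placeholder: store an encoded value (Liberty's
         securityUtility encode produces one) rather than clear text.
         Port 389 is unencrypted LDAP, so bind and login credentials are
         sent in the clear on this connection. -->

    <!-- With ldapType="Custom" the user and group filters go in customFilters.
         userFilter and groupFilter were previously only in idsFilters, which
         has been removed; the remaining values are the question's own
         customFilters attributes. -->
    <customFilters userFilter="(cn=%v)"
                   groupFilter="(cn=%v)"
                   userIdMap="*:cn"
                   groupIdMap="*:cn"
                   groupMemberIdMap="*:uniqueMember"/>
</ldapRegistry>
```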

2 other answers



Mike Delargy (211) | answered Jan 12 '16, 6:51 p.m.
 Christopher, I was able to get this up over the weekend
https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile
Perhaps it could offer you some guidance.
Mike

Christopher Starr (4418) | answered Jan 07 '16, 7:15 p.m.
Robert, I am having the exact same problem as you had with this question. 
Can you provide more details about what you did, including exactly how you moved the contents of the idsfilters section into your customfilter section? Thanks.

Comments
Robert Carter commented Jan 13 '16, 9:47 a.m.

Look to Mike's answer for some examples. 
