502->601 Tomcat->WAS LDAP issues.

Sterling Ferguson-II (1.6k9283269) | asked Mar 02 '16, 6:42 a.m.

I did a successful upgrade in the test environment, which included the migration of tomcat->WAS Liberty. After the migration, I need to finish the last few steps, but I cannot log in. It seems that there may be an issue with the "copied" bindPassword, as it's failing authentication. (So, before it even tries to look up the user that logged in, it fails to bind to LDAP with the "bind" user.)

I know the password of the "binding" user and it works. I can't reset everything, because production is using it. What are my next steps to resolve the ldapUserRegistry.xml file? Is there a way to produce another "generated" password to copy and paste in here?

If not how do I "reset" so I can login and connect to LDAP without "corrupting" the 601 upgrade?


Accepted answer

Abraham Sweiss (2.4k1331) | answered Mar 02 '16, 8:58 a.m.
Hi sterlin,

Here are the steps I would take.

1. stop the server
2. Go to <CLM_Install_Root>/server/liberty/servers/clm
3. open server.xml in a text editor
4. Currently the server should be using the LDAP configuration file.  Change it so it uses the basic authentication.  After making the changes, server.xml should have the following configuration.

    <include location="conf/basicUserRegistry.xml"/>
    <!--include location="conf/ldapUserRegistry.xml"/-->

5. start up the server, and access jts/setup
6. I believe step 6 is where the ldap settings can be updated.
7. Make sure the test connection succeeds
8. Select to generate the server files and hit next
9. Stop the server
10. Modify the server.xml that was modified in step 4, so that it now uses the ldap configuration file.
11. start the server and attempt to log in.
12. If there are still issues logging into jts, then follow the steps in the following wiki article.


Sterling Ferguson-II selected this answer as the correct answer

Sterling Ferguson-II commented Mar 02 '16, 2:40 p.m.

This is not turning out good at all.

I have spent day two on this and the settings in the LDAP setup are the EXACT settings used to set up tomcat. Still can't get in. Wireshark says I'm in, but I get this new error similar to here:

There must be something that WAS Liberty uses that does not work with this M$ AD Implementation. We have grabbed all settings out of Softerra...We will have to escalate the PMR...


2 other answers

Robin Parker (32633738) | answered Mar 02 '16, 9:54 a.m.
I only have a vague recollection of running into this myself....

I remember fiddling about with this:

If you type
./securityUtility help encode 

it should help you.

I think that this is how I got it working. I then ran into trouble with the Filters which are dependent on which ldap implementation you are using ...
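
An added example, not part of the original post and not IBM's own code: a Python check of whether the bindPassword copied into ldapUserRegistry.xml is the `{xor}` encoding of the password known to work. It assumes the file holds a standard Liberty `ldapRegistry` element; the sample XML, host, DNs and password are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample of an ldapUserRegistry.xml; host, DNs and password are made up.
SAMPLE_XML = """<server>
  <ldapRegistry id="ldap" host="ldap.example.test" port="389"
                baseDN="dc=example,dc=test"
                bindDN="cn=binduser,dc=example,dc=test"
                bindPassword="{xor}Lz4sLCgwLTs="/>
</server>"""


def xor_encode(password: str) -> str:
    """Liberty's {xor} form: each UTF-8 byte XOR 0x5F ('_'), then base64."""
    masked = bytes(b ^ 0x5F for b in password.encode("utf-8"))
    return "{xor}" + base64.b64encode(masked).decode("ascii")


def check_bind_password(xml_text: str, known_password: str) -> str:
    """Classify the stored bindPassword and compare it with the known password."""
    root = ET.fromstring(xml_text)
    registry = root if root.tag == "ldapRegistry" else root.find(".//ldapRegistry")
    if registry is None:
        return "no-ldapRegistry-element"
    stored = registry.get("bindPassword")
    if stored is None:
        return "no-bindPassword-attribute"
    # A copy/paste that picked up a space or line break changes the value.
    if any(c.isspace() for c in stored):
        return "whitespace-in-value"
    if stored.startswith("{aes}"):
        # Cannot be compared offline; regenerate it with securityUtility instead.
        return "aes-cannot-verify-offline"
    if stored.startswith("{xor}"):
        return "match" if stored == xor_encode(known_password) else "mismatch"
    if stored.startswith("{"):
        return "unknown-encoding"
    # No prefix: the password sits in the file in clear text.
    return "match-plaintext" if stored == known_password else "mismatch"


if __name__ == "__main__":
    print(check_bind_password(SAMPLE_XML, "password"))
```

`{xor}` is reversible obfuscation rather than encryption, so the file still needs tight permissions; `securityUtility encode --encoding=aes` produces the stronger form.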



Abraham Sweiss (2.4k1331) | answered Mar 02 '16, 2:55 p.m.
hi sterlin,
I ran into the same issue you are running into. The issue is that the same configuration that Tomcat uses does not work in Liberty. The wiki article I posted has detailed instructions on what needs to be manually modified in the Liberty LDAP configuration file. The issue is with how the filters are set up.

Sterling Ferguson-II commented Mar 02 '16, 3:15 p.m.


Thanks for responding. Yeah, we have about a dozen different ldapUserRegistry.xml files now, :-)

We have followed the instructions, and we believe we have what is needed. (There are only so many answers for questions like BaseGroupDN) The tests are successful (with the warning of the email for a user or two). We're clicking "Next"...all the important stuff.
