502->601 Tomcat->WAS LDAP issues.
All,
I did a successful upgrade in the test environment, which included the migration of tomcat->WAS Liberty. After the migration, I need to finish the last few steps, but I cannot login. It seems that there may be an issue with the "copied" bindPassword, as it's failing authentication. (so, before it even tried to look up the user that logged in, it fails to bind to ldap with the "bind" user)
I know the password of the "binding" user and it works. I can't reset everything, because production is using it. What are my next steps to resolve the ldapUserRegistry.xml file? I there a way to produce another "generated" password to copy and paste in here?
If not how do I "reset" so I can login and connect to LDAP without "corrupting" the 601 upgrade?
thanks
Accepted answer
Hi sterlin,
Here are the steps I would take.
1. stop the server
2. Go to <CLM_Install_Root>/server/liberty/servers/clm
3. open server.xml in a text editor
4. Currently the server should be using the LDAP configuration file. Change it so it uses the basic authentication. After making the changes, server.xml should have the following configuration.
<include location="conf/basicUserRegistry.xml"/>
<!--include location="conf/ldapUserRegistry.xml"/-->
5. start up the server, and access jts/setup
6. I beleive step 6 is where the ldap settings can be updated.
7. Make sure the test connection succeeds
8. Select to generate the server files and hit next
9. Stop the server
10. Modify the server.xml that was modified in step 4, so that it now uses the ldap configuration file.
11. start the server and attempt to log in.
12. If there are still issues logging into jts, then follow the steps in the following wiki article.
https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile#Novell_Active_Directory
-Abraham
Here are the steps I would take.
1. stop the server
2. Go to <CLM_Install_Root>/server/liberty/servers/clm
3. open server.xml in a text editor
4. Currently the server should be using the LDAP configuration file. Change it so it uses the basic authentication. After making the changes, server.xml should have the following configuration.
<include location="conf/basicUserRegistry.xml"/>
<!--include location="conf/ldapUserRegistry.xml"/-->
5. start up the server, and access jts/setup
6. I beleive step 6 is where the ldap settings can be updated.
7. Make sure the test connection succeeds
8. Select to generate the server files and hit next
9. Stop the server
10. Modify the server.xml that was modified in step 4, so that it now uses the ldap configuration file.
11. start the server and attempt to log in.
12. If there are still issues logging into jts, then follow the steps in the following wiki article.
https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile#Novell_Active_Directory
-Abraham
Comments
This is not turning out good at all.
I have spent day two on this and the settings in the LDAP setup are the EXACT settings used to set up tomcat. Still can't get in. Wireshark says I'm in, but I get this new error similar to here:
There must be something that WAS Liberty uses that does not work with this M$ AD Implementation. We have grabbed all settings out of Softerra...We will have to escalate the PMR...
:-(
2 other answers
I only have a vague recollection of running into this myself....
I remember fiddling about with this:
<JazzInstallRoot>/server/liberty/wlp/bin/securityUtility
If you type
it should help you.
I think that this is how I got it working. I then ran into trouble with the Filters which are dependant on which ldap implementation you are using ...
HTH,
Robin
I remember fiddling about with this:
<JazzInstallRoot>/server/liberty/wlp/bin/securityUtility
If you type
./securityUtility help encode
it should help you.
I think that this is how I got it working. I then ran into trouble with the Filters which are dependant on which ldap implementation you are using ...
HTH,
Robin
hi sterlin,
I ran into the same issue you are running into. The issue is that the same configuration that Tomcat uses does not work in Liberty. The wiki article I posted has detailed instructions on what needs to be manually modified in the Liberty LDAp configuration file. The issue is with how the filters are set up.
-Abraham
I ran into the same issue you are running into. The issue is that the same configuration that Tomcat uses does not work in Liberty. The wiki article I posted has detailed instructions on what needs to be manually modified in the Liberty LDAp configuration file. The issue is with how the filters are set up.
-Abraham
Comments
Hey,
Thanks for responding. Yeah, we have about a dozen different ldapUserRegistry.xml files now, :-)
We have followed the instructions, and we believe we have what is needed. (There are only so many answers for questions like BaseGroupDN) The tests are successful (with the warning of the email for a user or two). We're clicking "Next"...all the important stuff.