
502->601 Tomcat->WAS LDAP issues.


Sterling Ferguson-II (1.6k7244253) | asked Mar 02 '16, 6:42 a.m.
All,

I did a successful upgrade in the test environment, which included the migration of Tomcat->WAS Liberty. After the migration, I need to finish the last few steps, but I cannot log in. It seems that there may be an issue with the "copied" bindPassword, as it's failing authentication. (So, before it even tries to look up the user that logged in, it fails to bind to LDAP with the "bind" user.)

I know the password of the "binding" user and it works. I can't reset everything, because production is using it. What are my next steps to resolve the ldapUserRegistry.xml file? Is there a way to produce another "generated" password to copy and paste in here?

If not, how do I "reset" so I can log in and connect to LDAP without "corrupting" the 601 upgrade?

thanks

Accepted answer


Abraham Sweiss (2.4k830) | answered Mar 02 '16, 8:58 a.m.
Hi Sterling,

Here are the steps I would take.

1. Stop the server.
2. Go to <CLM_Install_Root>/server/liberty/servers/clm
3. Open server.xml in a text editor.
4. Currently the server should be using the LDAP configuration file. Change it so it uses the basic authentication. After making the changes, server.xml should have the following configuration.

    <include location="conf/basicUserRegistry.xml"/>
    <!--include location="conf/ldapUserRegistry.xml"/-->

5. Start up the server, and access jts/setup.
6. I believe step 6 is where the LDAP settings can be updated.
7. Make sure the test connection succeeds.
8. Select to generate the server files and hit next.
9. Stop the server.
10. Modify the server.xml that was modified in step 4, so that it now uses the LDAP configuration file.
11. Start the server and attempt to log in.
12. If there are still issues logging into jts, then follow the steps in the following wiki article.
https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile#Novell_Active_Directory

-Abraham

Sterling Ferguson-II selected this answer as the correct answer
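
Steps 4 and 10 of the accepted answer, scripted as an added example (not part of the original post and not IBM tooling): it flips server.xml between the two includes shown in step 4, keeps a .bak copy, and restores the file if the wanted include line is missing. The function names and the sample file are hypothetical and constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer. Function names are hypothetical;
# the two include file names are the ones shown in step 4.

# Report which registry include is live in server.xml: basic, ldap, both or none.
# Only the single-line comment form shown in the answer is recognised.
active_registry() {
    local xml="$1" basic=0 ldap=0
    grep -q '<include location="conf/basicUserRegistry.xml"[[:space:]]*/>' "$xml" && basic=1
    grep -q '<include location="conf/ldapUserRegistry.xml"[[:space:]]*/>' "$xml" && ldap=1
    case "$basic$ldap" in
        10) echo basic ;; 01) echo ldap ;; 11) echo both ;; *) echo none ;;
    esac
}

# Make exactly one registry include live. Run with the server stopped (steps 1 and 9).
use_registry() {
    local want="$1" xml="$2" on off
    case "$want" in
        basic) on=basicUserRegistry.xml; off=ldapUserRegistry.xml ;;
        ldap)  on=ldapUserRegistry.xml;  off=basicUserRegistry.xml ;;
        *) echo "usage: use_registry basic|ldap <server.xml>" >&2; return 2 ;;
    esac
    cp -p "$xml" "$xml.bak" || return 1          # previous state, for rollback
    sed -e "s#<!--[[:space:]]*include location=\"conf/$on\"[[:space:]]*/-->#<include location=\"conf/$on\"/>#" \
        -e "s#<include location=\"conf/$off\"[[:space:]]*/>#<!--include location=\"conf/$off\"/-->#" \
        "$xml.bak" > "$xml"
    if [ "$(active_registry "$xml")" != "$want" ]; then
        cp -p "$xml.bak" "$xml"                  # wanted include not found: restore
        return 1
    fi
}

# Constructed sample: a server.xml fragment still pointing at the LDAP registry.
make_sample() {
    cat > "$1" <<'EOF'
<server description="constructed sample">
    <!--include location="conf/basicUserRegistry.xml"/-->
    <include location="conf/ldapUserRegistry.xml"/>
</server>
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/server.xml"
use_registry basic "$demo_dir/server.xml" && active_registry "$demo_dir/server.xml"
rm -rf "$demo_dir"
```

Checking active_registry before each server start confirms that basic authentication is not left enabled once the LDAP settings have been regenerated.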

Comments
Sterling Ferguson-II commented Mar 02 '16, 2:40 p.m.

This is not turning out good at all.


I have spent day two on this and the settings in the LDAP setup are the EXACT settings used to set up Tomcat. Still can't get in. Wireshark says I'm in, but I get this new error similar to here:


There must be something that WAS Liberty uses that does not work with this M$ AD Implementation. We have grabbed all settings out of Softerra...We will have to escalate the PMR...

:-(

2 other answers



Robin Parker (32633238) | answered Mar 02 '16, 9:54 a.m.
I only have a vague recollection of running into this myself....

I remember fiddling about with this:
<JazzInstallRoot>/server/liberty/wlp/bin/securityUtility

If you type
./securityUtility help encode 

it should help you.

I think that this is how I got it working. I then ran into trouble with the Filters, which are dependent on which LDAP implementation you are using ...

HTH,

Robin

Abraham Sweiss (2.4k830) | answered Mar 02 '16, 2:55 p.m.
Hi Sterling,
I ran into the same issue you are running into. The issue is that the same configuration that Tomcat uses does not work in Liberty. The wiki article I posted has detailed instructions on what needs to be manually modified in the Liberty LDAP configuration file. The issue is with how the filters are set up.
-Abraham

Comments
Sterling Ferguson-II commented Mar 02 '16, 3:15 p.m.

Hey,


Thanks for responding. Yeah, we have about a dozen different ldapUserRegistry.xml files now, :-)

We have followed the instructions, and we believe we have what is needed. (There are only so many answers for questions like BaseGroupDN) The tests are successful (with the warning of the email for a user or two). We're clicking "Next"...all the important stuff.
