LDAP not working correctly with blue pages after migration from CLM 5.0.2 to CLM 6.0.2
Hi,
I have seen
https://jazz.net/wiki/bin/view/Deployment/EnableLibertyRTCServerDebugMode
https://www.ibm.com/support/knowledgecenter/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_ldap.html
...
After modifying the server.xml and conf/ldapUserRegistry.xml
...
<idsFilters
    groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
    groupIdMap="*:cn"
    groupMemberIdMap="*:uniquemember"
    userFilter="(preferredIdentity=%v)"
    userIdMap="*:preferredIdentity">
</idsFilters>
...
I am not able to log in.
I tried to log in with 1) an unknown user, 2) a known user with a wrong password and 3) a known user with the correct password.
To me it looks like the user was correctly identified in the third case.
Any idea?
In all cases I see
See the log from
>>>> unknown user
[10/31/16 9:59:48:154 CET] 0000007f com.ibm.ws.session.WASSessionCore W Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 566EDA4000C1DC454D4422F34DC0 to null.
[10/31/16 9:59:48:354 CET] 0000007f com.ibm.ws.security.wim.registry.util.LoginBridge E CWIML4537E: The login operation could not be completed. The specified principal name twelk is not found in the back-end repository.
[10/31/16 9:59:48:354 CET] 0000007f y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID twelk. An invalid user ID or password was specified.
[10/31/16 9:59:48:363 CET] 000000e5 com.ibm.ws.session.WASSessionCore W Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 566EDA4000C1DC454D4422F34DC0 to null.
<<<< unknown user
>>>> known user with wrong password
[10/31/16 10:00:17:980 CET] 00000081 com.ibm.ws.session.WASSessionCore W Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 566EDA4000C1DC454D4422F34DC0 to null.
[10/31/16 10:00:18:557 CET] 00000081 com.ibm.ws.security.wim.registry.util.LoginBridge E CWIML4529E: The login operation could not be completed. The password verification for the Torsten.Welk@de.ibm.com principal name failed. Root cause: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; resolved object com.sun.jndi.ldap.LdapCtx@28019e01. Specify the principal name and the password correctly and check that the account is enabled and not locked.
[10/31/16 10:00:18:557 CET] 00000081 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID Torsten.Welk@de.ibm.com. An invalid user ID or password was specified.
[10/31/16 10:00:18:564 CET] 0000003b com.ibm.ws.session.WASSessionCore W Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 566EDA4000C1DC454D4422F34DC0 to null.
<<<< known user with wrong password
>>>> known user with correct password
[10/31/16 10:00:48:633 CET] 0000009b com.ibm.ws.session.WASSessionCore W Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 566EDA4000C1DC454D4422F34DC0 to null.
[10/31/16 10:00:52:472 CET] 00000051 com.ibm.ws.session.WASSessionCore W Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 566EDA4000C1DC454D4422F34DC0 to null.
<<<< known user with correct password
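An added example, not part of the original post: the three attempts above can be told apart by their message IDs, and the sketch below classifies each `>>>>` / `<<<<` block that way. The sample lines are constructed and shortened from the excerpts in the post, the user names are placeholders, and the outcome labels are this example's own.

```python
import re

# Message IDs as they appear in the log excerpts in the post.
OUTCOMES = {
    "CWIML4537E": "user-not-found",   # user search found no matching entry
    "CWIML4529E": "bad-credentials",  # entry found, LDAP bind rejected (code 49)
}
# Timestamp, thread ID, logger, level, then an optional message ID.
LOG_RE = re.compile(r"^\[[^\]]+\]\s+[0-9a-f]{8}\s+\S+\s+[A-Z]\s+(?:(?P<id>[A-Z]{4,5}\d{4}[A-Z]):)?")

# Constructed sample, shortened from the post; user names are placeholders.
SAMPLE = """\
>>>> unknown user
[10/31/16 9:59:48:154 CET] 0000007f com.ibm.ws.session.WASSessionCore W Detected JSESSIONID with invalid length
[10/31/16 9:59:48:354 CET] 0000007f com.ibm.ws.security.wim.registry.util.LoginBridge E CWIML4537E: The specified principal name jdoe is not found in the back-end repository.
<<<< unknown user
>>>> known user with wrong password
[10/31/16 10:00:18:557 CET] 00000081 com.ibm.ws.security.wim.registry.util.LoginBridge E CWIML4529E: The password verification for the user@example.com principal name failed.
[10/31/16 10:00:18:557 CET] 00000081 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID user@example.com.
<<<< known user with wrong password
>>>> known user with correct password
[10/31/16 10:00:48:633 CET] 0000009b com.ibm.ws.session.WASSessionCore W Detected JSESSIONID with invalid length
<<<< known user with correct password
"""

def split_attempts(text):
    """Group log lines by the '>>>> label' / '<<<< label' markers used in the post."""
    attempts, label = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(">>>>"):
            label = line[4:].strip()
            attempts[label] = []
        elif line.startswith("<<<<"):
            label = None
        elif label is not None and line:
            attempts[label].append(line)
    return attempts

def classify(lines):
    """Map one attempt to an outcome; lines without a message ID are ignored."""
    ids = {m.group("id") for m in map(LOG_RE.match, lines) if m}
    for msg_id, outcome in OUTCOMES.items():
        if msg_id in ids:
            return outcome
    return "auth-failed-other" if "CWWKS1100A" in ids else "no-registry-error"

if __name__ == "__main__":
    for label, lines in split_attempts(SAMPLE).items():
        print(f"{label}: {classify(lines)}")
```

An attempt that comes back as `no-registry-error`, like the third one here, logged no lookup or bind failure at this log level, so the JSESSIONID warning that appears in every attempt does not distinguish it from the others.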
Accepted answer
One other answer
Found it.
userFilter should look like this for me
userFilter="(&amp;(preferredidentity=%v)(objectclass=person))"
<ldapRegistry
    id="bluepages.ibm.com:389"
    baseDN="o=ibm.com"
    host="bluepages.ibm.com"
    ignoreCase="false"
    ldapType="IBM Tivoli Directory Server"
    port="389"
    realm="bluepages.ibm.com:389"
    recursiveSearch="true"
    sslEnabled="false">
    <idsFilters
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
        groupIdMap="*:cn"
        groupMemberIdMap="*:uniquemember"
        userFilter="(&amp;(preferredidentity=%v)(objectclass=person))"
        userIdMap="*:preferredidentity">
    </idsFilters>
</ldapRegistry>