In this article, I explain how LDAP search filters can make ALL the difference to a successful integration of WebSphere Application Server and Lotus Domino.
Following on from my earlier post: -
Unable to configure Federated Repositories in Integrated Solutions Console with Domino LDAP
having completed the integration between WebSphere Application Server 7.0.0.21 and Lotus Domino 8.5.3, I was struggling to retrieve users from the Domino Directory via LDAP.
Using the Users and Groups -> Manage Users functionality within WAS' Integrated Solutions Console, I was surprised NOT to see any users returned from the Domino directory: -
After a lot of trial and even more error, I decided ( belatedly ) to enable debug tracing, using this IBM Technote as source: -
MustGather: Security problems for WebSphere Application Server
and enabled the following trace strings: -
*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all
which, amongst many, many other fine messages, showed me this: -
[10/13/12 21:03:33:947 BST] 00000011 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY o=ibm (&(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(uid=*)) null 2 [PersonAccount] [uid, cn, sn, mail] false false
[10/13/12 21:03:33:949 BST] 00000011 LdapConnectio 3 com.ibm.ws.wim.adapter.ldap.LdapConnection checkSearchCache Hit cache: o=ibm|(&(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(uid=*))|2|101|600000|uid|mail|objectClass|sn|cn|dominounid
[10/13/12 21:05:17:340 BST] 00000018 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY o=ibm (&(|(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson))))(|(uid=wpadmin)(cn=wpadmin))) null 2 [LoginAccount, PersonAccount] [principalName] false false
[10/13/12 21:05:17:341 BST] 00000018 LdapConnectio 3 com.ibm.ws.wim.adapter.ldap.LdapConnection checkSearchCache Hit cache: o=ibm|(&(|(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson))))(|(uid=wpadmin)(cn=wpadmin)))|2|0|0|uid|objectClass|dominounid
[10/13/12 21:05:17:389 BST] 00000018 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY o=ibm (&(|(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson))))(|(uid=wpadmin)(cn=wpadmin))) null 2 [LoginAccount, PersonAccount] [] false false
[10/13/12 21:05:17:391 BST] 00000018 LdapConnectio 3 com.ibm.ws.wim.adapter.ldap.LdapConnection checkSearchCache Hit cache: o=ibm|(&(|(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson))))(|(uid=wpadmin)(cn=wpadmin)))|2|4501|600000|objectClass|dominounid
When I checked my LDAP search filters in: -
/opt/IBM/WebSphere/wp_profile/config/cells/wp7/wim/config/wimconfig.xml
I saw: -
...
<config:ldapEntityTypes name="PersonAccount" searchFilter="(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))">
<config:objectClasses>dominoPerson</config:objectClasses>
</config:ldapEntityTypes>
<config:ldapEntityTypes name="Group" searchFilter="(&(cn=%v)(|(objectclass=dominoGroup)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))">
<config:objectClasses>dominoGroup</config:objectClasses>
</config:ldapEntityTypes>
...
I read the PersonAccount search filter as: -
( ( cn=%v ) OR ( uid=%v ) ) AND ( ( objectclass=dominoPerson ) OR ( objectclass=inetOrgPerson ) )
which is perfectly OK.
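As an added example (not code from the post, from WAS or from Domino), here is a small Python parser that does the reading above mechanically: it turns the PersonAccount searchFilter into the same infix AND/OR form, lists any attribute names that are not in an allow list, and does the %v substitution one performs by hand before pasting a filter into ldapsearch. The allow list is an assumption for illustration, not the Domino schema.

```python
# Constructed input: the PersonAccount searchFilter as it appears in wimconfig.xml
PERSON_FILTER = "(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))"

# Assumed allow list of attribute names (illustrative, not Domino's full LDAP schema)
KNOWN_ATTRS = {"cn", "uid", "sn", "mail", "objectclass", "dominounid", "givenname"}

def parse_filter(text, pos=0):
    """Parse an RFC 4515 filter string (equality items only, which is all these
    filters use) into ('&'|'|'|'!', [children]) or ('=', attr, value).
    Returns (node, position after the closing paren)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)          # parens inside values must be escaped as \29
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError(f"no '=' in filter item at offset {pos}")
    return ("=", attr, value), end + 1

OPS = {"&": " AND ", "|": " OR "}

def render(node):
    """Render the parsed tree in the infix boolean form used in the post."""
    if node[0] == "=":
        return f"({node[1]}={node[2]})"
    if node[0] == "!":
        return "NOT " + render(node[1][0])
    return "( " + OPS[node[0]].join(render(c) for c in node[1]) + " )"

def unknown_attributes(node, known=KNOWN_ATTRS):
    """Return attribute names in the filter that are not in the allow list (case-insensitive)."""
    if node[0] == "=":
        return [] if node[1].lower() in known else [node[1]]
    return [a for c in node[1] for a in unknown_attributes(c, known)]

def substitute(filter_text, value):
    """Replace the %v placeholder with a concrete value, as done by hand for ldapsearch."""
    return filter_text.replace("%v", value)

if __name__ == "__main__":
    tree, _ = parse_filter(PERSON_FILTER)
    print(render(tree))
    print("attributes not in allow list:", unknown_attributes(tree))
    print(substitute(PERSON_FILTER, "padmin"))
```

Running the check over a filter before it goes into wimconfig.xml gives a quick second opinion on spelling that a by-eye reading can miss.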
I'd previously validated the search filters ( as the notes user ): -
$ cd /local/notesdata
$ /opt/ibm/lotus/bin/ldapsearch -h wp7.uk.ibm.com -p 389 -D cn=notes -w passw0rd "(&(|(cn=padmin)(uid=padmin))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))"
CN=padmin,O=ibm
cn=padmin
displayname=padmin/ibm
mailsystem=100
objectclass=dominoPerson
objectclass=inetOrgPerson
objectclass=organizationalPerson
objectclass=person
objectclass=top
messagestorage=1
encryptincomingmail=0
roamcleansetting=0
roamcleanper=1
availablefordirsync=1
checkpassword=0
passwordchangeinterval=0
passwordgraceperiod=0
givenname=portal
sn=admin
uid=padmin
roaminguser=0
userpassword=(GIMrxir7cW6bC/nzWSgO)
so I knew that the search filter was OK.
However, in the interests of expediency, I stripped the search filters out, leaving me with: -
...
<config:ldapEntityTypes name="PersonAccount" searchFilter="">
<config:objectClasses>dominoPerson</config:objectClasses>
</config:ldapEntityTypes>
<config:ldapEntityTypes name="Group" searchFilter="">
<config:objectClasses>dominoGroup</config:objectClasses>
</config:ldapEntityTypes>
...
and all is now well.
I know that I've seen and cracked the problem of search filters before but ..... that'll do for now.