Unable to login to WS Portal Express 6.1 after configuring standalone LDAP


ian.hur...@bt.com

Nov 27, 2008, 6:08:32 PM
I have followed the process in http://www-10.lotus.com/ldd/portalwiki.nsf/dx/understanding-the-websphere-portal-6.1-security-configuration-stand-alone-ldap-using-domino-8 (and the relevant info centre pages) to configure a standalone LDAP directory (Domino 8.0.2) on a clean install of WS Portal Express 6.1. All the config scripts and steps completed successfully and I can now log in to the WAS console with the admin ID specified in the LDAP directory. I can't, however, log in to WebSphere Portal using http://localhost:10040/wps/portal (it generates an HTTP 404 error). This was working OK before LDAP security was enabled. Does anyone know if this is normal/how to resolve it? Thanks

ian.hur...@bt.com

Dec 2, 2008, 12:50:45 PM
Here are the errors that are being thrown when WebSphere_Portal starts up:

[02/12/08 15:31:40:606 GMT] 00000027 Servlet E com.ibm.wps.engine.Servlet init EJPFD0016E: Initialization of service failed.
com.ibm.wps.ac.DomainAdministratorNotFoundException: EJPSB0107E: Exception occurred while retrieving the identity of the domain admin user/admingroup cn=wpsadmins.
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.convertDNtoObjectID(AccessControlDataManagementServiceImpl.java:987)
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.access$000(AccessControlDataManagementServiceImpl.java:74)
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl$1.run(AccessControlDataManagementServiceImpl.java:890)
at com.ibm.wps.um.PumaEngineHelper.runUnrestricted(PumaEngineHelper.java:1185)
at com.ibm.wps.um.PumaEnvironmentImpl.runUnrestricted(PumaEnvironmentImpl.java:141)
at com.ibm.wps.services.puma.PumaServiceImpl.executeWithoutACChecks(PumaServiceImpl.java:2495)
at com.ibm.wps.services.puma.Puma.executeWithoutACChecks(Puma.java:989)
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.initializeDomainConfig(AccessControlDataManagementServiceImpl.java:897)
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.reinit(AccessControlDataManagementServiceImpl.java:804)
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.init(AccessControlDataManagementServiceImpl.java:449)
at com.ibm.wps.services.ServiceManager.createService(ServiceManager.java:391)
at com.ibm.wps.services.ServiceManager.initInternal(ServiceManager.java:285)
at com.ibm.wps.services.ServiceManager.init(ServiceManager.java:179)
at com.ibm.wps.services.ServiceManager.init(ServiceManager.java:114)
at com.ibm.wps.engine.Servlet.init(Servlet.java:239)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:192)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.init(ServletWrapper.java:319)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.initialize(ServletWrapper.java:1221)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.initialize(ServletWrapper.java:152)
at com.ibm.wsspi.webcontainer.extension.WebExtensionProcessor.createServletWrapper(WebExtensionProcessor.java:99)
at com.ibm.ws.webcontainer.webapp.WebApp.getServletWrapper(WebApp.java:831)
at com.ibm.ws.webcontainer.webapp.WebApp.initializeTargetMappings(WebApp.java:486)
at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinish(WebApp.java:323)
at com.ibm.ws.wswebcontainer.webapp.WebApp.initialize(WebApp.java:290)
at com.ibm.ws.wswebcontainer.webapp.WebGroup.addWebApplication(WebGroup.java:92)
at com.ibm.ws.wswebcontainer.VirtualHost.addWebApplication(VirtualHost.java:157)
at com.ibm.ws.wswebcontainer.WebContainer.addWebApp(WebContainer.java:665)
at com.ibm.ws.wswebcontainer.WebContainer.addWebApplication(WebContainer.java:618)
at com.ibm.ws.webcontainer.component.WebContainerImpl.install(WebContainerImpl.java:335)
at com.ibm.ws.webcontainer.component.WebContainerImpl.start(WebContainerImpl.java:551)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1303)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1138)
at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:569)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:817)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:949)
at com.ibm.ws.runtime.component.ApplicationMgrImpl$AppInitializer.run(ApplicationMgrImpl.java:2122)
at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:342)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1473)
Caused by: com.ibm.portal.puma.MemberNotFoundException: EJPSG0002E: Requested Member does not exist.cn=wpsadmins
at com.ibm.wps.services.puma.PumaServiceImpl.findGroupById(PumaServiceImpl.java:404)
at com.ibm.wps.services.puma.Puma.findGroupById(Puma.java:404)
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.convertDNtoObjectID(AccessControlDataManagementServiceImpl.java:967)
... 37 more
Caused by: com.ibm.wps.um.exceptions.impl.MemberNotFoundExceptionImpl: com.ibm.portal.puma.MemberNotFoundException: EJPSG0002E: Requested Member does not exist.cn=wpsadmins/null
at com.ibm.wps.um.PumaEngineHelper.reload(PumaEngineHelper.java:798)
at com.ibm.wps.um.PumaEngineHelper.loadWithBaseAttributes(PumaEngineHelper.java:684)
at com.ibm.wps.um.PumaLocatorImpl.findGroupByIdentifier(PumaLocatorImpl.java:368)
at com.ibm.wps.services.puma.PumaServiceImpl$3.run(PumaServiceImpl.java:394)
at com.ibm.wps.services.puma.PumaServiceImpl$3.run(PumaServiceImpl.java:392)
at com.ibm.wps.um.PumaEngineHelper.runWithoutPAC(PumaEngineHelper.java:1222)
at com.ibm.wps.services.puma.PumaServiceImpl.executeWithoutPAC(PumaServiceImpl.java:2508)
at com.ibm.wps.services.puma.PumaServiceImpl.findGroupById(PumaServiceImpl.java:390)
... 39 more
Caused by: com.ibm.portal.puma.MemberNotFoundException: EJPSG0002E: Requested Member does not exist.cn=wpsadmins/null
... 47 more

and...

[02/12/08 15:32:23:823 GMT] 00000046 LdapRegistryI E SECJ0361E: Authentication failed for portaladmin because user is not found in the registry.
[02/12/08 15:32:23:843 GMT] 00000046 ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl initialize FFDC0009I: FFDC opened incident stream file F:\IBM\WebSphere\wp_profile\logs\ffdc\WebSphere_Portal_00000046_08.12.02_15.32.23_0.txt
[02/12/08 15:32:23:963 GMT] 00000046 ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl resetIncidentStream FFDC0010I: FFDC closed incident stream file F:\IBM\WebSphere\wp_profile\logs\ffdc\WebSphere_Portal_00000046_08.12.02_15.32.23_0.txt
[02/12/08 15:32:23:963 GMT] 00000046 LdapRegistryI E SECJ0336E: Authentication failed for user portaladmin because of the following exception com.ibm.websphere.security.PasswordCheckFailedException: No user portaladmin found
[02/12/08 15:32:24:113 GMT] 00000027 ApplicationMg A WSVR0221I: Application started: Live_Object_Framework
[02/12/08 15:32:24:143 GMT] 00000046 ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl open FFDC0009I: FFDC opened incident stream file F:\IBM\WebSphere\wp_profile\logs\ffdc\WebSphere_Portal_00000046_08.12.02_15.32.24_0.txt
[02/12/08 15:32:24:183 GMT] 00000046 ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl resetIncidentStream FFDC0010I: FFDC closed incident stream file F:\IBM\WebSphere\wp_profile\logs\ffdc\WebSphere_Portal_00000046_08.12.02_15.32.24_0.txt
[02/12/08 15:32:24:193 GMT] 00000046 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is No user portaladmin found.

portaladmin is not configured anywhere as the admin user (it's the local Windows admin account used to install the software). The admin user is the default "wpsadmin" that has been created in the LDAP directory (a member of the wpsadmins group).


I have also seen some errors related to LDAP attribute configuration in configtrace:

[wplc-validate-ldap-attribute-config] found repository 1
[wplc-validate-ldap-attribute-config] Possible problems for PersonAccount:
[wplc-validate-ldap-attribute-config]
[wplc-validate-ldap-attribute-config] The following attribues are defined in Portal but not in LDAP - You should either flag them as unsupported or define an attribute mapping:
[wplc-validate-ldap-attribute-config] []
[wplc-validate-ldap-attribute-config]
[wplc-validate-ldap-attribute-config] The following attributes are flagged as required in LDAP but not in Portal - You should flag them as required in Portal, too:
[wplc-validate-ldap-attribute-config] [sn]
[wplc-validate-ldap-attribute-config]
[wplc-validate-ldap-attribute-config] FYI: The following attributes have a diffenrent type in Portal and in LDAP - No action is required:
[wplc-validate-ldap-attribute-config] jpegPhoto: Base64Binary 1.3.6.1.4.1.1466.115.121.1.28
[wplc-validate-ldap-attribute-config] homePostalAddress: String 1.3.6.1.4.1.1466.115.121.1.41
[wplc-validate-ldap-attribute-config] facsimileTelephoneNumber: String 1.3.6.1.4.1.1466.115.121.1.22
[wplc-validate-ldap-attribute-config] postalAddress: String 1.3.6.1.4.1.1466.115.121.1.41
[wplc-validate-ldap-attribute-config] Possible problems for Group:
[wplc-validate-ldap-attribute-config]
[wplc-validate-ldap-attribute-config] The following attribues are defined in Portal but not in LDAP - You should either flag them as unsupported or define an attribute mapping:
[wplc-validate-ldap-attribute-config] [displayName, cn]
[wplc-validate-ldap-attribute-config]
[wplc-validate-ldap-attribute-config] The following attributes are flagged as required in LDAP but not in Portal - You should flag them as required in Portal, too:
[wplc-validate-ldap-attribute-config] []
[wplc-validate-ldap-attribute-config]
[wplc-validate-ldap-attribute-config] FYI: The following attributes have a diffenrent type in Portal and in LDAP - No action is required:
[wplc-validate-ldap-attribute-config] Status = Complete
Target finished: wp-validate-standalone-ldap-attribute-config

I have set

user.attributes.required=sn

in wkplc.properties

and wp-validate-standalone-ldap-attribute-config returns

user.attributes.required=sn

and I already created mappings for displayName and cn:

[wplc-modify-ldap-attribute-config] UpdateAttMapping ibm-primaryEmail to mail in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping ibm-jobTitle to title in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping stateOrProvinceName to st in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping countryName to c in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping localityName to l in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping street to OfficeStreetAddress in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping employeeNumber to EmployeeID in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping roomNumber to physicalDeliveryOfficeName in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping departmentNumber to Department in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping o to o in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping preferredLanguage to preferredLanguage in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping labeledURI to url in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping ibm-personalTitle to personalTitle in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping sn to sn in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping displayName to displayName in 1.
[wplc-modify-ldap-attribute-config] UpdateAttMapping cn to cn in 1.

so the configtrace messages don't make much sense. As I have already configured all the things this script is telling me to do, some of which have taken effect, I don't know what to try next. Has anyone seen this issue (or these issues) before and knows how to resolve it?
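As an added illustration (not code from the thread or from IBM), this small parser reads the wplc-validate-ldap-attribute-config block quoted above and turns its two kinds of findings into the follow-up the validator asks for: the PersonAccount "required in LDAP" list becomes the user.attributes.required setting the poster applied in wkplc.properties, and the "defined in Portal but not in LDAP" lists are reported per entity for mapping or flagging as unsupported. The sample trace is constructed from the lines in the post; joining multiple required attributes with a comma is an assumption, since the thread only shows one.

```python
import re

PREFIX = "[wplc-validate-ldap-attribute-config]"

# Constructed sample: the decision lines of the ConfigTrace excerpt in the post above.
SAMPLE_TRACE = """\
[wplc-validate-ldap-attribute-config] Possible problems for PersonAccount:
[wplc-validate-ldap-attribute-config] The following attribues are defined in Portal but not in LDAP - You should either flag them as unsupported or define an attribute mapping:
[wplc-validate-ldap-attribute-config] []
[wplc-validate-ldap-attribute-config] The following attributes are flagged as required in LDAP but not in Portal - You should flag them as required in Portal, too:
[wplc-validate-ldap-attribute-config] [sn]
[wplc-validate-ldap-attribute-config] FYI: The following attributes have a diffenrent type in Portal and in LDAP - No action is required:
[wplc-validate-ldap-attribute-config] jpegPhoto: Base64Binary 1.3.6.1.4.1.1466.115.121.1.28
[wplc-validate-ldap-attribute-config] Possible problems for Group:
[wplc-validate-ldap-attribute-config] The following attribues are defined in Portal but not in LDAP - You should either flag them as unsupported or define an attribute mapping:
[wplc-validate-ldap-attribute-config] [displayName, cn]
[wplc-validate-ldap-attribute-config] The following attributes are flagged as required in LDAP but not in Portal - You should flag them as required in Portal, too:
[wplc-validate-ldap-attribute-config] []
"""


def parse_validation(trace):
    """Return {entity: {"missing_in_ldap": [...], "required_in_ldap": [...]}}.

    A heading line sets which list the next bracketed line belongs to; the
    "FYI" type-difference section is skipped because the tool says no action is needed.
    """
    findings, entity, pending = {}, None, None
    for raw in trace.splitlines():
        if not raw.startswith(PREFIX):
            continue
        line = raw[len(PREFIX):].strip()
        m = re.match(r"Possible problems for (\w+):", line)
        if m:
            entity = m.group(1)
            findings[entity] = {"missing_in_ldap": [], "required_in_ldap": []}
        elif "defined in Portal but not in LDAP" in line:
            pending = "missing_in_ldap"
        elif "required in LDAP but not in Portal" in line:
            pending = "required_in_ldap"
        elif pending and entity and line.startswith("[") and line.endswith("]"):
            findings[entity][pending] = [a.strip() for a in line[1:-1].split(",") if a.strip()]
            pending = None
    return findings


def suggest_actions(findings):
    """Map findings to actions: the wkplc.properties key from the thread, plus per-entity mapping work."""
    actions = {}
    required = findings.get("PersonAccount", {}).get("required_in_ldap", [])
    if required:
        actions["user.attributes.required"] = ",".join(required)  # assumption: comma-separated list
    for entity, f in findings.items():
        if f["missing_in_ldap"]:
            actions.setdefault("map_or_flag_unsupported", {})[entity] = f["missing_in_ldap"]
    return actions
```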

ff...@us.ibm.com

Dec 3, 2008, 8:42:09 AM
There may be an issue with the portal admin group or the bind user.

Is the bind user in ACL as Editor or above? Did you enter the bind user as full DN when configuring security? Did you give a baseDN in wkplc.properties?

-FF

The postings on this site are my own and do not necessarily represent the positions, strategies or opinions of IBM.

ian.hur...@bt.com

Dec 3, 2008, 9:17:14 AM
The admin group configured in portal, "wpsadmins", is listed as an Editor in the Domino names.nsf ACL, with the GroupCreator, GroupModifier, UserCreator and UserModifier roles assigned. The LDAP bind user (wpsbind) is a member of wpsadmins in the format wpsbind/ . wpsbind is not listed explicitly in the names.nsf ACL. In the person doc for wpsbind, username = wpsbind/ first + wpsbind second, shortname=wpsbind.

The bind user was entered into wkplc.properties as:

standalone.ldap.bindDN=cn=wpsbind,o=

BaseDN is null as specified in the documentation for Domino LDAP.

Thanks for your help

ff...@us.ibm.com

Dec 3, 2008, 12:01:56 PM
Please attach security.xml, wimconfig.xml and SystemOut.log.

ian.hur...@bt.com

Dec 3, 2008, 12:43:51 PM
Requested docs attached.

ff...@us.ibm.com

Dec 3, 2008, 1:27:00 PM
The configuration in VMM/WIM is not complete. There is no LDAP info in it. Also the WAS security is not enabled. Please try the following:
1. In wkplc.properties, set "ignoreDuplicateIDs" to true;
2. Rerun "ConfigEngine.sh wp-modify-ldap-security". If it fails, post ConfigTrace.log and wkplc.properties.

ian.hur...@bt.com

Dec 4, 2008, 8:03:20 AM
I disabled security manually in security.xml to see if the portal server would start cleanly. I found fixpack 6.1.0.1 yesterday afternoon, for which the first fix listed is "WAS7BR: failed to enable-sec against Domino when basdDN is empty". It was not disabled when wp-modify-ldap-security was run. I will run the steps suggested before applying the upgrade.

ff...@us.ibm.com

Dec 4, 2008, 8:34:49 AM
Portal 6.1 would not work if the WAS global security is not enabled.

ian.hur...@bt.com

Dec 4, 2008, 9:58:49 AM
Security re-enabled. ignoreDuplicateIDs set to true. wp-modify-ldap-security completed with "BUILD SUCCESSFUL". Starting the portal throws the following error in SystemOut.log:

[04/12/08 14:23:08:291 GMT] 00000025 exception E com.ibm.websphere.wim.security.authz.AccessException CWWIM2008E The principal 'AnonymousUser' is not authorized to perform the operation 'GET PersonAccount' on 'CN=wpsadmin,O=btshowcase'
[04/12/08 14:23:08:461 GMT] 00000025 exception E com.ibm.websphere.wim.security.authz.AccessException
com.ibm.websphere.wim.security.authz.AccessException: CWWIM2008E The principal 'AnonymousUser' is not authorized to perform the operation 'GET PersonAccount' on 'CN=wpsadmin,O=btshowcase'
at com.ibm.ws.wim.security.authz.ProfileSecurityManager.checkAccessResult(ProfileSecurityManager.java:1161)

ff...@us.ibm.com

Dec 6, 2008, 12:08:20 PM
Please send the same set of files asked before.

ian.hur...@bt.com

Dec 9, 2008, 5:27:27 AM
I have now resolved the Domino LDAP configuration issue; the steps I took were:

1. Re-install Windows 2003 Server standard SP1
2. Re-install WS Portal Express 6.1.0.0
3. Install Windows 2003 Server SP2
4. Install WAS FP19
5. Install WS Portal Express FP 6.1.0.1
6. Run the LDAP config wizard GUI

A long process but the Domino LDAP bug in 6.1.0.0 seems to have been fixed as per the release notes for 6.1.0.1.
