
Multiple LDAP configuration problem


Miguel Segura Anaya

Oct 25, 2008, 3:26:42 PM
Hello everybody

I'm trying to configure my Portal 6.1 with two different LDAPs, one Tivoli directory and one Active Directory LDAP. If I configure only the Tivoli LDAP, it works fine, but if I add the AD directory, the users can't log in to the portal and the following exception is written to the log.

I attach my wimconfig.xml

I'm desperate.

[25/10/08 20:58:00:531 CEST] 00000027 UserRegistryI E SECJ0363E: No se puede crear el credencial del usuario uid=wpsadmin,cn=users,dc=eic,dc=cat debido a la siguiente excepción com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E Se ha producido la excepción de denominación 'javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'eic.cat'
]; remaining name 'uid=wpsadmin,cn=users,dc=eic,dc=cat'; resolved object com.sun.jndi.ldap.LdapCtx@26a026a' durante el proceso.
at com.ibm.ws.wim.adapter.ldap.LdapConnection.getRangeAttributes(LdapConnection.java:1034)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.getAttributes(LdapConnection.java:869)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.checkAttributesCache(LdapConnection.java:1239)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:2359)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:2276)
at com.ibm.ws.wim.adapter.ldap.LdapAdapter.get(LdapAdapter.java:1348)
at com.ibm.ws.wim.ProfileManager.getImpl(ProfileManager.java:1404)
at com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:284)
at com.ibm.ws.wim.ProfileManager.get(ProfileManager.java:333)
at com.ibm.websphere.wim.ServiceProvider.get(ServiceProvider.java:345)
at com.ibm.ws.wim.registry.util.MembershipBridge.getUniqueGroupIds(MembershipBridge.java:561)
at com.ibm.ws.wim.registry.WIMUserRegistry$12.run(WIMUserRegistry.java:565)
at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:4076)
at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:4173)
at com.ibm.ws.wim.security.authz.jacc.JACCSecurityManager.runAsSuperUser(JACCSecurityManager.java:484)
at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperUser(ProfileSecurityManager.java:961)
at com.ibm.ws.wim.registry.WIMUserRegistry.getUniqueGroupIds(WIMUserRegistry.java:551)
at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(UserRegistryImpl.java:754)
at com.ibm.ws.security.ltpa.LTPAServerObject.authenticate(LTPAServerObject.java:776)
at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:453)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
at com.ibm.ws.security.auth.JaasLoginHelper.jaas_login(JaasLoginHelper.java:475)
at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:3444)
at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:3237)
at com.ibm.ws.security.web.FormLoginExtensionProcessor$1.run(FormLoginExtensionProcessor.java:293)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.security.web.FormLoginExtensionProcessor.formLogin(FormLoginExtensionProcessor.java:301)
at com.ibm.ws.security.web.FormLoginExtensionProcessor.handleRequest(FormLoginExtensionProcessor.java:177)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:114)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:832)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:742)
at com.ibm.ws.webcontainer.webapp.WebApp.invokeFilters(WebApp.java:3498)
at com.ibm.ws.wswebcontainer.webapp.WebApp.invokeFilters(WebApp.java:360)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3406)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:815)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1461)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:118)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1818)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:195)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:743)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:873)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1473)

ff...@us.ibm.com

Oct 25, 2008, 8:31:09 PM
Do you have multiple "wpsadmin" in different repositories? Try to rename your AD's "wpsadmin" to "adwpsadmin" and try again.

-FF

The postings on this site are my own and do not necessarily represent the positions, strategies or opinions of IBM.

Miguel Segura Anaya

Oct 26, 2008, 6:10:02 AM
First of all thanks for your answer.

I have searched for any wpsadmin in the AD LDAP but I can't find it. I've tried to log in with other users of the Tivoli LDAP that I'm sure aren't registered in the AD LDAP and the result is the same:

[26/10/08 10:56:27:234 CET] 00000023 UserRegistryI E SECJ0363E: No se puede crear el credencial del usuario uid=msegura,cn=users,dc=eic,dc=cat debido a la siguiente excepción com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E Se ha producido la excepción de denominación 'javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'eic.cat'
]; remaining name 'uid=msegura,cn=users,dc=eic,dc=cat'; resolved object com.sun.jndi.ldap.LdapCtx@4f564f56' durante el proceso.

So I don't think it is a user issue.

Any other ideas?

ff...@us.ibm.com

Oct 26, 2008, 9:11:30 AM
LDAP error code 10 is referral. The error was from your MSAD. We can't tell why it was thrown out when you log in using user ID in ITDS. Not enough information is given.

Miguel Segura Anaya

Oct 26, 2008, 10:05:24 AM

So, what do you recommend? Opening an incident with IBM?

Miguel Segura Anaya

Oct 26, 2008, 10:47:32 AM
It's true !!! I have the same error asking the AD LDAP directly, this is a very good clue, thank you very much.

Miguel Segura Anaya

Oct 26, 2008, 12:41:35 PM

OK!! It's working now, I managed it by setting allowOperationIfReposDown="true". Now I have error messages in my log but it works.

Thank you

brett_...@us.ibm.com

Oct 28, 2008, 10:13:45 AM
When you say you are getting the error "directly", do you mean that you can reproduce via a simple LDAP client outside of WebSphere Portal? If so, I'd recommend working further with your LDAP admin for AD.

As for WP, you can edit the wimconfig.xml and look for the referal="ignore" for the AD entry and change it to referal="follow". Then restart WP and see if the error changes at all.

If you open a PMR with support, we won't be able to do much unless you can confirm the query works against AD when issued via a simple LDAP client.

-Brett Gordon (WebSphere Portal L2 Support)

IBM Certified System Administrator -- WebSphere Portal V6.0, V5.1, V5.0
IBM Certified Solution Developer -- WebSphere Portal V5.1, v6.0

The postings on this site are my own and do not necessarily represent the positions, strategies, or opinions of IBM.
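
Added example, not part of the original thread or of any IBM tooling: a small triage helper that pulls the LDAP result code, the referral target and the looked-up DN out of the CWWIM4520E records posted above, and checks whether the referral names the same suffix as the entry being looked up. The mapping of a dotted referral target such as 'eic.cat' to a dc= suffix is an assumption, and all function names are hypothetical.

```python
import re

# RFC 4511 result codes relevant to bind/search triage.
LDAP_RESULT = {10: "referral", 32: "noSuchObject", 49: "invalidCredentials"}

# Constructed from the two log records in the thread (prefix text trimmed).
SAMPLE_LOG = """\
[25/10/08 20:58:00:531 CEST] 00000027 UserRegistryI E SECJ0363E: CWWIM4520E 'javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'eic.cat'
]; remaining name 'uid=wpsadmin,cn=users,dc=eic,dc=cat'; resolved object com.sun.jndi.ldap.LdapCtx@26a026a'
[26/10/08 10:56:27:234 CET] 00000023 UserRegistryI E SECJ0363E: CWWIM4520E 'javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'eic.cat'
]; remaining name 'uid=msegura,cn=users,dc=eic,dc=cat'; resolved object com.sun.jndi.ldap.LdapCtx@4f564f56'
"""

RECORD = re.compile(
    r"\[LDAP: error code (\d+) - (.*?)\]; remaining name '([^']*)'", re.DOTALL)
REF = re.compile(r"ref \d+: '([^']+)'")

def domain_to_dn(domain):
    """Assumed mapping: DNS-style referral target -> dc= suffix."""
    return ",".join("dc=" + label for label in domain.lower().split("."))

def dn_under(dn, base):
    """True if dn equals base or sits below it (case/space-insensitive)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

def parse_referral_errors(log_text):
    """Return one dict per LDAP naming exception found in the log text."""
    out = []
    for code, detail, dn in RECORD.findall(log_text):
        refs = REF.findall(detail)
        out.append({
            "code": int(code),
            "meaning": LDAP_RESULT.get(int(code), "other"),
            "dn": dn,
            "referrals": refs,
            # Referral names the same suffix as the entry being looked up.
            "same_suffix": any(dn_under(dn, domain_to_dn(r)) for r in refs),
        })
    return out

if __name__ == "__main__":
    for rec in parse_referral_errors(SAMPLE_LOG):
        print(rec)
```

For both records in the thread the referral target maps to the same dc=eic,dc=cat suffix that the Tivoli user DNs live under.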
