Wednesday, 18 March 2009

Fun and Games with the New Site Wizard portlet

Using the IBM New Site Wizard portlet, I was seeing: -

An error occurred creating the new portal site:

An error occurred while trying to create users or groups within the user repository because of insufficient access permissions. This site template requires write access to the user repository.


This only started occurring AFTER I'd configured my portal server ( WebSphere Portal Express 6.1.0.1 ) to authenticate against my Domino LDAP ( Lotus Domino 8.5 ), which kinda indicated where things might have gone wrong.

When I checked the portal's SystemOut.log, I saw: -

com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'cn=MySite01Admins'; resolved object com.sun.jndi.ldap.LdapCtx@3a063a06' naming exception occurred during processing.

These two sets of messages indicated that the portal is not able to create new users/groups within the Domino Directory, which makes sense given that I have not enabled LDAP write-access ( "Allow LDAP users write access" = "Yes" ).

I'll dig around a little further, but this does make sense ... of a sort.
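The log triage described above, as an added example that is not part of the original post: it pulls the LDAP result code and the refused DN out of WIM messages such as CWWIM4520E. The function names, the second and third sample lines and the DN `cn=MySite01Users` are constructed for illustration.

```python
import re

# LDAP result codes (RFC 4511) that JNDI reports inside naming exceptions.
LDAP_CODES = {
    32: "noSuchObject: target entry or its parent does not exist",
    49: "invalidCredentials: bind DN or password rejected",
    50: "insufficientAccessRights: bind identity may not perform the operation",
    68: "entryAlreadyExists: an entry with this DN is already present",
}

# JNDI exception as embedded in a WIM message such as CWWIM4520E.
WIM_LDAP = re.compile(
    r"(?P<msgid>CWWIM\d{4}[EWI])\b.*?"
    r"(?P<exc>javax\.naming\.[\w.]+):\s*"
    r"\[LDAP: error code (?P<code>\d+)(?: - (?P<text>[^\]]*))?\]"
    r"(?:;\s*remaining name '(?P<dn>[^']*)')?"
)

def parse_line(line):
    """Return the LDAP failure details found in one log line, or None."""
    m = WIM_LDAP.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    return {"msgid": m.group("msgid"),
            "exception": m.group("exc").rsplit(".", 1)[-1],
            "code": code,
            "meaning": LDAP_CODES.get(code, "unmapped result code"),
            "dn": m.group("dn")}

def denied_entries(lines):
    """DNs the directory refused with result code 50, in first-seen order."""
    seen = []
    for hit in filter(None, map(parse_line, lines)):
        if hit["code"] == 50 and hit["dn"] and hit["dn"] not in seen:
            seen.append(hit["dn"])
    return seen

# First line is the message quoted in the post; the rest are constructed samples.
PAGE_LINE = ("com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The "
             "'javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient "
             "Access Rights]; remaining name 'cn=MySite01Admins'; resolved object "
             "com.sun.jndi.ldap.LdapCtx@3a063a06' naming exception occurred during processing.")
SAMPLE = [PAGE_LINE,
          PAGE_LINE.replace("cn=MySite01Admins", "cn=MySite01Users"),
          "CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49"
          " - Invalid Credentials]' naming exception occurred during processing.",
          "an unrelated log line"]

if __name__ == "__main__":
    for dn in denied_entries(SAMPLE):
        print("directory refused the bind identity access to:", dn)
```

Result code 50 separates a permissions problem on the bind identity from a bad password (49) or a missing parent entry (32), which is the distinction the post draws from the log.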

4 comments:

Keith Brooks said...

Usually it's CN=john lennon,O=Beatles if that helps in the LDAP.
One piece of advice is to test with your own ID or an admin ID.
Then create a special LDAP ID; I use LDAP as a last name and something for the first, company name or some other term which makes sense.
Once it's in there, use that always so you never get stuck with an old admin's ID there.
Not that I expect you would, but for the newbies reading this.

Dave Hay said...

Thanks for the advice. The problem isn't really with the integration of Portal and Domino, which I've mostly mastered now (hubris), but the fact that the New Site Wizard requires write access to LDAP.

The reason is that the Wizard generates a new user ID and group for each new site, using the site name as the prefix.

As an example, creating a site called Foobar causes a user called FoobarUser and a group called FoobarGroup to be generated.

I did try manually creating the user and group, but there's some other write-access required.

Cheers, Dave

Justin's ISC3325 Blog said...

Dave,

Were you ever able to get the issue resolved?

We're trying to use the new site wizard here, with eDirectory providing LDAP, but running into the same problem.

I'm assuming that it's trying to create the user with the bind userid, which has no rights to create a user and group (for obvious reasons).

Have you found any workarounds?

Thanks,
Justin
