Friday, 24 August 2012

WebSphere Portal 8 and Lotus Domino 8.5.1 Together - Can you say Doh! ?

I hit a problem earlier today that harks back to my very first experiences with WebSphere Portal 5 and Lotus Domino 6, back in the mid-noughties.

Having used the new (to me) web-based wizard to configure my newly installed WebSphere Portal 8 server to connect to a Lotus Domino 8.5.1 FP1 server for LDAP, I was surprised to see errors such as: -

[8/24/12 15:00:06:221 BST] 0000000c Servlet       E com.ibm.wps.engine.Servlet init EJPFD0016E: Initialization of service failed.
                                 com.ibm.wps.ac.DomainAdministratorNotFoundException: EJPSB0107E: Exception occurred while retrieving the identity of the domain admin user/admingroup cn=padmins.

Caused by: com.ibm.portal.puma.MemberNotFoundException: EJPSG0002E: Requested Member does not exist.cn=padmins
        at com.ibm.wps.services.puma.PumaServiceImpl.findGroupById(PumaServiceImpl.java:381)
        at com.ibm.wps.services.puma.Puma.findGroupById(Puma.java:406)
        at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.convertDNtoObjectID(AccessControlDataManagementServiceImpl.java:1143)
        ... 40 more
Caused by: com.ibm.wps.um.exceptions.impl.MemberNotFoundExceptionImpl: com.ibm.portal.puma.MemberNotFoundException: EJPSG0002E: Requested Member does not exist.cn=padmins/null
        at com.ibm.wps.um.VMMExceptionHelper.rethrowSystemMNF(VMMExceptionHelper.java:227)
        at com.ibm.wps.um.PumaEngineHelper.loadWithBaseAttributes(PumaEngineHelper.java:771)


[8/24/12 15:00:08:151 BST] 0000000b InitServlet   E   INI8504E:One or more initialization step failed. Please check the server log for details.
                                 javax.jcr.RepositoryException: RT7508E: Unable to initialize RepositoryFactory due to exception of type: java.lang.ExceptionInInitializerError with message: null.


etc.

I dug around, reviewing a whole bunch of IBM Technotes etc. and, eventually, realised my mistake.

Broadly put, Lotus Domino doesn't like / allow / support ( delete as appropriate ) groups to be suffixed with the organisation name. Therefore, whilst a user / person ID can be written as CN=padmin,O=ibm, group names are never suffixed, but are written as CN=padmins.

When I ran the wizard to hook WebSphere Portal up to Lotus Domino via LDAP, one of the attributes that the wizard requires is the Base Distinguished Name ( BaseDN ), which I entered as: -

standalone.ldap.baseDN=o=ibm

That was my mistake :-)

The solution ? Well, the hack :-)

Edit: -

/opt/IBM/WebSphere/wp_profile/config/cells/wp8cell/wim/config/wimconfig.xml

and change: -

      <config:baseEntries name="o=ibm" nameInRepository="o=ibm"/>
        <config:participatingBaseEntries name="o=ibm"/>

to: -

      <config:baseEntries name="" nameInRepository=""/>
        <config:participatingBaseEntries name=""/>

and then restart the portal.

Once I did that, Portal started without exceptions, and I was able to log in using the Domino user - padmin - which is now the primary admin. account.

For the record, hacking wimconfig.xml in this way is almost certainly NOT advisable, and would be a very bad thing in a federated repository environment ( where you have multiple directories in WIM, including LDAP, file system, database etc. ).

The better solution would be to fix the problem via the wizard ( or update wkplc.properties ), and re-run the Portal -> Domino configuration process again.

For the record, here's the rest of the properties, including the WRONGLY entered Base DN: -

standalone.ldap.baseDN=o=ibm
standalone.ldap.bindDN=cn=domino,o=ibm
standalone.ldap.bindPassword=passw0rd
standalone.ldap.et.group.objectClasses=groupOfUniqueNames
standalone.ldap.et.group.objectClassesForCreate=
standalone.ldap.et.group.searchBases=
standalone.ldap.et.personaccount.objectClasses=inetorgperson
standalone.ldap.et.personaccount.searchBases=
standalone.ldap.gm.dummyMember=uid=dummy
standalone.ldap.gm.groupMemberName=uniqueMember
standalone.ldap.gm.objectClass=groupOfUniqueNames
standalone.ldap.gm.scope=direct
standalone.ldap.groupFilter=(&(cn=%v)(|(objectclass=dominoGroup)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
standalone.ldap.groupIdMap=*:cn
standalone.ldap.groupMemberIdMap=
standalone.ldap.groupParent=
standalone.ldap.groupRdnProperties=cn
standalone.ldap.host=wp8.uk.ibm.com
standalone.ldap.ldapServerType=DOMINO
standalone.ldap.personAccountParent=
standalone.ldap.personAccountRdnProperties=uid
standalone.ldap.port=389
standalone.ldap.primaryAdminId=cn=padmin,o=ibm
standalone.ldap.primaryAdminPassword=passw0rd
standalone.ldap.primaryPortalAdminGroup=cn=padmins
standalone.ldap.primaryPortalAdminId=cn=padmin,o=ibm
standalone.ldap.primaryPortalAdminPassword=passw0rd
standalone.ldap.realm=domino85
standalone.ldap.serverId=cn=domino,o=ibm
standalone.ldap.serverPassword=passw0rd
standalone.ldap.userFilter=(&(|(cn=%v)(uid=%v))(|(objectclass=dominoPerson)(objectclass=inetOrgPerson)))
standalone.ldap.userIdMap=*:cn
WasPassword=passw0rd
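
The mismatch described above can be caught before the configuration task is run. The following is an added example, not part of the original post or of any IBM tooling: it checks that every DN-valued property sits under standalone.ldap.baseDN. The function names, the choice of keys in DN_KEYS and the simplified DN parsing (no escaped commas) are assumptions made for illustration.

```python
# Added example (not from the original post): check that every DN in a
# wkplc.properties fragment sits under standalone.ldap.baseDN.
# SAMPLE_PROPERTIES reuses values shown in the post.
SAMPLE_PROPERTIES = """\
standalone.ldap.baseDN=o=ibm
standalone.ldap.bindDN=cn=domino,o=ibm
standalone.ldap.primaryAdminId=cn=padmin,o=ibm
standalone.ldap.primaryPortalAdminGroup=cn=padmins
standalone.ldap.primaryPortalAdminId=cn=padmin,o=ibm
standalone.ldap.serverId=cn=domino,o=ibm
"""

# Assumption: these are the DN-valued keys worth checking.
DN_KEYS = (
    "standalone.ldap.bindDN",
    "standalone.ldap.primaryAdminId",
    "standalone.ldap.primaryPortalAdminGroup",
    "standalone.ldap.primaryPortalAdminId",
    "standalone.ldap.serverId",
)

def parse_properties(text):
    """Parse key=value lines; the value may itself contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def split_dn(dn):
    """Lower-cased (attr, value) RDN pairs; simplified, no escaped commas."""
    parts = (rdn.partition("=") for rdn in dn.split(",") if rdn.strip())
    return [(a.strip().lower(), v.strip().lower()) for a, _, v in parts]

def is_under(dn, base_dn):
    """True if dn ends with base_dn; an empty base matches everything."""
    base = split_dn(base_dn)
    return not base or split_dn(dn)[-len(base):] == base

def dns_outside_base(props):
    """Return (key, dn) pairs whose DN does not fall under the base DN."""
    base = props.get("standalone.ldap.baseDN", "")
    return [(k, props[k]) for k in DN_KEYS
            if props.get(k) and not is_under(props[k], base)]

if __name__ == "__main__":
    for key, dn in dns_outside_base(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{key}: {dn!r} is not under the configured baseDN")
```

Run against the values above, only the flat Domino group cn=padmins is reported, which is the entry the EJPSB0107E / EJPSG0002E errors complain about.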


1 comment:

Jon Mell said...

There's a guide somewhere about Portal and Domino that can help you with that...
