Having used the new (to me) web-based wizard to configure my newly installed WebSphere Portal 8 server to connect to a Lotus Domino 8.5.1 FP1 server for LDAP, I was surprised to see errors such as: -
[8/24/12 15:00:06:221 BST] 0000000c Servlet E com.ibm.wps.engine.Servlet init EJPFD0016E: Initialization of service failed.
com.ibm.wps.ac.DomainAdministratorNotFoundException: EJPSB0107E: Exception occurred while retrieving the identity of the domain admin user/admingroup cn=padmins.
com.ibm.wps.ac.DomainAdministratorNotFoundException: EJPSB0107E: Exception occurred while retrieving the identity of the domain admin user/admingroup cn=padmins.
Caused by: com.ibm.portal.puma.MemberNotFoundException: EJPSG0002E: Requested Member does not exist.cn=padmins
at com.ibm.wps.services.puma.PumaServiceImpl.findGroupById(PumaServiceImpl.java:381)
at com.ibm.wps.services.puma.Puma.findGroupById(Puma.java:406)
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.convertDNtoObjectID(AccessControlDataManagementServiceImpl.java:1143)
... 40 more
Caused by: com.ibm.wps.um.exceptions.impl.MemberNotFoundExceptionImpl: com.ibm.portal.puma.MemberNotFoundException: EJPSG0002E: Requested Member does not exist.cn=padmins/null
at com.ibm.wps.um.VMMExceptionHelper.rethrowSystemMNF(VMMExceptionHelper.java:227)
at com.ibm.wps.um.PumaEngineHelper.loadWithBaseAttributes(PumaEngineHelper.java:771)
at com.ibm.wps.services.puma.PumaServiceImpl.findGroupById(PumaServiceImpl.java:381)
at com.ibm.wps.services.puma.Puma.findGroupById(Puma.java:406)
at com.ibm.wps.ac.impl.AccessControlDataManagementServiceImpl.convertDNtoObjectID(AccessControlDataManagementServiceImpl.java:1143)
... 40 more
Caused by: com.ibm.wps.um.exceptions.impl.MemberNotFoundExceptionImpl: com.ibm.portal.puma.MemberNotFoundException: EJPSG0002E: Requested Member does not exist.cn=padmins/null
at com.ibm.wps.um.VMMExceptionHelper.rethrowSystemMNF(VMMExceptionHelper.java:227)
at com.ibm.wps.um.PumaEngineHelper.loadWithBaseAttributes(PumaEngineHelper.java:771)
[8/24/12 15:00:08:151 BST] 0000000b InitServlet E INI8504E:One or more initialization step failed. Please check the server log for details.
javax.jcr.RepositoryException: RT7508E: Unable to initialize RepositoryFactory due to exception of type: java.lang.ExceptionInInitializerError with message: null.
javax.jcr.RepositoryException: RT7508E: Unable to initialize RepositoryFactory due to exception of type: java.lang.ExceptionInInitializerError with message: null.
etc.
I dug around, reviewing a whole bunch of IBM Technotes etc. and, eventually, realised my mistake.
Broadly put, Lotus Domino doesn't like / allow / support ( delete as appropriate ) groups to be suffixed with the organisation name. Therefore, whilst a user / person ID can be written as CN=padmin,O=ibm, group names are never suffixed, but are written as CN=padmins.
When I ran the wizard to hook WebSphere Portal up to Lotus Domino via LDAP, one of the attributes that the wizard requires is the Base Distinguished Name ( BaseDN ), which I entered as: -
standalone.ldap.baseDN=o=ibm
That was my mistake :-)
The solution ? Well, the hack :-)
Edit: -
/opt/IBM/WebSphere/wp_profile/config/cells/wp8cell/wim/config/wimconfig.xml
and change: -
<config:baseEntries name="o=ibm" nameInRepository="o=ibm"/>
<config:participatingBaseEntries name="o=ibm"/>
<config:participatingBaseEntries name="o=ibm"/>
to: -
<config:baseEntries name="" nameInRepository=""/>
<config:participatingBaseEntries name=""/>
<config:participatingBaseEntries name=""/>
and then restart the portal.
Once I did that, Portal started without exceptions, and I was able to log in using the Domino user - padmin - which is now the primary admin. account.
For the record, hacking wimconfig.xml in this way is almost certainly NOT advisable, and would be a very bad thing in a federated repository environment ( where you have multiple directories in WIM, including LDAP, file system, database etc. ).
The better solution would be to fix the problem via the wizard ( or update wkplc.properties ), and re-run the Portal -> Domino configuration process again.
For the record, here's the rest of the properties, including the WRONGLY entered Base DN: -
standalone.ldap.baseDN=o=ibm
standalone.ldap.bindDN=cn=domino,o=ibm
standalone.ldap.bindPassword=passw0rd
standalone.ldap.et.group.objectClasses=groupOfUniqueNames
standalone.ldap.et.group.objectClassesForCreate=
standalone.ldap.et.group.searchBases=
standalone.ldap.et.personaccount.objectClasses=inetorgperson
standalone.ldap.et.personaccount.searchBases=
standalone.ldap.gm.dummyMember=uid=dummy
standalone.ldap.gm.groupMemberName=uniqueMember
standalone.ldap.gm.objectClass=groupOfUniqueNames
standalone.ldap.gm.scope=direct
standalone.ldap.groupFilter=(&(cn=%v)(|(objectclass=dominoGroup)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
standalone.ldap.groupIdMap=*:cn
standalone.ldap.groupMemberIdMap=
standalone.ldap.groupParent=
standalone.ldap.groupRdnProperties=cn
standalone.ldap.host=wp8.uk.ibm.com
standalone.ldap.ldapServerType=DOMINO
standalone.ldap.personAccountParent=
standalone.ldap.personAccountRdnProperties=uid
standalone.ldap.port=389
standalone.ldap.primaryAdminId=cn=padmin,o=ibm
standalone.ldap.primaryAdminPassword=passw0rd
standalone.ldap.primaryPortalAdminGroup=cn=padmins
standalone.ldap.primaryPortalAdminId=cn=padmin,o=ibm
standalone.ldap.primaryPortalAdminPassword=passw0rd
standalone.ldap.realm=domino85
standalone.ldap.serverId=cn=domino,o=ibm
standalone.ldap.serverPassword=passw0rd
standalone.ldap.userFilter=(&(|(cn=%v)(uid=%v))(|(objectclass=dominoPerson)(objectclass=inetOrgPerson)))
standalone.ldap.userIdMap=*:cn
WasPassword=passw0rd
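A pre-flight check for the mistake described above, as an added example that is not part of the original post or of any IBM tooling: it reads wkplc.properties-style text and reports every configured admin or bind DN that does not sit beneath standalone.ldap.baseDN, which is exactly what happens to the flat Domino group cn=padmins when the base is o=ibm. The function names and the embedded sample (a subset of the values listed above) are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the wkplc.properties values shown in the post.
SAMPLE = """\
standalone.ldap.ldapServerType=DOMINO
standalone.ldap.baseDN=o=ibm
standalone.ldap.bindDN=cn=domino,o=ibm
standalone.ldap.primaryAdminId=cn=padmin,o=ibm
standalone.ldap.primaryPortalAdminId=cn=padmin,o=ibm
standalone.ldap.primaryPortalAdminGroup=cn=padmins
"""

# Properties whose values are DNs that must be resolvable beneath the base DN.
DN_KEYS = ("bindDN", "primaryAdminId", "primaryPortalAdminId", "primaryPortalAdminGroup")

def parse_properties(text):
    """Parse key=value lines, splitting on the first '=' only (DNs contain '=')."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def rdns(dn):
    """Split a DN on unescaped commas into case-folded (attribute, value) pairs."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        if part.strip():
            attr, _, value = part.partition("=")
            pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def is_under(dn, base):
    """True when dn ends with the RDNs of base; an empty base contains everything."""
    b, d = rdns(base), rdns(dn)
    return not b or d[-len(b):] == b

def outside_base(text, prefix="standalone.ldap."):
    """Return [(property, dn)] for configured DNs that are not beneath baseDN."""
    props = parse_properties(text)
    base = props.get(prefix + "baseDN", "")
    return [(prefix + k, props[prefix + k]) for k in DN_KEYS
            if props.get(prefix + k) and not is_under(props[prefix + k], base)]

if __name__ == "__main__":
    for key, dn in outside_base(SAMPLE):
        print(f"{key}={dn} is not under the configured base DN")
```

Run against the values above, it flags only standalone.ldap.primaryPortalAdminGroup; with an empty baseDN it reports nothing.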
1 comment:
There's a guide somewhere about Portal and Domino that can help you with that...