Saturday, 13 October 2012

WebSphere Application Server 7 and Lotus Domino 8 - LDAP Not Playing Ball

In this article, I explain how LDAP search filters can make ALL the difference to a successful integration of WebSphere Application Server and Lotus Domino.

Following on from my earlier post: -

Unable to configure Federated Repositories in Integrated Solutions Console with Domino LDAP

having completed the integration between WebSphere Application Server 7.0.0.21 and Lotus Domino 8.5.3, I was struggling to retrieve users from the Domino Directory via LDAP.

Using the Users and Groups -> Manage Users functionality within WAS' Integrated Solutions Console, I was surprised NOT to see any users returned from the Domino directory: -

After a lot of trial and even more error, I decided ( belatedly ) to enable debug tracing, using this IBM Technote as source: -

MustGather: Security problems for WebSphere Application Server

and enabled the following trace strings: -

 *=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all

which, amongst many, many other fine messages, showed me this: -

[10/13/12 21:03:33:947 BST] 00000011 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY o=ibm (&(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(uid=*)) null 2 [PersonAccount] [uid, cn, sn, mail] false false
[10/13/12 21:03:33:949 BST] 00000011 LdapConnectio 3 com.ibm.ws.wim.adapter.ldap.LdapConnection checkSearchCache Hit cache: o=ibm|(&(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(uid=*))|2|101|600000|uid|mail|objectClass|sn|cn|dominounid
[10/13/12 21:05:17:340 BST] 00000018 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY o=ibm (&(|(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson))))(|(uid=wpadmin)(cn=wpadmin))) null 2 [LoginAccount, PersonAccount] [principalName] false false
[10/13/12 21:05:17:341 BST] 00000018 LdapConnectio 3 com.ibm.ws.wim.adapter.ldap.LdapConnection checkSearchCache Hit cache: o=ibm|(&(|(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson))))(|(uid=wpadmin)(cn=wpadmin)))|2|0|0|uid|objectClass|dominounid
[10/13/12 21:05:17:389 BST] 00000018 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection searchEntities ENTRY o=ibm (&(|(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson))))(|(uid=wpadmin)(cn=wpadmin))) null 2 [LoginAccount, PersonAccount] [] false false
[10/13/12 21:05:17:391 BST] 00000018 LdapConnectio 3 com.ibm.ws.wim.adapter.ldap.LdapConnection checkSearchCache Hit cache: o=ibm|(&(|(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson))))(|(uid=wpadmin)(cn=wpadmin)))|2|4501|600000|objectClass|dominounid


When I checked my LDAP search filters in: -

/opt/IBM/WebSphere/wp_profile/config/cells/wp7/wim/config/wimconfig.xml

I saw: -

...
      <config:ldapEntityTypes name="PersonAccount" searchFilter="(&amp;(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))">
        <config:objectClasses>dominoPerson</config:objectClasses>
      </config:ldapEntityTypes>
      <config:ldapEntityTypes name="Group" searchFilter="(&amp;(cn=%v)(|(objectclass=dominoGroup)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))">
        <config:objectClasses>dominoGroup</config:objectClasses>
      </config:ldapEntityTypes>

...

I read the PersonAccount search filter as: -

( ( cn=%v ) OR ( uid=%v ) ) AND ( ( objectclass=dominoPerson ) OR ( objectclass=inetOrgPerson ) )

which is perfectly OK.

I'd previously validated the search filters ( as the notes user ): -

$ cd /local/notesdata
$ /opt/ibm/lotus/bin/ldapsearch -h wp7.uk.ibm.com -p 389 -D cn=notes -w passw0rd "(&(|(cn=padmin)(uid=padmin))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))"

CN=padmin,O=ibm
cn=padmin
displayname=padmin/ibm
mailsystem=100
objectclass=dominoPerson
objectclass=inetOrgPerson
objectclass=organizationalPerson
objectclass=person
objectclass=top
messagestorage=1
encryptincomingmail=0
roamcleansetting=0
roamcleanper=1
availablefordirsync=1
checkpassword=0
passwordchangeinterval=0
passwordgraceperiod=0
givenname=portal
sn=admin
uid=padmin
roaminguser=0
userpassword=(GIMrxir7cW6bC/nzWSgO)


so I knew that the search filter was OK.

However, in the interests of expediency, I stripped the search filters out, leaving me with: -

...
      <config:ldapEntityTypes name="PersonAccount" searchFilter="">
        <config:objectClasses>dominoPerson</config:objectClasses>
      </config:ldapEntityTypes>
      <config:ldapEntityTypes name="Group" searchFilter="">
        <config:objectClasses>dominoGroup</config:objectClasses>
      </config:ldapEntityTypes>

...

and all is now well.
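The filters and trace lines above can also be cross-checked mechanically. What follows is an added example, not code from the original post or from IBM: a small checker for RFC 4515 search filters that parses a filter, reports attribute names outside an allow-list (the KNOWN_ATTRS set is an assumption constructed for the example) and any literal %v placeholder, and then evaluates the filter against an entry using the three-valued logic of RFC 4511 section 4.5.1.7, under which an attribute type the server does not recognise makes the item Undefined rather than False. The sample entry is constructed from the ldapsearch output above, and the filters are the PersonAccount searchFilter from wimconfig.xml (with the XML &amp; unescaped to &), the filter validated with ldapsearch, and the filter that appears in the trace. Run over the config filter it reports objectlass, which is spelled that way in both wimconfig.xml and the trace; next to (objectclass=inetOrgPerson) inside an OR that item is merely Undefined, which is why the manual ldapsearch still returned the entry, whereas the same item inside an AND would leave the whole filter Undefined. It also shows why the traced filter, sent to Domino with %v still literal, returns no users: (cn=%v) is only True for an entry whose cn is the three characters %v.

```python
"""Parse, lint and evaluate an RFC 4515 LDAP search filter (added example).

Evaluation uses RFC 4511 three-valued logic: TRUE / FALSE / UNDEFINED.
Only the '=' rule (exact, presence, substring) is modelled; ~= >= <= are UNDEFINED.
"""
import re

# Assumption: attribute types the directory is taken to know about.  An attribute
# outside this set makes a filter item UNDEFINED, as a server does for an
# attribute description it does not recognise.
KNOWN_ATTRS = {"cn", "uid", "sn", "mail", "givenname", "displayname", "objectclass"}

# Constructed from the ldapsearch output in the post; values compare case-insensitively.
SAMPLE_ENTRY = {
    "cn": ["padmin"], "uid": ["padmin"], "sn": ["admin"], "givenname": ["portal"],
    "displayname": ["padmin/ibm"],
    "objectclass": ["dominoPerson", "inetOrgPerson", "organizationalPerson", "person", "top"],
}

# The PersonAccount searchFilter from wimconfig.xml ('&amp;' unescaped), the filter
# validated with ldapsearch, and the filter seen in the WAS trace (%v left literal).
CONFIG_FILTER = "(&(|(cn=%v)(uid=%v))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))"
VALIDATED_FILTER = "(&(|(cn=padmin)(uid=padmin))(|(objectlass=dominoPerson)(objectclass=inetOrgPerson)))"
TRACED_FILTER = "(&" + CONFIG_FILTER + "(uid=*))"

_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9;.-]*)(~=|>=|<=|=)([^()]*)")


def parse_filter(text):
    """Parse into ('&'|'|', [children]), ('!', child) or (op, attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(text):
            raise ValueError("unterminated filter")
        if text[pos] in "&|":
            op, kids = text[pos], []
            pos += 1
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        elif text[pos] == "!":
            pos += 1
            result = ("!", node())
        else:
            m = _ITEM.match(text, pos)
            if not m:
                raise ValueError(f"malformed filter item at offset {pos}")
            pos = m.end()
            result = (m.group(2), m.group(1).lower(), m.group(3))
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"missing ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}")
    return tree


def _items(tree):
    """Yield every (op, attr, value) leaf of a parsed filter."""
    if tree[0] in "&|":
        for kid in tree[1]:
            yield from _items(kid)
    elif tree[0] == "!":
        yield from _items(tree[1])
    else:
        yield tree


def lint_filter(text, known=KNOWN_ATTRS):
    """Return problems: attribute names outside the allow-list and literal '%v'."""
    problems = []
    for _op, attr, value in _items(parse_filter(text)):
        if attr not in known:
            problems.append(f"unknown attribute '{attr}'")
        if "%v" in value:
            problems.append(f"literal placeholder in ({attr}={value})")
    return problems


def evaluate(text, entry, known=KNOWN_ATTRS):
    """Evaluate a filter against an entry -> 'TRUE', 'FALSE' or 'UNDEFINED'."""
    def ev(n):
        if n[0] in "&|":
            results = [ev(k) for k in n[1]]
            # AND is decided by any FALSE, OR by any TRUE; otherwise UNDEFINED wins.
            short, other = ("FALSE", "TRUE") if n[0] == "&" else ("TRUE", "FALSE")
            if short in results:
                return short
            return "UNDEFINED" if "UNDEFINED" in results else other
        if n[0] == "!":
            return {"TRUE": "FALSE", "FALSE": "TRUE"}.get(ev(n[1]), "UNDEFINED")
        op, attr, value = n
        if attr not in known or op != "=":
            return "UNDEFINED"  # unrecognised attribute type or unmodelled matching rule
        values = [v.lower() for v in entry.get(attr, [])]
        if value == "*":  # presence filter
            return "TRUE" if values else "FALSE"
        if "*" in value:  # substring filter
            pattern = ".*".join(re.escape(p) for p in value.lower().split("*"))
            return "TRUE" if any(re.fullmatch(pattern, v) for v in values) else "FALSE"
        return "TRUE" if value.lower() in values else "FALSE"
    return ev(parse_filter(text))


if __name__ == "__main__":
    for label, flt in (("config", CONFIG_FILTER), ("ldapsearch", VALIDATED_FILTER), ("trace", TRACED_FILTER)):
        print(f"{label:10s} lint={lint_filter(flt)} matches padmin: {evaluate(flt, SAMPLE_ENTRY)}")
```

Running the script prints, for each of the three filters, what the linter flags and whether the padmin entry would be returned; the ldapsearch filter matches, the traced filter does not, and only the literal %v and the objectlass spelling separate the two.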

I know that I've seen and cracked the problem of search filters before but ..... that'll do for now.
