Saturday, 29 September 2018

WebSphere Liberty and OpenLDAP - CWIML4520E: The LDAP operation could not be completed.

I've spent most of a happy and sunny Saturday here in Helsinki trying to work out why WebSphere Liberty Profile was misbehaving with regard to LDAP.

For the record, I'm running WLP 17.0.0.4 on Ubuntu 18.04.1 LTS, using OpenLDAP.

Having set up LDAP, I'd amended my server.xml to include: -

    <feature>ldapRegistry-3.0</feature>

    <ldapRegistry baseDN="dc=uk,dc=ibm,dc=com"
                  bindDN="cn=admin,dc=uk,dc=ibm,dc=com"
                  bindPassword="Qp455w0rd"
                  host="ubuntu"
                  id="OpenLDAPRealm"
                  ignoreCase="true"
                  ldapType="Custom"
                  port="389"
                  realm="OpenLDAPRealm"
                  recursiveSearch="true">

        <customFilters
            id="customFilters"
            userFilter="&amp;(uid=%v)(objectClass=inetOrgPerson)"
            groupFilter="(&amp;(cn=%v)(objectClass=groupOfNames))"
            userIdMap="*:uid"
            groupMemberIdMap="groupOfNames:member"/>
    </ldapRegistry>


and bounced the WLP server, although that isn't strictly necessary.

However, when I attempted to log in to my application (IBM Operational Decision Manager 8.9.2.1), which I'd previously set up as per this: -

via the Rule Execution Server (RES) login page: -


I saw this: -


[ERROR   ] com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'dc=uk,dc=ibm,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@22fb5aa1 occurred during processing.
com.ibm.wsspi.security.wim.exception.WIMException: com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'dc=uk,dc=ibm,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@22fb5aa1 occurred during processing.
at com.ibm.ws.security.wim.ProfileManager.loginImpl(ProfileManager.java:1773)
at [internal classes]
at ilog.rules.res.console.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:76)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
at [internal classes]
at ilog.rules.res.console.jsf.LoginFilter.doFilter(LoginFilter.java:49)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
at [internal classes]
Caused by: com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'dc=uk,dc=ibm,dc=com'; resolved object com.sun.jndi.ldap.LdapCtx@22fb5aa1 occurred during processing.
at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:1645)
... 7 more
Caused by: javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'dc=uk,dc=ibm,dc=com'
at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446)
at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:171)
at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at org.apache.aries.jndi.DelegateContext.search(DelegateContext.java:360)
... 7 more

[AUDIT   ] CWWKS1100A: Authentication did not succeed for user ID hayd. An invalid user ID or password was specified.

in the console.log : -

tail -f /home/hayd/wlp/usr/servers/odm/logs/console.log

It's taken me a fair few hours of trial n' error, plus copious amounts of (a) coffee and (b) Google to realise where I'd gone wrong.

Yes, I'm at home to Captain Typo again ……

Specifically, in the <ldapRegistry></ldapRegistry> block, I have a <customFilters> section, which includes this snippet: -

                  userFilter="&amp;(uid=%v)(objectClass=inetOrgPerson)"

Can you see where I went wrong ??

Yes, although it's valid XML, it's actually rubbish :-)

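In essence, the &amp; symbol (which is the XML-escaped way of writing the ampersand (&) character) is supposed to be a logical AND between the (uid=%v) and (objectClass=inetOrgPerson) statements.

However, I'd made the test pointless by NOT wrapping the entire AND operation in brackets …. Without the outer brackets the string is not a valid LDAP search filter, which is what the InvalidSearchFilterException in the stack trace above is reporting.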

Once I changed it to: -

                  userFilter="(&amp;(uid=%v)(objectClass=inetOrgPerson))"


it magically started working :-)

Funny that …..

Now isn't this better ?
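A pre-deployment check for this class of typo, as an added example (not from the original post or from IBM): it parses a server.xml fragment, lets the XML parser unescape &amp;, and checks each filter attribute against a narrowed subset of the RFC 4515 filter grammar. The SERVER_XML sample and the names parse_filter, check_filter and audit are constructed for illustration; numeric-OID attributes, extensible matches and escaped brackets inside values are not handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's <customFilters> element (bind credentials left out).
SERVER_XML = """<server>
  <ldapRegistry id="OpenLDAPRealm" ldapType="Custom" baseDN="dc=uk,dc=ibm,dc=com">
    <customFilters id="customFilters"
        userFilter="&amp;(uid=%v)(objectClass=inetOrgPerson)"
        groupFilter="(&amp;(cn=%v)(objectClass=groupOfNames))"/>
  </ldapRegistry>
</server>"""

ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")  # simplified attribute name

def parse_filter(s, i=0):
    """Parse one bracketed filter at s[i]; return the index just past it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, count = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":          # operands of the AND/OR/NOT
            i, count = parse_filter(s, i), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"'{op}' has {count} operand(s)")
    else:                                          # simple item such as uid=x
        end = s.find(")", i)
        attr, eq, value = s[i:end if end != -1 else len(s)].partition("=")
        if not eq or not ATTR.match(attr.rstrip("~<>")) or "(" in value:
            raise ValueError(f"invalid item at offset {i}")
        i = end if end != -1 else len(s)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return i + 1

def check_filter(text):
    """Return None when text is exactly one well-formed filter, else the reason."""
    probe = text.replace("%v", "x")    # %v: placeholder used in the post's filters
    try:
        end = parse_filter(probe)
    except ValueError as exc:
        return str(exc)
    return None if end == len(probe) else f"trailing text at offset {end}"

def audit(xml_text):
    """Check userFilter/groupFilter on every <customFilters> element."""
    return {name: check_filter(cf.attrib[name])
            for cf in ET.fromstring(xml_text).iter("customFilters")
            for name in ("userFilter", "groupFilter") if name in cf.attrib}
```

Run against the sample, audit flags userFilter and passes groupFilter, so the mistake shows up before the first failed login rather than in console.log.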

