Ldap – Websphere federated repository for Active Directory

active-directoryldapwebsphere

What I am trying to achieve is to have Websphere 6.1 use Active Directory users authentication.

Websphere is running on Windows 2008 R2.

What I've done already:

Succesfully setup a federated repository for Windows Active Directory (LDAP);
Create a realm definition for the federated repository previously defined;
Set the realm definition as the current real definition.
Stop the Websphere service.

When I attempt to start the Websphere service again, it crashes with the following stacktrace:

——Start of DE processing—— = [9/3/10 2:36:14:133 PDT] , key = com.ibm.websphere.security.EntryNotFoundException com.ibm.ws.security.registry.UserRegistryImpl.createCredential 824
Exception = com.ibm.websphere.security.EntryNotFoundException
Source = com.ibm.ws.security.registry.UserRegistryImpl.createCredential
probeid = 824
Stack Dump = com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The 'null' entity was not found.
at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:233)
at com.ibm.ws.wim.registry.WIMUserRegistry$6.run(WIMUserRegistry.java:351)
at com.ibm.ws.wim.security.authz.jacc.JACCSecurityManager.runAsSuperUser(JACCSecurityManager.java:500)
at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperUser(ProfileSecurityManager.java:964)
at com.ibm.ws.wim.registry.WIMUserRegistry.getUniqueUserId(WIMUserRegistry.java:340)
at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(UserRegistryImpl.java:750)
at com.ibm.ws.security.ltpa.LTPAServerObject.authenticate(LTPAServerObject.java:776)
at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:453)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
at com.ibm.ws.security.auth.JaasLoginHelper.jaas_login(JaasLoginHelper.java:376)
at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:3513)
at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:3306)
at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:3086)
at com.ibm.ws.security.auth.ContextManagerImpl.getServerSubjectInternal(ContextManagerImpl.java:2180)
at com.ibm.ws.security.auth.ContextManagerImpl.getServerSubjectInternal(ContextManagerImpl.java:1972)
at com.ibm.ws.security.auth.ContextManagerImpl.initialize(ContextManagerImpl.java:2530)
at com.ibm.ws.security.auth.ContextManagerImpl.initialize(ContextManagerImpl.java:2560)
at com.ibm.ws.security.core.SecurityContext.enable(SecurityContext.java:83)
at com.ibm.ws.security.core.distSecurityComponentImpl.initialize(distSecurityComponentImpl.java:379)
at com.ibm.ws.security.core.distSecurityComponentImpl.startSecurity(distSecurityComponentImpl.java:336)
at com.ibm.ws.security.core.SecurityComponentImpl.startSecurity(SecurityComponentImpl.java:105)
at com.ibm.ws.security.core.ServerSecurityComponentImpl.start(ServerSecurityComponentImpl.java:283)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:977)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:673)
at com.ibm.ws.runtime.component.ApplicationServerImpl.start(ApplicationServerImpl.java:197)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:977)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:673)
at com.ibm.ws.runtime.component.ServerImpl.start(ServerImpl.java:526)
at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:192)
at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:140)
at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:461)
at com.ibm.ws.runtime.WsServer.main(WsServer.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.ibm.wsspi.bootstrap.WSLauncher.launchMain(WSLauncher.java:183)
at com.ibm.wsspi.bootstrap.WSLauncher.main(WSLauncher.java:90)
at com.ibm.wsspi.bootstrap.WSLauncher.run(WSLauncher.java:72)
at org.eclipse.core.internal.runtime.PlatformActivator$1.run(PlatformActivator.java:78)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:92)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:68)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:400)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at org.eclipse.core.launcher.Main.invokeFramework(Main.java:336)
at org.eclipse.core.launcher.Main.basicRun(Main.java:280)
at org.eclipse.core.launcher.Main.run(Main.java:977)
at com.ibm.wsspi.bootstrap.WSPreLauncher.launchEclipse(WSPreLauncher.java:329)
at com.ibm.wsspi.bootstrap.WSPreLauncher.main(WSPreLauncher.java:92)

Dump of callerThis =
Object type = com.ibm.ws.security.registry.UserRegistryImpl
com.ibm.ws.security.registry.UserRegistryImpl@68a068a0

Anybody maybe has a hint on this?

I followed the exact steps described in the IBM Infocenter for setting this up.

Thanks in advance for the help.

Best Answer

This element of one of the first lines: .UserRegistryImpl.createCredential makes me wonder if either you have an SSL/clear text issue, or else a password issue with your account. The usual LDAP suspects.

Related Solutions

Active Directory – Comprehensive Explanation

I'm glossing over quite a bit here, of course, but it's a decent semi-technical summary that would be suitable for communicating to others who are not familiar with Active Directory itself, but generally familiar with computers and the issues associated with authentication and authorization.

Active Directory is, at its heart, a database management system. This database can be replicated amongst an arbitrary number of server computers (called Domain Controllers) in a multi-master manner (meaning that changes can be made to each independent copy, and eventually they'll be replicated to all the other copies).

The Active Directory database in an enterprise can be broken up into units of replication called "Domains". The system of replication between server computers can be configured in a very flexible manner to permit replication even in the face of failures of connectivity between domain controller computers, and to replicate efficiently between locations that might be connected with low-bandwidth WAN connectivity.

Windows uses the Active Directory as a repository for configuration information. Chief amongst these uses is the storage of user logon credentials (usernames / password hashes) such that computers can be configured to refer to this database to provide a centralized single sign-on capability for large numbers of machines (called "members" of the "Domain").

Permissions to access resources hosted by servers that are members of an Active Directory domain can be controlled through explicit naming of user accounts from the Active Directory domain in permissions called Access Control Lists (ACLs), or by creating logical groupings of user accounts into Security Groups. The information about the names and membership of these security groups are stored in the Active Directory.

The ability to modify records stored in the Active Directory database is controlled through security permissions that, themselves, refer to the Active Directory database. In this way, enterprises can provide "Delegation of Control" functionality to allow certain authorized users (or members of security groups) to perform administrative functions on the Active Directory of a limited and defined scope. This would allow, for example, a helpdesk employee to change the password of another user, but not to place his own account into security groups that might grant him permission to access sensitive resources.

Versions of the Windows operating system also can perform installations of software, make modifications to the user's environment (desktop, Start menu, behaviour of application programs, etc) by using the Group Policy. The back-end storage of the data that drives this Group Policy system is stored in Active Directory, and thus is given replication and security functionality.

Finally, other software applications, both from Microsoft and from third-parties, store additional configuration information in the Active Directory database. Microsoft Exchange Server, for example, makes heavy use of the Active Directory. Applications use Active Directory to gain the benefits of replication, security, and delegation of control described above.

Whew! Not too bad, I don't think, for a stream of consciousness!

Super short answer: AD is a database to store user logon and group information, and configuration information that drives group policy and other application software.

Windows Active Directory – Command Line to List Users in a Group

try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members

Best Answer

Related Solutions

Active Directory – Comprehensive Explanation

Windows Active Directory – Command Line to List Users in a Group

Related Topic