Table of Contents
Advertisement
If the bind user has the password problem with the LDAP server, the access to the LDAP
server might be prohibited and the authentication would also fail. In this case, you may see
LDAP error code: Insufficient Access Rights in the log.
Login failure
Imagine that the system was working fine. For some reason, the login suddenly fails. If there
is a known change in the configuration, the first thing to try is to revert the change and test
whether that resolves the problem. If it does, then the configuration change must be reviewed.
Sometimes some unknown changes not in your control disrupts the system, and a systematic
problem determination process is needed to try to isolate the problem, eliminate the potential
factors, and narrow down the possible paths to finally find the solution.
Step 1: Understand the problem
If this is a new system and the failed user is the administrator user, try to log in on both the
WebSphere Application Server console and the WebSphere Portal using the respective user
IDs. If only the portal login fails, then there may be a configuration issue in the single sign-on
configuration. If both fail, then the configuration settings should be closely reviewed.
If the user short name fails, but the full user DN can log in, then there may be a configuration
problem with the user filter or search base.
If only a few users have problems, and others are OK, find the differences between these few
users and others. When this problem is only intermittent, compare the success and failure
cases, such as the clients used, access URLs, time of the day, and so on.
If there are recent configuration changes on the portal server, the LDAP server, the database,
or network, try to revert the change back and see whether it resolves the issue. For example:
If a custom login portlet is used, try the Login portlet bundled with WebSphere Portal.
If a custom theme is used, try the default WebSphere them.
Try to find whether a temporary remedy exists, such as a server restart. Save the log files
before a restart.
Step 2: Review JVM runtime logs
Usually when a login problem occurs, the system log files give some indication. First, look for
exceptions and stacktraces. The exceptions should give some clues where to look for the
problem. The stacktrace can give information of detailed tracing next.
Step 3: Review the configuration changes if any
If the configuration has some simple change, revert the change and see whether it helps.
Sometimes, multiple changes might have all contributed to the problem. Try to revert the
changes one at a time to see whether the problem is gone or relieved.
Step 4: Enable traces
If you suspect the login failed during the WebSphere Application Server authentication phase,
you may want to add WebSphere Application Server security trace (com.ibm.ws.security.*) to
portal trace strings.
One related issue is that multiple persons log in with the same administrator user ID. If these
logins are not just for reading or viewing, but try to change some parts of the configuration, it
is not supported and potentially can make undesirable results. If multiple administrators are
required, add the individual users into the administrator group.
Chapter 4. WebSphere Portal security
123
Advertisement
Table of Contents
Troubleshooting
