IBM BS029ML - WebSphere Portal Server Self Help Manual page 145


the search base to verify whether the user is in every one of them. When configuring
WebSphere Application Server security, you can take advantage of this feature if the
underlying LDAP has such an attribute. For example, in the case of IBM Tivoli Directory
Server, you can specify "ibm-allGroups:uniqueMember;ibm-allGroups:member". In the
case of Microsoft Active Directory, you can specify "memberOf:member".
In WebSphere Application Server V6.0.2.13 or later, a different baseDN can be specified for
the group search by adding a custom property under the LDAP Advanced settings:
com.ibm.websphere.security.ldap.groupBaseDn
This should narrow the search space so that groups are located faster.
When security is enabled with realm support, the search of users and groups is controlled
entirely by the WMM configuration, so you can make similar settings in wmm.xml.
The configuration fields are:
groupMemberAttributeMap: This is similar to the first case in "group member id map". An example is "groupOfUniqueMembers:uniqueMember".
groupMembershipAttributeMap: This is similar to the second case, the group membership attribute defined in the user record. Examples are "ibm-allGroups:uniqueMember" for IBM Tivoli Directory Server and "memberOf:member" for Microsoft Active Directory.
groupDynamicMemberAttributeMap: WMM added this parameter for dynamic group support. An example is "groupOfURLs:memberURL".
Another common cause of search problems is SizeLimitExceededException. In wmm.xml,
maxSearchResults is defined with a default of 200. If you anticipate that searches will return
more results than that, you can change the value by editing the file directly. However, if the
size limit has to be set very large to accommodate the search result, consider refining the
search or redesigning the LDAP structure.
To debug problems in searching users or groups, it is always a good idea to generate the
LDIF of the relevant branch of the LDAP tree, verify the users and groups in it, and compare
them with the configuration in WMM.
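One way to run the comparison described above, as an added example (not code from the manual or from IBM): a small Python check that parses an LDIF export and compares it with a groupMemberAttributeMap-style value. The sample LDIF, the function names, the semicolon-separated map syntax for this field, and the treatment of maxSearchResults as a cap on the entries one search returns are assumptions.

```python
import base64

# Constructed sample export; DNs and object classes are illustrative only.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=admins,cn=groups,dc=example,dc=com
objectClass: groupOfUniqueMembers
uniqueMember: uid=alice,cn=users,dc=example,dc=com
uniqueMember: uid=carol,cn=users,
 dc=example,dc=com
"""

def norm_dn(dn):  # simplified: case-fold, trim around commas, no escaped commas
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    entries, current = {}, None  # {normalized_dn: {attribute_lowercase: [values]}}
    # A line that starts with a single space continues the previous line.
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if not line.strip():
            current = None  # a blank line ends the entry
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: value" carries base64
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                current = entries.setdefault(norm_dn(value), {})
            elif current is not None:
                current.setdefault(name.lower(), []).append(value.strip())
    return entries

def check_groups(entries, member_map, max_results=200):
    """Check an export against an 'objectclass:attribute;...' member map."""
    report = {"class_counts": {}, "over_limit": [], "dangling_members": []}
    for pair in member_map.split(";"):
        objclass, attr = (p.strip().lower() for p in pair.split(":"))
        groups = {dn: e for dn, e in entries.items()
                  if objclass in map(str.lower, e.get("objectclass", []))}
        report["class_counts"][objclass] = len(groups)  # 0: no entry has this class
        if len(groups) > max_results:  # a search returning them all exceeds the limit
            report["over_limit"].append(objclass)
        for dn, entry in groups.items():
            report["dangling_members"] += [  # stale, or outside the exported branch
                (dn, m) for m in map(norm_dn, entry.get(attr, [])) if m not in entries]
    return report

if __name__ == "__main__":
    print(check_groups(parse_ldif(SAMPLE_LDIF), "groupOfUniqueMembers:uniqueMember"))
```

A class count of 0 means the configured map names an object class that no exported entry carries; a dangling member is a DN that a group lists but the exported branch does not contain.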
TAM configuration failed
Most problems with the integration of WebSphere Portal and TAM occur in the configuration
phase. As we stated earlier in this chapter, the configuration tasks are intended to run in fairly
general scenarios. If your configuration deviates from those presented in the WebSphere
Portal Information Center, you may encounter problems. In that case, manual configuration
through the TAM admin utility pdadmin is usually required.
Check wpconfig.properties
Make sure the entries in the file are entered correctly. The TAM administrator user ID and
password must be validated before trying the configuration tasks.
Connection to TAM Policy Server
The task validate-pdadmin-connection was designed to verify the connection, that is, to make
sure the portal server can communicate correctly with the TAM Policy Server. If the TAM
runtime was set up on the portal correctly, this task should be successful.
Chapter 4. WebSphere Portal security
131
