CWWIM4537E No principal is found from the principal name Websphere

Question

I struggle to fix "No principal is found ..." issue. I read all articles but I have installed the ear file into WAS 8.5 successfully.

This application requires LDAP authentication for end user to login. My LDAP userId is correct. Because I can authenticate myself via another development environment with the same ear file deployed. SSL certificates for remote LDAP server are fine. What else to configure?

I meant may be you'll give me a clue what else to configure, for example JAAS?

Here is bottom line details from myprofile/log/ffcd/xxx.log files.

    [11/04/16 14:06:39:853 EDT]     FFDC 

        Exception:com.ibm.websphere.security.PasswordCheckFailedException SourceId:com.ibm.ws.security.ltpa.LTPAServerObject.authenticate ProbeId:1006 Reporter:com.ibm.ws.security.ltpa.LTPAServerObject@2be0e7c9
        com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E  No principal is found from the 'validLdapUserId' principal name.
            at com.ibm.ws.wim.ProfileManager.loginImpl(ProfileManager.java:3920)
            at com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:348)
            at com.ibm.ws.wim.ProfileManager.login(ProfileManager.java:456)

        ==> Performing default dump from com.ibm.ws.security.core.SecurityDM
        com.ibm.ws.security.config.SecurityConfigImpl@3c12279c C:\devSoft\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells/OND2C01266470Node01Cell/security.xml  (admin) :com.ibm.websphere.security.PasswordCheckFailedException: CWWIM4537E  No principal is found from the 'validLdapUserId' principal name.
        +Data for directive [defaultsecurityconfig] obtained.:
        The dynamic JAAS login configuration is:
        com.ibm.ws.security.auth.login.Configuration: Dumping JAAS Configuration
        JAAS file configuration data:
        system.RMI_OUTBOUND {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule"   ;
        };
        system.wss.generate.sct {
            com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule  required   ;
        };
        DefaultPrincipalMapping {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.auth.j2c.WSPrincipalMappingLoginModule"   ;
        };
        system.wss.consume.ltpa {
            com.ibm.ws.wssecurity.wssapi.token.impl.LTPAConsumeLoginModule  required   ;
        };
        system.wss.consume.KRB5BST {
            com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule  required   ;
        };
        system.wss.consume.ltpaProp {
            com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationConsumeLoginModule  required   ;
        };
        system.wss.consume.issuedToken {
            com.ibm.ws.wssecurity.wssapi.token.impl.GenericIssuedTokenConsumeLoginModule  required   ;
        };
        system.wss.generate.pkcs7 {
            com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7GenerateLoginModule  required   ;
        };
        system.wssecurity.X509BST {
            com.ibm.wsspi.wssecurity.auth.module.X509LoginModule  required   ;
        };
        system.wss.consume.pkiPath {
            com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathConsumeLoginModule  required   ;
        };
        system.wss.consume.x509 {
            com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule  required   ;
        };
        system.WEB_INBOUND {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.ltpaLoginModule"   ;
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule"   ;
        };
        system.WSS_OUTBOUND {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule"   ;
        };
        system.wss.consume.sct {
            com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule  required   ;
        };
        system.wssecurity.Signature {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.wsspi.wssecurity.auth.module.SignatureLoginModule"   ;
        };
        system.wssecurity.IDAssertionUsernameToken {
            com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModule  required   ;
        };
        system.wssecurity.UsernameToken {
            com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule  required   ;
        };
        system.wss.generate.saml {
            com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule  required   ;
        };
        system.DESERIALIZE_ASYNCH_CONTEXT {
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.wss.generate.ltpa {
            com.ibm.ws.wssecurity.wssapi.token.impl.LTPAGenerateLoginModule  required   ;
        };
        system.wss.generate.ltpaProp {
            com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationGenerateLoginModule  required   ;
        };
        system.wssecurity.PkiPath {
            com.ibm.wsspi.wssecurity.auth.module.PkiPathLoginModule  required   ;
        };
        system.wss.inbound.propagation {
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.wss.auth.sts {
            com.ibm.ws.wssecurity.impl.auth.module.STSDefaultLoginModule  required   ;
        };
        system.wss.generate.x509 {
            com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule  required   ;
        };
        system.RMI_INBOUND {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.ltpaLoginModule"   ;
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule"   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.WSS_INBOUND {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.ltpaLoginModule"   ;
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule"   ;
        };
        JAASClient {
            com.ibm.security.auth.module.Krb5LoginModule  required
               noAddress="true"
               tryFirstPass="true"
               useDefaultCcache="false"
               forwardable="true"
               credsType="both"   ;
        };
        system.wssecurity.KRB5BST {
            com.ibm.wsspi.wssecurity.auth.module.KRBLoginModule  required   ;
        };
        system.wss.generate.unt {
            com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule  required   ;
        };
        system.LTPA {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.ltpaLoginModule"   ;
        };
        system.wss.caller {
            com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.SAMLCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.GenericIssuedTokenCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule  required   ;
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
        };
        system.DEFAULT {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.ltpaLoginModule"   ;
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule"   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.wss.consume.pkcs7 {
            com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7ConsumeLoginModule  required   ;
        };
        system.wss.generate.KRB5BST {
            com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule  required   ;
        };
        system.wss.generate.issuedToken {
            com.ibm.ws.wssecurity.wssapi.token.impl.GenericIssuedTokenGenerateLoginModule  required   ;
        };
        WSLogin {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.common.auth.module.WSLoginModuleImpl"
               use_realm_callback="false"
               use_appcontext_callback="false"   ;
        };
        system.SWAM {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.swamLoginModule"   ;
        };
        system.wss.generate.pkiPath {
            com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathGenerateLoginModule  required   ;
        };
        system.wss.consume.unt {
            com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule  required   ;
        };
        JaasClient {
            com.ibm.security.auth.module.Krb5LoginModule  required
               noAddress="true"
               tryFirstPass="true"
               useDefaultCcache="false"
               forwardable="true"
               credsType="both"   ;
        };
        system.wssecurity.IDAssertion {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.wsspi.wssecurity.auth.module.IDAssertionLoginModule"   ;
        };
        system.wss.inbound.deserialize {
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssLtpaLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssMapDefaultInboundLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.wss.consume.saml {
            com.ibm.ws.wssecurity.wssapi.token.impl.SAMLConsumeLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule  required   ;
        };
        system.wssecurity.PKCS7 {
            com.ibm.wsspi.wssecurity.auth.module.PKCS7LoginModule  required   ;
        };

        JAAS WCCM configuration data:
        system.RMI_OUTBOUND {
            com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule  required   ;
        };
        DefaultPrincipalMapping {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.auth.j2c.WSPrincipalMappingLoginModule"   ;
        };
        system.wss.generate.sct {
            com.ibm.ws.wssecurity.wssapi.token.impl.SCTGenerateLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule  required   ;
        };
        system.wss.consume.ltpa {
            com.ibm.ws.wssecurity.wssapi.token.impl.LTPAConsumeLoginModule  required   ;
        };
        system.wss.consume.KRB5BST {
            com.ibm.ws.wssecurity.wssapi.token.impl.KRBConsumeLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule  required   ;
        };
        system.wss.consume.ltpaProp {
            com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationConsumeLoginModule  required   ;
        };
        system.wss.consume.issuedToken {
            com.ibm.ws.wssecurity.wssapi.token.impl.GenericIssuedTokenConsumeLoginModule  required   ;
        };
        system.wss.generate.pkcs7 {
            com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7GenerateLoginModule  required   ;
        };
        system.wssecurity.X509BST {
            com.ibm.wsspi.wssecurity.auth.module.X509LoginModule  required   ;
        };
        system.wss.consume.pkiPath {
            com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathConsumeLoginModule  required   ;
        };
        system.wss.consume.x509 {
            com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule  required   ;
        };
        system.WEB_INBOUND {
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
        };
        system.WSS_OUTBOUND {
            com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule  required   ;
        };
        system.wss.consume.sct {
            com.ibm.ws.wssecurity.wssapi.token.impl.SCTConsumeLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule  required   ;
        };
        system.wssecurity.Signature {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.wsspi.wssecurity.auth.module.SignatureLoginModule"   ;
        };
        system.wssecurity.IDAssertionUsernameToken {
            com.ibm.wsspi.wssecurity.auth.module.IDAssertionUsernameLoginModule  required   ;
        };
        system.wssecurity.UsernameToken {
            com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule  required   ;
        };
        system.wss.generate.saml {
            com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule  required   ;
        };
        system.KRB5 {
            com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper  required
               storeSharedStateCredentials="true"
               noAddress="true"
               tryFirstPass="true"
               renewable="true"
               refreshKrb5Config="true"
               forwardable="true"
               credsType="both"   ;
            com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule  required   ;
        };
        system.DESERIALIZE_ASYNCH_CONTEXT {
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required
               com.ibm.ws.security.context.renewToken="true"   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.wss.generate.ltpa {
            com.ibm.ws.wssecurity.wssapi.token.impl.LTPAGenerateLoginModule  required   ;
        };
        system.wss.generate.ltpaProp {
            com.ibm.ws.wssecurity.wssapi.token.impl.LTPAPropagationGenerateLoginModule  required   ;
        };
        system.wssecurity.PkiPath {
            com.ibm.wsspi.wssecurity.auth.module.PkiPathLoginModule  required   ;
        };
        system.wss.inbound.propagation {
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.wss.auth.sts {
            com.ibm.ws.wssecurity.impl.auth.module.STSDefaultLoginModule  required   ;
        };
        system.wss.generate.x509 {
            com.ibm.ws.wssecurity.wssapi.token.impl.X509GenerateLoginModule  required   ;
        };
        system.RMI_INBOUND {
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.LTPA_WEB {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.web.AuthenLoginModule"   ;
        };
        system.WSS_INBOUND {
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
        };
        WSKRB5Login {
            com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient  required
               storeSharedStateCredentials="true"
               tryFirstPass="false"
               refreshKrb5Config="true"
               useFirstPass="true"
               credsType="INITIATOR"   ;
        };
        KerberosMapping {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.auth.j2c.WSPrincipalMappingLoginModule"   ;
        };
        ClientContainer {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.common.auth.module.WSClientLoginModuleImpl"   ;
        };
        system.wssecurity.KRB5BST {
            com.ibm.wsspi.wssecurity.auth.module.KRBLoginModule  required   ;
        };
        system.wss.generate.unt {
            com.ibm.ws.wssecurity.wssapi.token.impl.UNTGenerateLoginModule  required   ;
        };
        system.LTPA {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.ltpaLoginModule"   ;
        };
        system.wss.caller {
            com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.SAMLCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.GenericIssuedTokenCallerLoginModule  required   ;
            com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule  required   ;
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
        };
        system.DEFAULT {
            com.ibm.ws.security.server.lm.ltpaLoginModule  required   ;
            com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.wss.consume.pkcs7 {
            com.ibm.ws.wssecurity.wssapi.token.impl.PKCS7ConsumeLoginModule  required   ;
        };
        system.wss.generate.KRB5BST {
            com.ibm.ws.wssecurity.wssapi.token.impl.KRBGenerateLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTGenerateLoginModule  required   ;
        };
        system.wss.generate.issuedToken {
            com.ibm.ws.wssecurity.wssapi.token.impl.GenericIssuedTokenGenerateLoginModule  required   ;
        };
        WSLogin {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.common.auth.module.WSLoginModuleImpl"
               use_realm_callback="false"
               use_appcontext_callback="false"   ;
        };
        system.SWAM {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.server.lm.swamLoginModule"   ;
        };
        system.wss.generate.pkiPath {
            com.ibm.ws.wssecurity.wssapi.token.impl.PkiPathGenerateLoginModule  required   ;
        };
        system.wss.consume.unt {
            com.ibm.ws.wssecurity.wssapi.token.impl.UNTConsumeLoginModule  required   ;
        };
        system.wssecurity.IDAssertion {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.wsspi.wssecurity.auth.module.IDAssertionLoginModule"   ;
        };
        system.wss.inbound.deserialize {
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssLtpaLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssMapDefaultInboundLoginModule  required   ;
            com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule  required   ;
        };
        system.wss.consume.saml {
            com.ibm.ws.wssecurity.wssapi.token.impl.SAMLConsumeLoginModule  required   ;
            com.ibm.ws.wssecurity.wssapi.token.impl.DKTConsumeLoginModule  required   ;
        };
        TrustedConnectionMapping {
            com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy  required
               delegate="com.ibm.ws.security.auth.j2c.WSPrincipalMappingLoginModule"
               useTrustedConnection="true"   ;
        };
        system.wssecurity.PKCS7 {
            com.ibm.wsspi.wssecurity.auth.module.PKCS7LoginModule  required   ;
        };

        :com.ibm.websphere.security.PasswordCheckFailedException: CWWIM4537E  No principal is found from the 'validLdapUserId' principal name.
        +Data for directive [defaultjaasconfig] obtained.:
        ==> Dump complete for com.ibm.ws.security.core.SecurityDM :

Here is ldap configurations from wimconfig.xml

<config:repositories xsi:type="config:LdapRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.ldap.LdapAdapter"  
    id="LDAP_dev" isExtIdUnique="true" supportAsyncMode="false" supportExternalName="false"  
    supportPaging="false" supportSorting="false" supportTransactions="false" supportChangeLog="none"  
    certificateFilter="" certificateMapMode="exactdn" ldapServerType="AD" translateRDN="false">  
    <config:baseEntries name="DC=dc5,DC=dc4,DC=dc3,DC=dc2,DC=dc1" nameInRepository="DC=dc5,DC=dc4,DC=dc3,DC=dc2,DC=dc1"/>  
    <config:loginProperties>uid  
    <config:ldapServerConfiguration primaryServerQueryTimeInterval="15" returnToPrimaryServer="true"  
      sslConfiguration="">  
    <config:ldapServers authentication="simple" bindDN="CN=validUser,OU=Users,OU=dc6,DC=dc5,DC=dc4,DC=dc3,DC=dc2,DC=dc1"  
        bindPassword="{xor}DCvalidPassword" connectionPool="false" connectTimeout="20"  
        derefAliases="always" referal="follow" sslEnabled="true">  
      <config:connections host="validHost" port="389"/>  

    <config:ldapEntityTypes name="Group" searchFilter="(ObjectCategory=Group)">  
    <config:objectClasses>group  

    <config:ldapEntityTypes name="OrgContainer">  
    <config:rdnAttributes name="o" objectClass="organization"/>  
    <config:rdnAttributes name="ou" objectClass="organizationalUnit"/>  
    <config:rdnAttributes name="dc" objectClass="domain"/>  
    <config:rdnAttributes name="cn" objectClass="container"/>  
    <config:objectClasses>organization  
    <config:objectClasses>organizationalUnit  
    <config:objectClasses>domain  
    <config:objectClasses>container  
    </config:ldapEntityTypes>  
    <config:ldapEntityTypes name="PersonAccount" searchFilter="(ObjectCategory=User)">  
    <config:objectClasses>user  
    </config:ldapEntityTypes>  
    <config:groupConfiguration>  
    <config:memberAttributes name="member" objectClass="group" scope="direct"/>  
    <config:membershipAttribute name="memberof" scope="direct"/>  
    </config:groupConfiguration>  
    <config:attributeConfiguration>  
    <config:attributes defaultAttribute="cn" name="cn">  
      <config:entityTypes>Group  
    <config:attributes defaultValue="8" name="groupType">  
      <config:entityTypes>Group  
    <config:attributes name="unicodePwd" propertyName="password" syntax="unicodePwd"/>  
    <config:attributes name="userprincipalname" propertyName="kerberosId">  
      <config:entityTypes>PersonAccount

did you compare the VMM configuration on the working and non working server? If a filter setting on the branch is incorrect configured VMM would not find the User in LDAP even that it is valid — Stefan Schmitt, Apr 12 '16 at 11:39
Probably the login properties, base dn or entity type might be incorrect, as it looks it cannot locate the user. You dont need any JAAS config, but provide more details about your configuration. Are you using Federated repos, how many you have, what is your LDAP, maybe ldap search result that shows the user... — Gas, Apr 12 '16 at 11:42
I've compared VMM settings. They look the same on both environments. Beside I successfully connected to the same ldap using ldap browser ( third party soft not related to WAS). Which specific settings should I look into? — Neptun, Apr 12 '16 at 14:14
Yes we have 1 federated repository defined. It seems configured properly because there are no exceptions in logs until I try to authenticate particular user. Those are pretty much default settings. searchFilter="(ObjectCategory=User)" is also defined. Is any log settings to turn on that I can see more info? — Neptun, Apr 12 '16 at 14:50
In our configuration we have generic User ( CN=validUser in above winconfig). We connect to ldap server with — Neptun, Apr 12 '16 at 14:58
In our configuration we have generic User ( CN=validUser in above winconfig). WAS connects to ldap server with this user. But when we run application we can't properly authenticate other valid Ldap users. Windows login goes through the same ldap instance for those users succesfully. — Neptun, Apr 12 '16 at 15:05
And I'm successfully authenticating the same user in other environment. So the problem is in my local ldap configuration. — Neptun, Apr 12 '16 at 15:19
I've modified my original post at the top. I've added a section with ldap configuration from wimconfig.xml — Neptun, Apr 12 '16 at 16:43
I'm new to this forum. And there is a limitation of 500 characters. So I have to post many replies. — Neptun, Apr 12 '16 at 21:19

score 1 · Answer 1 · answered Feb 21 '17 at 21:45

1

Do you have trust association interceptors enabled? If so, please do the following:

Go to the WAS configuration from the administrative console in Global security > Web and SIP security > General settings.

Then uncheck the check box "Use available authentication data when an unprotected URI is accessed."

answered Feb 21 '17 at 21:45

Ernani Joppert

503
5
12

Thanks Ernany for help. I've finished that contract. So I can't verify anything. – Neptun Feb 23 '17 at 01:22

CWWIM4537E No principal is found from the principal name Websphere

1 Answers1

Linked