Migrate LDAP configurarions from Websphere to Liberty

Question

I'm starting with a new maven web jsf application in local development. I have already a correctly configured Websphere 8.5 application server with correct configurations to use ldap. The new project will use Liberty instead traditional Websphere.

I set up what I think I need in Liberty's server.xml and application's web.xml

Liberty's server.xml:

<ldapRegistry
id="ldap"
realm="LdapRegistry"
ldapType="Microsoft Active Directory"
host="host-copy-pasted-from-websphere-configuration"
port="port-copy-pasted-from-websphere-configuration"
baseDN="baseDN-copy-pasted-from-websphere-configuration"
searchTimeout="120"
reuseConnection="true"
ignoreCase="true"
bindDN="bindDN-copy-pasted-from-websphere-configuration"
bindPassword="bindDN-known-password"
sslEnabled="false">
<activedFilters
    userFilter="userFilter-copy-pasted-from-websphere-configuration"
    groupFilter="groupFilter-copy-pasted-from-websphere-configuration"
    groupIdMap="groupIdMap-copy-pasted-from-websphere-configuration"
    userIdMap="userIdMap-copy-pasted-from-websphere-configuration"
    groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember"
    >
</activedFilters>

application's web.xml (most of configuration copy-pasted from old other applications):

<security-role>
    <role-name>AllAuthenticated</role-name>
</security-role>
<security-constraint>
    <display-name>AllAuthenticated</display-name>
    <web-resource-collection>
        <web-resource-name>AllAuthenticated</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AllAuthenticated</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>LdapRegistry</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>

my login.xhtml:

    ...
<form id="login-form" action="j_security_check" class="shadow mx-auto" method="post">
    ...
    <input type="text" id="j_username" name="j_username" class="form-control form-control-lg" required="required" autofocus="autofocus" />
    ...
    <input type="password" id="j_password" name="j_password" class="form-control" required="required" />
    ...

ibm-application-bnd.xml:

<application-bnd ...>
<security-role name="AllAuthenticated">
    <special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>

I guess it's not far from good config because when I login with bad password I get console message "Ensure that both the principal name and the password are specified correctly. Ensure that the account is not locked and that the account is enabled."

When I type the right password the error message is not displayed, no message is displayed, anyway I'm redirected to error.xhtml page, and if I try to navigate to an application's page I'm redirected to login.xhtml

Be patient pls, I work on java just from few months...

What I can try? Since I have no error message to investigate...

EDIT

Using @J Van Hill instructions I added trace logging on the server.xml. What I find is that when I use right password I get in trace this entry:

[controls={com.ibm.wsspi.security.wim.model.LoginControl=
[countLimit=4501
returnSubType=true
searchLimit=0
timeLimit=0
]}
entities={com.ibm.wsspi.security.wim.model.LoginAccount=
[password=****
principalName=my-username
]}
validated=false
]

and after some rows this entry:

[entities={com.ibm.wsspi.security.wim.model.Entity=
[IdentifierType= {
    externalName=cn=my-username,ou=my-ou,o=my-o,c=my-c
    repositoryId=com.ibm.ws.security.registry.ldap.config[ldap]
    uniqueName=cn==my-username,ou=my-ou,o=my-o,c=my-c
}
]}
validated=false
]

I'm investigating on security roles... Any other point of view is appreciated.

EDIT 2

I'm analyzing better the trace. After some rows of above entries there are errors entries:

[13/04/20 19.39.59:317 CEST] 00000079 id=00000000 com.ibm.ws.security.registry.RegistryException               > <init> Entry  
                                                                                                                   null
                                                                                                                   java.lang.NullPointerException
        at com.ibm.ws.security.wim.adapter.ldap.LdapHelper.getOctetString(LdapHelper.java:66)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager.getExtIdFromAttributes(LdapConfigManager.java:2841)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:815)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:761)
        at com.ibm.ws.security.wim.adapter.ldap.LdapAdapter.get(LdapAdapter.java:342)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

    [13/04/20 19.39.59:318 CEST] 00000079 id=0e8ce458 com.ibm.ws.security.registry.RegistryException               < <init> Exit  
                                                                                                                   com.ibm.ws.security.registry.RegistryException
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:296)
        at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getSecurityName(ServerCommonLoginModule.java:113)
        at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:77)
        at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:51)
        at sun.reflect.GeneratedMethodAccessor1372.invoke(Unknown Source)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: java.lang.NullPointerException
        at com.ibm.ws.security.wim.adapter.ldap.LdapHelper.getOctetString(LdapHelper.java:66)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager.getExtIdFromAttributes(LdapConfigManager.java:2841)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:815)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:761)
        at com.ibm.ws.security.wim.adapter.ldap.LdapAdapter.get(LdapAdapter.java:342)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.security.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:263)
        at com.ibm.ws.security.wim.ProfileManager.get(ProfileManager.java:207)
        at com.ibm.ws.security.wim.VMMService.get(VMMService.java:208)
        at com.ibm.ws.security.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:182)
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:291)
        ... 49 more

    [13/04/20 19.39.59:344 CEST] 00000079 id=00000000 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: Ƞstato creato un incidente FFDC: "com.ibm.ws.security.registry.RegistryException com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule 107" in ffdc_20.04.13_19.39.59.0.log
    [13/04/20 19.39.59:402 CEST] 00000079 id=00000000 com.ibm.ws.security.authentication.AuthenticationException   > <init> Entry  
                                                                                                                   null
                                                                                                                   com.ibm.ws.security.registry.RegistryException
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:296)
        at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getSecurityName(ServerCommonLoginModule.java:113)
        at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:77)
        at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:51)
        at sun.reflect.GeneratedMethodAccessor1372.invoke(Unknown Source)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: java.lang.NullPointerException
        at com.ibm.ws.security.wim.adapter.ldap.LdapHelper.getOctetString(LdapHelper.java:66)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager.getExtIdFromAttributes(LdapConfigManager.java:2841)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:815)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:761)
        at com.ibm.ws.security.wim.adapter.ldap.LdapAdapter.get(LdapAdapter.java:342)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.security.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:263)
        at com.ibm.ws.security.wim.ProfileManager.get(ProfileManager.java:207)
        at com.ibm.ws.security.wim.VMMService.get(VMMService.java:208)
        at com.ibm.ws.security.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:182)
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:291)
        ... 49 more

    [13/04/20 19.39.59:403 CEST] 00000079 id=5177825f com.ibm.ws.security.authentication.AuthenticationException   < <init> Exit  
                                                                                                                   com.ibm.ws.security.authentication.AuthenticationException
        at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:109)
        at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:51)
        at sun.reflect.GeneratedMethodAccessor1372.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

EDIT 3

Some additional information from trace log (I had to cut some of previous edit's log because post can be max 30000 chars).

As requested here is exposed the JNDI_CALL entries in trace after login with right password before NPE.

...
...
...
[14/04/20 9.16.57:291 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapHelper              < printSearchControls Exit  
                                                                                                               [searchScope: 2, timeLimit: 120, countLimit: 4501, returningObjFlag: false, returningAttributes: [objectguid, objectClass, cn, principalname]]
[14/04/20 9.16.57:291 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL search(Name,String,SearchControls) [ldap://XXXXXXXXXXXXX:XXX] 
                                                                                                               o=MY-O,c=,MY-C
                                                                                                               (&(cn=MY-USERNAME)(objectclass=inetOrgPerson))
                                                                                                               [searchScope: 2, timeLimit: 120, countLimit: 4501, returningObjFlag: false, returningAttributes: [objectguid, objectClass, cn, principalname]]
[14/04/20 9.16.57:305 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL search(Name,String,SearchControls) [14 ms] 
                                                                                                               com.sun.jndi.ldap.LdapSearchEnumeration@20e0d246
[14/04/20 9.16.57:305 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          3 search(String, String, Object[], SearchControls) Received search results, looping through elements. May include referral chasing.
[14/04/20 9.16.57:306 CEST] 00000083 id=3a9c8114 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          > supportRangeAttributes Entry  
                                                                                                               {objectclass=objectClass: top, person, organizationalPerson, inetOrgPerson, XXXXXOrgPerson, mdfPerson, cn=cn: MY-USERNAME}
                                                                                                               o=MY-O,c=,MY-C
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
[14/04/20 9.16.57:307 CEST] 00000083 id=3a9c8114 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          < supportRangeAttributes Exit 
[14/04/20 9.16.57:307 CEST] 00000083 id=427f3b80 com.ibm.ws.security.wim.adapter.ldap.CachedNamingEnumeration > add Entry  
                                                                                                               cn=MY-USERNAME,ou=MY-OU: null:null:{objectclass=objectClass: top, person, organizationalPerson, inetOrgPerson, XXXXXOrgPerson, mdfPerson, cn=cn: MY-USERNAME}
[14/04/20 9.16.57:307 CEST] 00000083 id=427f3b80 com.ibm.ws.security.wim.adapter.ldap.CachedNamingEnumeration < add Exit 
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          3 search(String, String, Object[], SearchControls) Received search results, looped through elements. Num of elements retrieved: 1
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL getResponseControls() [ldap://XXXXXXXXXXXXX:XXX]
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL getResponseControls() [0 ms]
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL setRequestControls(Control[]) [ldap://XXXXXXXXXXXXX:XXX]
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL setRequestControls(Control[]) [0 ms]
[14/04/20 9.16.57:307 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  > releaseDirContext Entry  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
...
...
...
[14/04/20 9.16.57:376 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  < createDirContext Exit  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@34fc1054{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848617, iPoolTimeStampSeconds=1586848617}
[14/04/20 9.16.57:376 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL close() [ldap://XXXXXXXXXXXXX:XXX]
[14/04/20 9.16.57:376 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL close() [0 ms]
[14/04/20 9.16.57:376 CEST] 00000083 id=5a992031 com.ibm.ws.security.wim.adapter.ldap.LdapAdapter             < authenticateWithPassword Exit 
...
...
...
[14/04/20 9.16.57:618 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  > checkPrimaryServer Entry  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
                                                                                                               ldap://XXXXXXXXXXXXX:XXX
                                                                                                               1586848618
[14/04/20 9.16.57:618 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  < checkPrimaryServer Exit  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
[14/04/20 9.16.57:618 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  3 getDirContext ContextPool: total=1, poolSize=0, currentTime=1586848618, createTime=1586848567
[14/04/20 9.16.57:618 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  < getDirContext Exit  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
[14/04/20 9.16.57:618 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL search(String,String,SearchControls) [ldap://XXXXXXXXXXXXX:XXX] 
                                                                                                               cn=MY-USERNAME,ou=MY-OU,o=MY-O,c=MY-C
                                                                                                               objectclass=*
                                                                                                               javax.naming.directory.SearchControls@562c6943
[14/04/20 9.16.57:621 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL search(String,String,SearchControls) [3 ms] 
                                                                                                               com.sun.jndi.ldap.LdapSearchEnumeration@61d24608
[14/04/20 9.16.57:621 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapHelper              > prepareDN Entry  
                                                                                                               cn=-MY-USERNAME,ou=MY-OU,o=MY-O,c=MY-C
                                                                                                               null
[14/04/20 9.16.57:621 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapHelper              > unescapeDoubleBackslash Entry  
                                                                                                               cn=MY-USERNAME,ou=MY-OU,o=MY-O,c=MY-C
...
...
...

And this is LdapConfigManager's method getExtIdFromAttributes(...) immediately prior to the NPE

...
...
...
[14/04/20 9.16.57:647 CEST] 00000083 id=3a9c8114 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          < getUniqueName Exit  
                                                                                                               cn=MY-USERNAME,ou=MY-USERNAME,o=MY-O,c=MY-C
                                                                                                               [14/04/20 9.16.57:647 CEST] 00000083 id=6bbc56a3 com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager       > getExtIdFromAttributes Entry  
                                                                                                               cn=MY-USERNAME,ou=MY-USERNAME,o=MY-O,c=MY-C
                                                                                                               Entity
                                                                                                               {objectguid=objectguid: null, objectclass=objectClass: top, person, organizationalPerson, inetOrgPerson, XXXXXOrgPerson, mdfPerson, principalname=principalname: null}
[14/04/20 9.16.57:647 CEST] 00000083 id=6bbc56a3 com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager       > getExtId Entry  
                                                                                                               Entity
[14/04/20 9.16.57:647 CEST] 00000083 id=6bbc56a3 com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager       > getLdapEntity Entry  
                                                                                                               Entity
[14/04/20 9.16.57:647 CEST] 00000083 id=00000000 com.ibm.wsspi.security.wim.model.Entity                      > getSubEntityTypes Entry  
                                                                                                               Entity
...
...
...

I'm very very beginner on this stuff, I noted some other configurations in original Websphere I did not set in Liberty. I don't know if I'm doing in the right way

1. In Websphere I have entry Global Security --> JAAS - J2C Authentication data, so I added in server.xml in futureManager branch:

<feature>jdbc-4.2</feature>

then added this authData entry:

<authData id="MY-IDENTIFICATION" user="MY-DB-USER" password="MY-DB-PASSWORD"/>

then in ibm-application-bnd.xml added

   <resource-ref name="jdbc/MY-JDBC" binding-name="jdbc/MY-JDBC">
     <authentication-alias name="MY-IDENTIFICATION"/>
   </resource-ref>

This attempt reported no result.

(N.B.: jdbc already correctly set up in server.xml since without authentication the web application can access db with mybatis)

2. There are also configurations about what's called "Federated Repositories", I'm trying to build the node on server.xml, but I have some difficulties. Is this mandatory and could be the cause?

Can you add filters you are actually using? At keast group filter in not correct for Active directory. Also check filters to what is shown here - https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_ldap.html — Gas, Apr 14 '20 at 13:22
yeah ... this hint is the right direction... I can't believe how superficial I am, it was the wrong ldap type... I'm going to post the detailed explanation... — Falco, Apr 14 '20 at 14:24

score 1 · Answer 1 · answered Apr 13 '20 at 15:28

Assuming your user is an LDAP user, you should probably determine if your user is authenticating with LDAP first. The behavior you see leads me to believe you are, but it is good to check. With typical trace settings, unless there is a 'real' error we don't output authentication failures to the messages log.

To debug this, turn on trace for security by adding the following to your server.xml file (if it already exists, add the trace spec below to it):

<logging traceSpecification="*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.wsspi.security.*=all" />

Rerun the scenario and you should see one or multiple trace*.log files. Search in those trace files for a LdapAdapter.login(...) call, it should look like this (note: principalName= should be the user you are authenticating with):

[4/13/20, 9:53:31:884 CDT] 0000003c id=9c608b7f com.ibm.ws.security.wim.adapter.ldap.LdapAdapter             > login Entry  
                                                                                                                com.ibm.wsspi.security.wim.model.Root=
[contexts={com.ibm.wsspi.security.wim.model.Context=
[key=realm
value=ADRealm
],com.ibm.wsspi.security.wim.model.Context=
[key=allowOperationIfReposDown
value=false
]}
controls={com.ibm.wsspi.security.wim.model.LoginControl=
[countLimit=0
properties={principalName}
returnSubType=true
searchBases={cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com}
searchLimit=0
timeLimit=0
]}
entities={com.ibm.wsspi.security.wim.model.LoginAccount=
[password=****
principalName=vmmtestuser
]}
validated=false
]

Typically at this point I search forward from this position for "login". A successful login contains an entity with properties for your user and looks like this:

[4/13/20, 9:53:31:911 CDT] 0000003c id=9c608b7f com.ibm.ws.security.wim.adapter.ldap.LdapAdapter             < login Exit  
                                                                                                               com.ibm.wsspi.security.wim.model.Root=
[entities={com.ibm.wsspi.security.wim.model.PersonAccount=
    cn=vmmtestuser
    dentifierType= {
    externalId=d577025f9f80f7cef25c99b722a68714
    externalName=cn=vmmtestuser,cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com
    repositoryId=com.ibm.ws.security.registry.ldap.config[LDAP]
    uniqueName=cn=vmmtestuser,cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com

    assword=****
    rincipalName=vmmtestuser
    }
validated=false
]

A failed login might look something like this (error code 49 is bad credentials):

[4/13/20, 9:53:33:084 CDT] 0000003f id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  > isConnectionException Entry  
                                                                                                               javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=vmmtestuser,cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com]
    at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3158)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3104)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2890)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2804)
    at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at org.apache.aries.jndi.ContextHelper.getInitialContextUsingBuilder(ContextHelper.java:244)
    at org.apache.aries.jndi.ContextHelper.getContextProvider(ContextHelper.java:208)
    at org.apache.aries.jndi.ContextHelper.getInitialContext(ContextHelper.java:141)
    at org.apache.aries.jndi.OSGiInitialContextFactoryBuilder.getInitialContext(OSGiInitialContextFactoryBuilder.java:51)
    at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
    at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
    at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
    at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext.<init>(TimedDirContext.java:80)
    at com.ibm.ws.security.wim.adapter.ldap.context.ContextManager.createDirContext(ContextManager.java:542)
    at com.ibm.ws.security.wim.adapter.ldap.LdapAdapter.authenticateWithPassword(LdapAdapter.java:3025)
    at com.ibm.ws.security.wim.adapter.ldap.LdapAdapter.login(LdapAdapter.java:634)

If your user has authenticated, then it would appear you have a issue with the security roles in your application (your authenticated user does not possess the required role(s)).

Tnx it was very usefull tracing, "it seems" I'm logged since I found in my trace log file the entry stating "[entities={...externalName=cn=my-user-name...". I'm editing the question with exact information in just minutes, as far I can see you seem very experienced. Can you advice something else on checking security roles, even external link for documentation... — Falco, Apr 13 '20 at 17:03
Same trace will capture the authorization as well. I am not as experienced with that. I will bring this question to the attention of someone who is a bit more experienced with authorization. — J Van Hill, Apr 13 '20 at 17:43
Thx, very sorry, I'm analyzing the trace more, after what I found, there are some other errors... I'm editing the question.. thx in advance. — Falco, Apr 13 '20 at 17:47
Would you mind looking back for the JNDI_CALL that occurs immediately prior to the NPE you posted in edit 2? That looks like the culprit. The security code is getting the user's security name and we are looking up an attribute that apparently is causing this NPE. I would also like to see the entry trace for entering into the LdapConfigManager's method getExtIdFromAttributes(...) immediately prior to the NPE as well. It appears you have an external ID attribute we assume is an octet string that is not an octet string. — J Van Hill, Apr 13 '20 at 18:30
Thank you very much for your help! I learned a lot from your considerations... I tried also this https://www.ibm.com/mysupport/s/question/0D50z00005q4FzECAU/liberty-is-not-able-to-authenticate-user-even-after-backend-ldap-is-able-to-authenticate?language=it which i think is yours! ...but at the end was my superficial knowledge of ldap — Falco, Apr 14 '20 at 15:09

score 0 · Answer 2 · answered Apr 14 '20 at 14:45

Adding a new answer for edit 3. I think the issue is that your externalid is configured to be objectguid, which appears to be null (objectguid:objectguid=null). That should not result in an NPE. I have opened a git issue. If you are using the same LDAP server as tWAS, please check your wimconfig.xml file from the tWAS server and determine what your externalID attribute was. It may look something like this:

<config:externalIdAttributes name="entryUUID" syntax="octet_string"/>

Then configure the same in Liberty.

<ldapRegistry ... >
    <attributeConfiguration>
        <externalIdAttribute name="entryUUID" syntax="octet_string" entityType="PersonAccount" />
        <externalIdAttribute name="entryUUID" syntax="octet_string" entityType="Group" />
    </attributeConfiguration>
</ldapRegistry>

If you don't provide an 'entityType' attribute, it will apply it to all entity types. You can also configure it to be the entity's distinguished name by using 'distinguishedName' for the 'externalidAttribute' element's 'name' attribute.

I hope this helps.

score 0 · Accepted Answer · answered Apr 14 '20 at 15:01

I was very superficial. I started this implementation starting from this:

https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_ldap.html

Reading with no atteintion I saw only two type of LDAP "IBM Directory Server" and "Microsoft Active Directory Server"

I was not really aware of what kind of LDAP I'm working with, since I was not able to find it in my working websphere configurations and since those configurations were made following some notes of collegues.

I copy-pasted the code from the link above, and since configs for IBM Directory Server did not work at all, I used Microsoft Active Directory Server which seemed to work and was giving me misleading behaviour as explained in the question...

Unfortunately my local websphere configs are a little confusing also, there are a lot of tests e configs maybe unnecessary.

So at the end it was not necessary, since is not used, federatedRepository settings, and even resource-ref entry in ibm-application-bnd is unnecessary.

The only thing I needed was to know in clear way what's ldap server used. After @Gas comment I checked the entries in server.xml about ldapType and filters. If I did not copy-pasted the code I would be aware that after typing ldapType=" eclipse suggest a lot of ldap types... so I remind my self that ldap is not Microsoft Active Directory Server. In my case LDAP was ODSEE, unfortunetely not listed, searched on google and found on wikipedia (https://en.wikipedia.org/wiki/Sun_Java_System_Directory_Server) that ODSEE was before named some years ago as Sun Java System Directory Server.

Now, for every ldapType you have to type the right filters entries, no config errors is given if you make a mistake, just not logged in with message which could be misleading.

So right Ldap config in my case is:

<ldapRegistry
id="ldap"
realm="LdapRegistry"
ldapType="Sun Java System Directory Server"
host="host-copy-pasted-from-websphere-configuration"
port="port-copy-pasted-from-websphere-configuration"
baseDN="baseDN-copy-pasted-from-websphere-configuration"
searchTimeout="120"
reuseConnection="true"
ignoreCase="true"
bindDN="bindDN-copy-pasted-from-websphere-configuration"
bindPassword="bindDN-known-password"
sslEnabled="false">
<iplanetFilters
    userFilter="userFilter-copy-pasted-from-websphere-configuration"
    groupFilter="groupFilter-copy-pasted-from-websphere-configuration"
    groupIdMap="groupIdMap-copy-pasted-from-websphere-configuration"
    userIdMap="userIdMap-copy-pasted-from-websphere-configuration"
    groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember"
    >
</iplanetFilters>

I found the right filter to use by exclusion... I guess this is the right association between ldapType and filters:

Custom=customFilters
IBM Lotus Domino=domino50Filters
IBM SecureWay Directory Server=securewayFilters
IBM Tivoli Directory Server=idsFilters
Microsoft Active Directory=activedFilters
Netscape Directory Server=netscapeFilters
Novell eDirectory=edirectoryFilters
Sun Java Directory Server=iplanetFilters

Now I'm able to log in, at least in HTTP (not yet in HTTPS, but this is another story and my work for this evening...)

Above considerations could be obvious, and the config error trivial, but I guess my this experience could be usefull for someone else.

Migrate LDAP configurarions from Websphere to Liberty

3 Answers3