APAR status
Closed as program error.
Error description
It is seen that authorization may fail when the LDAP authorization attribute, i.e. the attr_name field of ldapAuthorizeUrl, is set to 'CN' or 'samAccountName' while connecting to an Active Directory LDAP server. In the failure cases, ACE is unable to perform a valid mapping as defined in LdapAuthorizeAttributeToRoleMap even though the configuration is correct.
Local fix
One can use the 'DN' of the group, or the memberOf attribute of the user, as the LDAP authorization attribute, e.g.:
ldap://localhost:363/<user baseDN>?memberOf?sub?(samAccountName={{username}}) => using the memberOf attribute of the user
ldap://localhost:363/<group baseDN>?dn?sub?(member={{dn}}) => using the dn of the group
Problem summary
****************************************************************
USERS AFFECTED: All users of IBM App Connect Enterprise V11 using administration security with LDAP authorization.
Platforms affected: MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
Administration security authorization may fail when connecting to an Active Directory LDAP server and using the LDAP authorization attribute of ldapAuthorizeUrl as 'CN' or 'samAccountName'. In the failure cases, IBM App Connect Enterprise is unable to perform a valid mapping as defined in LdapAuthorizeAttributeToRoleMap even though the configuration is correct.
An example of a valid ldapAuthorizeUrl configuration that may fail is:
ldap://server:port/<basedn_of_group>?CN?sub?(member={{dn}})
A work-around in such a case is to use the memberOf attribute of the user object as below:
ldap://server:port/<basedn_of_user>?memberOf?sub?(samAccountName={{username}})
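The two working URL forms given in the Local fix and the Problem summary, worked through as an added example. This is constructed for this page and is not IBM App Connect Enterprise code: it splits an ldapAuthorizeUrl into its RFC 4516 fields (base DN, attribute, scope, filter), substitutes {{username}} and {{dn}} with RFC 4515 filter escaping so a crafted user name cannot change the filter's structure, evaluates the search against a hand-built stand-in for the directory, and maps the returned attribute values to roles. The host name, DNs, role name and the plain value-to-role dictionary are assumptions; the real LdapAuthorizeAttributeToRoleMap syntax is not reproduced.

```python
"""Constructed example: how an ldapAuthorizeUrl of the form
ldap://host:port/baseDN?attribute?scope?filter is taken apart, how its
placeholders are substituted safely, and how attribute values become roles.
Not IBM App Connect Enterprise code; the directory below is hand-built."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
from urllib.parse import unquote, urlsplit

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter's structure."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 hex escapes (used only by the toy directory search)."""
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class AuthorizeUrl:
    host: str
    port: int
    base_dn: str
    attribute: str        # attribute whose values are mapped to roles (memberOf, dn, CN, ...)
    scope: str            # base | one | sub
    filter_template: str  # still contains {{username}} / {{dn}}


def parse_authorize_url(url: str) -> AuthorizeUrl:
    """Split an LDAP URL into its RFC 4516 components, applying the LDAP defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ('ldap', 'ldaps'):
        raise ValueError(f'unsupported scheme: {parts.scheme!r}')
    fields = parts.query.split('?', 3)  # attributes ? scope ? filter ? extensions
    attribute = fields[0] or '*'
    scope = (fields[1] if len(fields) > 1 and fields[1] else 'base').lower()
    if scope not in ('base', 'one', 'sub'):
        raise ValueError(f'bad scope: {scope!r}')
    filt = unquote(fields[2]) if len(fields) > 2 and fields[2] else '(objectClass=*)'
    default_port = 636 if parts.scheme == 'ldaps' else 389
    return AuthorizeUrl(parts.hostname or '', parts.port or default_port,
                        unquote(parts.path.lstrip('/')), attribute, scope, filt)


def render_filter(template: str, username: str, user_dn: str) -> str:
    """Substitute the placeholders with escaped values."""
    return (template.replace('{{username}}', escape_filter_value(username))
                    .replace('{{dn}}', escape_filter_value(user_dn)))


# Constructed entries standing in for an Active Directory domain (assumed names).
USER_DN = 'CN=alice,OU=Users,DC=example,DC=org'
ADMIN_GROUP_DN = 'CN=ace-admins,OU=Groups,DC=example,DC=org'
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {'samAccountName': ['alice'], 'memberOf': [ADMIN_GROUP_DN]},
    ADMIN_GROUP_DN: {'CN': ['ace-admins'], 'member': [USER_DN]},
    'CN=ace-viewers,OU=Groups,DC=example,DC=org': {'CN': ['ace-viewers'], 'member': []},
}

_EQUALITY = re.compile(r'^\(([A-Za-z][\w-]*)=([^()]*)\)$')  # single (attr=value) filters only


def search(url: AuthorizeUrl, rendered_filter: str) -> List[str]:
    """Toy evaluator: returns the requested attribute's values for matching entries."""
    m = _EQUALITY.match(rendered_filter)
    if not m:
        return []  # anything other than one equality assertion is rejected here
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2)).casefold()
    results: List[str] = []
    for dn, attrs in DIRECTORY.items():
        in_scope = (dn.casefold() == url.base_dn.casefold() if url.scope == 'base'
                    else dn.casefold().endswith(url.base_dn.casefold()))
        if not in_scope:
            continue
        entry = {k.lower(): v for k, v in attrs.items()}  # LDAP attribute names are case-insensitive
        if any(v.casefold() == wanted for v in entry.get(attr, [])):
            if url.attribute.lower() == 'dn':
                results.append(dn)  # '?dn?' returns the entry's own DN, as in the group-DN workaround
            else:
                results.extend(entry.get(url.attribute.lower(), []))
    return results


def map_roles(values: Iterable[str], role_map: Dict[str, str]) -> Set[str]:
    """Map attribute values to roles; comparison is case-insensitive like LDAP DN matching."""
    have = {v.casefold() for v in values}
    return {role for value, role in role_map.items() if value.casefold() in have}


def authorize(url_text: str, username: str, user_dn: str, role_map: Dict[str, str]) -> Set[str]:
    url = parse_authorize_url(url_text)
    values = search(url, render_filter(url.filter_template, username, user_dn))
    return map_roles(values, role_map)


# The two working forms from the local fix, on the constructed directory.
MEMBEROF_URL = 'ldap://ad.example.org:389/OU=Users,DC=example,DC=org?memberOf?sub?(samAccountName={{username}})'
GROUP_DN_URL = 'ldap://ad.example.org:389/OU=Groups,DC=example,DC=org?dn?sub?(member={{dn}})'
ROLE_MAP = {ADMIN_GROUP_DN: 'aceAdmin'}  # hypothetical value -> role map

if __name__ == '__main__':
    print(authorize(MEMBEROF_URL, 'alice', USER_DN, ROLE_MAP))
    print(authorize(GROUP_DN_URL, 'alice', USER_DN, ROLE_MAP))
    # A filter-injection attempt in the user name is neutralised by escaping.
    print(authorize(MEMBEROF_URL, 'alice)(samAccountName=*', USER_DN, ROLE_MAP))
```

Both workaround forms yield the same role for the same user, which is the check to run against a real directory before switching the attribute name; the last call shows why the substituted user name must be escaped rather than pasted into the filter verbatim.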
Problem conclusion
The product no longer fails to do the LDAP authorization role mapping when the group attribute name is 'CN' or 'samAccountName'.
---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:
Version    Maintenance Level
v11.0      11.0.0.11
The latest available maintenance can be obtained from:
http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
If the maintenance level is not yet available, information on its planned availability can be found on:
http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT33698
Reported component name
APP CONNECT ENT
Reported component ID
5724J0550
Reported release
B00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-07-27
Closed date
2020-12-15
Last modified date
2020-12-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
APP CONNECT ENT
Fixed component ID
5724J0550
Applicable component levels
Line of Business: Automation (LOB45)
Business Unit: Cloud & Data Platform (BU053)
Product: IBM App Connect Enterprise (SSDR5J)
Platform: Platform Independent (PF025)
Version: B00
Document Information
Modified date:
16 December 2020