Question & Answer
Question
LDAP Troubleshooting Multipart Document, part 7 of 11: What is the next step in the LDAP troubleshooting flow chart?
Cause
Enhanced documentation
Answer
LDAP Troubleshooting Multipart Document 6 of 11 - LDAP server authenticates user
After:
- The user enters a URL to Maximo
- The JEE server is configured for JEE server security
- The requested resource is protected
- The JEE server requests security authentication
- The browser displays the authentication dialog
- The LDAP server authenticates the user
Once the LDAP server has authenticated the user, the role mapping set up in the JEE server is checked to confirm that the user is a member of a group authorized to use Maximo.
WebSphere
In WebSphere, if the user is authenticated but not a member of the group that is authorized to access Maximo, a browser 403 error will be displayed. In WebLogic, if the user is authenticated but not a member of the group that is authorized to access Maximo, the browser will display the login dialog again, in an attempt to obtain a valid user.
In WebSphere, role mapping is handled by five files, and one setting in the WebSphere console.
\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\web.xml
\maximo\applications\maximo\mboweb\webmodule\WEB-INF\web.xml
\maximo\applications\maximo\meaweb\webmodule\WEB-INF\web.xml
\maximo\applications\maximo\maxrestweb\webmodule\WEB-INF\web.xml
\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\web.xml
Each web.xml contains the following entry, which defines the maximouser role:
<security-role>
  <description>MAXIMO Application Users</description>
  <role-name>maximouser</role-name>
</security-role>
There is more than one way to configure WebSphere role mapping. The next two screen shots show ways to map roles to groups during deployment and after deployment.
Note: The group name created in Active Directory and referenced by the Mapped Groups setting is maximousers (plural), while the role name that is created in the web.xml and referenced by the "Mapped Groups" setting is maximouser (singular).
The setting shown below configures the IBM WebSphere JEE server to map roles to groups during the fifth step of the EAR deployment process.
The setting shown below configures the IBM WebSphere JEE server to map the selected groups to the specified roles after the EAR has been deployed.
WebLogic
With Oracle WebLogic versions through 9.2, role mapping is also handled by four files, and one setting in the WebLogic console.
\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\weblogic.xml
\maximo\applications\maximo\META-INF\weblogic-application.xml
\maximo\applications\maximo\mboejb\ejbmodule\META-INF\weblogic-ejb-jar.xml
\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\web.xml
The files weblogic.xml, weblogic-application.xml, and weblogic-ejb-jar.xml all contain the following entry:
<security-role-assignment>
  <role-name>maximouser</role-name>
  <principal-name>maximousers</principal-name>
</security-role-assignment>
The file web.xml contains the following entry, which defines the maximouser role:
<security-role>
  <description>MAXIMO Application Users</description>
  <role-name>maximouser</role-name>
</security-role>
Note: The group name created in Active Directory and referenced by the three WebLogic configuration files is maximousers (plural), while the role name that is created in the web.xml and referenced in the three WebLogic configuration files is maximouser (singular).
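The following Python check is an added example, not part of the IBM document: it compares the role declared in web.xml with the role-name and principal-name in a WebLogic security-role-assignment and reports singular/plural mix-ups. The descriptor snippets are constructed samples and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples reduced to the entries quoted above (not real Maximo files).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-role>
    <description>MAXIMO Application Users</description>
    <role-name>maximouser</role-name>
  </security-role>
</web-app>"""
WL = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>{role}</role-name>
    <principal-name>{group}</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def _local(tag):
    # Drop any '{namespace}' prefix so namespaced descriptors also match.
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    return {(c.text or "").strip() for c in parent if _local(c.tag) == name}

def declared_roles(web_xml):
    """Role names declared in <security-role> elements of web.xml."""
    roles = set()
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "security-role":
            roles |= _texts(el, "role-name")
    return roles

def role_assignments(wl_xml):
    """Map each role-name to the principal-names assigned to it."""
    out = {}
    for el in ET.fromstring(wl_xml).iter():
        if _local(el.tag) == "security-role-assignment":
            for role in _texts(el, "role-name"):
                out.setdefault(role, set()).update(_texts(el, "principal-name"))
    return out

def check_mapping(web_xml, wl_xml, group):
    """Return a list of problems; an empty list means the files agree."""
    roles, assigned = declared_roles(web_xml), role_assignments(wl_xml)
    problems = [f"role '{r}' is assigned but not declared in web.xml"
                for r in sorted(set(assigned) - roles)]
    problems += [f"role '{r}' has no security-role-assignment"
                 for r in sorted(roles - set(assigned))]
    problems += [f"role '{r}' is not mapped to group '{group}'"
                 for r in sorted(roles & set(assigned)) if group not in assigned[r]]
    return problems
```

Run check_mapping against each of the three WebLogic files in turn, passing the Active Directory group name as the third argument.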
The setting shown below configures the Oracle WebLogic JEE server to find groups using the specified connection string. This should contain the Organizational Unit (OU) where the maximousers group configured in Active Directory can be found.
When these settings are correctly configured, the maximousers group will show up in the WebLogic console as a group under Security/Realms/myrealm/Groups as shown below.
If a user who is not a member of the authorized group mapped to the maximouser role is authenticated, the browser will redisplay the login dialog in step 5 of the login process.
Document Information
Modified date: 13 April 2021
UID: swg21304205