Vivek Agarwal’s Portal/Java Blog

An IBM Gold Consultant’s weblog about IBM, Lotus, WebSphere, J2EE, IT Processes, and other IT technologies

WebSphere Portal v6 Global Deployment – Access Control Issue

Posted by Vivek Agarwal on April 10, 2007

Hey, I am impressing myself with how active I have been recently on my blog – hoping to continue it. Actually wrote this entry on my ~14-hour flight from USA to Africa.

Now onto the meat of this entry which deals with a Portal Access Control related issue we ran into on our Portal Mirror project. Note that even though we ran into this issue in context of our rather esoteric global deployment scenario, it might be applicable if you use multiple LDAP servers with a WebSphere Portal install.

In testing the Portal Mirror, we found that if we set access control on a Portal page (or portlet or PDM document or …) on one site and then viewed the access control settings for that artifact on the second site, the second site showed a blank principal row (nothing but a delete icon) where the entry we had just made should have been. And if we had granted a role to a particular user group, that group did not get the expected access on the second site, even after a Portal restart.

We initially suspected that we might have an issue with our database replication configuration and after monkeying around a bit with data comparisons between the two sites, we just switched site 2 to point to the database on site 1. Even after that change, we could not see the expected access control configuration on site 2. This was obviously interesting and perplexing at the same time. We next did file system comparisons between the corresponding WP servers on the 2 sites and found nothing of note that could explain the issue. Now we were even more flummoxed. At this point, we turned to our old friend “logging and tracing” for troubleshooting this issue. We turned on access control and authentication related tracing and voila, here was an exception of interest –

[4/3/07 12:26:11:766 CDT] 00000056 DefaultURMana > findPrincipalByIdentifier ENTRY [null / a413b872-7597-4260-b961-c6490b00aa2d]
[4/3/07 12:26:11:781 CDT] 00000056 ExceptionHelp W rethrow1 EJPFB0005E: An unexpected exception occurred. External Id "a413b872-7597-4260-b961-c6490b00aa2d" is not found.

When I saw “External Id” in the exception message, some light bulbs went on in my head! It dawned on me that this issue might actually be LDAP related. On googling for this exception, Keith (a colleague) found an IBM technote that confirmed my suspicion. When it uses an external LDAP repository, the WebSphere Member Manager (WMM) component of WP identifies each user or user group by an “external Id” that maps the WMM entity to the corresponding entry in the LDAP directory, and Portal Access Control stores that external Id, not the DN, as the principal of each access control entry. By default, with IBM Directory Server the external Id is mapped to ibm-entryUUID, an operational attribute that the directory server generates when an entry is created. In our case each site uses its own LDAP server, so even though the directory tree and entries are identical between the two sites, each entry (for example, uid=jsmith,cn=people,dc=company,dc=com) has a different ibm-entryUUID on each server. As a result, setting access control on one site recorded an ibm-entryUUID that simply does not exist on the second site: the findPrincipalByIdentifier lookup there fails with the exception above, the principal renders as a blank row, and the access control entry has no effect on the second site.

Once we had identified the root cause, resolving it was relatively straightforward: we switched the external Id mapping in the WMM configuration from ibm-entryUUID to distinguishedName, which by construction is identical on both LDAP servers. Of course, the actual WMM config file update in a cluster is not a simple matter, as Keith can attest to (and swear about) – I am talking about the WPSconfig check-out-wmm-cfg-files-from-dmgr and check-in-wmm-cfg-files-to-dmgr steps. Once we made the WMM configuration change, access control changes propagated successfully from the first site to the second. We certainly felt a significant sense of accomplishment on resolving this particular issue!

One caveat worth knowing before you make the same change: the UUID mapping is the default for a reason. An ibm-entryUUID survives a rename or move of the entry and is never reused, whereas a DN is only as stable as the directory tree. With distinguishedName as the external Id, renaming or moving a user or group orphans every access control entry that references it, and deleting an entry and later creating a different one under the same DN hands the new entry the old one's Portal permissions. If your directory administrators ever recycle DNs, make cleaning up Portal Access Control part of the deprovisioning procedure.
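To make the failure mode and the fix concrete, here is an added example (not code from this post, and not IBM's WMM or Portal Access Control code) that models what the two paragraphs above describe: two independently populated LDAP directories with identical DNs but different ibm-entryUUID values, and a Portal ACL table, replicated between the sites, that stores each entry's principal by WMM external Id. The class and function names, the server names and the sample DNs are all constructed for the illustration. It shows the grant working on site 1 and dangling on site 2 under the UUID mapping, working on both under the DN mapping, and the DN mapping's caveat: a re-created entry under the same DN inherits the old grant.

```python
# Added example (not code from the blog post or from IBM): a model of the
# Portal access-control lookup failure discussed above. Names such as
# LdapEntry, make_directory, grant, effective_roles, site_failure and
# recreate_inherits, the server names and the sample DNs are constructed.
import uuid
from dataclasses import dataclass

UUID_MAPPING = "ibm-entryUUID"
DN_MAPPING = "distinguishedName"

@dataclass(frozen=True)
class LdapEntry:
    dn: str
    entry_uuid: str  # ibm-entryUUID: minted by the server when the entry is created

def mint_uuid(server: str, dn: str, generation: int = 0) -> str:
    """Deterministic stand-in for the UUID a given server assigns to an entry.
    A different server, or a re-created entry, yields a different value."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{server}/{generation}/{dn.lower()}"))

def make_directory(server: str, dns: list) -> dict:
    """Same tree on every server; only the operational UUIDs differ."""
    return {dn.lower(): LdapEntry(dn, mint_uuid(server, dn)) for dn in dns}

def external_id(entry: LdapEntry, mapping: str) -> str:
    """The value WMM records as the entity's external Id under a mapping."""
    if mapping == UUID_MAPPING:
        return entry.entry_uuid
    if mapping == DN_MAPPING:
        return entry.dn.lower()
    raise ValueError(f"unknown external Id mapping: {mapping}")

def find_by_external_id(directory: dict, ext_id: str, mapping: str):
    """Counterpart of WMM's findPrincipalByIdentifier: None if nothing matches."""
    for entry in directory.values():
        if external_id(entry, mapping) == ext_id:
            return entry
    return None

def grant(acl: list, directory: dict, role: str, dn: str, mapping: str) -> None:
    """An administrator grants `role` to the principal at `dn` on one site.
    Portal Access Control stores the principal's external Id, not its DN."""
    acl.append((role, external_id(directory[dn.lower()], mapping)))

def effective_roles(acl: list, directory: dict, dn: str, mapping: str) -> set:
    """Roles the principal at `dn` holds when the ACL is evaluated against
    `directory`. Entries whose external Id does not resolve are skipped; in
    the Portal UI those are the blank rows with only a delete icon."""
    roles = set()
    for role, ext_id in acl:
        entry = find_by_external_id(directory, ext_id, mapping)
        if entry is not None and entry.dn.lower() == dn.lower():
            roles.add(role)
    return roles

def dangling_entries(acl: list, directory: dict, mapping: str) -> list:
    """ACL entries that reference an external Id unknown to this directory."""
    return [e for e in acl if find_by_external_id(directory, e[1], mapping) is None]

def site_failure(mapping: str) -> dict:
    """Grant a role on site 1, then evaluate the replicated ACL on both sites."""
    group = "cn=editors,cn=groups,dc=company,dc=com"
    tree = ["uid=jsmith,cn=people,dc=company,dc=com", group]
    site1 = make_directory("ldap1.site1.company.com", tree)
    site2 = make_directory("ldap1.site2.company.com", tree)
    acl = []  # the Portal database, replicated to site 2 unchanged
    grant(acl, site1, "Editor", group, mapping)
    return {
        "site1": effective_roles(acl, site1, group, mapping),
        "site2": effective_roles(acl, site2, group, mapping),
        "dangling_on_site2": len(dangling_entries(acl, site2, mapping)),
    }

def recreate_inherits(mapping: str) -> bool:
    """The caveat of DN mapping: delete a group and create a new one under the
    same DN. With DN mapping the newcomer inherits the old grant; with UUID
    mapping the grant dangles and the newcomer gets nothing."""
    group = "cn=editors,cn=groups,dc=company,dc=com"
    server = "ldap1.site1.company.com"
    site1 = make_directory(server, [group])
    acl = []
    grant(acl, site1, "Editor", group, mapping)
    site1[group.lower()] = LdapEntry(group, mint_uuid(server, group, generation=1))
    return "Editor" in effective_roles(acl, site1, group, mapping)

if __name__ == "__main__":
    for mapping in (UUID_MAPPING, DN_MAPPING):
        print(mapping, site_failure(mapping), "re-created DN inherits grant:",
              recreate_inherits(mapping))
```

The `dangling_entries` count is the thing to watch for in a real deployment: a non-zero count on any site after a directory migration or failover means access control entries that silently grant nothing, and under the DN mapping the same check after a deletion tells you which grants will attach to whatever is next created under that DN.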

Please note that you may run into this issue in some other scenarios that I can envision, since any LDAP server populated independently (for example, from an LDIF export or a provisioning script) assigns its own ibm-entryUUID values –

  • If you have a primary LDAP server and a failover LDAP server in a single WebSphere Portal deployment, and the failover server was loaded separately rather than carrying the primary's ibm-entryUUID values
  • If you have a separate IBM Web Content Management authoring environment that uses one LDAP server and a rendering environment that uses a second LDAP server

When we ran into this issue, IBM’s advice that “WP Release” schema replication is a bad idea was haunting me. I was dreading the idea of going back to my IBM contacts for help and having to hear some “I told you so” comments! Certainly relieved that this was not a killer issue and we could figure it out on our own. Now onto the next set of issues that our Portal Mirror testing will reveal.


17 Responses to “WebSphere Portal v6 Global Deployment – Access Control Issue”

  1. Idetrorce said

    very interesting, but I don’t agree with you

  2. Vivek Agarwal said

    Would you care to elaborate on what/why you don’t agree with me?

  3. sunil said

Hi Vivek, can you please help with a doubt? I've been struggling with this for the past month. I have configured my WebSphere Portal to point to a Domino LDAP directory, where I want to do authentication. I can log in to the portal, no problem, but when I try to create a new project it says it is already used by some others, etc. I checked the SystemOut.log file; there an exception comes like “Member[uid=wpsadmin,cn=users,dc=ibm,dc=com /null.null]”. Can you help me? How do I resolve this?

  4. Vivek Agarwal said

    Sunil, could you clarify what you mean by “try to create a new project …”? Is this in a custom portlet? As for the exception I would check the obvious – can you find “wpsadmin” in the people finder portlet and the user management portlet. If not, then your WMM configuration is incorrect. Chances are either your user base is set incorrectly or you are not traversing the tree. You could post your main wmm config file and I will try to look it over (no promises though as I am swamped like most other people :-)).

  5. sunil said

Hi Vivek, presently the error coming in the SystemOut.log file is: createNew EJPSG0002E: Requested Member does not exist. uid=wpsadmin,o=ihost

I checked Domino; there the administrator is cn=wpsadmin,o=ihost.

I am sure this exception is coming because the portal is comparing “uid=wpsadmin,o=ihost”. My doubt is: from where is the portal picking up “uid”? I checked all configuration files in the portal; nowhere is there uid=wpsadmin. I have configured it such that it is cn=wpsadmin,o=ihost. I don't know from where this uid is being picked up. Any idea, Vivek?

  6. Vivek Agarwal said


Have you updated your Portal’s LDAP configuration by running the relevant WPSconfig task? You need to set LdapUserPrefix=cn in ${PortalServerRoot}\config and update the ldap config. You will run “WPSconfig.bat validate-ldap” and “WPSconfig.bat enable-security-ldap”. Read the “Configuring Security” section of the InfoCenter for more details on these tasks and on ensuring that you have met the pre-requisites.

    All the best!

  7. sunil said

Yes Vivek, I have done all these tasks carefully. Still it's picking up “uid=wpsadmin,o=ihost”, but I need “cn=wpsadmin,o=ihost”. No idea from where it's picking up “uid”.

    “WPSconfig.bat validate-ldap” and “WPSconfig.bat enable-security-ldap”.

Upon executing the above commands the build was successful.

  8. Vivek Agarwal said


    Are you having login issues for “wpsadmin”? And other users as well? If so, then your wmm configuration is not correct. You could check the wmm.xml file and the attributes file in ${Portal_Server_Root}\wmm.


  9. sunil said

No, I don't have any login issues for any user I created. Login is fine; I can even log in as “cn=wpsadmin,o=ihost”.

  10. Vivek Agarwal said

    I just took a look at your exception stacktrace – are you getting this exception while attempting to work with composite applications in WebSphere Portal? If so, could it be an issue with the WMM configuration in the Process Server?

  11. TomB said

When you link Portal to an LDAP directory, you need to specify the type of LDAP directory (Domino or other).

One of the things which differentiates Domino from the other LDAP directories is the fact that Domino LDAP does not use UID. So when enabling security, you needed to modify the (default) config from uid= to cn=.

This is set in the helpers file (the script and tasks you run are the same; the properties file you use as input is different though).

    So, disable security, modify config files and enable security again – using cn instead of uid – and that error will disappear.

  12. sunil said

Yes Tom, I tried the same. OK, let me try once more. Thanks for your help, and I will let you know.

  13. Suresh said

    I’m also facing the same issue.
    Please find below the exception that I’m getting. Any help would be appreciated.

ExceptionHelp W rethrow1 EJPFB0005E: An unexpected exception occurred. Member “[uid=websphere,o=default organization / null, null]” is not found.

  14. Gokul said

We have our own custom interceptor, and I got the below error. It would be appreciated if anyone could throw some light on it.

    getMemberTableData The following SQL Exception occured during processing: “java.sql.SQLException: Java exception: ‘: java.lang.NullPointerException’.DSRA0010E: SQL State = XJ001, Error Code = 0

    WebSphere Dynamic Cache instance named ws/ initialized successfully.
    [5/8/08 9:43:04:541 EDT] 00000037 ConnectionEve A J2CA0056I: The Connection Manager received a fatal connection error from the Resource Adaptor for resource jdbc/wpdbDS. The exception which was received is Meta-data for Container db2j.y.s@92b7b35 could not be accessed
    [5/8/08 9:43:04:572 EDT] 00000037 MCWrapper E J2CA0081E: Method cleanup failed while trying to execute method cleanup on ManagedConnection WSRdbManagedConnectionImpl@11ef3b2e from resource No longer available. Caught exception: DSRA1130E: A fatal connection error occurred on another connection while this connection was active. This connection cannot be reset to a usable state.

  15. Srik said

    Hi All,
When I am searching for user groups in Portal it's throwing exceptions. Does anyone have any idea how to solve this? Your help would be appreciated.

EJPAL4000E: Too many matches found. Please refine your search criteria.

    EJPAB0008E: Number of search results is over the maximum limit of search engine allowed items.

    EJPSG0015E: Data Backend Problem javax.naming.SizeLimitExceededException: [LDAP: error code 4 – Sizelimit Exceeded]; remaining name ‘cn=groups,dc=hannaford,dc=com’

  16. Srik said

    Hi All
And also I modified the wmm.xml file by changing the default value of the search limit to some number, but it did not work for me. Please give me suggestions.


  17. Vijaya said

    Hi Vivek,
I found your blog interesting, and I thought you could probably guide me with one of my problems with WebSphere.
    I tried the attribute loader to add custom user attributes to the wmmdb, and if I fire a search query like select * from db2admin.wmmdbatr where name = ‘newAttr’; it fetches and shows that attribute. But when I try to save those user attributes with the PUMA API, it says “Attribute not defined for the member type ‘Person’”.
    But when I add user-attributes to the portlet.xml [JSR 168], it will fetch the values that I stored manually in the database.

    I have been looking for a workaround for this problem for a long time.
    Please help me with this.

