IBM Connections using Active Directory and Nested Groups

Posted by:

Case:
Customer wants to use nested groups in Access control for Communities, also it should be reflected in I'm a Member when user is looking for their communitys and so on. Connections was 4.5CRx

Google search Links that where tried, but did not work for me (for some reason unknown).
https://www.lbenitez.com/2015/11/how-to-enable-nested-ldap-groups-in-ibm.html
https://www-01.ibm.com/support/docview.wss?uid=swg21321308
https://www-10.lotus.com/ldd/lcforum.nsf/869c7412fe5d56b7852569fa007826e3/4aa9a40d4818785f85257b3b004e3240?OpenDocument
https://www.communardo.de/home/techblog/2014/06/04/nested-groups-ibm-connections/

Found something that worked for me (seems logical looking at the description).
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
coming from thread
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG

Description:
All groups specified user belongs to, including due to group nesting (Notes 10, 19)
eg. (member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
All members of specified group, including  due to group nesting (Note 10)
eg. (memberOf:1.2.840.113556.1.4.1941:=  cn=Test,ou=East,dc=Domain,dc=com) 
Note 10.
The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).

NOTE: 
All of this is of course done in the context of Deployment Manager.
After doing the changes a full resynch needs to be done with all nodes in the cluster (sometimes also take down node and use synchNode from the node) and restart the node.

Solution is to change my setting in Websphere to reflect this:
nestgroup1
nestgroup2
nestgroup3

Also changed for performance reasons the following (optional):
Reason:
https://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.wim.doc/disablingnestedgroupsearches.html
Solution is to change according to instructions

How does it look in the files before and after the change, here are snippets of this:

wimconfig.xml before the change:
      <config:groupConfiguration>
        <config:memberAttributes name="member" objectClass="group" scope="nested"/>
        <config:membershipAttribute name="memberof" scope="nested"/>
      </config:groupConfiguration>

wimconfig.xml after the change:
      <config:groupConfiguration>
        <config:memberAttributes name="member:1.2.840.113556.1.4.1941:" objectClass="group" scope="nested"/>
        <config:membershipAttribute name="memberOf:1.2.840.113556.1.4.1941:" scope="nested"/>
      </config:groupConfiguration>

security.xml before the change (you can not cut and paste any of these because some parameters are unique to your environment):
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/>

security.xml after the change (you can not cut and paste any of these because some parameters are unique to your environment):
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry">
    <properties xmi:id="VMMURProperty_1" name="com.ibm.ws.wim.registry.grouplevel" value="1"/>
  </userRegistries>

 

Shortcut to this document: https:// https://https://infoware.com/?p=7180
Thats all folks

0

Error when installing IBM Connections 5.5 with CCM!

Posted by:

Last week I started to install IBM Connections 5.5 in our lab to prepare my self for upcoming customer projects with installation or upgrading customers' sites to Connections 5.5. This first install was done on a single Windows server but I used LDAP from a current Sametime environment (so I can integrate Sametime and Connections later on).

Windows Server Configuration
———————————————-
4 CPU, 16 GB RAM
C:\ 50 GB, D:\ 100 GB

I used IBM Connections Wiki Documentation (https://www-01.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/welcome/welcome_admin.html)  but also the great "step-by-step" document written by IBM Connections Support Engineer Charlie Price (https://alturl.com/a3if4). "Step-by-step" guides can be great but do NOT trust them all the way, ALWAYS read the official wiki/technote documentation from IBM!

I installed the following software on a Windows 2008 R2 Server.
– WAS 8.5.5.7
– IBM HTTP Server 8.5.5.7
– DB2 10.5 FP6
– TDI 7.1.1 FP3
– Installation Manager 1.8.3

After installing all the above, creating WAS cell and profiles, configuring LDAP, creating DB2 databases, populate profiles and configuring IBM HTTP Server,  is it was time to do the actual Connections install. As this test environment will be used to evaluate all the features in version 5.5, I also chose to install IBM Connections Content Manager (CCM). To be able to install CCM you have to specify a folder that contains the correct FileNet installation software. For Windows you need to download these files and add them to the folder:

– 5.2.1-P8CPE-WIN.EXE
– 5.2.1.2-P8CPE-WIN-FP002.EXE
– 5.2.1.2-P8CPE-CLIENT-WIN-FP002.EXE
– IBM_CONTENT_NAVIGATOR-2.0.3.EXE
– IBM_CONTENT_NAVIGATOR-2.0.3.5-FP005.EXE

After answering all the Connections Installation Wizard questions and settings, I could finally click on the "Install" button 🙂
But unfortunately the installation ended with an error message…. 🙁

The IBM Installation Manager logs indicated that the Connections Installation Wizard where unable to finish some of its "post-install task". After a closer look in the IM logs I could see that the installation wizard where trying to uninstall Connections. OK, I then opened the install.log in the Connections install folder, in my case D:\IBM\Connections. This log contains information about all WAS configuration and Connections application installations that is done during installing Connections. I soon found this in the log:

Create CCM data directory: [D:\IBM\Connections\data\shared\ccm]
Replace place holders in template file [D:\IBM\Connections\lib\filenet\ce_silent_install_windows.txt] to new file [D:\IBM\Connections\tmp\ce_silent_install_windows.txt].
RUN: "D:\Download\CCM\FileNet\5.2.1-P8CPE-WIN.EXE" -i silent -f "D:\IBM\Connections\tmp\ce_silent_install_windows.txt"

D:\IBM\Connections>"D:\Download\CCM\FileNet\5.2.1-P8CPE-WIN.EXE" -i silent -f "D:\IBM\Connections\tmp\ce_silent_install_windows.txt"
Exit code: 0
RUN: "D:\Download\CCM\FileNet\5.2.1.2-P8CPE-WIN-FP002.EXE" -i silent -f "D:\IBM\Connections\tmp\ce_silent_install_windows.txt"

D:\IBM\Connections>"D:\Download\CCM\FileNet\5.2.1.2-P8CPE-WIN-FP002.EXE" -i silent -f "D:\IBM\Connections\tmp\ce_silent_install_windows.txt"
Exit code: -1
ERROR:  FileNet [ce] installer [5.2.1.2-P8CPE-WIN-FP002.EXE] failed, exit code [-1]:
Traceback (most recent call last):
File "D:\IBM\Connections\lib\ccm.py", line 318, in do_install
self.install_filenet_software()
File "D:\IBM\Connections\lib\ccm.py", line 371, in install_filenet_software
self.install_fn_component(c)
File "D:\IBM\Connections\lib\ccm.py", line 413, in install_fn_component
raise Exception("FileNet [%s] installer [%s] failed, exit code [%s]:" % (comp, binary, result))
Exception: FileNet [ce] installer [5.2.1.2-P8CPE-WIN-FP002.EXE] failed, exit code [-1]:
LotusConnections Component [CCM] install is FAILED

The installation continued after this,  installing all the other applications, the "only" failed installation was the CCM application. OK, So now I started to troubleshoot this error. Was the 5.2.1.2-P8CPE-WIN-FP002.EXE file corrupt? I downloaded a new one and tried to install Connections again but I got the same error message. I then checked the VMware resources, had I enough CPU or RAM? Yes. How about free disk space for the temp folder? CCM needs at least 6 GB otherwise the installation will fail. No that wasn't it. I tried to install Connections once more, this time I made a copy of the D:\IBM\Connections\FileNet folder under installation so I could investigate all the files created in this folder during installation. This as the Connections Installation Wizard deletes this folder when it fails to make a successful installation of IBM Connections. It's hard to troubleshot if logs and other files are deleted by the installation… 🙂

So what did I find in the FileNet folder? In the log file ce_install_log_5.2.1.2.txt I found the following error:


so jan 24 20:05:08:104 Error while building the EAR file in the installer
Status: FATAL ERROR
Additional Notes: FATAL ERROR – sö jan 24 20:05:10:818 [ERROR]
BUILD FAILED
D:\IBM\Connections\FileNet\ContentEngine\lib\mergeears.xml:99: The following error occurred while executing this line:
D:\IBM\Connections\FileNet\ContentEngine\lib\mergeears.xml:135: The following error occurred while executing this line:
D:\IBM\Connections\FileNet\ContentEngine\lib\mergeears.xml:202: Unparseable date: "01/24/2016 08:05 em"
at org.apache.tools.ant.taskdefs.Touch.checkConfiguration(Touch.java:256)
at org.apache.tools.ant.taskdefs.Touch.execute(Touch.java:280)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:435)
at org.apache.tools.ant.Target.performTasks(Target.java:456)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
at org.apache.tools.ant.helper.SingleCheckExecutor.executeTargets(SingleCheckExecutor.java:38)
at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:440)
at org.apache.tools.ant.taskdefs.CallTarget.execute(CallTarget.java:105)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:435)
at org.apache.tools.ant.Target.performTasks(Target.java:456)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
at org.apache.tools.ant.helper.SingleCheckExecutor.executeTargets(SingleCheckExecutor.java:38)
at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
at org.apache.tools.ant.taskdefs.Ant.execute(Ant.java:440)
at org.apache.tools.ant.taskdefs.CallTarget.execute(CallTarget.java:105)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:435)
at org.apache.tools.ant.Target.performTasks(Target.java:456)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1393)
at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
at org.apache.tools.ant.Project.executeTargets(Project.java:1248)
at org.apache.tools.ant.Main.runBuild(Main.java:851)
at org.apache.tools.ant.Main.startAnt(Main.java:235)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)
Caused by: java.text.ParseException: Unparseable date: "01/24/2016 08:05 em"
at java.text.DateFormat.parse(DateFormat.java:369)
at org.apache.tools.ant.taskdefs.Touch.checkConfiguration(Touch.java:249)
… 44 more

Total time: 9 seconds


So I opened the mergeears.xml file and looked at the row 202. Hmm, something with dates??? OK, lets ask Google about "mergeears.xml:202: Unparseable date". The first hit I got was this one.
https://www-01.ibm.com/support/docview.wss?uid=swg1PJ43439 from december 15, 2015. "CPE FIX PACK INSTALLER FAILS WHEN USING FINNISH(FINLAND) ON WINDOWS". Aha! So that was the cause. Well I am not using Finnish but as I am sitting in Stockholm, Sweden my Windows Server is using Swedish as date format and location (for system locale I use English US). So it appears there is a bug in the 5.2.1.2-P8CPE-WIN-FP002.EXE fixpack, that will make the installation fail if the date format and location on the operating system is something other than English…

"… The 5.2.1.2-CPE installer fails with a fatal Unparseable date
error when Region and Language is set to Finnish(Finland) on
Windows.  It's probable that this is a general installer issue
that will fail for any Region and Language that has a different
date format.

The problem is fixed in the ant script, which should now work
for any non English locales also Resolved by 5.2.1.3-P8CPE-FP003 and higher."

The workaround for this is to always use English as date format and location during installation of IBM Connections. After the installation is done you can change date format and location to the one that you prefer. 🙂

So did it work? Yes, I changed date format and location to English, tried to install IBM Connections again and now the installation finished SUCCESSFULLY with that lovely little green icon!

3