Problem : Can’t login to LDAP enabled Websphere as wasadmin

Hi,
I am unable to log in to WebSphere any more using wasadmin.  Each time I try to log in as wasadmin I get the error “Login failed. Check the user ID and password and try again.”

One of two things may have triggered this problem.
First, the problem started after I switched wasadmin from one LDAP group to another and after a restart of the Cell/Node managers. I switched wasadmin back to the original group and restarted WebSphere but I am still unable to log in. In fact, when our LDAP server is monitored I don’t even see a connection attempt by wasadmin.

Second, I was also configuring Active Directory settings from within WebSphere, so is it possible that I have “locked myself out” of WebSphere?

It is puzzling that WebSphere is not even trying to contact the LDAP server.  The LDAP server is reachable via a ping from the application server. Did I somehow change a setting to tell WebSphere to not use LDAP?  Did WebSphere somehow lose the LDAP host name?  How can I find out my settings if I can’t even log in to WebSphere?

I also cannot connect via wsadmin – I get the error WASX7246E: Cannot establish “SOAP” connection to host applicationserver.company.local because of an authentication failure.

I have also checked the dmgr log files and note the error
CWWIM4537E No principal is found from the ‘wasadmin’ principal name.

Any suggestion as to what the problem is or how to troubleshoot it would be appreciated.

Exception = com.ibm.websphere.security.PasswordCheckFailedException
Source = com.ibm.ws.security.auth.ContextManagerImpl.runAs
probeid = 4001
Stack Dump = com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the 'wasadmin' principal name.
	at com.ibm.ws.wim.ProfileManager.loginImpl(ProfileManager.java:3077)
	at com.ibm.ws.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:262)
	at com.ibm.ws.wim.ProfileManager.login(ProfileManager.java:366)
	at com.ibm.websphere.wim.ServiceProvider.login(ServiceProvider.java:482)
	at com.ibm.ws.wim.registry.util.LoginBridge.checkPassword(LoginBridge.java:161)
	at com.ibm.ws.wim.registry.WIMUserRegistry$1.run(WIMUserRegistry.java:173)
	at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:3997)
	at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:4094)
	at com.ibm.ws.wim.security.authz.jacc.JACCSecurityManager.runAsSuperUser(JACCSecurityManager.java:484)
	at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperUser(ProfileSecurityManager.java:961)
	at com.ibm.ws.wim.registry.WIMUserRegistry.checkPassword(WIMUserRegistry.java:162)
	at com.ibm.ws.security.registry.UserRegistryImpl.checkPassword(UserRegistryImpl.java:309)
	at com.ibm.ws.security.ltpa.LTPAServerObject.authenticate(LTPAServerObject.java:774)
	at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:453)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:618)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
	at java.security.AccessController.doPrivileged(AccessController.java:246)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
	at com.ibm.ws.security.auth.JaasLoginHelper.jaas_login(JaasLoginHelper.java:475)
	at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:3400)
	at com.ibm.ws.security.auth.ContextManagerImpl.login(ContextManagerImpl.java:3193)
	at com.ibm.ws.security.web.FormLoginExtensionProcessor$1.run(FormLoginExtensionProcessor.java:287)
	at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
	at com.ibm.ws.security.web.FormLoginExtensionProcessor.formLogin(FormLoginExtensionProcessor.java:295)
	at com.ibm.ws.security.web.FormLoginExtensionProcessor.handleRequest(FormLoginExtensionProcessor.java:171)
	at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:114)
	at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
	at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:766)
	at com.ibm.ws.webcontainer.webapp.WebApp.invokeFilters(WebApp.java:3331)
	at com.ibm.ws.wswebcontainer.webapp.WebApp.invokeFilters(WebApp.java:357)
	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3242)
	at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:811)
	at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1455)
	at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:113)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:454)
	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:383)
	at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
	at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1818)
	at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
	at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
	at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
	at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
	at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:195)
	at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:743)
	at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:873)
	at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1469)

Solution: Can’t login to LDAP enabled Websphere as wasadmin

I was able to get LDAP working.  The solution had two parts.  First we moved wasadmin to the SWG group.  Our application server had been using this as the Base DSN.  (By placing OU=SWG in the Base DSN string you cause WebSphere to only look in that part of the LDAP tree that is below SWG.)

Second, our application server mysteriously started “talking” to the LDAP server, i.e. we restarted WebSphere and then it tried to connect to the LDAP server.  We had previously tried restarting WebSphere and had noticed that it did not attempt to contact the LDAP server.  Not sure what is behind this behavior.
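
The search-base effect described in the solution, as an added example that is not part of the original post: a subtree search only returns entries whose DN ends with the base, so an admin account moved outside OU=SWG yields "no principal found". The DNs, the DC components and the function names are constructed for illustration, and RDN values are assumed to compare case-insensitively.

```python
# Added example. All DNs are constructed sample data, not the poster's directory.
BASE_DN = "OU=SWG,DC=company,DC=local"   # assumed search base

BEFORE = ["CN=wasadmin,OU=Admins,DC=company,DC=local",
          "CN=Smith\\, Jane,OU=SWG,DC=company,DC=local"]
AFTER = ["CN=wasadmin,OU=SWG,DC=company,DC=local",
         "CN=Smith\\, Jane,OU=SWG,DC=company,DC=local"]


def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honouring '\\,' escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair inside the value
            i += 2
            continue
        if ch == ",":                    # unescaped comma ends an RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is the base or lies below it (compared RDN by RDN)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def find_principal(name, directory, base_dn):
    """Emulate a subtree search for an entry whose leading RDN value is name."""
    return [dn for dn in directory
            if split_dn(dn)[0][1] == name.lower() and in_subtree(dn, base_dn)]


if __name__ == "__main__":
    for label, directory in (("before move", BEFORE), ("after move", AFTER)):
        print(label, find_principal("wasadmin", directory, BASE_DN))
```

Comparing parsed RDNs rather than using a plain string suffix match avoids treating an escaped comma inside a value as a container boundary.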