CCM – Problems accessing libraries using Domino LDAP

There is a known issue with CCM and explicitly added “dominoUNIDs” in environments where Domino is used as the LDAP backend (http://www-01.ibm.com/support/docview.wss?uid=swg21664341).

A customer reported that some users do not have access to libraries within communities just after they have been created. We first suspected this “dominoUNID” problem, but our analysis showed that this seems to be a different problem:

  • Identify the ID of the “problematic” community (copied from the URL), e.g.: 8266f2b1-a4d8-44d0-9a7d-3faed3b36698
  • Enable the Waltz & Sonata trace on the FileNet server –> http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.5+Documentation#action=openDocument&res_title=Enabling_Waltz_and_Sonata_traces_ic45&content=pdcontent
  • Access the community with the “problematic” user
  • Search for the community ID in the waltz.sonata.trace.log

A few lines below the point where the community search shows up in the trace, we saw some queries against the DSX memberservice. At first glance there were no obvious problems with the query, but when we compared the exported LDIF with that query we noticed that the e-mail address used by FileNet to identify the user was not correct.

So the question was: where does this invalid e-mail address come from? When looking into the Domino directory we understood that the customer had placed an e-mail address beside their “normal” UID username in the ShortName field. So far so good – well, not so good for FileNet.

CCM interprets this value as the e-mail address, which it is not. To be honest, I do not understand why the customer did not set the e-mail addresses to the same value in both fields (UID / internet e-mail address)… but these are the mysteries of directories 😉

2014-11-12 13:52:39,304 [WebContainer : 0] DEBUG com.ibm.connections.directory.services.engine.DSXSearchEngine – WALTZ: DSX URL= https://some.connections.url/profiles/dsx/instance.do?email=shortcut%40connections.url

Double-check this with the DSX URLs and the right values (in this example I use ShortName: shortcut@connections.url, e-mail: full.name@connections.url):

  • https://some.connections.url/profiles/dsx/instance.do?email=shortcut@connections.url   –> no result
  • https://some.connections.url/profiles/dsx/instance.do?login=shortcut@connections.url  –> display user information
  • https://some.connections.url/profiles/dsx/instance.do?email=full.name@connections.url –> display user information

The problem in more detail

Many Lotus Notes customers have additional e-mail addresses in their person document, placed in the ShortName field. Each row/entry in that field is a UID value in LDAP. In this scenario the problem was the following:

The additional e-mail address was placed at the top of the ShortName field. This value (an e-mail address) was synced to PEOPLEDB via TDI as PROF_UID, and it seems to be interpreted as the e-mail address, although it is a UID…

Solution!

The solution was very simple… Do not place additional e-mail addresses at the top of this field in the Domino directory/person document. If this has been done, you just have to move these entries down from the top and run “sync_all_dns” in TDI to push the change to PEOPLEDB.
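
To find affected person documents before users report missing library access, the exported LDIF can be scanned for entries whose first UID value looks like an e-mail address. The script below is an added example, not part of the original analysis; it assumes the export exposes the ShortName values as `uid` in field order and the internet address as `mail`, and the sample LDIF is constructed.

```python
import base64

# Constructed sample LDIF (not taken from the customer's directory).
SAMPLE_LDIF = """\
dn: CN=Full Name,O=Example
cn: Full Name
uid: shortcut@connections.url
uid: fname
mail: full.name@connections.url

dn: CN=Other User,O=Example
cn: Other User
uid: ouser
uid: other.alias@connections.url
mail: other.user@connections.url
"""

def parse_ldif(text):
    """Return a list of entries: lowercased attribute name -> values in file order."""
    # Unfold continuation lines (a line starting with one space continues the previous one).
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: ..." marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def find_email_first_uid(entries):
    """Return (dn, first_uid, mail) where the first uid is an e-mail-like value other than mail."""
    findings = []
    for e in entries:
        uids = e.get("uid", [])
        mails = [m.lower() for m in e.get("mail", [])]
        # Assumption: the first uid value is the one synced as PROF_UID.
        if uids and "@" in uids[0] and uids[0].lower() not in mails:
            findings.append((e.get("dn", ["?"])[0], uids[0], e.get("mail", [""])[0]))
    return findings

if __name__ == "__main__":
    for dn, uid, mail in find_email_first_uid(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: first uid {uid!r} looks like an e-mail address (mail is {mail!r})")
```

Entries that carry an additional address further down the field, like the second sample entry, are not reported, which matches the fix described above.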
