IBM Security Verify

  • 1.  UserLookupHelper gives issues after upgrade to ISVA10.0.4.0 IF1

    Posted Wed November 09, 2022 05:13 AM
    Hi All,

    I recently upgraded my appliance from ISVA10.0.3.1 to ISVA10.0.4.0 IF1.
    After this upgrade I experience issues with the UserLookupHelper.

    I am using the following function to initialize the UserLookupHelper

    function initUserLookupHelper(mgmtDomain) {
    	var fn = "initUserLookupHelper()";
    	logmsg(TRACE,fn+" Entering");
    	if (mgmtDomain === undefined) {
    		mgmtDomain = "";
    	}
    	if (mgmtDomain == "") {
    		mgmtDomain = "Default";
    	}
    	var prps = new java.util.Properties();
    	prps.put("ldap.enable-last-login","true");
    	prps.put("ldap.login-failures-persistent","true");
    	var ulh = new UserLookupHelper();
    	if(mgmtDomain=="Default") {
    		//Init with our ISAM RTE username/password config
    		logmsg(DEBUG,fn+" Initialise User Lookup Helper using RTE config.");
    		ulh.init(false, prps);
    	} else {
    		//Init with our serverconnection config
    		var connName = "isam-ldap";
    		var ldapConnection = ServerConnectionFactory.getLdapConnectionByName(connName);
    		if(ldapConnection==null) {
    			logmsg(FATAL,fn+" LdapConnection not found: "+connName);
    		} else {
    			var ldapServer = ldapConnection.getHost(0);
    			var ldapBindDn = ldapServer.getBindDn();
    			var ldapBindPwd = ldapServer.getBindDnPwd();
    			var ldapHostname = ldapServer.getHostname();
    			var ldapPort = ldapServer.getPort();
    			var ldapKeystore = ldapServer.getKeystore();
    			var ldapTimeout = 10;
    			logmsg(DEBUG,fn+" Initialise User Lookup Helper using LdapConnection "+connName+" and Management Domain: "+mgmtDomain);
    			ulh.init(ldapHostname, ldapPort, ldapBindDn, ldapBindPwd, ldapKeystore, null, "(|(objectclass=ePerson)(objectclass=Person))", mgmtDomain, ldapTimeout, true, prps);
    		}
    	}
    	return ulh;
    }

    I use this sequence to recreate the issue:

    In the first call to my infomap script I initialize the UserLookupHelper with mgmtDomain=Default
    var hlpr = initUserLookupHelper("Default");
    subsequent calls like below all work
    var user = hlpr.getUser(username);

    In a second call to my infomap script I initialize the UserLookupHelper with mgmtDomain=employee
    var hlpr = initUserLookupHelper("employee");
    subsequent calls like below do not work
    var user = hlpr.getUser(username);

    This behaviour is only experienced after the upgrade to ISVA10.0.4.0 IF1.

    Does anyone know what is going on here?

    Regards,
    Paul van den Brink

    ------------------------------
    Paul van den Brink
    ------------------------------


  • 2.  RE: UserLookupHelper gives issues after upgrade to ISVA10.0.4.0 IF1

    Posted Thu November 10, 2022 02:17 AM
    Hi Paul,

    You might face the changed behaviour of the UserLookupHelper, see:
    https://www.ibm.com/docs/en/sva/10.0.4?topic=critical-changes-in-this-release

    UserLookupHelper update
    The UserLookupHelper previously ignores override properties when caching the configuration for init calls that use the Verify Access RTE, or the configuration in the Username Password authentication mechanism. This results in old override properties being returned via the cache, instead of the new properties taking precedence. The UserLookupHelper will now cache based on override properties as well for init calls that use the Verify Access RTE, or the configuration in the Username Password authentication mechanism.

    Frank

    ------------------------------
    Frank Thurau
    ------------------------------
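
The release note quoted in the reply above describes a change in what the configuration cache is keyed on. The following is an added example, not part of the thread and not IBM's code: a simplified JavaScript model of such a cache, with hypothetical names (`ConfigCache`, `demo`, the `"RTE"` source label) and constructed property values, showing how a key that ignores override properties hands the first caller's settings to a later caller.

```javascript
// Simplified model of a configuration cache. Hypothetical names throughout;
// this is not the UserLookupHelper implementation.
class ConfigCache {
  constructor(includeOverrides) {
    this.includeOverrides = includeOverrides; // false = old keying, true = new keying
    this.entries = new Map();
  }

  // Build the cache key for an init call.
  key(source, overrides) {
    if (!this.includeOverrides) return source;
    // Sort property names so the key does not depend on insertion order.
    const canon = Object.keys(overrides).sort()
      .map((name) => `${name}=${overrides[name]}`).join(";");
    return `${source}|${canon}`;
  }

  // Return the effective configuration for an init call, caching on first use.
  init(source, baseConfig, overrides) {
    const k = this.key(source, overrides);
    if (!this.entries.has(k)) {
      this.entries.set(k, { ...baseConfig, ...overrides });
    }
    return this.entries.get(k);
  }
}

// Constructed sample: two init calls against the same source, different overrides.
function demo(includeOverrides) {
  const cache = new ConfigCache(includeOverrides);
  const base = { "ldap.enable-last-login": "false" }; // constructed default
  cache.init("RTE", base, { "ldap.enable-last-login": "true" });
  const second = cache.init("RTE", base, {
    "ldap.enable-last-login": "false",
    "ldap.login-failures-persistent": "true",
  });
  return {
    size: cache.entries.size,
    lastLogin: second["ldap.enable-last-login"],
    persistent: second["ldap.login-failures-persistent"],
  };
}

console.log("key ignores overrides:", demo(false));
console.log("key includes overrides:", demo(true));
```

With the old keying the second caller silently receives the first caller's overrides, so a script that depends on a particular override value should be retested after the upgrade.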



  • 3.  RE: UserLookupHelper gives issues after upgrade to ISVA10.0.4.0 IF1

    Posted Thu November 10, 2022 04:48 AM
    Hi All,

    I've added hlpr.shutdown(); in every infomap call.
    This seems to solve the issue I am facing.

    Regards,
    Paul van den Brink

    ------------------------------
    Paul van den Brink
    ------------------------------



  • 4.  RE: UserLookupHelper gives issues after upgrade to ISVA10.0.4.0 IF1

    Posted Thu November 17, 2022 03:54 AM
    Hi All,

    I had to remove the hlpr.shutdown(); 

    After the introduction it caused the failure of 30% of the calls.
    All with the following message:
    [11/17/22, 8:17:44:494 CET] 00074e5a id=00000000 com.ibm.security.access.user.UserLookupHelper I search com.tivoli.pd.rgy.exception.ServerDownRgyException: HPDAA0278E None of the configured LDAP servers of the appropriate type for the operation can be contacted.

    Regards,
    Paul van den Brink

    ------------------------------
    Paul van den Brink
    ------------------------------



  • 5.  RE: UserLookupHelper gives issues after upgrade to ISVA10.0.4.0 IF1

    Posted Mon March 27, 2023 08:48 PM

    Hi Paul, after you removed hlpr.shutdown();, how did you solve this? Thanks in advance.



    ------------------------------
    David Vicenteño Sanchez
    ------------------------------



  • 6.  RE: UserLookupHelper gives issues after upgrade to ISVA10.0.4.0 IF1

    Posted Tue April 11, 2023 03:39 AM

    Hi David,

    Yes and no.
    After the removal of hlpr.shutdown(); the message HPDAA0278E disappeared, but my original issue was still not solved.
    I received a fixpack which made it possible to make the following calls with Domain:
    deleteUserWithDomain()
    createUserWithDomain()
    getUserByNativeIdWithDomain()

    Together with the already available getUserWithDomain() I was able to fix my issue by changing all my mapping rules.

    Regards,
    Paul



    ------------------------------
    Paul van den Brink
    ------------------------------