WebSphere Application Server & Liberty


websphere Validation failed SECJ7724E Error in the user registry configuration unable to verify access to the user registry.

  • 1.  websphere Validation failed SECJ7724E Error in the user registry configuration unable to verify access to the user registry.

    Posted Wed February 07, 2024 10:40 AM

    Hi everyone,

    I am working on a WebSphere 9.0.5 installation on Windows Server 2022.  It will host an IBM Security Verify Identity Manager instance.

    I need to configure a security domain to use a Standalone LDAP server.  When I put in the configuration and click the Test Configuration button, it reports everything is good.  However, when I click on OK or Apply, it then gives me an error: Validation failed: SECJ7724E: Error in the user registry configuration unable to verify access to the user registry.

    I've been searching but have not had much luck narrowing down the issue.  I can connect without issue to the directory server with Apache Directory Studio.  I tried a couple of different things, and got different errors but in the end it still isn't able to connect.

    What am I missing?

    I also tried this with another directory server without SSL and that still failed:

    A different error:



    ------------------------------
    James Smith
    ------------------------------


  • 2.  RE: websphere Validation failed SECJ7724E Error in the user registry configuration unable to verify access to the user registry.

    Posted Wed February 07, 2024 01:24 PM

    Hello James,

    I am always perplexed when someone sets up a new connection in WebSphere to an LDAP server and chooses the Standalone LDAP registry option, when the federated repositories approach has been the preferred way since it was introduced in WebSphere Application Server 6.1. Do you have a reason you chose that?

    But more directly to your situation, I looked up "SECJ7724E unable" in our problem database and see a really old APAR...

    PM18294: LDAP SERVER VALIDATION FAILS DURING SECURITY DOMAIN CREATION IN WEBSPHERE APPLICATION SERVER V7.0
    https://www.ibm.com/support/pages/apar/PM18294

    So the "APAR" will be in your version of WebSphere, but the magic looks to be in the Problem conclusion of the APAR:

    Problem conclusion
    Introduced custom security property
    "com.ibm.websphere.security.SecConfigTaskHelper.isGoodServerId.disableWildcardSearch",
    default value is false. When this property is set to true, the
    validation step for configuring an LDAP user registry in
    WebSphere Security Domain skips the validation that a user
    exists in the registry. This does not impact the configuration
    of LDAP for the global security settings. Only enable this
    property if you are experiencing configuration issues for the
    LDAP user registry in a WebSphere Security Domain.

    So I would try setting the custom security property
    "com.ibm.websphere.security.SecConfigTaskHelper.isGoodServerId.disableWildcardSearch" to true and see if you still get that first error.
    The second part you are seeing is strange. If you are really going to an LDAP server and not using SSL, why would the "Error" message be complaining about an SSL Handshake exception?  I would be curious if that port (389) was actually using SSL.  But I don't think this was your main goal anyway, right?  It was just another thing to try.

    If you need much more help I would suggest opening a case with the support team:

    https://ibm.com/mysupport



    ------------------------------
    Bill Holtzhauser
    ------------------------------
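
One way to check whether a directory port such as 389 answers cleartext LDAP or is actually a TLS listener, as raised in the reply above. This is an added example, not code from the thread or from IBM. It sends an anonymous LDAPv3 bind in cleartext and classifies the first reply bytes; the reply samples and the local `fake_listener` are constructed so the script runs offline.

```python
import socket
import threading

# Anonymous LDAPv3 simple bind (messageID 1), BER-encoded.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
# Constructed sample replies for the offline demo.
LDAP_BIND_OK = bytes.fromhex("300c02010161070a010004000400")  # BindResponse, success
TLS_ALERT = bytes.fromhex("15030300020246")                  # TLS fatal alert record

def classify_reply(data: bytes) -> str:
    """Classify what a listener sent back after a cleartext LDAP bind."""
    if not data:
        return "closed"          # hung up without answering (common for TLS-only ports)
    if data[0] == 0x30 and 0x61 in data[2:8]:
        return "plaintext-ldap"  # BER SEQUENCE carrying a BindResponse
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls"             # TLS alert record: the port expects a handshake
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send the anonymous bind to host:port and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(ANON_BIND)
        try:
            data = s.recv(64)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)

def fake_listener(reply: bytes) -> int:
    """Constructed one-shot listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            if reply:
                conn.sendall(reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for name, reply in (("ldap", LDAP_BIND_OK), ("tls", TLS_ALERT), ("silent", b"")):
        print(name, "->", probe("127.0.0.1", fake_listener(reply)))
```

Against a real server, call `probe()` with the host and port entered in the WebSphere LDAP settings; a result of `tls` or `closed` on a port configured without SSL is consistent with the handshake error described.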



  • 3.  RE: websphere Validation failed SECJ7724E Error in the user registry configuration unable to verify access to the user registry.

    Posted Thu February 08, 2024 09:52 AM

    Hi Bill,

    I will look at your suggestion of using Federation.  We were using the standalone LDAP setting since that was the example provided in the IBM documentation for installing the IBM Security Identity Governance and Intelligence product. 

    I will provide updates on any progress we make.

    James



    ------------------------------
    James Smith
    ------------------------------