Maximo List Archive

This is an archive of the Maximo Yahoo Community. The content of these pages may sometimes be obsolete, so please check post dates.
Thanks to the community owner Christopher Wanko for providing the content.



Maximo 7.6 and LDAP on WebSphere... ugh.

From: maximal (2017-06-13 12:25)

I'm getting *only* the logout page. I can't get the login page to come up, but at least Maximo is running. Yesterday was a nightmare.

Any suggestions here? Websphere is definitely talking to my domain controllers, I can query users and groups from there. I'm using FORM authentication right now, going to switch to BASIC to see if I can at least login.

-C



From: maximal (2017-06-13 14:03)

Okay, I actually got it to work with the MAXADMIN user but no other user can log in. What should I be checking here? The AD group maximousers contains more than just MAXADMIN.
-C



From: Jim Mullan (2017-06-13 14:18)

I haven't seen any earlier posts apart from the "I'm getting *only* the logout page" one.
So please excuse if I'm stating the obvious, but have you synchronised any other users yet?
Regards
Jim
From: MAXIMO@yahoogroups.com [mailto:MAXIMO@yahoogroups.com]
Sent: 13 June 2017 15:03
To: MAXIMO@yahoogroups.com
Subject: [MAXIMO List] Re: Maximo 7.6 and LDAP on WebSphere... ugh.
Okay, I actually got it to work with the MAXADMIN user but no other user can log in. What should I be checking here? The AD group maximousers contains more than just MAXADMIN.
-C


From: maximal (2017-06-13 14:55)

I guess not!


From: maximal (2017-06-13 15:03)

Begs the question, how did maxadmin get synchronized and no one else?


From: Jim Mullan (2017-06-13 15:04)

Without configuring either an LDAPSYNC or VMMSYNC cron, you will not have users in Maximo other than the standard mxadmin, mxintadm and maxreg.
If user management has not been disabled in Maximo (a system property) you would be able to create a user in Maximo as long as the login id matches whichever AD(?) attribute you are using with the standard being CN.
Best to set up a cron instance but you'll need to decide what the top level is in AD for User and Group searches and any other filter that you may wish to apply to avoid pulling everything into Maximo regardless of what it is.
From: MAXIMO@yahoogroups.com [mailto:MAXIMO@yahoogroups.com]
Sent: 13 June 2017 15:55
To: MAXIMO@yahoogroups.com
Subject: RE: [MAXIMO List] Re: Maximo 7.6 and LDAP on WebSphere... ugh.
I guess not!


From: Jim Mullan (2017-06-13 15:11)

They would have been included in the maxinst data file.
From: MAXIMO@yahoogroups.com [mailto:MAXIMO@yahoogroups.com]
Sent: 13 June 2017 16:03
To: MAXIMO@yahoogroups.com
Subject: [MAXIMO List] Re: Maximo 7.6 and LDAP on WebSphere... ugh.
Begs the question, how did maxadmin get synchronized and no one else?


From: mike.pycroft (2017-06-13 12:43)

Is your system in Admin mode?


From: Paul Bishop (2017-06-13 10:11)

Make sure you are not in ADMIN mode (DBCONFIG). Very common cause of this type of issue.
Paul D. Bishop
On Tue, Jun 13, 2017 at 10:03 AM, maximal@wanko.com [MAXIMO] <
MAXIMO@yahoogroups.com> wrote:
>
>
> Okay, I actually got it to work with the MAXADMIN user but no other user
> can log in. What should I be checking here? The AD group maximousers
> contains more than just MAXADMIN.
>
> -C


From: maximal (2017-06-13 16:17)

Not in admin mode, and the users already exist in MAXUSER, GROUPUSER, etc. I am converting an existing system to use LDAP for auth and user membership. There is a username to match in MAXUSER, so it must be something else.
I'll try dropping and adding a user manually, and see if it picks up. Thanks everyone, I'll keep at it.

Yes, I do need to configure VMMSYNC. That looks fun.

-C



From: therron (2017-06-14 12:46)

I'd refer you here:
https://www.ibm.com/developerworks/community/blogs/a9ba1efe-b731-4317-9724-a181d6155e3a/entry/maximo_and_ldap_configuration_from_start_to_finish?lang=en
Look at Step 2, subpoint 7. Make sure you are using the right realm.


From: swkim (2017-06-14 15:05)

Can you give us your system information? App server, database, and Maximo version?
I know when we upgraded to 7.5, we had an issue with the case. Might be worth checking out if case sensitivity is an issue:

http://www-01.ibm.com/support/docview.wss?uid=swg21394865


From: maximal (2017-06-14 17:28)

I trashed my security on my development WebSphere instance. PMR in with IBM, I've really messed it up trying to revert.
-C



From: maximal (2017-06-14 17:31)

WebSphere 8.5.5 on Windows Server 2012, with Oracle 12c and Maximo 7.6
Right now WebSphere is not synchronizing nodes, so I'm stuck until I can fully revert back to scratch. Once I do that, I'll be taking a directory backup and taking another stab at it.

Sending all uppercase would seem like a fix, as my AD sAMAccountName values tend to be mixed case.

-C



From: maximal (2017-06-20 13:18)

Reverted... and it was a pain.
Probably going to do something stupid and try again tomorrow. This time I'll backup the entire directory.

-C



From: maximal (2017-06-21 19:04)

Right back where I started. At least I can synchronize the nodes.
Only maxadmin can login. I can't figure out how to log in with any other ID.

-C



From: Pat Morrow (2017-06-21 20:21)

I know you have likely already looked at this, but am going to suggest it anyway.
Make sure that you do not have ADMIN mode ON.
Pat Morrow
pmorrow8@yahoo.com
From: "maximal@wanko.com [MAXIMO]" <MAXIMO@yahoogroups.com>
To: MAXIMO@yahoogroups.com
Sent: Wednesday, June 21, 2017 1:04 PM
Subject: [MAXIMO List] Re: Maximo 7.6 and LDAP on WebSphere... ugh.

  Right back where I started. At least I can synchronize the nodes.
Only maxadmin can login. I can't figure out how to log in with any other ID.

-C




From: maximal (2017-06-22 13:41)

Admin mode not on.
I finally got it to work, at least the authentication part. I had to edit a wimconfig.xml file to use sAMAccountName.

Now my next problem, which you only see once you can auth and get in: I can't manage my security group assignments. I *only* want LDAP auth for users, I do NOT want LDAP group assignments.

How do I fix that?

-C



From: bbradford (2017-06-22 15:05)

Set the property mxe.LDAPGroupMgmt=0
https://www.ibm.com/support/knowledgecenter/SSLKT6_7.6.0/com.ibm.mbs.doc/securgroup/c_props_user_grp_mgmt_creation.html


From: maximal (2017-06-26 16:13)

I was looking for that setting, thanks!
Turned out, though, I had to re-set my ability on my named account to authorize group assignments.
So now I'm LDAPped. It's... okay.
-C


From: swkim (2017-06-27 14:48)

Yeah, your setup is not common. We have the same LDAP setup. I create the Maximo users manually (Security > Users). As long as the userid matches with your LDAP, the password authentication is managed by LDAP.
We did have to manually update via SQL all our userid logins to upper case though. We also had to turn on

mxe.convertloginid=1

This way submissions of user logins are always upper case.

Tends to be an issue where LDAP or Maximo runs on Linux.
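
An added example, not part of the original thread: a pre-flight audit of the login-ID case problem described in the post above, run before bulk upper-casing MAXUSER login IDs or enabling mxe.convertloginid. It assumes Maximo compares login IDs case-sensitively and that mxe.convertloginid=1 upper-cases the submitted login as the post describes; the function name and both sample lists are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: sAMAccountName values exported from AD and
# login IDs exported from MAXUSER (neither list comes from the thread).
AD_SAM = ["MAXADMIN", "JSmith", "mgarcia", "TLee", "newhire"]
MAXUSER = ["MAXADMIN", "JSMITH", "mgarcia", "tlee", "TLEE"]


def audit_login_ids(directory_ids, maximo_ids, convert_login_id=True):
    """Classify each directory account by how its login would match MAXUSER.

    convert_login_id models mxe.convertloginid=1 as described in the thread:
    the submitted login is upper-cased before lookup (assumption).
    """
    maximo_set = set(maximo_ids)
    by_upper = defaultdict(list)
    for mid in maximo_ids:
        by_upper[mid.upper()].append(mid)

    report = {"ok": [], "case_mismatch": [], "missing": []}
    for did in directory_ids:
        submitted = did.upper() if convert_login_id else did
        if submitted in maximo_set:
            report["ok"].append(did)            # exact match, login resolves
        elif did.upper() in by_upper:
            # A record exists but differs only in case: authentication can
            # succeed in LDAP while the Maximo user lookup fails.
            report["case_mismatch"].append((did, by_upper[did.upper()][0]))
        else:
            report["missing"].append(did)       # never created or synchronized

    # Rows that would violate uniqueness if MAXUSER were upper-cased in bulk.
    report["collisions"] = {k: v for k, v in by_upper.items() if len(v) > 1}
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print("convert_login_id =", mode)
        for key, value in audit_login_ids(AD_SAM, MAXUSER, mode).items():
            print("  ", key, value)
```

Any entry under `collisions` has to be resolved by hand before a bulk upper-case update, and any `case_mismatch` entry left with conversion enabled marks a MAXUSER row that still needs upper-casing.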


From: maximal (2017-06-28 13:40)

One more question: I have a new security group "maximousers" which is apparently synchronizing my users. I didn't create it, so the LDAPSYNC must have done it.
I think I really want my AD group maximousers to synchronize with Maximo group EVERYONE, don't I? How would my groupMapping..xml look for that?

-C



From: Jim Mullan (2017-06-28 13:58)

That's because the Group synchronisation filter will pick up any AD group found under the BaseDN, creating in Maximo where necessary and adding the group members.
If you had wished the user synchronisation to be into EVERYONE it may have been best to create the AD group as EVERYONE instead of MAXIMOUSERS.
I still think that there is a benefit to keeping them separate e.g. you may actually end up granting permissions to EVERYONE and then, as soon as you synchronise users they need to be named licensed users. If you are only ever pulling over legitimate users then this isn't necessarily an issue. You could even set up all the Maximo Security Groups in AD and push the responsibility of populating those to Network Admins, but they are unlikely to thank you for it.
Given the possibility of an IBM license audit, I prefer a process whereby a Maximo System Administrator adds new users to whichever Maximo Security Groups that they have entitlement to, including EVERYONE.
From: MAXIMO@yahoogroups.com [mailto:MAXIMO@yahoogroups.com]
Sent: 28 June 2017 14:40
To: MAXIMO@yahoogroups.com
Subject: [MAXIMO List] Re: Maximo 7.6 and LDAP on WebSphere... ugh.
One more question: I have a new security group "maximousers" which is apparently synchronizing my users. I didn't create it, so the LDAPSYNC must have done it.
I think I really want my AD group maximousers to synchronize with Maximo group EVERYONE, don't I? How would my groupMapping..xml look for that?
-C


From: maximal (2017-06-28 15:10)

The only utility I can see is to verify a list of AD users appearing in Maximo, by virtue of maximousers membership. That may be sufficient for my purposes.