Sunday 11 November 2012

After Changing LDAP Providers, Users Are Not Picking Up Correct Rights or Permissions When Logging In



Cause Justification:

This issue occurs because the user logging in does not have administrative rights, or because Imaging is not picking up the correct administrative rights for the user, so the user is presented with basic options and none of the configuration menus.
With a new or changed LDAP provider, the latter can happen because the user and group GUIDs from the LDAP provider are cached at the initial startup of Imaging, and so may not match the new GUIDs. Users then do not receive the proper rights and are logged in as normal users with basic rights.


To resolve this issue, you must ensure that the user logging in is an administrator within WebLogic Server. If the issue occurred after adding or changing LDAP providers, you can refresh/reset the cached GUID values in the Imaging security tables by performing one of the following solutions:

Method 1, via the WLST tool:

Step#1: Connect to the WLST tool using the following steps:
. ${HOME}/db_wls_env.sh
cd ${MW_HOME}/Oracle_ECM1/common/bin
./wlst.sh
wls:/offline> connect()
Supply the username, password and server URL when prompted:

wls:/offline> connect()
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :
Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'mkkbase_domain'.

Step#2: Execute the following command to refresh the GUIDs:
wls:/mkkbase_domain/serverConfig> refreshIPMSecurity()
wls:/mkkbase_domain/serverConfig> exit()

Step#3: Log in to the IPM database using PL/SQL Developer and check the following three tables to ensure that their GUID columns are refreshed:
SYSTEM_SECURITY
DEFINITION_SECURITY
DOCUMENT_SECURITY

Method 2, via the Enterprise Manager front end:

1. Log in to the EM Console (http://mkkaixserver1:7001/em).
2. Navigate down to the Imaging server under the WebLogic Domain folder.
3. Once the right hand pane refreshes, click on the 'WebLogic Server' drop down menu and select 'System MBean Browser'.
4. On the MBean Browser tree go to Application Defined MBeans --> oracle.imaging --> Server: IPM_server1 --> cmd --> cmd
5. Click on the 'refreshIPMSecurity' link on the right hand pane.
6. Press the Invoke button.

7. Log in to the IPM database using PL/SQL Developer and check the following three tables to ensure that their GUID columns are refreshed:
SYSTEM_SECURITY
DEFINITION_SECURITY
DOCUMENT_SECURITY
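
One way to carry out the table check above without knowing the column layout, as an added example that is not from the original post: snapshot the three tables before the refresh, then count the rows that differ afterwards. It assumes the DEV1_IPM schema used further down this page, hypothetical _PRE snapshot table names, and that the tables contain no LOB or LONG columns (MINUS cannot compare those).

```sql
-- Run BEFORE refreshIPMSecurity(): snapshot the three security tables.
-- DEV1_IPM is the schema used on this page; the _PRE suffix is a hypothetical name.
create table DEV1_IPM.SYSTEM_SECURITY_PRE as select * from DEV1_IPM.SYSTEM_SECURITY;
create table DEV1_IPM.DEFINITION_SECURITY_PRE as select * from DEV1_IPM.DEFINITION_SECURITY;
create table DEV1_IPM.DOCUMENT_SECURITY_PRE as select * from DEV1_IPM.DOCUMENT_SECURITY;

-- Run AFTER refreshIPMSecurity(): report, per table, how many rows differ from the snapshot.
set serveroutput on
declare
  type t_names is table of varchar2(30);
  v_tables  t_names := t_names('SYSTEM_SECURITY', 'DEFINITION_SECURITY', 'DOCUMENT_SECURITY');
  v_total   number;
  v_changed number;
  v_gone    number;
begin
  for i in 1 .. v_tables.count loop
    execute immediate 'select count(*) from DEV1_IPM.' || v_tables(i) into v_total;
    -- Distinct rows present now that were not in the snapshot (new or rewritten values).
    execute immediate
      'select count(*) from (select * from DEV1_IPM.' || v_tables(i) ||
      ' minus select * from DEV1_IPM.' || v_tables(i) || '_PRE)' into v_changed;
    -- Distinct rows from the snapshot that no longer exist in that form.
    execute immediate
      'select count(*) from (select * from DEV1_IPM.' || v_tables(i) || '_PRE' ||
      ' minus select * from DEV1_IPM.' || v_tables(i) || ')' into v_gone;
    dbms_output.put_line(rpad(v_tables(i), 22) || ' rows=' || v_total ||
                         ' changed_or_new=' || v_changed ||
                         ' no_longer_present=' || v_gone);
  end loop;
end;
/
```

If both difference counts are 0 for a table, its rows are identical to the pre-refresh snapshot, meaning the refresh did not rewrite anything in that table.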

If the above steps fail, the next solution is to manually truncate the IPM security tables and change the admin user:

1. Clear the Imaging System_Security table with either a truncate table or a delete from System_Security command. The statements below first copy each security table to a backup table, then truncate all three:
create table DEV1_IPM.SYSTEM_SECURITY_20120207 as select * from DEV1_IPM.SYSTEM_SECURITY;
create table DEV1_IPM.DEFINITION_SECURITY_20120207 as select * from DEV1_IPM.DEFINITION_SECURITY;
create table DEV1_IPM.DOCUMENT_SECURITY_20120207 as select * from DEV1_IPM.DOCUMENT_SECURITY;
truncate table DEV1_IPM.SYSTEM_SECURITY;
truncate table DEV1_IPM.DEFINITION_SECURITY;
truncate table DEV1_IPM.DOCUMENT_SECURITY;

2. Restart the IPM server only.

3. Log in as MKKIPMADMIN as the first user to IPM. MKKIPMADMIN will now be the new administrator for IPM.
