Introduction
IBM® Lotus® Quickr® for WebSphere® Portal, as the name suggests, is an application running on WebSphere Portal. It relies on the underlying infrastructure, WebSphere Identity Manager (WIM) and the Portal User Management Architecture (PUMA), for its security management. Working with Lotus Quickr therefore requires familiarity with the security setup and user management of IBM WebSphere Portal and IBM WebSphere Application Server.
In this article we discuss Quickr security issues in terms of four broad areas (not including issues that may arise at underlying layers; for example, log-in failure):
- Members portlet
- Directory search
- Roles
- Place access
Members portlet issues
The Members portlet is available upon Place creation and is reachable through the left-hand page navigation (see figure 1).
Figure 1. Members portlet
Issues can arise when the Members portlet is used to search for entities in LDAP to add as members or to see an existing list of members of a Place.
To troubleshoot:
1. When adding new members, the search is performed against a user repository (Directory/LDAP). In the event of search delays or incorrect results, a WIM trace can therefore help identify the cause. WIM trace string:
com.ibm.ws.wim.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all
Look for the JNDI call to LDAP for the user/group and the return of this call, and investigate the trace in between.
For example:
[1/26/12 14:56:19:274 CET] 00000063 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(String,String, Object[], SearchControls) ENTRY o=ibm,c=in
(&(|(objectClass=inetorgperson)(objectClass=inetorgperson))(serialnumber=12345)) null [searchScope: 2, timeLimit: 600000, countLimit:4501, returningObjFlag: false, returningAttributes: [objectClass]] .....
[1/26/12 14:56:19:462 CET] 00000063 LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(String,String, Object[], SearchControls) RETURN ...
2. Also, check the configurable parameters under Portal Administration > Manage Portlet > Members (portlet) for search-related issues, for example, the Type-ahead timeout control.
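For step 1 above, pairing each JNDI_CALL ENTRY with its RETURN by thread ID gives the duration of every LDAP search and exposes searches that never returned. The following Python sketch is an added example, not part of the original article or of any IBM tooling; the sample trace is constructed in the layout shown above, and the function names and the 1000 ms threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the WIM trace layout shown above (not real server output).
SAMPLE_TRACE = """\
[1/26/12 14:56:19:274 CET] 00000063 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(String,String, Object[], SearchControls) ENTRY o=ibm,c=in
(&(|(objectClass=inetorgperson)(objectClass=inetorgperson))(serialnumber=12345)) null [searchScope: 2, timeLimit: 600000, countLimit:4501]
[1/26/12 14:56:19:462 CET] 00000063 LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(String,String, Object[], SearchControls) RETURN
[1/26/12 14:56:20:000 CET] 00000071 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(String,String, Object[], SearchControls) ENTRY o=ibm,c=in
(&(objectClass=groupOfNames)(cn=sales*)) null [searchScope: 2, timeLimit: 600000, countLimit:4501]
[1/26/12 14:56:27:500 CET] 00000071 LdapConnectio < com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(String,String, Object[], SearchControls) RETURN
[1/26/12 14:56:28:100 CET] 00000072 LdapConnectio > com.ibm.ws.wim.adapter.ldap.LdapConnection JNDI_CALL search(String,String, Object[], SearchControls) ENTRY o=ibm,c=in
"""

JNDI = re.compile(r"^\[(\d+/\d+/\d+ \d+:\d+:\d+:\d+) \w+\] (\w{8}) \S+\s+[<>] \S+ "
                  r"JNDI_CALL (\w+)\(.*?\) (ENTRY|RETURN)\b(.*)$")

def pair_jndi_calls(trace_text):
    """Pair each JNDI_CALL ENTRY with the RETURN logged on the same thread id."""
    pending, done, last = {}, [], None
    for line in trace_text.splitlines():
        m = JNDI.match(line)
        if m is None:
            # A line without a "[timestamp]" header continues the previous ENTRY
            # (the LDAP filter and SearchControls); other trace records end it.
            if line.startswith("["):
                last = None
            elif last in pending and line.strip():
                pending[last]["args"] += " " + line.strip()
            continue
        stamp, thread, op, kind, rest = m.groups()
        when = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S:%f")
        if kind == "ENTRY":
            pending[thread] = {"start": when, "op": op, "args": rest.strip()}
            last = thread
        elif thread in pending:
            call = pending.pop(thread)
            ms = (when - call["start"]) // timedelta(milliseconds=1)
            done.append({"thread": thread, "op": op, "ms": ms, "args": call["args"]})
            last = None
    return done, pending  # pending: calls with no RETURN yet (possible hang)

def slow_calls(trace_text, threshold_ms=1000):
    """Return completed LDAP calls that took at least threshold_ms."""
    return [c for c in pair_jndi_calls(trace_text)[0] if c["ms"] >= threshold_ms]

if __name__ == "__main__":
    for c in slow_calls(SAMPLE_TRACE):
        print(f'{c["ms"]} ms  thread {c["thread"]}  {c["op"]}  {c["args"]}')
```

The `args` field carries the base DN, filter and SearchControls of each call, so a slow or hung entry can be replayed against the directory with an LDAP client to confirm whether the delay is on the LDAP side.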
Directory search issues
A directory search pop-up window is displayed when you grant or modify access, through the Quickr web UI, to any resource (document or folder) in a Quickr Place. Issues that can occur include incorrect search results for a user (see figure 2) and an incorrect membership list for a group (see figure 3).
Figure 2. Grant/modify access to Quickr artifacts
Figure 3. Directory Search pop-up for granting/modifying access to Quickr artifacts
The directory search runs the query items (a name or a group) against LDAP and matches the result set to the community (Place membership) to produce a final, valid result set. The trace that may help with directory search issues is:
com.ibm.wps.resolver.cor.*=all:
com.ibm.websphere.wmm.*=finest:
com.ibm.ws.wmm.*=finest:
com.ibm.workplace.*=finest:
com.ibm.wkplc.*=finest:
com.ibm.wps.um.*=finest:
com.ibm.wps.puma.*=finest:
com.ibm.wps.teamspace.community.adapter.*=finest
For example, a typical statement of this trace may look as follows:
[2/23/11 12:29:41:201 CET] 00000043 WmmStore 2
com.ibm.wkplc.people.wmm.workspace.WmmStore nameSearch(short memberType,....
NOTE: Before diving into the trace, it's important that you know the query parameters such as the name of the user or group that was searched for. This will help you follow the thread in the trace file.
Role issues
Lotus Quickr provides four out-of-the-box roles (Manager, Editor, Contributor, and Reader) that can be used as a basis for creating more roles. Roles determine what a Place member can do with the various components of the Place (Library, Wikis, Blogs, etc.), as shown in figures 4 and 5.
Figure 4. Manage Roles
Figure 5. “Create and change content owned” role
Place access issues
Access to a Place is based on membership in that Place, and the Places catalog is the troubleshooting point if expected Places cannot be seen in “myPlaces”.
Issues can occur in which a user cannot see all the Places of which he/she is a member, or cannot access a specific Place at all. To troubleshoot:
1. Access the Place Catalog Administration at the bottom of the Quickr UI (available only to Administrators), as shown in figure 6.
2. Rebuilding the Place Catalog helps in many cases. To do this:
a) Click “More actions” and select “Clear Data” to remove the index.
b) Once the index is removed, click “More actions” and select “Collect Data” to rebuild the index.
NOTE: This index is not to be confused with the JCR index, which is an index of the content of the Places. The Catalog is only the index of the Places themselves, not their content.
3. Before rebuilding the index, you may also want to confirm that the source (Quickr server, local or remote) is correctly configured for indexing, using the Edit Details option.
Figure 6. Place Catalog Administration tab
4. It is useful to check whether the Place is missing only in “MyPlaces” but can still be accessed through a friendly URL, or whether it cannot be accessed through the friendly URL either.
5. For further troubleshooting, the following traces are helpful:
com.ibm.lotus.placecntr.*=all
com.ibm.lotus.search.index.*=all
Conclusion
It is very important to classify the issue into one of the above categories so that you can determine whether it lies on the LDAP side, in the Portal PUMA layer, or in the WIM layer. The corresponding traces can then reveal the issue at hand.
About the author
Aditya Mohan is currently an Advisory Software Engineer with the WebSphere Portal and Quickr support teams and has previously worked with Domino server and other Lotus products. You can reach him at aditya.mohan@ie.ibm.com.