The first step to solving a user or group sharing problem is to collect the following items:
LDAP type (federated or standalone)
Mashups trace. *=info: com.ibm.mm.*=all
I've shared pages to groups. Why can't users from those groups see the pages?
Verify the space is shared to all the groups that the pages are shared to
The first thing to check is to ensure that you've shared the parent space or page with the same groups.
For example if you have a space with 2 pages and one page is shared with Group A while the other is shared with Group B, the parent page or space must be shared with both Group A and Group B.
Check the Base DN in WAS admin console
The trace shows the groups that the user belongs to differently than the group that the space or page is shared with.
For example, the user belongs to the group:
The page or space is shared to the group:
Notice that in the first case the baseDN uses upper case, while in the second case it uses lower case. Since these do not match, the group share will fail. Users that are members of the group will not be able to see the space or page.
To fix this:
Undo the shares for the space or page.
Log into the WAS console and go to Global security > Standalone LDAP registry.
Set the baseDN to match exactly the baseDN for the groups the user belongs to as seen in the trace.
Restart the WebSphere Application Server in order to pick up the baseDN change.
Redo the shares.
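The following check is an added example, not code from the original page or from IBM. It compares the group DNs the trace reports for a user with the group DNs a space or page is shared with, and flags shares that differ only by case, which is the baseDN mismatch described above. The DNs are constructed sample values and the function names are hypothetical.

```python
import re

# Constructed sample DNs (not from the original page): group DNs the trace
# reports for the user, and group DNs the space or page is shared with.
MEMBER_DNS = [
    "cn=GroupA,ou=Groups,DC=EXAMPLE,DC=COM",
    "cn=GroupB,ou=Groups,DC=EXAMPLE,DC=COM",
]
SHARE_DNS = [
    "cn=GroupA,ou=Groups,dc=example,dc=com",
    "cn=GroupB,ou=Groups,DC=EXAMPLE,DC=COM",
    "cn=GroupC,ou=Groups,dc=example,dc=com",
]

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]

def classify(member_dn, share_dn):
    """Return 'exact', 'case-only' or 'different' for a pair of DNs."""
    a, b = split_rdns(member_dn), split_rdns(share_dn)
    if a == b:
        return "exact"
    if [r.lower() for r in a] == [r.lower() for r in b]:
        return "case-only"
    return "different"

def audit(member_dns, share_dns):
    """For each share DN return (share_dn, status, rdn_pairs_differing_in_case)."""
    findings = []
    for share in share_dns:
        status, pairs = "no-match", []
        for member in member_dns:
            kind = classify(member, share)
            if kind == "exact":
                status, pairs = "exact", []
                break
            if kind == "case-only" and status == "no-match":
                status = "case-only"
                pairs = [(m, s) for m, s in
                         zip(split_rdns(member), split_rdns(share)) if m != s]
        findings.append((share, status, pairs))
    return findings

if __name__ == "__main__":
    for share, status, pairs in audit(MEMBER_DNS, SHARE_DNS):
        print(f"{status:10} {share} {pairs}")
```

A share reported as case-only is one that will fail until the baseDN is corrected and the share is redone; no-match means the user is not in that group at all.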
Why isn't the space owner being displayed?
In general this is caused when the system can no longer find the owner. There are many possible reasons for this.
Verify the user is still present in the user repository (usually LDAP)
Verify the owner listed in the Mashups DB matches the owner in the user repository
Sometimes this problem is introduced when the user repository is switched from Standalone to Federated or the other way around. The user ids are stored in the DB with a different format in each case, so the entry in the DB may have been created with one format while the current user id is in a different format.
If you've recently installed ifix 3 for Business Space you may need to make a config change
Check the logs for this error:
[3/27/13 12:28:09:796 PDT] 00000027 StandardSecur 2 Provided users seems to be a group, returning null
This indicates that you will need to add a groupDnSearchFilter.
We send WebSphere a search request looking for a user name as a group. We do this in order to determine if it is a group or a user. The problem is that WebSphere is using the wrong filter here and so finds everything. We expect this particular search to come back empty since a user is not a group. The way to resolve this can be found here: http://www-01.ibm.com/support/docview.wss?uid=swg1PK51257
A custom LDAP filter needs to be put in. For example, let's say the security.xml shows this value for the group: groupFilter="(&(cn=%v)(objectcategory=group))"
The same objectclass or category for a group that is used in the LDAP should be used in the groupDnSearchFilter. This can be set up in the WebSphere Integrated Console: Global security > Standalone LDAP registry > custom properties. Create a new property.
The value for the groupDnSearchFilter will always be the objectclass or category from the groupFilter.
User and Group search results are not correct
This can happen when the LDAP user and group repository is very large and the search takes longer than the Mashups timeout.
Increase the timeout value
Add this property to ConfigServices.properties
Decrease the size of the repository
If the repository uses nested groups, consider not using nested groups if possible.
Modify the search scope
Instead of connecting to the parent domain, change the configuration to connect to just the required child domains. Switch to using the AD Global Groups (instead of the Universal Groups) in the Business Space application.
Group Shares are missing from space manager
The symptoms of this problem are that members of a group can access shared spaces and pages, but when reviewing the shares in the space manager, the groups are missing.
Troubleshooting this issue
Collect an export of the Mashups DB and review the shares. Compare the groups listed in the database to the groups listed in the repository.
This issue can happen when the DB contains shares for groups that have been removed from LDAP. A fix was created for Mashups 2.0 to prevent missing groups from causing this issue.
Members of the group can access the space. However, they cannot see these groups in the space manager. The space manager shows no groups despite the database having information about being shared.