
Keywords

500 internal server error
Error []

Problem

When using an LDAP user store with DTR, access to DTR may fail with an Internal Server Error.

Description

The SAP-J2EE engine on which DTR is running is configured to use an LDAP-based user store.

In LDAP-based user stores it is possible to have multiple groups with the same name. Such groups could be in different domains, for example.

If the user store configured for the SAP-J2EE engine does indeed have multiple groups with the same name, then the logon into DTR may fail with an internal server error.

Solution

There are 3 different solutions to this problem.

Solution 1

Open Visual Administrator.
Choose Services.
Choose UME Provider.
Set "ume.ldap.unique_grup_attribute" to 'uid'.

Restart the system.
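To see which attribute actually distinguishes the groups in a directory before changing the setting, the following added example (not part of the original article and not SAP tooling) parses an LDIF export of the group entries and reports attribute values shared by more than one group. The LDIF sample, its domains and its uid values are constructed, the presence of a uid attribute on group entries is an assumption, and parse_ldif and duplicate_values are hypothetical helper names.

```python
import base64
from collections import defaultdict

# Constructed sample: LDIF export of group entries from two domains.
SAMPLE_LDIF = """\
dn: cn=NWDI.Administrators,ou=groups,dc=emea,dc=example,dc=com
cn: NWDI.Administrators
uid: emea-nwdi-admins

dn: cn=NWDI.Administrators,ou=groups,dc=apac,
 dc=example,dc=com
cn: NWDI.Administrators
uid: apac-nwdi-admins

dn: cn=NWDI.Developers,ou=groups,dc=emea,dc=example,dc=com
cn:: TldESS5EZXZlbG9wZXJz
uid: emea-nwdi-devs
"""

def parse_ldif(text):
    """Return one dict per entry: lower-cased attribute name -> list of values."""
    # A line starting with a single space continues the previous line.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in text.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.strip().lower()].append(value.strip())
        if "dn" in entry:  # skips the "version: 1" header block
            entries.append(entry)
    return entries

def duplicate_values(entries, attribute):
    """Map each value of `attribute` used by more than one group to their DNs."""
    seen = defaultdict(list)
    for entry in entries:
        for value in entry.get(attribute.lower(), []):
            seen[value.lower()].append(entry["dn"][0])  # case-insensitive match
    return {value: dns for value, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    for attr in ("cn", "uid"):
        dups = duplicate_values(groups, attr)
        print(attr, "is NOT unique:" if dups else "is unique", dups or "")
```

An attribute for which the result is empty is unique across the exported groups; in the constructed sample cn collides across the two domains while uid does not.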

 

Solution 2

Check whether you have duplicated users.
Users may exist in LDAP and also be duplicated in the UME, which leads to a conflict.

Go to http://host:port/dtr

Navigate to all the ACL files at
http://host:port/dtr/ws/system/config/active/ACLs/byPath

There are 4 ACLs:
- in http://host:port/dtr/ws/system/config/active/ACLs/byPath
- in /ws/system../
- in sysconfig/
- in /system-tools/admin/..

Change the ACL.xml files as follows:

- Click on the edit icon.
- Create an activity and check out.
- For each UME group in each ACL file, e.g. NWDI.Administrators, copy the ACE block and paste it again, changing only the principal field to its unique name, e.g. GRUP.PRIVATE_DATASOURCE.un:NWDI.Administrators.

LDAP integration works with these unique names and not their human-friendly versions.

You can obtain these unique group names by using the identity management and looking at the general details of a given group in nwa.

Delete any LDAP-related groups which you may find in these ACLs.

Add #com.tssap.dtr.server.deltav.security.um.useGroupUniqueID=true to repository.properties at
http://host:port/dtr/ws/system/config/active/registry using the same checkout-and-edit method.

Ensure you have both a UME user, e.g. Administrator, and an LDAP user with full admin rights, in case either is no longer functioning correctly.

Solution 3

Follow the instructions in note 774339 and look at the error traces on the J2EE engine using the Visual Administrator tool or the web-based SAP NetWeaver Administrator (http://<host>:<port>/nwa).

Check if there are any messages with text that looks like:
"Group found, but unique name "<some group name>" is not unique!"

The actual text for <some group name> depends on the user store.

If such a message is found, check whether you have followed the instructions specified in the DTR Administration document:
http://help.sap.com/saphelp_nw70/helpdata/en/20/f4a94076b63713e10000000a155106/frameset.htm

Further Instructions:

1. The documentation in the help portal mentioned above requires you to change an application property in DTR. Refer to note 1001509 on how to change a property in DTR.

2. Changing an application property in DTR requires you to log on to DTR. However, since the logon is failing for the reasons described in this note, you will have to log on with a different set of logon credentials to change the property. There are two options:

a. You can log on as a different user who is not part of the conflicting groups.

b. You can activate the 'emergency user account' built into DTR, log on with the emergency user account and change the property.

The instructions to activate the emergency user account are available in the help portal at the following locations:

 

Release 70X (NW04s):

Under the development manual at: "Working with the Development Infrastructure / Administration of the Development Infrastructure / Configuring the NWDI User Management /User Authentication and User Authorization in the DTR / User Management Steps After Installation / Granting Initial Privileges"
Or directly under https://help.sap.com/saphelp_nw70ehp3/helpdata/de/49/2a8f295c801904e10000000a42189c/content.htm
