External users in Connections, multiple LDAPs when using Domino root

Originally posted over on the Cube Soft Blog

As mentioned in our presentation at EngageUG, we came across a problem when adding multiple LDAP repositories in WebSphere.

The scenario: a Domino customer, who uses the root Domino domain, had a requirement for a second LDAP repository in Connections to manage external users. They are a global company and, via directory assistance, grab the users that need access to Connections but have no control over the records themselves. The plan was to have a 2nd Domino domain for external users that the admins could manage independently of the main directory / domain.

We hit a problem: when using the Domino root, it does all sorts of *fun* things inside WebSphere to overwrite any 2nd LDAP or additional base realm entries. After much testing with Domino and AD as a 2nd LDAP, none of the known workarounds resolved the issue, so we opened a PMR.

As it turns out the answer was pretty simple:

Set your Domino root LDAP up as you normally would, but when you get to the point of adding the unique base entry to the realm, add a name, e.g. o=dominoRoot (it doesn't matter what this is as long as it's o= something).

Tick the box to use a different distinguished name and leave the 2nd box blank.
*EDIT* – you may need to add double quotes to provide a blank, i.e. "" – we will remove this in the next step.

Save the config.

Next we need to edit the wimconfig to remove the offending entry that causes WebSphere to get confused.

The wimconfig can be found in <WAS_HOME>/profiles/Dmgr01/config/cells/<CELL_NAME>/wim/config

Find the entry relating to the new Domino root entry and remove the duplicate base entry:

<wimconfig.xml>--------------------------------------------
<config:baseEntries name=""/>
<config:baseEntries name="o=dominoldap" nameInRepository=""/>
</wimconfig.xml>--------------------------------------------

Remove the line:
<config:baseEntries name=""/>

Save and close the file, then restart the deployment manager and Connections nodes.

Once restarted the Domino root users and groups are still accessible inside WAS / Connections and it is now possible to add a second LDAP base entry correctly.

In the case of this particular customer we have added an External users AD, but another domino domain directory or any other supported LDAP should also work perfectly 🙂
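One way to script the wimconfig.xml clean-up described above, as an added example (not from the original post or from IBM). It removes only a baseEntries line whose name is empty and which carries no other attribute, and keeps a .bak copy of the file first. The sample fragment, its id attribute and the function names are constructed for illustration; run it with a regular Python 3, not wsadmin.

```python
import re
import shutil
from pathlib import Path

# Matches a baseEntries element with an empty name and no other attribute,
# e.g. <config:baseEntries name=""/>. Entries that also carry
# nameInRepository are left untouched.
EMPTY_BASE_ENTRY = re.compile(r'^\s*<config:baseEntries\s+name=""\s*/>\s*$')


def remove_empty_base_entries(text):
    """Return (new_text, removed_lines) with the empty-name lines dropped."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        (removed if EMPTY_BASE_ENTRY.match(line) else kept).append(line)
    return "".join(kept), removed


def clean_wimconfig(path):
    """Back up wimconfig.xml, rewrite it without the empty base entry.

    Returns the number of lines removed; the file is untouched when it is 0.
    """
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    cleaned, removed = remove_empty_base_entries(original)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(cleaned, encoding="utf-8")
    return len(removed)


# Constructed sample fragment, modelled on the two lines shown in the post.
SAMPLE = '''<config:repositories id="dominoldap">
  <config:baseEntries name=""/>
  <config:baseEntries name="o=dominoldap" nameInRepository=""/>
</config:repositories>
'''

if __name__ == "__main__":
    cleaned, removed = remove_empty_base_entries(SAMPLE)
    print("removed:", [line.strip() for line in removed])
    print(cleaned, end="")
```

Point clean_wimconfig at the wimconfig.xml under the deployment manager profile with the servers stopped, then restart as described above.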

Do you monitor your Connections environment?

Having been to a few user groups lately and seen all the great monitoring tools for Domino, I am interested in what people use to monitor Connections.

The WebSphere piece of Connections can put a lot of people off, and I am wondering: if something was available, would you use it?

  • If you do monitor, what do you use?
  • If something was available with a *dashboard* would you use it?
  • What features would you like in a monitoring app?
  • Would you be interested in something bundled in Nagios etc.?

I have created a quick survey which should only take you 2 mins to fill in. If you can spare the time to fill it in I would be most grateful.

You can use the survey below or head to the link here: https://www.surveymonkey.com/s/NZBDNW6

Fun and games with Community widgets

Last night we managed to close a PMR that had been open for a few weeks on a strange issue with Community Widgets.

After remapping the Connections admin user everything worked exactly as expected except for 2 tiny issues – adding the blogs and surveys widgets inside a community threw a nasty error.


Thanks to Justin Cornell in IBM support we managed to get to the bottom of the issue by remapping the widgets admin user even though it was mapped correctly.

Jump over to the Cube Soft Blog –  Fun and games with Community Widgets for the full diagnosis and resolution.

Fun and Games – O yes 🙂

Help shape connections search

If you are interested in helping IBM shape the search application inside Connections there is a survey that you can participate in.

This is a short survey to better understand attitudes and behaviours around search and how users – well – use it 🙂

You can find the search survey here

Fill it in and you will make a Connections product manager very happy 🙂

Odd issue with Connections Mail

I have been looking to implement Connections Mail for a while for one of my customers. After finally sorting out some SSO issues we had been seeing, I was ready to deploy into their DEV/TEST environment. No problem, I thought – Connections Mail is a very simple install: a couple of config files and a quick wsadmin command to get the help to work.

Once I had deployed I was seeing the strangest issue:

Contact your system administrator:
Missing element with class="os-site-mail-notify"

After spending a few hours trying to work out what the issue was, sanity checking myself in the Connections skype chat and much google-ing – I threw in the towel and opened a PMR. I did my usual of explaining the situation, listing OS and level, Connections versions and fixes etc and sending in a screen shot, Log files and the Connections mail config file – a couple of hours later I had a response.

It appears that something changed between V4 and V4.5 of Connections. I had customisations brought over from V4 and had copied the header.jsp, as at first glance it looked like there were no changes between 4 and 4.5.

In version 4.5 the span for the mail notify icons is:
--%><span class="os-site-mail-notify"></span><%--

Previously it was:
--%><span id="os-site-mail-notify"></span><%--

Changing this span from id to class resolved my issue.

So the moral of the story is: even if you think nothing has changed, it most likely has.

Big thanks to Jonathan P. Dormady Staff Software Engineer in Connections Support for finding me a solution so quickly

 

Speaking at Connect 2014 what an honor

It is an honor and a privilege to have been chosen with my friend and community peer Christoph Stoettner to speak at this year's Connect / Lotusphere conference.

This will be the 4th Connect / Lotusphere I have attended but the first at which I have presented a full session – in previous years I have helped run a BOF and have spoken at speedgeeking.

We will be speaking in the Best Practices track, sharing our admin and scripting tips and tricks to help make a Connections Admin’s day a little easier 🙂

The full article can be found here on the IBM social insights blog

See you in Orlando 🙂

mod_deflate compressing your Connections pages before they hit the client

I have also posted this over on the Cube Soft Blog
The Apache v2 module mod_deflate is extremely handy if you are serving IBM Connections to remote locations with little bandwidth. Some of the Connections pages have large CSS or JavaScript files that are required for them to function correctly, but for countries that have a poor connection to the remote server this causes slow page load times and sometimes timeouts.

So mod_deflate to the rescue ..

Open your httpd.conf file and ensure that the mod_deflate line is uncommented:

LoadModule deflate_module modules/mod_deflate.so

Just before section 3 for virtual hosts, add the following:

## set deflate

SetOutputFilter DEFLATE
# Netscape 4.x has some problems…
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won’t work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Don't compress already-compressed files
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:avi|mov|mp3|mp4|rm|flv|swf|mp?g)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
DeflateCompressionLevel 9

### Section 3: Virtual Hosts

Note – I have the DeflateCompressionLevel set to 9, which is the highest level of compression. Depending on the load and size of your HTTP server this may use a lot of CPU time, so it may need to be monitored and tuned for your specific server.

Inside the virtual host for the secure Connections server add the same deflate directive (see example below)


ServerName yourservername.com
SSLEnable
Include "/opt/IBM/HTTPServer/conf/rewrite.conf"
Header set Access-Control-Allow-Origin "*"
## set deflate

SetOutputFilter DEFLATE
# Netscape 4.x has some problems…
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won’t work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Don't compress already-compressed files
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:avi|mov|mp3|mp4|rm|flv|swf|mp?g)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
DeflateCompressionLevel 9

Restart the HTTP server and the deflate module will be active.

You can test the compression by visiting http://www.whatsmyip.org/http_compression/ and entering the URL of a Connections page.

For instance, I tested the profiles page of a customer's server that has mod_deflate enabled and the compression was a massive 67.4%

Original Size: 7.27 KB
Compressed Size: 2.37 KB
Data Savings: 67.4%

So all in all if you have sites that are in bandwidth starved places – mod_deflate is worth taking a look at.

ConnCtrl bash script for IBM Connections

I have also blogged this over on the Cube Soft company blog. With my good friend Mr Tim Clark (http://twitter.com/TimsterC) we have created a script for starting and stopping IBM Connections on Red Hat (RHEL).

 

The script has a bunch of variables to allow you to input the path to the WebSphere deployment manager and nodes, and a place to enter the names of your Connections servers.

Please visit Tim’s blog for all the information and to download the script.

Connections 4.0 cr issues when you have a shared data folder not on the WAS server

We have spotted a lovely issue with patching Connections 4 to CR2 and above when using a <connections path>/data/shared folder on anything other than a single WAS node.

For example, in a standard one-node Connections install the <connections path>/data/shared folder is on the same machine as the Connections instance; in a multi-node instance the shared data folder is normally on a SAN / network share.

In my instance the shared data was on a RHEL NFS share that was mapped to the node machines as a filesystem. We had seen no issue with this at all until we attempted to update the Connections 4.0 instance to CR4. The CR4 updates installed correctly, but on starting the Connections servers up, the news feed and a lot of the widget data were not displaying correctly, throwing a JavaScript error! I was stumped. I had seen this before: this particular instance is owned and run by a non-root user, and when the instances are started as root the permissions are not set correctly and it throws an error.

This was not the case here. The non root user owned all the files and had started the Connections servers, so it should work. There appeared to be no obvious errors in the SystemOut logs for the servers.

Flummoxed by this, I rolled the patches off and, back at Connections 4.0, restarted the servers and it worked correctly.

Convinced there might be an issue in CR4, I decided to attempt CR2, so later on in the week I had another attempt at patching. Stuart was also doing some maintenance on another customer machine at the same time so we worked through it together. Once the CR2 patches were installed correctly we saw the same issue. With Stuart checking the errors thrown and me checking the logs and a Fiddler trace, we managed to deduce that when the fix packs were being applied, the wrong webresources directory was being updated.

Under <connections path>/data/shared/provision/webresources on the local machine, all the files had been updated with the new fix pack files, NOT the actual shared data folder on the network share. The WebSphere variable for the instance has the correct folder mapped and all the other files from the /data/shared folder are being served correctly.

The quick resolution to this was to delete all the files under the networked share folder /provision/webresources and copy the files from the local machine /data/shared/provision/webresources – restart the servers and as if by magic it works.

IBM have acknowledged that this is an issue and hopefully we won't see it again, but IF you see something similar and you have a shared folder that is not on your Connections machine, check to ensure the correct set of files has been updated.
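The check suggested above can be automated by hashing both copies of provision/webresources and listing what differs. This is an added example, not part of the original post or of any IBM tooling; the function names and the bundle file names in the sample are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_webresources(local_dir, shared_dir):
    """Compare the local webresources copy with the one on the network share."""
    local, shared = digest_tree(local_dir), digest_tree(shared_dir)
    common = set(local) & set(shared)
    return {
        "only_local": sorted(set(local) - set(shared)),
        "only_shared": sorted(set(shared) - set(local)),
        "different": sorted(f for f in common if local[f] != shared[f]),
    }


def build_demo(base):
    """Constructed sample: the local copy was patched, the share was not."""
    local = Path(base) / "local" / "provision" / "webresources"
    shared = Path(base) / "share" / "provision" / "webresources"
    for d in (local, shared):
        d.mkdir(parents=True)
    (local / "bundle_a.jar").write_bytes(b"CR2 build")   # updated by fix pack
    (shared / "bundle_a.jar").write_bytes(b"4.0 build")  # stale on the share
    (local / "bundle_b.jar").write_bytes(b"new in CR2")  # missing on the share
    (local / "bundle_c.jar").write_bytes(b"unchanged")
    (shared / "bundle_c.jar").write_bytes(b"unchanged")
    return local, shared


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = compare_webresources(*build_demo(tmp))
        for kind, files in report.items():
            print(f"{kind}: {files}")
```

Any entry under only_local or different after a fix pack install means the update landed on the local disk rather than on the share.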

Yet another one of those *fun* fixes – hope it helps someone else save some pain

Connections 4.x search – well that was a weird problem

If you have migrated or moved an IBM Connections instance from 3.0.1 > 4.x (either 4.0 or 4.5) or moved data between 4.x servers you may have noticed a weird issue with searching, especially around communities.

The reason I have been a bit quiet on the blog of late is because I am working on a few Connections projects many of which have involved migrating data between test and live servers or replicating data between servers. I have come across a few issues relating to search so I thought I would share them to save you guys the pain.

Everyone knows when you migrate or move data between servers you should clear the scheduled tasks and rebuild the search indexes – but in V4.x a new set of search data came in for Community searching – the catalog.

When the search task runs it collects a bunch of information about communities for the lists you see under the My Communities tab and Public Communities – it collects this in the catalog.

The issue I was seeing was that all historical data regarding Community membership and Public communities was not being shown, and that is because of the catalog.

There are a couple of places that catalog data is stored and you can check this by looking up the WebSphere variables :

CATALOG_INDEX_DIR
CATALOG_REPLICATION_DIR

Typically CATALOG_INDEX_DIR is stored in <Connections install>/data/local/catalog/index

and CATALOG_REPLICATION_DIR is stored in <Connections install>/data/shared/catalog/indexReplication

There is also a temporary folder in your OS tmp directory called indexCreationDir; on most Linux systems it is /tmp/indexCreationDir

When you run your data migration, delete the search index under <Connections install>/data/local/search (I normally rename the index folder to #index).

Also rename or remove the Places folder under <Connections install>/data/local/catalog/index/ and <Connections install>/data/shared/catalog/indexReplication, and remove or rename /tmp/indexCreationDir.

Once you restart Connections, run an index now to rebuild the indexes, seedlist and the catalog data, and your search will function as expected.

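For example:

# Run inside wsadmin (Jython): load the search admin commands
execfile("searchAdmin.py")

# Queue an immediate index of the listed applications
SearchService.indexNow("activities, blogs, calendar, communities, dogear, files, forums, profiles, status_updates, wikis")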

 

I am sure that our resident Community script guru (Mr Christoph Stoettner) could script clearing these, but for now it's a manual process – hope this will save you some headaches on upgrades and migrations 🙂
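A sketch of scripting the manual clean-up above, as an added example that is not from the original post or from Christoph Stoettner. It renames the folders instead of deleting them, and defaults to a dry run. It assumes the Connections servers are stopped and that the folders sit in the typical locations quoted above (check CATALOG_INDEX_DIR and CATALOG_REPLICATION_DIR on your system); the function names and the .old-<stamp> suffix are constructed. Run it with a regular Python 3, not wsadmin.

```python
import tempfile
import time
from pathlib import Path


def stale_index_dirs(data_dir, tmp_dir="/tmp"):
    """Folders the post says to clear, using its typical default locations."""
    data = Path(data_dir)
    return [
        data / "local" / "search" / "index",
        data / "local" / "catalog" / "index" / "Places",
        data / "shared" / "catalog" / "indexReplication" / "Places",
        Path(tmp_dir) / "indexCreationDir",
    ]


def set_aside(data_dir, tmp_dir="/tmp", stamp=None, dry_run=True):
    """Rename each existing folder to <name>.old-<stamp>; return (src, dst) pairs."""
    stamp = stamp or time.strftime("%Y%m%d%H%M%S")
    moves = []
    for src in stale_index_dirs(data_dir, tmp_dir):
        if not src.is_dir():
            continue  # already cleared, or never created on this node
        dst = src.with_name(f"{src.name}.old-{stamp}")
        if dst.exists():
            raise FileExistsError(f"refusing to overwrite {dst}")
        if not dry_run:
            src.rename(dst)
        moves.append((src, dst))
    return moves


def build_sample_tree(base):
    """Constructed directory tree standing in for a Connections data folder."""
    data, tmp = Path(base) / "data", Path(base) / "tmp"
    for d in stale_index_dirs(data, tmp)[:3]:  # leave indexCreationDir absent
        d.mkdir(parents=True)
    tmp.mkdir()
    return data, tmp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        data, tmp = build_sample_tree(base)
        for src, dst in set_aside(data, tmp, dry_run=False):
            print(f"{src} -> {dst.name}")
```

After the rename, restart Connections and run the indexNow command shown above to rebuild the indexes and catalog.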