LDAP authentication with IBM Security Directory Server

Started by Phenix, 31 Mar 2016 09:21:38 AM


Phenix

Hi all,

I am new to Cognos and LDAP, but I have the task to configure Cognos for Single Sign-On (SSO). My environment looks as follows:

Server A
----------
WebSphere Application Server (newest version)
     Application tier Components
IBM HTTP Server


Server B
----------
WebSphere Application Server (newest version)
    Content Manager Components


Servers C D E F
-----------
Multiple databases for Content Store etc.



As a first step, I wanted to configure Cognos for LDAP authentication. I have one IBM Security Directory Service up and running.


Can you tell me what steps I have to perform in order to get it working?

I tried the following approach, but with no luck:

On Server B I added a new authentication namespace (IBM Tivoli LDAP) and configured it as follows:


(see image attached)

For the rest, I kept the defaults.

On Cognos Namespace I set "Allow anonymous access?" to false.

I deployed that to WebSphere and restarted it.
When I try to log in to Cognos, I get the following message:

Quote
java.lang.RuntimeException: Expected a single account object
java.lang.RuntimeException: Expected a single account object
at com.ibm.cognos.camaaa.internal.admin.handler.ExtractUserAccountInfo.handleInboundRequest(ExtractUserAccountInfo.java:35)
at com.ibm.cognos.camaaa.internal.common.handler.DefaultHandler.handleMessage(DefaultHandler.java:72)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerWrapper.handleMessage(HandlerWrapper.java:172)
at com.ibm.cognos.camaaa.internal.auth.handler.AuthHandlerChain.invokeHandlersForward(AuthHandlerChain.java:79)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerChain.handleMessage(HandlerChain.java:180)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerWrapper.handleMessage(HandlerWrapper.java:172)
at com.ibm.cognos.camaaa.internal.auth.handler.AuthHandlerChain.invokeHandlersForward(AuthHandlerChain.java:79)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerChain.handleMessage(HandlerChain.java:180)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerWrapper.handleMessage(HandlerWrapper.java:172)
at com.ibm.cognos.camaaa.internal.auth.handler.AuthHandlerChain.invokeHandlersForward(AuthHandlerChain.java:79)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerChain.handleMessage(HandlerChain.java:180)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerWrapper.handleMessage(HandlerWrapper.java:172)
at com.ibm.cognos.camaaa.internal.auth.handler.AuthHandlerChain.invokeHandlersForward(AuthHandlerChain.java:79)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerChain.handleMessage(HandlerChain.java:180)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerWrapper.handleMessage(HandlerWrapper.java:172)
at com.ibm.cognos.camaaa.internal.auth.handler.AuthHandlerChain.invokeHandlersForward(AuthHandlerChain.java:79)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerChain.handleMessage(HandlerChain.java:180)
at com.ibm.cognos.camaaa.internal.common.handler.HandlerWrapper.handleMessage(HandlerWrapper.java:172)

In the audit.log on the Security Directory Server I get the following output:

Quote
AuditV3--2016-03-31T09:42:49.218000-4:00--V3 Search--bindDN: cn=root--client: <MYIP>:51889--connectionID: 3968--received: 2016-03-31T09:42:49.217000-4:00--Success
base: uid=contentengine,cn=testrealm,dc=sbt
scope: baseObject
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
attributes: uid
numberOfEntriesReturned: 1
AuditV3--2016-03-31T09:42:49.218000-4:00--V3 Bind--bindDN: uid=contentengine,cn=testrealm,dc=sbt--client: <MYIP>:54705--connectionID: 3970--received: 2016-03-31T09:42:49.218000-4:00--Success
name: uid=contentengine,cn=testrealm,dc=sbt
authenticationChoice: simple
AuditV3--2016-03-31T09:42:49.219000-4:00--V3 Search--bindDN: uid=contentengine,cn=testrealm,dc=sbt--client: <MYIP>:54705--connectionID: 3970--received: 2016-03-31T09:42:49.219000-4:00--Success
base: uid=contentengine,cn=testrealm,dc=sbt
scope: baseObject
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
attributes: 1.1
numberOfEntriesReturned: 1
AuditV3--2016-03-31T09:42:49.219000-4:00--V3 Unbind--bindDN: uid=contentengine,cn=testrealm,dc=sbt--client: <MYIP>:54193--connectionID: 3969--received: 2016-03-31T09:42:49.219000-4:00--Success
AuditV3--2016-03-31T09:42:49.219000-4:00--V3 Search--bindDN: uid=contentengine,cn=testrealm,dc=sbt--client: <MYIP>:54705--connectionID: 3970--received: 2016-03-31T09:42:49.219000-4:00--Success
base: dc=sbt
scope: wholeSubtree
derefAliases: neverDerefAliases
typesOnly: false
filter: (&(objectclass=GROUPOFNAMES)(member=UID=CONTENTENGINE,CN=TESTREALM,DC=SBT))
attributes: uid
numberOfEntriesReturned: 1
AuditV3--2016-03-31T09:42:49.223000-4:00--V3 Search--bindDN: uid=contentengine,cn=testrealm,dc=sbt--client: <MYIP>:54705--connectionID: 3970--received: 2016-03-31T09:42:49.223000-4:00--Success
base: uid=contentengine,cn=testrealm,dc=sbt
scope: baseObject
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
attributes: cn, uid
numberOfEntriesReturned: 1
AuditV3--2016-03-31T09:42:49.223000-4:00--V3 Search--bindDN: uid=contentengine,cn=testrealm,dc=sbt--client: <MYIP>:54705--connectionID: 3970--received: 2016-03-31T09:42:49.223000-4:00--Success
base: cn=testrealm,dc=sbt
scope: baseObject
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
attributes: uid
numberOfEntriesReturned: 1

In the documentation, it is said that I have to log in to WebSphere and map a security role to a user. But the mentioned menu entry is not present. Can this cause this issue?

Does anyone know why so many requests are sent?
What did I do wrong or miss?
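
The audit.log excerpt in the post interleaves records from several connections. As an added example (not part of the original post and not IBM tooling), the following Python script parses the AuditV3 layout shown there and groups the operations by connectionID, so the bind and search sequence can be read one connection at a time. The sample lines are constructed from the post's layout, with 192.0.2.10 standing in for the redacted client address; the function names are hypothetical.

```python
import re
from collections import defaultdict

HEADER = re.compile(
    r"^AuditV3--(?P<time>.+?)--V3 (?P<op>\w+)--bindDN: (?P<bind_dn>.*?)"
    r"--client: (?P<client>.*?)--connectionID: (?P<conn>\d+)"
    r"--received: (?P<received>.+?)--(?P<result>.+)$"
)

# Constructed sample in the layout of the audit.log excerpt above;
# 192.0.2.10 is a documentation address standing in for <MYIP>.
SAMPLE = "\n".join([
    "AuditV3--2016-03-31T09:42:49.218000-4:00--V3 Search--bindDN: cn=root--client: 192.0.2.10:51889--connectionID: 3968--received: 2016-03-31T09:42:49.217000-4:00--Success",
    "base: uid=contentengine,cn=testrealm,dc=sbt",
    "scope: baseObject",
    "filter: (objectclass=*)",
    "AuditV3--2016-03-31T09:42:49.218000-4:00--V3 Bind--bindDN: uid=contentengine,cn=testrealm,dc=sbt--client: 192.0.2.10:54705--connectionID: 3970--received: 2016-03-31T09:42:49.218000-4:00--Success",
    "name: uid=contentengine,cn=testrealm,dc=sbt",
    "authenticationChoice: simple",
    "AuditV3--2016-03-31T09:42:49.219000-4:00--V3 Search--bindDN: uid=contentengine,cn=testrealm,dc=sbt--client: 192.0.2.10:54705--connectionID: 3970--received: 2016-03-31T09:42:49.219000-4:00--Success",
    "base: dc=sbt",
    "scope: wholeSubtree",
    "filter: (&(objectclass=GROUPOFNAMES)(member=UID=CONTENTENGINE,CN=TESTREALM,DC=SBT))",
    "numberOfEntriesReturned: 1",
])

def parse_audit(text):
    """Return one dict per AuditV3 record: header fields plus its detail lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append(m.groupdict())
        elif records and ": " in line:
            # Detail lines ("base: ...", "scope: ...") belong to the last header.
            key, _, value = line.strip().partition(": ")
            records[-1][key] = value
    return records

def by_connection(records):
    """Group (op, bindDN, target, scope, filter) tuples by connectionID, in log order."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["conn"]].append((r["op"], r["bind_dn"],
            r.get("base") or r.get("name"), r.get("scope"), r.get("filter")))
    return dict(grouped)

if __name__ == "__main__":
    for conn, ops in by_connection(parse_audit(SAMPLE)).items():
        print(f"connection {conn}:", *ops, sep="\n  ")
```
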