javaeclipseldapwebsphere-libertyj-security-check

Migrate LDAP configurarions from Websphere to Liberty


I'm starting with a new maven web jsf application in local development. I have already a correctly configured Websphere 8.5 application server with correct configurations to use ldap. The new project will use Liberty instead traditional Websphere.

I set up what I think I need in Liberty's server.xml and application's web.xml

Liberty's server.xml:

<ldapRegistry
id="ldap"
realm="LdapRegistry"
ldapType="Microsoft Active Directory"
host="host-copy-pasted-from-websphere-configuration"
port="port-copy-pasted-from-websphere-configuration"
baseDN="baseDN-copy-pasted-from-websphere-configuration"
searchTimeout="120"
reuseConnection="true"
ignoreCase="true"
bindDN="bindDN-copy-pasted-from-websphere-configuration"
bindPassword="bindDN-known-password"
sslEnabled="false">
<activedFilters
    userFilter="userFilter-copy-pasted-from-websphere-configuration"
    groupFilter="groupFilter-copy-pasted-from-websphere-configuration"
    groupIdMap="groupIdMap-copy-pasted-from-websphere-configuration"
    userIdMap="userIdMap-copy-pasted-from-websphere-configuration"
    groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember"
    >
</activedFilters>

application's web.xml (most of configuration copy-pasted from old other applications):

<security-role>
    <role-name>AllAuthenticated</role-name>
</security-role>
<security-constraint>
    <display-name>AllAuthenticated</display-name>
    <web-resource-collection>
        <web-resource-name>AllAuthenticated</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AllAuthenticated</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>LdapRegistry</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>

my login.xhtml:

    ...
<form id="login-form" action="j_security_check" class="shadow mx-auto" method="post">
    ...
    <input type="text" id="j_username" name="j_username" class="form-control form-control-lg" required="required" autofocus="autofocus" />
    ...
    <input type="password" id="j_password" name="j_password" class="form-control" required="required" />
    ...

ibm-application-bnd.xml:

<application-bnd ...>
<security-role name="AllAuthenticated">
    <special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>

I guess it's not far from good config because when I login with bad password I get console message "Ensure that both the principal name and the password are specified correctly. Ensure that the account is not locked and that the account is enabled."

When I type the right password the error message is not displayed, no message is displayed, anyway I'm redirected to error.xhtml page, and if I try to navigate to an application's page I'm redirected to login.xhtml

Be patient pls, I work on java just from few months...

What I can try? Since I have no error message to investigate...

EDIT

Using @J Van Hill instructions I added trace logging on the server.xml. What I find is that when I use right password I get in trace this entry:

[controls={com.ibm.wsspi.security.wim.model.LoginControl=
[countLimit=4501
returnSubType=true
searchLimit=0
timeLimit=0
]}
entities={com.ibm.wsspi.security.wim.model.LoginAccount=
[password=****
principalName=my-username
]}
validated=false
]

and after some rows this entry:

[entities={com.ibm.wsspi.security.wim.model.Entity=
[IdentifierType= {
    externalName=cn=my-username,ou=my-ou,o=my-o,c=my-c
    repositoryId=com.ibm.ws.security.registry.ldap.config[ldap]
    uniqueName=cn==my-username,ou=my-ou,o=my-o,c=my-c
}
]}
validated=false
]

I'm investigating on security roles... Any other point of view is appreciated.

EDIT 2

I'm analyzing better the trace. After some rows of above entries there are errors entries:

[13/04/20 19.39.59:317 CEST] 00000079 id=00000000 com.ibm.ws.security.registry.RegistryException               > <init> Entry  
                                                                                                                   null
                                                                                                                   java.lang.NullPointerException
        at com.ibm.ws.security.wim.adapter.ldap.LdapHelper.getOctetString(LdapHelper.java:66)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager.getExtIdFromAttributes(LdapConfigManager.java:2841)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:815)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:761)
        at com.ibm.ws.security.wim.adapter.ldap.LdapAdapter.get(LdapAdapter.java:342)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

    [13/04/20 19.39.59:318 CEST] 00000079 id=0e8ce458 com.ibm.ws.security.registry.RegistryException               < <init> Exit  
                                                                                                                   com.ibm.ws.security.registry.RegistryException
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:296)
        at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getSecurityName(ServerCommonLoginModule.java:113)
        at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:77)
        at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:51)
        at sun.reflect.GeneratedMethodAccessor1372.invoke(Unknown Source)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: java.lang.NullPointerException
        at com.ibm.ws.security.wim.adapter.ldap.LdapHelper.getOctetString(LdapHelper.java:66)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager.getExtIdFromAttributes(LdapConfigManager.java:2841)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:815)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:761)
        at com.ibm.ws.security.wim.adapter.ldap.LdapAdapter.get(LdapAdapter.java:342)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.security.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:263)
        at com.ibm.ws.security.wim.ProfileManager.get(ProfileManager.java:207)
        at com.ibm.ws.security.wim.VMMService.get(VMMService.java:208)
        at com.ibm.ws.security.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:182)
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:291)
        ... 49 more

    [13/04/20 19.39.59:344 CEST] 00000079 id=00000000 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: Ƞstato creato un incidente FFDC: "com.ibm.ws.security.registry.RegistryException com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule 107" in ffdc_20.04.13_19.39.59.0.log
    [13/04/20 19.39.59:402 CEST] 00000079 id=00000000 com.ibm.ws.security.authentication.AuthenticationException   > <init> Entry  
                                                                                                                   null
                                                                                                                   com.ibm.ws.security.registry.RegistryException
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:296)
        at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getSecurityName(ServerCommonLoginModule.java:113)
        at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:77)
        at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:51)
        at sun.reflect.GeneratedMethodAccessor1372.invoke(Unknown Source)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: java.lang.NullPointerException
        at com.ibm.ws.security.wim.adapter.ldap.LdapHelper.getOctetString(LdapHelper.java:66)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager.getExtIdFromAttributes(LdapConfigManager.java:2841)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:815)
        at com.ibm.ws.security.wim.adapter.ldap.LdapConnection.getEntityByIdentifier(LdapConnection.java:761)
        at com.ibm.ws.security.wim.adapter.ldap.LdapAdapter.get(LdapAdapter.java:342)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.security.wim.ProfileManager.genericProfileManagerMethod(ProfileManager.java:263)
        at com.ibm.ws.security.wim.ProfileManager.get(ProfileManager.java:207)
        at com.ibm.ws.security.wim.VMMService.get(VMMService.java:208)
        at com.ibm.ws.security.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:182)
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:291)
        ... 49 more

    [13/04/20 19.39.59:403 CEST] 00000079 id=5177825f com.ibm.ws.security.authentication.AuthenticationException   < <init> Exit  
                                                                                                                   com.ibm.ws.security.authentication.AuthenticationException
        at com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:109)
        at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:51)
        at sun.reflect.GeneratedMethodAccessor1372.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        .....
        .....
        .....
        .....
        .....
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1047)
        at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

EDIT 3

Some additional information from trace log (I had to cut some of previous edit's log because post can be max 30000 chars).

As requested here is exposed the JNDI_CALL entries in trace after login with right password before NPE.

...
...
...
[14/04/20 9.16.57:291 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapHelper              < printSearchControls Exit  
                                                                                                               [searchScope: 2, timeLimit: 120, countLimit: 4501, returningObjFlag: false, returningAttributes: [objectguid, objectClass, cn, principalname]]
[14/04/20 9.16.57:291 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL search(Name,String,SearchControls) [ldap://XXXXXXXXXXXXX:XXX] 
                                                                                                               o=MY-O,c=,MY-C
                                                                                                               (&(cn=MY-USERNAME)(objectclass=inetOrgPerson))
                                                                                                               [searchScope: 2, timeLimit: 120, countLimit: 4501, returningObjFlag: false, returningAttributes: [objectguid, objectClass, cn, principalname]]
[14/04/20 9.16.57:305 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL search(Name,String,SearchControls) [14 ms] 
                                                                                                               com.sun.jndi.ldap.LdapSearchEnumeration@20e0d246
[14/04/20 9.16.57:305 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          3 search(String, String, Object[], SearchControls) Received search results, looping through elements. May include referral chasing.
[14/04/20 9.16.57:306 CEST] 00000083 id=3a9c8114 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          > supportRangeAttributes Entry  
                                                                                                               {objectclass=objectClass: top, person, organizationalPerson, inetOrgPerson, XXXXXOrgPerson, mdfPerson, cn=cn: MY-USERNAME}
                                                                                                               o=MY-O,c=,MY-C
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
[14/04/20 9.16.57:307 CEST] 00000083 id=3a9c8114 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          < supportRangeAttributes Exit 
[14/04/20 9.16.57:307 CEST] 00000083 id=427f3b80 com.ibm.ws.security.wim.adapter.ldap.CachedNamingEnumeration > add Entry  
                                                                                                               cn=MY-USERNAME,ou=MY-OU: null:null:{objectclass=objectClass: top, person, organizationalPerson, inetOrgPerson, XXXXXOrgPerson, mdfPerson, cn=cn: MY-USERNAME}
[14/04/20 9.16.57:307 CEST] 00000083 id=427f3b80 com.ibm.ws.security.wim.adapter.ldap.CachedNamingEnumeration < add Exit 
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          3 search(String, String, Object[], SearchControls) Received search results, looped through elements. Num of elements retrieved: 1
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL getResponseControls() [ldap://XXXXXXXXXXXXX:XXX]
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL getResponseControls() [0 ms]
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL setRequestControls(Control[]) [ldap://XXXXXXXXXXXXX:XXX]
[14/04/20 9.16.57:307 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL setRequestControls(Control[]) [0 ms]
[14/04/20 9.16.57:307 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  > releaseDirContext Entry  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
...
...
...
[14/04/20 9.16.57:376 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  < createDirContext Exit  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@34fc1054{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848617, iPoolTimeStampSeconds=1586848617}
[14/04/20 9.16.57:376 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL close() [ldap://XXXXXXXXXXXXX:XXX]
[14/04/20 9.16.57:376 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL close() [0 ms]
[14/04/20 9.16.57:376 CEST] 00000083 id=5a992031 com.ibm.ws.security.wim.adapter.ldap.LdapAdapter             < authenticateWithPassword Exit 
...
...
...
[14/04/20 9.16.57:618 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  > checkPrimaryServer Entry  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
                                                                                                               ldap://XXXXXXXXXXXXX:XXX
                                                                                                               1586848618
[14/04/20 9.16.57:618 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  < checkPrimaryServer Exit  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
[14/04/20 9.16.57:618 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  3 getDirContext ContextPool: total=1, poolSize=0, currentTime=1586848618, createTime=1586848567
[14/04/20 9.16.57:618 CEST] 00000083 id=645bfd15 com.ibm.ws.security.wim.adapter.ldap.context.ContextManager  < getDirContext Exit  
                                                                                                               com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext@4d39fb26{iProviderURL=ldap://XXXXXXXXXXXXX:XXX, iCreateTimestampSeconds=1586848567, iPoolTimeStampSeconds=1586848567}
[14/04/20 9.16.57:618 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL search(String,String,SearchControls) [ldap://XXXXXXXXXXXXX:XXX] 
                                                                                                               cn=MY-USERNAME,ou=MY-OU,o=MY-O,c=MY-C
                                                                                                               objectclass=*
                                                                                                               javax.naming.directory.SearchControls@562c6943
[14/04/20 9.16.57:621 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.context.TimedDirContext 3 JNDI_CALL search(String,String,SearchControls) [3 ms] 
                                                                                                               com.sun.jndi.ldap.LdapSearchEnumeration@61d24608
[14/04/20 9.16.57:621 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapHelper              > prepareDN Entry  
                                                                                                               cn=-MY-USERNAME,ou=MY-OU,o=MY-O,c=MY-C
                                                                                                               null
[14/04/20 9.16.57:621 CEST] 00000083 id=00000000 com.ibm.ws.security.wim.adapter.ldap.LdapHelper              > unescapeDoubleBackslash Entry  
                                                                                                               cn=MY-USERNAME,ou=MY-OU,o=MY-O,c=MY-C
...
...
...

And this is LdapConfigManager's method getExtIdFromAttributes(...) immediately prior to the NPE

...
...
...
[14/04/20 9.16.57:647 CEST] 00000083 id=3a9c8114 com.ibm.ws.security.wim.adapter.ldap.LdapConnection          < getUniqueName Exit  
                                                                                                               cn=MY-USERNAME,ou=MY-USERNAME,o=MY-O,c=MY-C
                                                                                                               [14/04/20 9.16.57:647 CEST] 00000083 id=6bbc56a3 com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager       > getExtIdFromAttributes Entry  
                                                                                                               cn=MY-USERNAME,ou=MY-USERNAME,o=MY-O,c=MY-C
                                                                                                               Entity
                                                                                                               {objectguid=objectguid: null, objectclass=objectClass: top, person, organizationalPerson, inetOrgPerson, XXXXXOrgPerson, mdfPerson, principalname=principalname: null}
[14/04/20 9.16.57:647 CEST] 00000083 id=6bbc56a3 com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager       > getExtId Entry  
                                                                                                               Entity
[14/04/20 9.16.57:647 CEST] 00000083 id=6bbc56a3 com.ibm.ws.security.wim.adapter.ldap.LdapConfigManager       > getLdapEntity Entry  
                                                                                                               Entity
[14/04/20 9.16.57:647 CEST] 00000083 id=00000000 com.ibm.wsspi.security.wim.model.Entity                      > getSubEntityTypes Entry  
                                                                                                               Entity
...
...
...

I'm very very beginner on this stuff, I noted some other configurations in original Websphere I did not set in Liberty. I don't know if I'm doing in the right way

1. In Websphere I have entry Global Security --> JAAS - J2C Authentication data, so I added in server.xml in futureManager branch:

<feature>jdbc-4.2</feature>

then added this authData entry:

<authData id="MY-IDENTIFICATION" user="MY-DB-USER" password="MY-DB-PASSWORD"/>

then in ibm-application-bnd.xml added

   <resource-ref name="jdbc/MY-JDBC" binding-name="jdbc/MY-JDBC">
     <authentication-alias name="MY-IDENTIFICATION"/>
   </resource-ref>

This attempt reported no result.

(N.B.: jdbc already correctly set up in server.xml since without authentication the web application can access db with mybatis)

2. There are also configurations about what's called "Federated Repositories", I'm trying to build the node on server.xml, but I have some difficulties. Is this mandatory and could be the cause?


Solution

  • I was very superficial. I started this implementation starting from this:

    https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_ldap.html

    Reading with no atteintion I saw only two type of LDAP "IBM Directory Server" and "Microsoft Active Directory Server"

    I was not really aware of what kind of LDAP I'm working with, since I was not able to find it in my working websphere configurations and since those configurations were made following some notes of collegues.

    I copy-pasted the code from the link above, and since configs for IBM Directory Server did not work at all, I used Microsoft Active Directory Server which seemed to work and was giving me misleading behaviour as explained in the question...

    Unfortunately my local websphere configs are a little confusing also, there are a lot of tests e configs maybe unnecessary.

    So at the end it was not necessary, since is not used, federatedRepository settings, and even resource-ref entry in ibm-application-bnd is unnecessary.

    The only thing I needed was to know in clear way what's ldap server used. After @Gas comment I checked the entries in server.xml about ldapType and filters. If I did not copy-pasted the code I would be aware that after typing ldapType=" eclipse suggest a lot of ldap types... so I remind my self that ldap is not Microsoft Active Directory Server. In my case LDAP was ODSEE, unfortunetely not listed, searched on google and found on wikipedia (https://en.wikipedia.org/wiki/Sun_Java_System_Directory_Server) that ODSEE was before named some years ago as Sun Java System Directory Server.

    Now, for every ldapType you have to type the right filters entries, no config errors is given if you make a mistake, just not logged in with message which could be misleading.

    So right Ldap config in my case is:

    <ldapRegistry
    id="ldap"
    realm="LdapRegistry"
    ldapType="Sun Java System Directory Server"
    host="host-copy-pasted-from-websphere-configuration"
    port="port-copy-pasted-from-websphere-configuration"
    baseDN="baseDN-copy-pasted-from-websphere-configuration"
    searchTimeout="120"
    reuseConnection="true"
    ignoreCase="true"
    bindDN="bindDN-copy-pasted-from-websphere-configuration"
    bindPassword="bindDN-known-password"
    sslEnabled="false">
    <iplanetFilters
        userFilter="userFilter-copy-pasted-from-websphere-configuration"
        groupFilter="groupFilter-copy-pasted-from-websphere-configuration"
        groupIdMap="groupIdMap-copy-pasted-from-websphere-configuration"
        userIdMap="userIdMap-copy-pasted-from-websphere-configuration"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember"
        >
    </iplanetFilters>
    

    I found the right filter to use by exclusion... I guess this is the right association between ldapType and filters:

    Now I'm able to log in, at least in HTTP (not yet in HTTPS, but this is another story and my work for this evening...)

    Above considerations could be obvious, and the config error trivial, but I guess my this experience could be usefull for someone else.