Connections Content Manager and Cognos integration (i.e. Metrics) is not working for LDAP users in environments where the LDAP server is Domino AND complex LDAP search filters (for example nested boolean queries) have been specified in Federated Repositories configuration.
In other words, when LDAP users try to access a community library, they receive the following error: "The library may have been deleted or modified, or your access may have changed. Try reloading. If that fails, contact the library owner."
OR: When the user clicks into the Library, there are no "Upload Files" or "New Folder" buttons present, even though the user is a Community Member or Owner.
This does not happen for non-LDAP local users like 'wasadmin'.
For Cognos integration, the problem manifests itself when it's not possible to add LDAP users to the IbmConnectionsMetricsAdmin role, but it is possible to add non-LDAP local users like 'wasadmin'.
This is a known issue for Domino LDAP server that is tracked in SPR #CAHT959LQG.
Complex LDAP search filters (for example nested boolean queries) return no results from Domino LDAP.
The issue is independent of the use of wildcards and of how the query is formulated: no results are returned even though a directory entry exists that matches the search attributes. Normal queries work as expected.
This is a normal query: (&(uid=tuser)(cn=test user)(objectClass=dominoPerson))
This is a nested query: (&(uid=tuser)(&(cn=test user)(objectClass=dominoPerson)))
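To check whether a filter you have configured falls into the nested category, the following Python sketch parses the filter string, reports its boolean nesting depth, and renders the logically equivalent flat form where one exists. It is an added example, not IBM code or part of the original technote; the function names (`parse_filter`, `depth`, `is_nested`, `flatten`, `render`) are hypothetical helpers, and "nested" is taken here to mean a boolean operator containing another boolean operator.

```python
# Added example, not IBM code. Filters follow RFC 4515 string syntax, where
# literal parentheses inside values are escaped as \28 and \29.

def parse_at(f, i):
    """Parse the filter starting at f[i]; return (node, next_index).
    A composite is (op, [children]); a simple item is a plain string."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, i, kids = f[i], i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse_at(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed composite near offset {i}")
        return (op, kids), i + 1
    end = f.find(")", i)
    if end <= i or "(" in f[i:end]:
        raise ValueError(f"malformed item near offset {i}")
    return f[i:end], end + 1

def parse_filter(f):
    node, end = parse_at(f.strip(), 0)
    if end != len(f.strip()):
        raise ValueError("trailing characters after filter")
    return node

def depth(node):
    """0 for a simple item, 1 for a flat composite, 2+ for nested booleans."""
    return 0 if isinstance(node, str) else 1 + max(depth(k) for k in node[1])

def is_nested(f):
    return depth(parse_filter(f)) > 1

def flatten(node):
    """Merge a child into its parent when both use the same & or | operator."""
    if isinstance(node, str):
        return node
    op, merged = node[0], []
    for kid in map(flatten, node[1]):
        same = op in ("&", "|") and not isinstance(kid, str) and kid[0] == op
        merged.extend(kid[1] if same else [kid])
    return (op, merged)

def render(node):
    if isinstance(node, str):
        return f"({node})"
    return f"({node[0]}" + "".join(render(k) for k in node[1]) + ")"
```

`flatten` only merges a child that uses the same `&` or `|` operator as its parent, so filters that mix operators or use `!` remain nested after flattening.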
IBM Connections 4.5
An example of a complex search filter is shown in the screen shot below. In the Federated Repositories configuration for the Domino LDAP being used for Connections, there is a filter set in the LDAP Entity Type for PersonAccount, i.e. (&(objectclass=dominoPerson)(availablefordirsync=1))
Diagnosing the problem
Remove the search filter from the Federated Repositories configuration for the Domino LDAP, synchronize the nodes and restart the Connections environment (including the nodeagent(s) and deployment manager).
Then retest the CCM or Cognos issue in Connections. If it now works OK, then it's very likely you are experiencing this issue.
Resolving the problem
Contact Domino Support to obtain a Hotfix for SPR CAHT959LQG for your specific Domino version.
However, the fix for this issue could introduce a performance degradation when there are many nested groups. Due to the performance regression potential, IBM is doing 2 things:
1. Working on an interim fix for 8.5.3 FP6 that disables this code path by default and adds the ini LDAP_COMPLEX_FILTER=1. This ini won't be active until 8.5.3 FP6 Interim Fix 1 and 9.0.1 Fix Pack 2. It will be documented under SPR MJON9GQHLL.
2. Working on a better solution that will not introduce a performance regression.
Today I received an Alert Flash regarding issues on IBM Notes/Domino Feature Pack 10 with the hint to stop upgrades. Currently the following issues are known:
(fix available) The IBM Sametime client embedded within the IBM Notes client stops working after you install Notes 9.0.1 FP10 on top of Lotus Notes 9.0.1 FP9 + Sametime Embedded build 9.0.x clients http://www-01.ibm.com/support/docview.wss?uid=swg22012939
(verified by L2) SMTP Mails with Umlauts broken after installing FP10. This seems to be regression. Support is working.
(verified) Group iQ.Suite - Out of License because the internal product numbering has changed. The API reports a different version number. Before upgrade eg 184.108.40.206.0.0 => 9.0.1 FP9, after upgrade 900.0.11.0.0.0 => 9.0.1 FP10. Group is informed and can assist. Group will provide Hotfixes of iQ.Suite (19.1.5, 20.2.3 or 20.3) soon.
(not yet verified) org.eclipse.core.runtime.CoreException: Plug-in http://com.ibm.domino.java .api was unable to …
The JVM in Designer is Upgraded to use 1.8 at compile time
Eclipse Platform Upgraded to 4.6.2
Embedded Sametime Upgraded To 901 By Default
Add-on Installer for Notes CCM (Connections Content Manager)
The full list of the new features is here: