Jazz Library Tip: Configuring WAS with LDAP realm

Tip: Configuring WAS with LDAP realm

Last Updated: October 31, 2008
Author: Daniel Kogan

Summary

In this TechNote we provide step-by-step guidance on setting up WAS with an LDAP realm for a Jazz Team Server installation, including the application server's LDAP configuration, the LDAP filters, and verification of the LDAP connection.

For the general WAS setup with Jazz, please follow the Installing Jazz Team Server with WAS article.

More Information

Jazz uses J2EE container-managed authentication for login and system permissions. For application security to work, you must configure a realm in the application server. A file-based realm is generally fine for testing, but an LDAP realm is recommended for production deployments.

For more information on authentication and authorization, please refer to this TechNote.

For the WAS setup with a file-based realm, please follow the Configuring WAS with Federated realm TechNote.

LDAP Setup

In this section we show how to set up and configure the LDAP realm.

For Jazz to authorize a user authenticated by the application server, the user must be a valid Jazz repository contributor. Jazz ships with a bootstrap user called ADMIN pre-configured in the database. Unless ADMIN / ADMIN also happens to be a valid set of credentials in the LDAP repository used by WebSphere Application Server, you will not be able to log in to Jazz after installing on WebSphere.

To avoid this, add at least one valid LDAP user as a Jazz repository contributor BEFORE configuring Jazz security on WebSphere Application Server. This is done under the User Management tab of the Jazz setup web UI.

Note

The pre-configured ADMIN user exists only in the Derby database shipped with Jazz. If you use DB2, Oracle, your own instance of Derby, or any other database, make sure to run the “repotools” command to create the data. For instructions on running the “repotools” command, follow the instructions here.

LDAP Server Configuration

WebSphere Application Server LDAP configuration varies with your particular LDAP server and schema. Before modifying your WebSphere LDAP configuration for Jazz, ensure that basic WebSphere LDAP functionality works correctly. For complete information on configuring WebSphere Application Server for LDAP authentication, see the WebSphere Application Server InfoCenter article, Configuring Lightweight Directory Access Protocol user registries.

Retrieve the LDAP server SSL certificate (optional)

If your LDAP server is configured for Secure Sockets Layer (SSL), you first need to retrieve its signer certificate from the server and add it to the WAS trust store.

  1. Bring up the WAS admin console
  2. Expand Security and select SSL certificate and key management
  3. Click Manage endpoint security configurations
  4. Select the Outbound node for your appserver
  5. Click Key stores and certificates
  6. Click NodeDefaultTrustStore
  7. Click Signer certificates
  8. Click Retrieve from port button
  9. Fill in the following properties: Host, Port, Alias
  10. Click Retrieve signer information and hit OK
  11. Restart the server
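The Retrieve from port step above trusts whatever certificate the LDAP server sends on that one connection, so the retrieved signer should be compared with a fingerprint obtained from the directory administrators out of band before the restart. The script below is an added example, not WebSphere's or Jazz's own code: it fetches the certificate an LDAPS server presents and prints its SHA-256 fingerprint for that comparison. The host name, port and the placeholder certificate bytes are assumptions. Note that it fetches the leaf (server) certificate, which is the signer WebSphere stores only when the certificate is self-signed; for a CA-issued certificate, compare the CA certificate's fingerprint instead.

```python
"""Added example, not WebSphere's own code: fetch the certificate an LDAPS
server presents and compute its SHA-256 fingerprint, so the signer retrieved
with "Retrieve from port" can be checked against a fingerprint published by
the directory administrators. Host, port and SAMPLE_DER are assumptions."""
import base64
import hashlib
import ssl
import sys


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint of DER certificate bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem):
    """Strip the PEM armor, decode the base64 body, and fingerprint the DER."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return sha256_fingerprint(base64.b64decode(body))


def fingerprint_matches(pem, published):
    """Compare with a published fingerprint, ignoring case and separators."""
    def canon(s):
        return s.replace(":", "").replace(" ", "").upper()
    return canon(fingerprint_from_pem(pem)) == canon(published)


def retrieve_server_cert(host, port=636):
    """Return the server's leaf certificate as PEM. No verification is done
    on this connection: like "Retrieve from port", it is trust-on-first-use,
    which is why the fingerprint must be checked out of band."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-in (assumption) so the helpers can be exercised offline;
# it is NOT a real certificate and will not parse as one.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python ldaps_fingerprint.py ldap.example.com 636  (names assumed)
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    print(host, port, fingerprint_from_pem(retrieve_server_cert(host, port)))
```

Run it against the Host and Port you typed into the Retrieve from port dialog, then open the alias you created under Signer certificates and compare the fingerprint shown there with the one the administrators gave you; if they differ, delete the signer rather than restarting.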


WAS Setup

  1. In the WAS Admin Console, go to Secure administration, applications, and infrastructure in the left menu column.

  2. For the LDAP setup, choose Standalone LDAP registry as the realm definition. After selecting the realm, click the Set as current button; without it the selection is not saved.

  3. Note

      Unless the Set as current button is clicked, the chosen realm might not be the one used for the Jazz deployment (see the image below).




  4. Press the Configure button to open the Realm Configuration screen.



  5. Make sure that:
    • Primary administrative user name is set to a valid LDAP user. This user must exist in the directory, because it is the account you will use to log in to the admin console after the restart.
    • Host is the correct LDAP host.
    • Port is the port the LDAP server listens on: 636 by default if SSL is enabled, 389 if it is not.
    • Base distinguished name (DN) is the DN under which users and groups are searched in the LDAP directory.
    • Select SSL enabled if the server requires an SSL connection.
    • If you leave Bind distinguished name and Bind password empty, WebSphere binds anonymously, so the directory must permit anonymous searches under the base DN; otherwise supply a read-only bind account.


  6. Verify the LDAP server type (we used “Custom” for our testing)



  7. Then click on Advanced Lightweight Directory Access Protocol (LDAP) user registry settings on the right.



  8. Specify the user and group filters.



  9. The settings we use are:
    • User Filter: (&(uid=%v)(objectclass=inetOrgPerson))
    • Group Filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))
    • User id map: *:uid
    • Group id map: *:cn
    • Group member id map: ibm-allGroups:member;ibm-allGroups:uniqueMember


    Note

    • These are example settings only. They assume that uid holds a user's login ID and cn holds a group's name in LDAP, that users are inetOrgPerson entries, and that groups are groupOfNames or posixGroup entries. %v is replaced by the name being looked up.
    • For our purposes the User ID map is the important setting, because the attribute it names (uid here) is the user identity that WebSphere passes to Jazz. Its value must match the user ID you created in the Jazz repository previously.
    • The settings above were chosen for our internal IBM LDAP server configuration. For more LDAP information please follow the LDAP Configuration TechNote.
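To make concrete what the filters and maps above do, the following is an added example and not code from the TechNote, WebSphere or Jazz: a small LDAP filter evaluator that substitutes a login or group name for %v in the TechNote's own user and group filters, runs them over a constructed directory, and applies the User ID map to show the value WebSphere would hand to Jazz as the user ID. The sample entries, DNs and names are assumptions. It also shows why the substituted value must be escaped per RFC 4515: an unescaped login such as jdoe)(uid=* would otherwise rewrite the filter.

```python
"""Added example, not code from the TechNote or from WebSphere/Jazz: render
the TechNote's user and group filters with a value in place of %v, evaluate
them against constructed directory entries, and apply the User ID map to show
the user ID passed to Jazz. Entries, DNs and names are assumptions."""
import re

# Filter and map settings quoted from the TechNote.
USER_FILTER = "(&(uid=%v)(objectclass=inetOrgPerson))"
GROUP_FILTER = "(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
USER_ID_MAP = "*:uid"
GROUP_MEMBER_ID_MAP = "ibm-allGroups:member;ibm-allGroups:uniqueMember"

# Constructed sample directory (assumption); attribute names are lower-case keys.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com",
     "uid": ["jdoe"], "cn": ["John Doe"],
     "objectclass": ["top", "person", "inetOrgPerson"]},
    {"dn": "uid=svc-build,ou=services,dc=example,dc=com",   # not an inetOrgPerson
     "uid": ["svc-build"], "cn": ["Build Service"],
     "objectclass": ["top", "account"]},
    {"dn": "cn=jazz-admins,ou=groups,dc=example,dc=com",
     "cn": ["jazz-admins"], "objectclass": ["top", "groupOfNames"],
     "member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for the text substituted for %v. Without it a login
    such as 'jdoe)(uid=*' would rewrite the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render(template, value):
    """Substitute %v the way the registry does, with the value escaped."""
    return template.replace("%v", escape_filter_value(value))


def _parse(s, i=0):
    """Recursive-descent parser for &, |, ! and equality/presence items.
    Returns (node, index just past the closing parenthesis)."""
    i += 1                                   # skip '('
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1             # skip ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)                      # an escaped ')' is '\29', so this is safe
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _unescape(val):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), val)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if val == "*" else _unescape(val).lower() in values


def search(filter_text, directory=DIRECTORY):
    node, _ = _parse(filter_text)
    return [e for e in directory if matches(node, e)]


def id_from_map(entry, id_map):
    """Apply a WebSphere id map such as '*:uid' (objectclass:attribute, '*'
    matching any class). The attribute's value is the user ID passed to Jazz."""
    classes = [c.lower() for c in entry["objectclass"]]
    for rule in id_map.split(";"):
        oc, attr = rule.split(":")
        if oc == "*" or oc.lower() in classes:
            return entry.get(attr.lower(), [None])[0]
    return None


def lookup_user(login):
    """The user ID Jazz will see for a login, or None if the user filter
    does not match exactly one entry."""
    hits = search(render(USER_FILTER, login))
    return id_from_map(hits[0], USER_ID_MAP) if len(hits) == 1 else None


def group_members(name):
    """Member DNs of a group matched by the group filter. Simplification
    (assumption): only the attribute on the right of each 'class:attribute'
    pair of the member id map is read."""
    attrs = [rule.split(":")[1].lower() for rule in GROUP_MEMBER_ID_MAP.split(";")]
    return [m for g in search(render(GROUP_FILTER, name)) for a in attrs for m in g.get(a, [])]


if __name__ == "__main__":
    print(lookup_user("jdoe"))              # jdoe
    print(lookup_user("svc-build"))         # None: 'account' is not inetOrgPerson
    print(lookup_user("jdoe)(uid=*"))       # None: escaped, so no injection
    print(group_members("jazz-admins"))
```

The value returned by lookup_user is exactly what the Welcome message in the admin console shows after login, and therefore the string that must exist as a contributor ID in the Jazz repository; changing USER_ID_MAP to "*:cn" in the example would make Jazz see "John Doe" instead of "jdoe".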



  10. Click the Test connection button to verify the settings



  11. If all the settings are correct, you will see this message



  12. Click Apply, then Save the master configuration and restart the WAS process.

Assigning User Roles

In this section we show how to assign roles and permissions to users loaded from the LDAP server.
It is an important step in an LDAP deployment to give LDAP users the proper permissions in WAS before the application is deployed.

  1. To do so, click on Administrative User Roles on the Secure administration, applications, and infrastructure screen.



  2. On the User Roles screen, use the Add button to search for users in LDAP.



  3. Grant the user appropriate permissions.



  4. Then click Apply and Save.

  5. Note

    The ability to assign a user role verifies that LDAP is set up properly and users are retrieved correctly.


Assigning Group Roles

In this section we show how to assign roles and permissions to groups loaded from the LDAP server.

Note

This step is optional; however, it verifies that the group filter is set up properly, so that the Jazz application deploys and starts without group-permission problems.


  1. Click on Administrative Group Roles on the Secure administration, applications, and infrastructure screen.



  2. On the Group Roles screen, use the Add button to search for groups in LDAP. Make sure that you choose an existing LDAP group and successfully assign a role to it.



  3. In case of success, you should see this message.



  4. Click Save to save the settings.

  5. Note

    The ability to assign a group role verifies that LDAP is set up properly and groups are retrieved correctly.

Logging back in to WAS after the LDAP configuration

Once you have completed the LDAP realm setup and restarted the WAS server, you must log in to the WAS admin console with a valid LDAP user ID and password.

  1. Open the admin console; you should be prompted for a user ID and password.
  2. Enter your user ID and password.
  3. You can verify the value returned by the User ID map by looking at the Welcome message at the top of the WebSphere Application Server Administrative Console.




If this value does not match the user ID you entered in the Jazz repository, you will either need to add a corresponding user ID in the Jazz repository or modify the User ID map property in the WebSphere Application Server Administrative Console so that it returns the appropriate value.
Tue, 11 Nov 2008