Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Why does an LDAP account get recognized as ADMIN for RTC 4.0.2?

Questions
Tags
Users
Badges
Andrew Trobec
(49713144139) Apr 23 '13, 9:14 a.m.
 Hello,

I performed a local RTC 4.0.2 installation and I connected the JTS to LDAP.

During the configuration process where I logged in with ADMIN/ADMIN  I had to replace some web.xml files and server.xml with versions generated by the setup wizard.  I did that and restarted as instructed.  When I continued the setup process I used an LDAP account since the ADMIN/ADMIN account was no longer recognised.  On the LDAP configuration page I selected to disable the ADMIN account and completed the wizard.

Now when I login with one of the LDAP accounts it gets recognised as the disabled ADMIN account.  Why does it do this and how can I solve?

Regards,

Andrew

1 vote

2 answers
5,556 views
1 vote

Accepted answer

Permanent link
Josh Crawford
(984615) Apr 23 '13, 11:07 a.m.
 Another scenario which we see this is with Tomcat as an application server which by default is case sensitive.  Many Ldap providers are case insensitive.  If the user in Ldap has a CaMel cased user ID a login attempt with all lower case will succeed from an Ldap perspective but the user will not be recognized by tomcat and therefore treated as Admin.

You can verify this is what's happening by looking in your jts.log file and looking for instances of:

2013-04-23 11:04:03,639 [         http-bio-9443-exec-35]  WARN com.ibm.team.repo                                              sitory.servlet.TeamServerServlet   - CRJAZ1186W Authenticated user "CRAWfomj" do                                              es not exist in the repository.  Logging in as "ADMIN".  The user may need to be                                               imported into the repository.  Note that login can be case-sensitive.

You can see my user account is all lowercase. 

C:\Windows\system32>net user /domain crawfomj
The request will be processed at a domain controller for domain asylum.ibm.com.

User name                    crawfomj
Full Name                    crawfomj
Comment
User's comment
##########


Andrew Trobec selected this answer as the correct answer

1 vote

Comments
Bo Chulindra
JAZZ DEVELOPER Apr 23 '13, 11:18 a.m.

I agree that this is another case. I should mention that it is again a case of LDAP authenticating the user but the JTS server not knowing about the user (since it tries to look for the user in its repository but because of the case mismatch, it cannot find it).

In this case, Tomcat is not doing any authentication. For example, this can still happen if you are using WAS.

The right answer here is to configure the JTS for case-insensitive login if LDAP authentication is case-insensitive.

Andrew Trobec
Apr 24 '13, 2:18 a.m.

 Hello Bo and Josh,


The issue was with the case-sensitivity.  I no longer receive that issue.  Thanks for the input!

Regards,

Andrew

1 vote

One other answer

Permanent link
Bo Chulindra
JAZZ DEVELOPER (1.3k2718) Apr 23 '13, 10:14 a.m.
Your LDAP user is being authenticated by your LDAP server which is why you are able to login to the JTS. However, the JTS server only knows about LDAP users which have been imported into the server. So when a user is successfully authenticated by the container but the JTS does not know about the user, then the JTS assigns the user with some default account. In the case of JazzAdmins users, that default account will be ADMIN (although this is slightly different than ADMIN/ADMIN).

During completion of the setup wizard, it is likely that the LDAP user you completed the setup wizard with was imported during the User Registry step. That user should be not be displayed as ADMIN when logged in.

Your other users can be imported by either:
  • LDAP nightly sync. Every night, the JTS will synch with your LDAP server. This will import all your LDAP users.
  • Manual import. This can be done using the JTS Server Administration web UI. Particularly, as part of the Users menu.
  • Turn on self-registration. It is possible to turn on self-registration so that if a user logs in to the JTS, then the JTS will import the user if needed. This can be done using the JTS Server Administration web UI and visiting the Advanced Properties page.


1 vote

Comments
Andrew Trobec
Apr 23 '13, 10:53 a.m.

Hello Bo,

Thank you for your answer.  I will check on this.
In the meantime, a user appears in the userlist with name "Unassigned" and when I open the user properties I get the message:

An error response was received from the Jazz Team Server. Status=400. Message: The ContributorHandle with the "[UUID _YNh4MOlsEdq4xpiOKg5hvA]" item ID doesn't match any existing ContributorRecords.show details

What is this and how can I remove it?
Regards,
Andrew 

Bo Chulindra
JAZZ DEVELOPER Apr 23 '13, 11:40 a.m.

I've never heard of the "Unassigned" user before. I did some research and I believe it is a special user created for CCM work items. However, I also do not believe it is supposed to show up in the Active Users list (if that's where you are seeing it).

I found this work item, Unassigned user is translated to Japanese and shows up in Active CCM Users (209985), which is a case when the user "unassigned" was erroneously displayed in the Active Users page because the user ID was translated and the filter did not remove it.

...continued below...

Bo Chulindra
JAZZ DEVELOPER Apr 23 '13, 11:40 a.m.

This work item, Cannot open "Unassigned" user by User Editor (138763), shows that the error you are seeing is typical for this user. I would guess it's because the user was never meant to be inspected since it is a special user that is normally hidden from sight.

I believe the user is necessary for CCM and should not be removed. However, I believe it is wrong that you are seeing the user in some list of users and are able to attempt to open its user properties.

Andrew Trobec
Apr 24 '13, 2:23 a.m.

Hello Bo,

Yes this seems to be exactly the problem that I have.  Should I open a Defect for it?
Regards,
Andrew

Bo Chulindra
JAZZ DEVELOPER Apr 24 '13, 9:58 a.m.

Please do. Open it against Jazz Foundation and file it against Repository.

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 2,357

Question asked: Apr 23 '13, 9:14 a.m.

Question was seen: 5,556 times

Last updated: Apr 24 '13, 9:58 a.m.

Confirmation Cancel Confirm