It's all about the answers!

Ask a question

Why does an LDAP account get recognized as ADMIN for RTC 4.0.2?


Andrew Trobec (49712139139) | asked Apr 23 '13, 9:14 a.m.
 Hello,

I performed a local RTC 4.0.2 installation and I connected the JTS to LDAP.

During the configuration process where I logged in with ADMIN/ADMIN  I had to replace some web.xml files and server.xml with versions generated by the setup wizard.  I did that and restarted as instructed.  When I continued the setup process I used an LDAP account since the ADMIN/ADMIN account was no longer recognised.  On the LDAP configuration page I selected to disable the ADMIN account and completed the wizard.

Now when I login with one of the LDAP accounts it gets recognised as the disabled ADMIN account.  Why does it do this and how can I solve?

Regards,

Andrew

Accepted answer


permanent link
Josh Crawford (984515) | answered Apr 23 '13, 11:07 a.m.
 Another scenario which we see this is with Tomcat as an application server which by default is case sensitive.  Many Ldap providers are case insensitive.  If the user in Ldap has a CaMel cased user ID a login attempt with all lower case will succeed from an Ldap perspective but the user will not be recognized by tomcat and therefore treated as Admin.

You can verify this is what's happening by looking in your jts.log file and looking for instances of:

2013-04-23 11:04:03,639 [         http-bio-9443-exec-35]  WARN com.ibm.team.repo                                              sitory.servlet.TeamServerServlet   - CRJAZ1186W Authenticated user "CRAWfomj" do                                              es not exist in the repository.  Logging in as "ADMIN".  The user may need to be                                               imported into the repository.  Note that login can be case-sensitive.

You can see my user account is all lowercase. 

C:\Windows\system32>net user /domain crawfomj
The request will be processed at a domain controller for domain asylum.ibm.com.

User name                    crawfomj
Full Name                    crawfomj
Comment
User's comment
##########


Andrew Trobec selected this answer as the correct answer

Comments
Bo Chulindra commented Apr 23 '13, 11:18 a.m.
JAZZ DEVELOPER

I agree that this is another case. I should mention that it is again a case of LDAP authenticating the user but the JTS server not knowing about the user (since it tries to look for the user in its repository but because of the case mismatch, it cannot find it).

In this case, Tomcat is not doing any authentication. For example, this can still happen if you are using WAS.

The right answer here is to configure the JTS for case-insensitive login if LDAP authentication is case-insensitive.


1
Andrew Trobec commented Apr 24 '13, 2:18 a.m.

 Hello Bo and Josh,


The issue was with the case-sensitivity.  I no longer receive that issue.  Thanks for the input!

Regards,

Andrew

One other answer



permanent link
Bo Chulindra (1.3k2718) | answered Apr 23 '13, 10:14 a.m.
JAZZ DEVELOPER
Your LDAP user is being authenticated by your LDAP server which is why you are able to login to the JTS. However, the JTS server only knows about LDAP users which have been imported into the server. So when a user is successfully authenticated by the container but the JTS does not know about the user, then the JTS assigns the user with some default account. In the case of JazzAdmins users, that default account will be ADMIN (although this is slightly different than ADMIN/ADMIN).

During completion of the setup wizard, it is likely that the LDAP user you completed the setup wizard with was imported during the User Registry step. That user should be not be displayed as ADMIN when logged in.

Your other users can be imported by either:
  • LDAP nightly sync. Every night, the JTS will synch with your LDAP server. This will import all your LDAP users.
  • Manual import. This can be done using the JTS Server Administration web UI. Particularly, as part of the Users menu.
  • Turn on self-registration. It is possible to turn on self-registration so that if a user logs in to the JTS, then the JTS will import the user if needed. This can be done using the JTS Server Administration web UI and visiting the Advanced Properties page.



Comments
Andrew Trobec commented Apr 23 '13, 10:53 a.m.

Hello Bo,

Thank you for your answer.  I will check on this.
In the meantime, a user appears in the userlist with name "Unassigned" and when I open the user properties I get the message:

An error response was received from the Jazz Team Server. Status=400. Message: The ContributorHandle with the "[UUID _YNh4MOlsEdq4xpiOKg5hvA]" item ID doesn't match any existing ContributorRecords.show details

What is this and how can I remove it?
Regards,
Andrew 


Bo Chulindra commented Apr 23 '13, 11:40 a.m.
JAZZ DEVELOPER

I've never heard of the "Unassigned" user before. I did some research and I believe it is a special user created for CCM work items. However, I also do not believe it is supposed to show up in the Active Users list (if that's where you are seeing it).

I found this work item, Unassigned user is translated to Japanese and shows up in Active CCM Users (209985), which is a case when the user "unassigned" was erroneously displayed in the Active Users page because the user ID was translated and the filter did not remove it.

...continued below...


Bo Chulindra commented Apr 23 '13, 11:40 a.m.
JAZZ DEVELOPER

This work item, Cannot open "Unassigned" user by User Editor (138763), shows that the error you are seeing is typical for this user. I would guess it's because the user was never meant to be inspected since it is a special user that is normally hidden from sight.

I believe the user is necessary for CCM and should not be removed. However, I believe it is wrong that you are seeing the user in some list of users and are able to attempt to open its user properties.


Andrew Trobec commented Apr 24 '13, 2:23 a.m.

Hello Bo,

Yes this seems to be exactly the problem that I have.  Should I open a Defect for it?
Regards,
Andrew


Bo Chulindra commented Apr 24 '13, 9:57 a.m. | edited Apr 24 '13, 9:58 a.m.
JAZZ DEVELOPER

Please do. Open it against Jazz Foundation and file it against Repository.

Your answer


Register or to post your answer.