LDAP integration issues


Jason Kissinger (7143) | asked Mar 01 '09, 9:55 p.m.
I've just integrated our RTC server with our corporate Active Directory server. Base functionality is working fine, but I have a couple of issues that I need to resolve before rolling out to our production server:

1. User Property Names Mapping for email address. How is this verifying emailAddress property? I set:

userId=sAMAccountName,name=displayName,emailAddress=mail

and at least my user account in ldap has a 'mail' attribute. But it complains

The e-mail address property "mail" is not present in the LDAP registry

I put in another attribute (emailAddress=sAMAccountName) to get beyond this point, but obviously emails will not be imported correctly.

2. user display name. our ldap doesn't have a 'firstName lastName' attribute, it has a 'lastName, firstName' attribute, and separate firstName and lastName attributes. I'd prefer to use the 'firstName lastName' so user search, etc work as expected. Possible to map name to "firstName + ' ' + lastName"? Or other recommendations?


Thanks!

7 answers



Balaji Krish (1.8k12) | answered Mar 01 '09, 11:11 p.m.
JAZZ DEVELOPER
Jason,

>> 1
What version of the Jazz server are you using?

We had a few issues with the Active Directory server. Can you try with the 1.0.1.1 server? (The 1.0.1.1 server was released on 2/27/2009.)

>>2
It is not possible. We don't have a mechanism to map a single attribute to multiple attributes in LDAP. Please open an enhancement request.

--- Balaji
Jazz Server Team

Jason Kissinger (7143) | answered Mar 02 '09, 2:42 p.m.
Thanks Balaji.

1. I'll try 1.0.1.1 this evening
2. opened Enhancement 73015: https://jazz.net/jazz/web/projects/Rational%20Team%20Concert#action=com.ibm.team.workitem.viewWorkItem&id=73015

Jason Kissinger (7143) | answered Mar 02 '09, 10:45 p.m.
Update on issue 1: Upgrading to 1.0.1.1 made the email=mail a warning, allowing me to save that configuration. Imported a couple of users and the email came through as I'd expect.

Question on issue 2: Can you think of any ill effects to importing users as lastName, firstName (location)? ie: "Kissinger, Jason (STP)". All I can think is hint on user search ("begin with a space to search by last name") is backwards.

Ralph Schoon (60.5k33643) | answered Mar 03 '09, 2:41 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Hello jasonkissinger,

a customer of mine had similar issues due to the fact that contractors have very long names in their Active Directory. One approach that seems feasible and worked for them was to create an additional field, fill that with the name to display and use it instead.

Ralph

Balaji Krish (1.8k12) | answered Mar 03 '09, 12:56 p.m.
JAZZ DEVELOPER
Jason,

You are right. There are no ill effects of importing using last name, first name. User search is backwards (begin with a space to search by first name).

--- Balaji

Jason Kissinger (7143) | answered Mar 03 '09, 11:29 p.m.
@rschoon: thanks, but not an option for us... corporate ldap wouldn't allow us to add attributes. we'll be fine for now with our displayName attribute.

@Balaji: One more question, if you don't mind. Do I need to import ALL users that will access RTC? I was working under the impression that users with jazzGuest ("All Employees" ldap group/tomcat role in my case) and no client access license could access the web interface with read-only permissions. Tried with one user and he was able to authenticate and get past tomcat authorization, but was then told by jazz that he didn't belong to the appropriate group. Imported him, no client license assigned, and then he was able to see read-only. We have potentially hundreds (thousands?) of users that may access RTC, as this will be linked from some of our other systems. Importing our entire LDAP user base doesn't seem a palatable option. Any option to allow authenticated, but non-repo-imported users to have read-only access?

Warning in logs:
WARN com.ibm.team.repository.servlet.TeamServerServlet - CRJAZ1183I Authenticated user "XXXX" does not exist in the repository. The user may need to be imported into the repository. Note that login is case-sensitive.
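The checks below are an added example written for this page; they are not code from the thread, from IBM, or from the RTC product. The script takes an RTC-style "User Property Names Mapping" string (the one from the original question) and a list of directory entries as plain dicts, the way a search result would be flattened, and reports which users lack a mapped attribute (the situation behind the "not present in the LDAP registry" complaint), which users would get a non-address imported as their email under the `emailAddress=sAMAccountName` workaround, and what a "firstName lastName" value built from givenName/sn would look like (RTC cannot do that concatenation itself; this is what you would write into the extra attribute Ralph describes, if you could add one). It also flags logins that match an imported user ID only when case is ignored, following the CRJAZ1183I warning quoted above. `SAMPLE_ENTRIES`, the hostnames, the OU and the function names are all assumptions made for the example.

```python
"""Added example (not from the jazz.net thread or from RTC): offline sanity
checks for an RTC user-property mapping against directory entries, plus the
login/user-ID case check suggested by the CRJAZ1183I warning.
SAMPLE_ENTRIES is constructed data, not a real directory."""
from typing import Dict, List, Optional, Sequence, Tuple

# Mapping from the thread: jazzProperty=ldapAttribute, comma separated.
MAPPING = "userId=sAMAccountName,name=displayName,emailAddress=mail"

# Constructed stand-in for what an LDAP search such as
#   ldapsearch -x -H ldap://dc.example.com -D <binddn> -W \
#       -b "OU=Users,DC=example,DC=com" "(objectClass=user)" \
#       sAMAccountName displayName givenName sn mail
# would return, one dict per user. A missing key means the attribute is
# absent on that object (hostname, base DN and values are assumptions).
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"sAMAccountName": "jkissinger", "displayName": "Kissinger, Jason (STP)",
     "givenName": "Jason", "sn": "Kissinger", "mail": "jkissinger@example.com"},
    {"sAMAccountName": "contractor1", "displayName": "Contractor, One (EXT)",
     "givenName": "One", "sn": "Contractor"},           # no mail attribute
    {"sAMAccountName": "svc-build", "displayName": "Build Service",
     "mail": "build@example.com"},                       # no givenName / sn
]


def parse_mapping(mapping: str) -> Dict[str, str]:
    """Parse 'prop=attr,prop=attr' into {jazzProperty: ldapAttribute}."""
    result: Dict[str, str] = {}
    for item in mapping.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"bad mapping item: {item!r}")
        prop, attr = item.split("=", 1)
        result[prop.strip()] = attr.strip()
    return result


def missing_attributes(mapping: str, entries: Sequence[Dict[str, str]]) -> Dict[str, List[str]]:
    """For each mapped LDAP attribute, list the user IDs whose entry lacks it
    (or has it empty). Per-user detail instead of a single pass/fail."""
    props = parse_mapping(mapping)
    id_attr = props["userId"]
    report: Dict[str, List[str]] = {attr: [] for attr in props.values()}
    for e in entries:
        uid = e.get(id_attr, "<no userId>")
        for attr in props.values():
            if not e.get(attr):
                report[attr].append(uid)
    return report


def bad_email_values(mapping: str, entries: Sequence[Dict[str, str]]) -> List[str]:
    """User IDs whose mapped emailAddress value is present but is not an
    address. Catches workarounds like emailAddress=sAMAccountName, which
    save cleanly but import user names as e-mail addresses."""
    props = parse_mapping(mapping)
    id_attr, mail_attr = props["userId"], props["emailAddress"]
    return [e.get(id_attr, "<no userId>") for e in entries
            if e.get(mail_attr) and "@" not in e[mail_attr]]


def first_last(entry: Dict[str, str]) -> Optional[str]:
    """'firstName lastName' from AD givenName/sn; None if either is absent.
    RTC's mapping cannot concatenate, so a value like this would have to be
    pre-computed into a dedicated attribute before the LDAP sync runs."""
    given, sn = entry.get("givenName"), entry.get("sn")
    if not given or not sn:
        return None
    return f"{given} {sn}"


def case_mismatches(login_ids: Sequence[str], imported_ids: Sequence[str]) -> List[Tuple[str, str]]:
    """Logins that match an imported repository user ID only when case is
    folded. AD accepts sAMAccountName in any case, but the CRJAZ1183I text
    says the repository login is case-sensitive, so these users authenticate
    and are still reported as 'does not exist in the repository'."""
    exact = set(imported_ids)
    by_fold = {u.lower(): u for u in imported_ids}
    out: List[Tuple[str, str]] = []
    for login in login_ids:
        if login in exact:
            continue
        hit = by_fold.get(login.lower())
        if hit is not None:
            out.append((login, hit))
    return out


if __name__ == "__main__":
    for attr, users in missing_attributes(MAPPING, SAMPLE_ENTRIES).items():
        print(f"{attr}: missing on {users or 'nobody'}")
    print("bogus emails under workaround:",
          bad_email_values(MAPPING.replace("=mail", "=sAMAccountName"), SAMPLE_ENTRIES))
    print("derived names:", [first_last(e) for e in SAMPLE_ENTRIES])
    print("case-only login mismatches:",
          case_mismatches(["JKissinger", "svc-build"], ["jkissinger", "svc-build"]))
```

Run it against a real export by replacing `SAMPLE_ENTRIES` with the parsed output of the `ldapsearch` shown in the comment (or any other dump of the same attributes); the point of `missing_attributes` is to learn which accounts, not just whether any, lack `mail` before the import runs, since the 1.0.1.1 server downgrades the complaint to a warning and will happily import those users with no address.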

Scott Rich (57136) | answered Mar 05 '09, 1:47 p.m.
JAZZ DEVELOPER

Do I need to import ALL users that will access RTC?

Hey Jason,
Here's the link to the LDAP sync doc: http://publib.boulder.ibm.com/infocenter/rtc/v1r0m1/index.jsp?topic=/com.ibm.team.repository.web.admin.doc/topics/cldapsynctask.html

Hope this helps.

Scott Rich
IBM Jazz Team
