Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Login Problems with LDAP

Hello,

I have the same problem as Bruno in the following link: https://jazz.net/forum/questions/98319/login-problems-with-ldap

I have browsed through the questions in the forum, but I could not find an answer to my problem.
I shall try to describe it and maybe somebody can point me to the right discussion.

Very simply said, we are using RTC 4.0.2 on a VMware server which uses Windows Server 2008 R2.
The database we are using is MS SQL Server 2012.

I ran setup and configured LDAP, and I replaced the web.xml in each path and the server.xml. I imported users from LDAP, but when I ask one of them to try to connect to jts, rm, qm or ccm, they get the message "Invalid User ID or password". My account was an application user that I created instead of ADMIN. I deleted the entry that exists in the tomcat-users.xml with that user. When I try to connect I get the error "http 403"; when I try again it says: "CRJAZ1394E The user ID "xxxxx" is not a member of any Jazz J2EE roles but must be a member of one to access the repository".

When I connect to jts/admin and explore the user properties (with an application account and changing the configuration from LDAP to Tomcat users), I see that my user does not have any Jazz group checked and the check boxes are disabled.

Thanks for your help ...

0 votes


Accepted answer

Permanent link
This does show the mapping Joe was asking about.  E.g. com.ibm.team.repository.ldap.groupMapping=JazzAdmins\=Domain Users...

Did you use the Tool referenced in the other link to verify the LDAP settings and that this group can be found? 
omar pimentel selected this answer as the correct answer

0 votes

Comments

Hi Antoinette,

The file I downloaded just creates LDAP groups and users related to LDAP, so I declined it.

As you can see, I am using the LDAP group "Domain Users", which is a default group in LDAP and contains all the created users.

Besides, after I finished the setup, I could import users from Active Directory and assign them to a Project Area I created. Secondly, Jazz is validating the LDAP password: if I type a wrong password it displays a message; if I type the right one it tries to navigate to Jazz home.

Thanks.

I can synchronize users with LDAP.

Omar, I agree. You do not have a problem with the authentication. The message "not a member of any group", the syncing of users works, the "invalid un or pw" message all confirm that. What needs to be verified is the group settings:
a) the users are indeed assigned to the LDAP group - that's what we're asking if you confirmed with the LDAP Tool. You can either view the group and see what members are in there or view a user and see what his/her group is.
b) the group settings you configured - the base group DN, the group name property, the group member property. You indicated that the Tomcat xml files have been updated and copied over, but do they have the right values for the settings? These should all be confirmed by the LDAP administrator.
c) the group mapping - your properties file shows that is done and correct.

Hi Antoinette,

Thanks for your advice. The LDAP administrator and I downloaded the tool and reviewed the parameters you suggested. In that process we noticed that the Jazz groups he created were assigned as members of other groups instead of users directly.

I am very pleased with your help!
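An added example, not part of the original thread and not IBM's code: it parses a `groupMapping` line in the `teamserver.properties` syntax shown on this page and reports, per Jazz role, whether a user is a direct member of the mapped LDAP group or reachable only through a nested group, the condition Omar and the LDAP administrator found. The group names, DNs and the in-memory directory snapshot are constructed for illustration; in practice the member lists would come from an LDAP query on the attribute named by `membersOfGroup`.

```python
import re

KEY = "com.ibm.team.repository.ldap.groupMapping"

# Constructed sample in teamserver.properties syntax ('=' is escaped as '\=').
PROPS = r"""
com.ibm.team.repository.ldap.membersOfGroup=member
com.ibm.team.repository.ldap.groupMapping=JazzAdmins\=RTC Admins, JazzUsers\=RTC Users
"""

# Constructed directory snapshot: group cn -> values of its "member" attribute.
DIRECTORY = {
    "RTC Admins": ["cn=omar,ou=people,dc=example,dc=com"],
    "RTC Users": ["cn=Developers,ou=groups,dc=example,dc=com"],  # a group, not a user
    "Developers": ["cn=omar,ou=people,dc=example,dc=com",
                   "cn=bruno,ou=people,dc=example,dc=com"],
}

def parse_group_mapping(props_text):
    """Return {jazz_role: ldap_group_name} from the groupMapping property."""
    for line in props_text.splitlines():
        if line.startswith(KEY + "="):
            value = line.split("=", 1)[1].replace("\\=", "=").replace("\\:", ":")
            pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
            return {role.strip(): group.strip() for role, group in pairs}
    return {}

def membership(group, user_dn, directory, seen=None):
    """Classify user_dn as a 'direct', 'nested' or 'none' member of group."""
    seen = (seen or set()) | {group}  # groups already on this path (cycle guard)
    members = directory.get(group, [])
    if user_dn.lower() in (m.lower() for m in members):
        return "direct"
    for member in members:
        match = re.match(r"cn=([^,]+)", member, re.IGNORECASE)
        child = match.group(1) if match else None
        if child in directory and child not in seen:
            if membership(child, user_dn, directory, seen) != "none":
                return "nested"
    return "none"

def role_report(props_text, user_dn, directory):
    """Map each Jazz role to the user's membership status in its LDAP group."""
    mapping = parse_group_mapping(props_text)
    return {role: membership(grp, user_dn, directory) for role, grp in mapping.items()}

if __name__ == "__main__":
    for user in ("cn=omar,ou=people,dc=example,dc=com", "cn=bruno,ou=people,dc=example,dc=com"):
        print(user, role_report(PROPS, user, DIRECTORY))
```

A role reported as `nested` means the user passes authentication but only reaches the mapped group through another group, which is what this thread ended on.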


3 other answers

Permanent link
Omar, look in the teamserver.properties file - that's where the admin UI settings are saved. 

0 votes

Comments

Hi Antoinette,

This is the content of my teamserver.properties file:

#Thu Jan 16 17:14:00 BOT 2014
com.ibm.team.repository.ldap.membersOfGroup=member
com.ibm.team.repository.db.jdbc.location=//myDBServer\:1433;databaseName\=my_jts_db;user\=myjtsDBuser;password\={password}
com.ibm.team.repository.ldap.groupMapping=JazzAdmins\=Domain Users, JazzUsers\=Domain Users, JazzDWAdmins\=Domain Users, JazzProjectAdmins\=Domain Users, JazzGuests\=Domain Users
com.ibm.team.datawarehouse.auth.userId=etl_user
com.ibm.team.repository.changeEvent.expirationByCategory=SystemLog\:259200
com.ibm.team.datawarehouse.db.odsTableSpace=ts2
com.ibm.team.repository.ldap.baseUserDN=dc\=myDomainServer,dc\=com
com.ibm.team.datawarehouse.db.jdbc.location=//myDBServer\:1433;databaseName\=my_dwh_db;user\=my_dwhDBuser;password\={password}

.... file continues but we got a character limit in this interface

I will be waiting for your answer.

Thanks again!


Permanent link
Omar, to follow up on what Joe is asking, if you go to .../jts/admin > Server > Advanced Properties, there is a section for Group settings. Per that post you referenced, you can check your LDAP Group settings. The second part is in the "Jazz to LDAP Group Mapping" - is this filled in? What do you have it set to?

Toni

0 votes

Comments

As the server is configured to authenticate through LDAP, if I try to connect with ADMIN/ADMIN, it does not work. If I try to do it with my account and LDAP password, I get the error "You are not authorized to access Jazz Team Server Admin UI".

In order to prove what you are asking me to, I will configure the server to authenticate through tomcat-users.xml. OK?

Thanks Antoinette... 


Permanent link
Hi Omar,

Did you create Jazz groups in LDAP and map the user to that?

Regards
Joe

0 votes

Comments

Hi Joe,

I assigned the LDAP group "Domain Users" to all Jazz groups (i.e., JazzAdmins, JazzDWAdmins, JazzGuests, JazzUsers, JazzProjectAdmins). I did manage to manage the security just from the application without affecting SysAdmins.

Is there anything wrong?

Secondly, I notice that Jazz is validating my password with LDAP, because it does not display that my password is wrong; instead it tries to log me on, but it can achieve it, so it displays the following error:

"We're Sorry...

The user ID you logged in with is not recognizable.

You are not authorized to access Jazz Team Server Admin UI.

Error!"

Thanks for your help!



Question asked: Jan 17 '14, 5:34 p.m.

Question was seen: 7,238 times

Last updated: Jan 24 '14, 3:22 p.m.
