Login Problems with LDAP


omar pimentel (352024) | asked Jan 17 '14, 5:34 p.m.

Hello,

I have the same problem as Bruno in the following link: https://jazz.net/forum/questions/98319/login-problems-with-ldap

I have browsed through the questions in the forum, but I could not find an answer to my problem.
I shall try to describe it and maybe somebody can point me to the right discussion.

Very simply said, we are using RTC 4.0.2 on a VMware server which uses Windows Server 2008 R2.
The database we are using is MS SQL Server 2012.

I ran setup and configured LDAP; I replaced the web.xml in each path and the server.xml. I imported users from LDAP, but when I ask one of them to try to connect to jts, rm, qm or ccm, they get the message "Invalid User ID or password". My account was an application user that I created instead of ADMIN; I deleted the entry that exists in the tomcat-users.xml for that user. When I try to connect I get the error "http 403"; when I try again it says: "CRJAZ1394E The user ID "xxxxx" is not a member of any Jazz J2EE roles but must be a member of one to access the repository".

When I connect to jts/admin and explore the user properties (with an application account and changing the configuration from LDAP to tomcat users), I see that my user does not have any Jazz group checked and the check boxes are disabled.

Thanks for your help ...

Accepted answer


Antoinette Iacobo (650712) | answered Jan 20 '14, 5:11 p.m.
This does show the mapping Joe was asking about.  E.g. com.ibm.team.repository.ldap.groupMapping=JazzAdmins\=Domain Users...

Did you use the Tool referenced in the other link to verify the LDAP settings and that this group can be found? 
omar pimentel selected this answer as the correct answer

Comments
omar pimentel commented Jan 20 '14, 5:32 p.m.

Hi Antoinette,

The file I downloaded just creates LDAP groups and users related to LDAP, so I declined it.

As you can see I am using the LDAP group "Domain Users", which is a default group in LDAP and contains all the created users.

Besides, after I finished the setup, I could import users from Active Directory and assign them to a Project Area I created. Secondly, Jazz is validating the LDAP password: if I type a wrong password it displays a message; if I type the right one it tries to navigate to the Jazz home.

Thanks.


omar pimentel commented Jan 22 '14, 9:33 a.m.

I can synchronize users with LDAP.


Antoinette Iacobo commented Jan 23 '14, 10:23 a.m.

Omar, I agree. You do not have a problem with the authentication. The "not a member of any group" message, the fact that syncing of users works, and the "invalid un or pw" message all confirm that. What needs to be verified is the group settings:
a) the users are indeed assigned to the LDAP group - that's what we're asking if you confirmed with the LDAP Tool. You can either view the group and see what members are in there or view a user and see what his/her group is.
b) the group settings you configured - the base group DN, the group name property, the group member property. You indicated that the Tomcat xml files have been updated and copied over, but do they have the right values for the settings? These should all be confirmed by the LDAP administrator.
c) the group mapping - your properties file shows that it is done and correct.


omar pimentel commented Jan 24 '14, 3:22 p.m.

Hi Antoinette,

Thanks for your advice. The LDAP administrator and I downloaded the tool and reviewed the parameters you suggested. In that process we noticed that the Jazz groups he created were assigned as members of other groups instead of users directly.

I am very pleased with your help!
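The three checks Antoinette lists above (direct membership in the LDAP group, the group attributes, the role mapping) and the nested-group cause Omar reports, as an added example that is not part of this thread and is not IBM's code: a small Python script that parses the com.ibm.team.repository.ldap.groupMapping property exactly as it appears in teamserver.properties (Java properties escaping), then reports for a user DN which Jazz roles come from being a direct value of the group's member attribute and which would only come from nested group membership. The property lines, directory content and user DNs are constructed; treating only direct member values as effective follows the thread's finding, not any documented RTC behaviour.

```python
"""Check a Jazz-to-LDAP group mapping against directory group membership.

Added example, not from the jazz.net thread and not IBM's code. The
directory below is constructed: "Domain Users" contains a nested group
("RTC Staff") rather than the user bob directly, which is the situation
the thread ended up finding.
"""

# Constructed teamserver.properties excerpt; DN and names are placeholders.
PROPERTIES = r"""
#Thu Jan 16 17:14:00 BOT 2014
com.ibm.team.repository.ldap.membersOfGroup=member
com.ibm.team.repository.ldap.groupMapping=JazzAdmins\=Domain Users, JazzUsers\=Domain Users, JazzDWAdmins\=Domain Users, JazzProjectAdmins\=Domain Users, JazzGuests\=Domain Users
com.ibm.team.repository.ldap.baseUserDN=dc\=myDomainServer,dc\=com
"""

# Constructed directory: group DN -> values of its 'member' attribute.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=myDomainServer,DC=com": [
        "CN=RTC Staff,OU=Groups,DC=myDomainServer,DC=com",   # a nested group
        "CN=alice,CN=Users,DC=myDomainServer,DC=com",        # a direct user
    ],
    "CN=RTC Staff,OU=Groups,DC=myDomainServer,DC=com": [
        "CN=bob,CN=Users,DC=myDomainServer,DC=com",          # only reachable via nesting
    ],
}


def unescape(value):
    """Undo Java .properties escaping: '\\=' -> '=', '\\:' -> ':', '\\\\' -> '\\'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Parse key=value lines, splitting on the first unescaped '=' or ':'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        i = 0
        while i < len(line):
            if line[i] == "\\":
                i += 2          # skip the escaped character
                continue
            if line[i] in "=:":
                break
            i += 1
        props[unescape(line[:i]).strip()] = unescape(line[i + 1:]).strip()
    return props


def parse_group_mapping(mapping):
    """'JazzAdmins=Domain Users, JazzUsers=Domain Users' -> {role: LDAP group name}."""
    result = {}
    for pair in mapping.split(","):
        role, _, group = pair.strip().partition("=")
        if role:
            result[role.strip()] = group.strip()
    return result


def group_cn(dn):
    """First RDN value of a DN, e.g. 'CN=Domain Users,...' -> 'Domain Users'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_members(directory, group_name):
    """Values of the 'member' attribute of the group with that name (what the
    configured membersOfGroup attribute returns on a single read)."""
    for dn, members in directory.items():
        if group_cn(dn).lower() == group_name.lower():
            return set(members)
    return set()


def transitive_members(directory, group_name):
    """User DNs reachable by expanding nested groups, with cycle protection."""
    seen, users = set(), set()
    stack = list(direct_members(directory, group_name))
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        if dn in directory:           # nested group: expand it
            stack.extend(directory[dn])
        else:
            users.add(dn)
    return users


def roles_for_user(props, directory, user_dn):
    """Return (roles granted by direct membership, roles only reachable via nesting)."""
    mapping = parse_group_mapping(props["com.ibm.team.repository.ldap.groupMapping"])
    direct, nested_only = set(), set()
    for role, group in mapping.items():
        if user_dn in direct_members(directory, group):
            direct.add(role)
        elif user_dn in transitive_members(directory, group):
            nested_only.add(role)
    return sorted(direct), sorted(nested_only)


if __name__ == "__main__":
    props = parse_properties(PROPERTIES)
    for user in ("CN=alice,CN=Users,DC=myDomainServer,DC=com",
                 "CN=bob,CN=Users,DC=myDomainServer,DC=com"):
        direct, nested = roles_for_user(props, DIRECTORY, user)
        print(user, "direct:", direct, "nested only:", nested)
```

A user who shows up only in the "nested only" list is exactly the case from the thread: the group mapping is correct and the password check succeeds, but a server that reads just the direct member values sees no Jazz role for that user. Running the same check against a real directory means replacing DIRECTORY with the result of an LDAP search on the base group DN using the configured group name and member attributes.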

3 other answers



Antoinette Iacobo (650712) | answered Jan 20 '14, 3:21 p.m.
Omar, look in the teamserver.properties file - that's where the admin UI settings are saved. 

Comments
omar pimentel commented Jan 20 '14, 4:29 p.m.

Hi Antoinette,

This is the content of my teamserver.properties file:

#Thu Jan 16 17:14:00 BOT 2014
com.ibm.team.repository.ldap.membersOfGroup=member
com.ibm.team.repository.db.jdbc.location=//myDBServer\:1433;databaseName\=my_jts_db;user\=myjtsDBuser;password\={password}
com.ibm.team.repository.ldap.groupMapping=JazzAdmins\=Domain Users, JazzUsers\=Domain Users, JazzDWAdmins\=Domain Users, JazzProjectAdmins\=Domain Users, JazzGuests\=Domain Users
com.ibm.team.datawarehouse.auth.userId=etl_user
com.ibm.team.repository.changeEvent.expirationByCategory=SystemLog\:259200
com.ibm.team.datawarehouse.db.odsTableSpace=ts2
com.ibm.team.repository.ldap.baseUserDN=dc\=myDomainServer,dc\=com
com.ibm.team.datawarehouse.db.jdbc.location=//myDBServer\:1433;databaseName\=my_dwh_db;user\=my_dwhDBuser;password\={password}

.... the file continues, but there is a character limit in this interface

I will be waiting for your answer.

Thanks again!


Antoinette Iacobo (650712) | answered Jan 20 '14, 1:13 p.m.
Omar, to follow up on what Joe is asking, if you go to .../jts/admin > Server > Advanced Properties there is a section for Group settings. Per that post you referenced, you can check your LDAP Group settings. The second part is in the "Jazz to LDAP Group Mapping" - is this filled in? What do you have it set to?

Toni

Comments
omar pimentel commented Jan 20 '14, 1:47 p.m.

As the server is configured to authenticate through LDAP, if I try to connect with ADMIN/ADMIN, it does not work; if I try to do it with my account and LDAP password I get the error "You are not authorized to access Jazz Team Server Admin UI".

In order to prove what you are asking me to, I will configure the server to authenticate through tomcat-users.xml. OK?

Thanks Antoinette... 


Don Max (241229) | answered Jan 18 '14, 12:51 a.m.
Hi Omar,

Did you create Jazz groups in LDAP and map the user to them?

Regards
Joe

Comments
omar pimentel commented Jan 20 '14, 8:37 a.m.

Hi Joe,

I assigned the LDAP group "Domain Users" to all Jazz groups (i.e. JazzAdmins, JazzDWAdmins, JazzGuests, JazzUsers, JazzProjectAdmins). I did so in order to manage the security just from the application without affecting SysAdmins.

Is there anything wrong?

Secondly, I notice that Jazz is validating my password with LDAP, because it does not display that my password is wrong; instead it tries to log me on, but it cannot achieve it, so it displays the following error:

"We're Sorry...

The user ID you logged in with is not recognizable.

You are not authorized to access Jazz Team Server Admin UI.

Error!"

Thanks for your help!
