It's all about the answers!

Ask a question

Problem mapping custom LDAP groups to roles in Jazz

Michael Plautz (26711) | asked Sep 29 '14, 1:28 p.m.
Referring to this article, I am trying to map LDAP groups to roles in Jazz for setup.  I just got Jazz (Rational Team Concert) unpacked and started, I am using the latest September 9th 2014 5.0.1 release, and I started going through all of the setup.  I am using DB2 for the database, and I already got that all set up, and I went to the URL to begin my setup.  In the setup, I selected the option for LDAP authentication and got to the point where I was successfully able to authenticate when clicking the "Test Authentication" button.  After configuring this, it informed me that I needed to log out and log back in with my LDAP credentials to proceed.  (I also remember clicking on a "Save Tomcat Config Files" button near the bottom of the page).  I went and replaced the generated LDAP enabled XML configuration files with the originals, and shutdown and started up my server.  Now, I go to log back in, and it authenticates to the LDAP directory properly, but I see:

We're sorry...
The user ID you logged in with is not recognizable
If you used the default ADMIN user to log in, you likely disabled it during the setup.  Try again using the new admin user you created during the setup.

Well I then found this article on custom mapping from an LDAP directory.  This would be handy and a nice alternative to allowing everybody all roles (which would just be for test/proof of concept).  So I added a `<Resource>` element to the `<GlobalNamingResources>` element of tomcat's server.xml, I created , and I also created a file in `/opt/IBM/JazzTeamServer/server/tomcat/conf/Catalina/localhost/` called jts.xml because no jts.xml already existed, and I added basically what was in the article.  Other than this, my configuration (including the web.xml files for each webapp) is the same as per the article above.  I stop and start the server, and I log back in and see the same message above.  

It appears that I can get back in with ADMIN if I go to the tomcat/conf/server.xml and replace it with the original contents (which nullifies my LDAP settings as well).  

Is there anything that I am doing incorrectly?  Let's assume I wanted to go with the second method to define groups locally.  Are there any other changes I need to make to the web.xml file of each webapp?

Donald Nong commented Sep 29 '14, 8:02 p.m.

Two things that you did not mention and you may need to double check - the mapping file and the LDAPLocalGroupRegistryProvider advanced properties in JTS. You may also turn on the LDAP debugging using the file of JTS (although I am not sure whether it will reveal anything about local group mapping).

Michael Plautz commented Sep 30 '14, 4:27 p.m.

So I did find, after asking my company's LDAP administrator, that the group I was trying to authenticate against was actually not a group, but a container, and therefore did not have a member property.  I actually never got a "warm fuzzy green" when I clicked Test Connection for LDAP. I got a message saying "Some of the users in this group do not have a member attribute," which was to be expected, since I was creating a global account, and I knew there would be some users in this group that didn't have all the attributes.

What I still can't figure out is how to do what the second article mentions, which is how to do the mapping file and get it to be recognized without getting the user ID not recognizable error. I did what the article said (as I described above). I can enable the log4j for JTS, but the article never talked about going into the JTS advanced properties. I was maybe hoping for clarification on how to do the local group mapping. After I create the mapping file, and make an entry in the server.xml file for it, what do I need to do to each webapp's web.xml? How do I format jts.xml? Does it just have one element?

Accepted answer

permanent link
Ralph Schoon (62.7k33643) | answered Sep 30 '14, 5:46 a.m.
edited Sep 30 '14, 5:49 a.m.
The setup mentions to validate the settings.

Another thing with Tomcat and LDAP is that you need to replace some descriptor files for all the applications JTS, CCM, RM, QM (save the old ones and copy the new ones over) This used to be described in the setup LDAP setup step, after setting - as described in the LDAP setup using the button Save Tomcat Config Files and the related description. 

The new configuration files were saved in the tomcat folder. Click "Next" to save the LDAP settings. Replace server.xml and web.xml with the new files and restart Tomcat.
show details

You need to restart the server after that.

I would suggest to really follow to make sure your settings are correct.

Also, you need to have the new user you want to use for the login in LDAP, with the right repository groups. the steps above should provide you with the information.
Michael Plautz selected this answer as the correct answer

Ralph Schoon commented Sep 30 '14, 5:51 a.m.

Most of the steps mentioned above you did. We described the process here, I think: maybe that helps a bit.

Michael Plautz commented Oct 08 '14, 10:35 a.m.

Ralph, that was really all it was - I just needed to verify the LDAP settings. I followed the link that you posted, and I even got the LDAP Browser tool installed. Ultimately, even though I could provide user level access, my roles were not working because the top-level group I was trying to assign as a role, CN=Users,DC=Domain,DC=Com, was in fact not a group, but a container. According to the protocol of LDAP, it doesn't work this way - I cannot assign a role to a container, only to a group. So, I just went ahead and got a group created and everything worked fine - I got the warm fuzzy green when I went to test the settings (this is required for it to work - not getting a warm fuzzy green when you hit test connection will not allow your setup to work), and it works fine now.

The final unanswered question is how to get local role mapping to work. I am no longer interested in this because I now have the ability to have LDAP groups organized in my company, but I followed the article and could not get it to work the way it said it should.

Ralph Schoon commented Oct 08 '14, 10:44 a.m.

Great you got it working Michael. Sadly I am not an expert for all this. I just get along somehow. Maybe you could contact support if the description you have does not work.

Your answer

Register or to post your answer.