
How to switch from non-LDAP to LDAP with Tomcat and RTC 4 or 5?


Mike Shkolnik (9657160143) | asked Oct 29 '14, 7:08 p.m.
I see some instructions for setting up RTC on Tomcat with LDAP to start with, but couldn't find instructions for switching over. We have kept login IDs roughly the same between LDAP and Tomcat. I say roughly because LDAP has some IDs in mixed case while all our Tomcat logins are the same ID but all lower case. If necessary, we will likely change the ID to all lower case in LDAP if that creates a problem. Aside from case, though, the IDs are the same. The more automated I can make the migration, the better.

I know at the least I need to create 4 LDAP groups to match the groups in RTC (JazzAdmins, JazzDWAdmins, JazzUsers, JazzGuests) and then add people to the same groups they are already on in RTC. Beyond that, I don't know what to do. I also don't know what I need to do (if anything) about accounts that don't exist in LDAP because they aren't actual people (such as the accounts that interface with the database). Would greatly appreciate some advice.

One answer



Ralph Schoon (60.5k33643) | answered Oct 30 '14, 6:24 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Mike, the general outline would be:

  1. Set up LDAP and configure the group membership for the users.
  2. You need to have at least one user with the JazzAdmins group and an ID that is identical to a user ID you already have in Tomcat.
  3. If you have that, you configure LDAP in the JTS/RTC setup. With Tomcat the instructions include generating some files and replacing the original ones in the deployed apps to enable LDAP.
  4. You log in with LDAP and the administrative user.

If you need to, either enable ignorecase for the IDs or, better, look into http://rsjazz.wordpress.com/2012/10/12/changing-the-jazz-user-id-using-the-rtc-plain-java-client-libraries/ for how to change the IDs prior to switching over to LDAP.


If all goes well, the users should now be able to use their LDAP ID and password to log in.


I would suggest trying this on a test system with Tomcat and Derby. The setup page for LDAP provides you with a link to a support page that describes how to test that the LDAP expressions work. I strongly recommend following that.

I think we described the process here as well: https://jazz.net/library/article/831
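A pre-migration reconciliation check, added here as an example and not part of the answer or of any Jazz tooling: it reads the Tomcat user file, compares each account against an LDAP listing, and reports case-only mismatches (the ignorecase / ID-change decision above), accounts with no LDAP counterpart (the service accounts from the question), and group membership differences. It also verifies step 2 of the outline, that at least one JazzAdmins ID is identical in both systems. The `tomcat-users.xml` content and the LDAP listing are constructed samples; in practice the LDAP side would be exported from the directory.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not from the post); a namespace
# declaration, as newer Tomcat versions emit, is handled by the parser below.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="mshkolnik" password="x" roles="JazzAdmins,JazzUsers"/>
  <user username="jdoe" password="x" roles="JazzUsers"/>
  <user username="bsmith" password="x" roles="JazzUsers,JazzDWAdmins"/>
  <user username="dw_user" password="x" roles="JazzUsers"/>
</tomcat-users>
"""

# Constructed LDAP listing: uid -> Jazz group names the uid is a member of.
LDAP_USERS = {
    "MShkolnik": {"JazzAdmins", "JazzUsers"},  # same person, mixed-case uid
    "jdoe": {"JazzUsers"},
    "bsmith": {"JazzUsers"},                    # lost JazzDWAdmins in LDAP
}

def parse_tomcat_users(xml_text):
    """Return {username: set(roles)} from tomcat-users.xml, ignoring namespaces."""
    users = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "user":
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            users[el.get("username")] = roles
    return users

def reconcile(tomcat_users, ldap_users):
    """Classify every Tomcat account: exact match, case-only match, or missing,
    and record group differences (tomcat-only, ldap-only) for matched IDs."""
    by_lower = {uid.lower(): uid for uid in ldap_users}
    report = {"exact": [], "case_only": [], "missing": [], "group_diff": []}
    for tid, roles in tomcat_users.items():
        if tid in ldap_users:
            lid = tid
            report["exact"].append(tid)
        elif tid.lower() in by_lower:
            lid = by_lower[tid.lower()]
            report["case_only"].append((tid, lid))
        else:
            report["missing"].append(tid)   # e.g. service/ETL accounts
            continue
        if roles != ldap_users[lid]:
            report["group_diff"].append(
                (tid, sorted(roles - ldap_users[lid]), sorted(ldap_users[lid] - roles)))
    return report

def has_admin_exact_match(tomcat_users, ldap_users):
    """Step 2 check: a JazzAdmins ID spelled identically in Tomcat and LDAP."""
    return any("JazzAdmins" in roles and "JazzAdmins" in ldap_users.get(tid, set())
               for tid, roles in tomcat_users.items())
```

Run it before the switch-over: a `missing` entry needs a decision (keep a local account or create a functional LDAP entry), a `case_only` entry means ignorecase or an ID change, and a `False` from the admin check means you would lock yourself out.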



Comments
Georg Kellner commented Oct 30 '14, 9:08 a.m.

We followed those instructions some weeks ago, and in general it was fine.

One "problem" we had was the data warehouse jobs, as they used the built-in users called dw_user or etl_user, in combination with a 3.0 installation where we couldn't change the license to the new user.
After moving to 4.0 we could change the license, and some configuration in the DWH config had to be done, like setting the authentication from JTS to Form and, of course, changing the job settings to the new user.
