No Longer have Administrator access after changing LDAP Domains (xyz.com to abc.com)
We need to reconfigure WebSphere security from one LDAP system (xyz) to Microsoft Active Directory. We have reconfigured WebSphere security for accessing Active Directory and set up the JazzAdmin/User roles (in WebSphere). We need to log into Jazz Team Server to add the new user IDs and remove the old user IDs. The problem is that the default user ID and password (ADMIN/ADMIN) do not work.
From reading the forum, it seems that this is disabled when LDAP is set up. I have tried, without success, to re-enable the ADMIN ID by modifying the teamserver.properties file to set the admin access parameter to true. I also tried to create a new user by using repotools -createUser. The createUser command requires an administrator ID and password. It generates the following error:
CRJAZ1357E The repotools command failed to log in to the following server: https://URL:PortNumber/jts. Check the login credentials.
Which, to me, is a sure indication that the user ID and password were not correct for the command to work. We do not know the user ID and password of any user that had administrator access.
How do we get administrator access?
2 answers
1. Re-enable the "ADMIN" user, which you have already done.
2. Add the "ADMIN" user, even just temporarily, to the new LDAP server. It should be added to a group mapped to the JazzAdmins role. Note that during login you need to use the LDAP password rather than the default "admin".
Or you can (temporarily) add an LDAP user with the same Id as any existing users registered in JTS.
Applications / Application Types / Websphere enterprise applications
Look at the settings under each of jts_war, ccm_war, qm_war (or jazz_war, depending on the heritage of the application) under "Security role to user/group mapping", and remap JazzAdmin, JazzUsers, etc. to new groups in your ID management system. Hopefully, ID forms are common between the prior and new external registry.
Comments
The user ID forms are not the same from the old registry to the new. What I think needs to change is the user information in the Jazz Server admin. The security roles for each application (as you mention above) have been done.
Thank you for responding!
Are you mapping roles to groups or individuals? It's my understanding that the JTS will import missing members of the various Jazz roles periodically.
You might consider enabling LDAP logging [would require restart in your case]. Edit conf/jts/log4j.properties:

    LDAP access from jazz
    Turn on query trace against the LDAP server
    log4j.logger.com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistry=DEBUG

by uncommenting that last line, maybe using INFO over DEBUG.
You could also query the JTS database for existence of your new ID.
[omitting connection details, etc.]
select * from repository.contributor where user_id='your-new-id'
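As an added illustration (not part of the thread or of the Jazz product), a small Python helper that applies the conf/jts/log4j.properties change suggested above: it uncomments or sets the LDAPUserRegistry logger line to the requested level (INFO rather than DEBUG keeps the trace smaller, as the comment notes) and reports the level currently active. The properties excerpt in SAMPLE is constructed for the example and is not a real JTS configuration file; make the change on a copy of the real file and restart the server for it to take effect.

```python
"""Toggle the JTS LDAP user-registry logger in a log4j.properties file."""
import re

# Logger name quoted in the thread above.
LDAP_LOGGER = ("log4j.logger.com.ibm.team.repository.service.jts"
               ".internal.userregistry.ldap.LDAPUserRegistry")

# Standard log4j 1.x levels; anything else is rejected rather than written.
LEVELS = {"TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"}


def set_logger_level(props_text, logger=LDAP_LOGGER, level="INFO"):
    """Return props_text with `logger` set to `level`.

    A commented-out line (#logger=...) is uncommented and its level replaced,
    an active line has its level replaced, and a missing line is appended.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown log4j level: {level}")
    # Match the line whether or not it is currently commented out.
    pattern = re.compile(r"^\s*#?\s*" + re.escape(logger) + r"\s*=.*$", re.M)
    new_line = f"{logger}={level}"
    if pattern.search(props_text):
        return pattern.sub(new_line, props_text, count=1)
    sep = "" if props_text.endswith("\n") else "\n"
    return props_text + sep + new_line + "\n"


def logger_level(props_text, logger=LDAP_LOGGER):
    """Return the active (uncommented) level for `logger`, or None if unset."""
    pattern = re.compile(r"^\s*" + re.escape(logger) + r"\s*=\s*(\S+)", re.M)
    match = pattern.search(props_text)
    return match.group(1) if match else None


# Constructed excerpt, not a real conf/jts/log4j.properties.
SAMPLE = (
    "log4j.rootLogger=WARN, stdout\n"
    "# LDAP access from jazz\n"
    "# Turn on query trace against the LDAP server\n"
    "#" + LDAP_LOGGER + "=DEBUG\n"
)

if __name__ == "__main__":
    print("before:", logger_level(SAMPLE))        # None: line is commented out
    updated = set_logger_level(SAMPLE, level="INFO")
    print("after: ", logger_level(updated))       # INFO
    print(updated)
```

Running the script prints the rewritten excerpt with the logger line uncommented and set to INFO; feeding it the real file contents instead of SAMPLE applies the same change, and logger_level on the result confirms what the server will read after the restart.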