No Longer have Administrator access after changing LDAP Domains (xyz.com to abc.com)


O. Frank Allen (622) | asked Nov 20 '14, 10:26 a.m.
edited Nov 20 '14, 10:29 a.m.

We need to reconfigure WebSphere security from one LDAP System (xyz) to Microsoft Active Directory. We have reconfigured WebSphere security for accessing Active Directory and set up the JazzAdmin/User roles (in WebSphere). We need to log into Jazz Team Server to add the new userIds and remove the old userIds. The problem is that the default user Id and password (ADMIN/ADMIN) do not work.

From reading the forum, it seems that this is disabled when LDAP is set up. I have tried, without success, to re-enable the ADMIN id by modifying the teamserver.properties file to set the admin access parameter to true. I also tried to create a new user by using repotools -createUser. The createUser command requires an administrator id and password. It generates the following error:

CRJAZ1357E The repotools command failed to log in to the following server: https://URL:PortNumber/jts. Check the login credentials.

Which, to me, is a sure indication that the userId and password were not correct for the command to work. We do not know the user Id and password of any user that had administrator access.

How do we get administrator access?

Please Help. Thanks in Advance... O. Frank

2 answers



Kevin Ramer (4.5k8183200) | answered Nov 20 '14, 11:52 a.m.
There are steps in configuring the User Roles in jts, ccm, qm war setups. It sounds like you can access your WebSphere management with new LDAP. Is that correct? If so, one step you will need to perform is mapping groups to jazz roles along this WebSphere path:

Applications / Application Types / WebSphere enterprise applications

Look at the settings under each of jts_war, ccm_war, qm_war (or jazz_war, depending on the heritage of the application): "Security role to user/group mapping"

and remap the JazzAdmin, JazzUsers, etc. to new groups in your ID management system. Hopefully, Id forms are common between the prior and new external registry.


Comments
O. Frank Allen commented Nov 20 '14, 12:51 p.m.

The user Id forms are not the same from the old registry to the new. What I think needs to change is the user information in the Jazz Server admin. The security roles for each application (as you mention above) have been done.
Thank you for responding!


Kevin Ramer commented Nov 20 '14, 1:03 p.m.

Are you mapping roles to groups or individuals? It's my understanding that the JTS will import missing members of the various jazz roles periodically.

Edit conf/jts/log4j.properties
You might consider enabling LDAP logging [ would require restart in your case ].

LDAP access from jazz
Turn on query trace against the LDAP server
log4j.logger.com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistry=DEBUG

by uncommenting that last line, maybe using INFO over DEBUG.

You could also query the JTS database for existence of your new ID.
[ omitting connection details, etc. ]
select * from repository.contributor where user_id='your-new-id'


Donald Nong (14.5k414) | answered Nov 20 '14, 8:05 p.m.
You need to do two things.
1. Re-enable the "ADMIN" user, which you have already done.
2. Add the "ADMIN" user, even just temporarily, to the new LDAP server. It should be added to a group mapped to the JazzAdmins role. Note that during login you need to use the LDAP password rather than the default "admin".
Or you can (temporarily) add an LDAP user with the same Id as any existing users registered in JTS.
