It's all about the answers!

Ask a question

JNDI CombinedRealm authentication with CLM 5.0.2


Brian Furner (622) | asked Dec 23 '14, 12:42 p.m.
We have recently deployed Rational Team Concert 5.0.2 on TomCat and are trying to get multiple LDAP authentication working.  Our environment includes two Active Directories which share a two-way trust against which we would like to authenticate (lets call them domain1.edu and domain2.edu).  

If I setup TomCat with the following realm I am able to import users from domain1.edu, but not from domain2.edu despite the two-way trust.

<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="ACCT" connectionPassword="PWD" connectionURL="ldap://myldap.domain1.edu:3268" referrals="follow" roleBase="" roleName="cn" roleSearch="(member={0})" roleSubtree="true" userBase="OU=People,DC=domain1,DC=edu" userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))" userSubtree="true"/>

One option I have explored is using CombinedRealm in TomCat, but if I setup it up as follows, I still can only import users from domain1.edu and not domain2.edu

<Realm className="org.apache.catalina.realm.CombinedRealm">
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="ACCT" connectionPassword="PWD" connectionURL="ldap://myldap.domain1.edu:3268" referrals="follow" roleBase="ou=Groups,dc=domain1,dc=edu" roleName="cn" roleSearch="(member={0})" roleSubtree="true" userBase="OU=People,DC=domain1,DC=edu" userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))" userSubtree="true"/>
<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="ACCT" connectionPassword="PWD" connectionURL="ldap://myldap.domain2.edu:3268" referrals="follow" roleBase="ou=Groups,dc=domain2,dc=edu" roleName="cn" roleSearch="(member={0})" roleSubtree="true" userBase="OU=People,DC=domain2,DC=edu" userSearch="(&amp;(objectCategory=person)(sAMAccountName={0}))" userSubtree="true"/>
</Realm>

If anyone has experience setting up authentication against multiple active directories in TomCat hosted Rational Team Concert I would love to get some advice.

One answer



permanent link
Donald Nong (14.5k614) | answered Dec 23 '14, 7:30 p.m.
Whether you can "import" users from the LDAP server depends on the settings in JTS, not Tomcat. Also, when importing users, it's more about searching groups rather than users - JTS will send a query to the LDAP server to retrieve the JAZZ* groups along with their members(users), then go through all the users in the response and add or update them in the repository.
The Tomcat setting will affect whether users from multiple LDAP servers can "authenticate".
If you have two Active Directory servers, maybe you can consider using a global catalog?

Comments
Brian Furner commented Dec 26 '14, 1:55 p.m.

Thanks Donald, this is very helpful perspective.


In terms of the "import" functionality, I am able to do ad-hoc searching for LDAP users in domain1 using the web interface, including users that are not already in one of the mapped JAZZ* groups, but the same is not true for domain2. 

I presently have the realms configured to attach to port 3268 which should be the global catalog port, but users from the trusted domain do not show up.

I am not very clear about the relationship between the TomCat configuration file settings and what I observe in Jazz Team Server Advanced Properties settings.  I have TomCat configured for the CombinedRealm, but the JTS Advanced Properties shows only a single LDAP configuration.  I assume the JTS interface only allows the specifying of a single LDAP configuration??


Donald Nong commented Dec 28 '14, 5:54 p.m.

Hi Brian,
If I understand correctly, the Tomcat LDAP configuration and JTS LDAP configuration are independent of one another. The Tomcat configuration is mainly for authentication and the JTS configuration is for everything else (such as finding an LDAP user).
JTS just acts as an LDAP client when connecting to an LDAP server, and those "advanced properties" settings are used for constructing the LDAP queries. If you can use another LDAP client to get users from both domains, you should be able to do the same for JTS.
The reason I suggested global catalog is that the two domains should be seen as one by an LDAP client.

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.