It's all about the answers!

Ask a question

How to sync users defined in WAS (Users & Groups) not ldap with JTS & CCM

Ravikanth Chavali (25824) | asked Jan 11 '15, 9:05 p.m.
edited Jan 11 '15, 11:03 p.m.

I am yet to integrate WAS with LDAP.

I have manually defined users and groups in WAS thru admin console. The group names exactly match the Repository Permissions in JTS. I have assigned these WAS groups to the WAS users.

I have mapped the application roles to the corresponding WAS groups.

I was hoping to avoid redefining the users in JTS again.

How can we sync the users defined in WAS with JTS & CCM ? Can we use the repotools command line ?

I tried: 
./ -syncUsers repositoryURL= adminUserId=XXXX adminPassword=XXXXX
I got an error message:
Repo Tools
Provisioning using "./conf/jts/provision_profiles".
  Jazz Foundation - Core Libraries, Version 5.0.1 (RJF-I20140805-1241)
CRJAZ1389E The Jazz server is configured to use 'UNSUPPORTED' user directory. User synchronization is not supported by the configured user directory. 

Also, In the same scenario, If I try enabling self registration approach with users defined in WAS but not ldap integration, the feature did not work. Instead I got the same message when this feature was disabled by default. CRJAZ2612E ravikanth is not a user in the repository. Check the spelling and capitalization of the user ID. The user might need to be imported into the repository.

Does that mean that auto registration also requires WAS to be integrated with LDAP or similar and does not work with users defined in WAS ?

Ravikanth Chavali

One answer

permanent link
Lily Wang (4.9k714) | answered Jan 12 '15, 12:09 a.m.
Hi Ravi,
If you are using "Unsupported" user registry type in JTS, you can not use "repotools -syncUsers" command. The command is for LDAP user registry only. You have to manually create users which have the same userid as you created in WAS.
I'm not quite understand about the auto registration you mentioned.
If you defined a user in WAS and assigned the user to one of the Jazz related WAS group, you need to manually create the user (using same userid) in jts/admin. The you can access JTS and CCM using the user id and the password you defined in WAS.

Lonnie VanZandt commented Mar 25, 10:39 a.m.
If the -migrateToJsaSso script is run, that script will set the to UNSUPPORTED away from DETECT (for Liberty) or LDAP (for LDAP).

As soon as that is done, the -syncUser script ceases to work - and very likely the nightly synchronization also ceases.

How then does one automate the synchronization of changes in the peer LDAP server into Jazz CLM on an automated, ideally immediate basis?

It cannot be that administrators are required to update both the LDAP servers and the Jazz CLM user repositories - that would negate the purpose, the intention for the LDAP server and delegated Identity Management.

There is a gap in IBM Jazz documentation on how to deploy a CLM suite with JAS SSO with using an external LDAP server for the management of Users and Groups.

Please work internally at IBM to track down the configuration steps for this and update available IBM Knowledgebase articles to describe this scenario for clients who are deploying without a portfolio of IBM applications.

Your answer

Register or to post your answer.