[closed] LDAP Integration with multiple LDAP DNs (multiple AD Forests) with Jazz V.6.0 and later


Guido Schneider (3.4k1491115) | asked Sep 08 '15, 10:05 a.m.
closed Nov 10 '16, 3:07 a.m. by Ralph Schoon (63.6k33646)

Hello All, 

I have a question about the LDAP integration with Jazz.

We have the issue that our company will introduce a second AD forest with user accounts in it. This means we will have two LDAP registries with different base DNs. In Jazz 5.0.2 it is (as far as I know) not possible to define two different LDAP registries with different DNs, user accounts and servers to verify username/password in multiple DNs. (btw. ClearQuest can do this).

WAS itself could do this with federated repository, but the login is done in Jazz (Java-EE) and not in WAS. WAS does the access group resolution and the groups for the user import, if I’m correct.

My idea is now (we have Jazz 6.0) to introduce JAS (Jazz Authorization Server), based on the WAS Liberty profile. There it should be possible to define multiple LDAP registries with different DNs, etc.

I read through these documents:

JAS: http://www-01.ibm.com/support/knowledgecenter/SSYMRC_6.0.0/com.ibm.jazz.install.doc/topics/c_jsasso_jas_user_mgmt.html

LDAP in Websphere Liberty: http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_ldap.html?cp=SSEQTP_8.5.5%2F1-3-11-0-4-2-0-1

Does anybody know if this idea is correct and the approach could work?

Following applications must work

  • JTS
  • CCM
  • QM
  • RM
  • JRS (DCC, RB)
  • DM

Any technotes/info/recommendations on this? Has anybody experience with JAS?

Many thanks
Guido

The question has been closed for the following reason: "The question is answered, right answer was accepted" by rschoon Nov 10 '16, 3:07 a.m.

Accepted answer


Donald Nong (14.5k614) | answered Sep 08 '15, 9:32 p.m.
I cannot comment on the JAS part as I have not actually done it yet, but I would like to clarify the WAS federated repository bit. With this configuration, the authentication (login) is done by WAS, and it assigns the repository role as well - in fact, it's always done by the application server (WAS or Tomcat). This means that as long as you configure multiple LDAP servers in WAS correctly, following the instructions in the below article, CLM should work without any issues.
https://jazz.net/library/article/604

The challenge is still user synchronization as you can configure the LDAP server in JTS only one at a time.
Guido Schneider selected this answer as the correct answer

Comments
Guido Schneider commented Sep 21 '15, 3:10 p.m.

Hello Donald, thank you for the answer.


I tried this setup now with a federated repository pointing to two AD domains.
Result:
- for users of one domain all is working perfectly
- users of the other domain can log in to Jazz but they get an authorization failure: not a member of any repository groups
BUT: when I look at the user in the JTS/CCM/QM/RM admin page user management, he is a member of the repository group, e.g. JazzUsers. The checkbox is checked and grayed out.

So it looks to me like the app is doing something different in runtime privilege evaluation than in user management.

The user synch is not important yet for me. First the logins must work.

Any idea? Do you know how this group evaluation is done at runtime?


Donald Nong commented Sep 21 '15, 8:27 p.m.

CLM applications do not interact with the external user registry directly. The repository role assignment should be done during the authentication by the application server. With the user logged in, use the URL /<app>/authenticated/identity to verify this. For example, the URL https://jazz.net/jazz/authenticated/identity shows the privileges on jazz.net, and mine is

{
    "userId": "dnong",
    "roles": [
        "JazzUsers"
    ]
}
Double check the J2EE role mapping settings of the application in WAS if in doubt.
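The check Donald describes above, as an added example that is not part of the original thread: collect the JSON body that /<app>/authenticated/identity returns for the same logged-in user from each CLM application and compare the granted roles. The context roots, the required role set and the sample responses are assumptions constructed for the example (the responses model the symptom in this thread: login succeeds, but some applications grant no repository role).

```python
"""Compare CLM repository-role assignment across applications (added example).

Each CLM application exposes /<app>/authenticated/identity, which returns the
logged-in user's id and the J2EE roles the application server granted, e.g.
{"userId": "dnong", "roles": ["JazzUsers"]}. Comparing that answer across
applications makes a user who "can log in but gets authorization failure"
show up as an empty or incomplete role list on the affected apps.

The responses below are constructed sample data, not captured from a server.
"""
import json
from typing import Dict, Iterable, Set, Tuple

# Assumed context roots; adjust to the deployment being checked.
CLM_APPS = ("jts", "ccm", "qm", "rm", "rs", "dm")


def identity_urls(base_url: str, apps: Iterable[str] = CLM_APPS) -> Dict[str, str]:
    """URLs to request while logged in (browser, or curl with the session cookie)."""
    base = base_url.rstrip("/")
    return {app: f"{base}/{app}/authenticated/identity" for app in apps}


def parse_identity(body: str) -> Tuple[str, Set[str]]:
    """Return (userId, roles) from one identity response; roles may be empty."""
    data = json.loads(body)
    user = data.get("userId")
    if not isinstance(user, str) or not user:
        # No userId means the request was not authenticated at all.
        raise ValueError("identity response has no userId: not authenticated")
    return user, set(data.get("roles") or [])


def check_roles(responses: Dict[str, str], required: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each app to the required roles its identity response does NOT grant.

    Raises if the apps disagree about who the user is, which would indicate
    that the login resolved to different registry entries per application.
    """
    required_set = set(required)
    missing: Dict[str, Set[str]] = {}
    seen_users: Set[str] = set()
    for app, body in responses.items():
        user, roles = parse_identity(body)
        seen_users.add(user)
        gap = required_set - roles
        if gap:
            missing[app] = gap
    if len(seen_users) > 1:
        raise ValueError(f"apps returned different userIds: {sorted(seen_users)}")
    return missing


# Constructed sample: a user from the second forest whose group is mapped to
# JazzUsers on JTS and RM only, so CCM and QM grant no role.
SAMPLE_RESPONSES = {
    "jts": '{"userId": "jdoe", "roles": ["JazzUsers"]}',
    "ccm": '{"userId": "jdoe", "roles": []}',
    "qm": '{"userId": "jdoe", "roles": []}',
    "rm": '{"userId": "jdoe", "roles": ["JazzUsers"]}',
}


def report(responses: Dict[str, str] = SAMPLE_RESPONSES,
           required: Iterable[str] = ("JazzUsers",)) -> Dict[str, Set[str]]:
    """Print one line per application and return the missing-role map."""
    missing = check_roles(responses, required)
    for app in responses:
        gap = missing.get(app)
        status = "OK" if not gap else "MISSING " + ", ".join(sorted(gap))
        print(f"{app:4s} {status}")
    return missing


if __name__ == "__main__":
    report()
```

An application that reports an empty role list for a user who can still log in is the one whose J2EE role mapping lacks that user's group; the check is per application because, as the comments below note, the mapping has to be done for each of JTS, CCM, QM and so on separately.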


Adam Wereszczynski commented Sep 24 '15, 8:30 a.m. | edited Sep 24 '15, 8:30 a.m.

Hi Guido,

Did you also map groups from the second AD to Repository Roles for all applications? In a federated repository in WAS you should now be able to see groups from both ADs, and you must add the groups from both ADs to each of the JazzAdmins, JazzUsers, etc. mappings for the JTS, CCM & QM applications.

As for the JAS, it is possible to use multiple LDAP servers with it just as with regular WAS, but I don't know if there was any improvement in the LDAP synchronization (it only synchronizes users with the LDAP server configured in the JTS server's Advanced Properties).
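As an added example that is not from the original thread or from IBM's documentation, this is the shape the setup discussed in the accepted answer and in the comment above takes on a Liberty server (the JAS/Liberty option raised in the question): two ldapRegistry elements, one per forest, federated into one realm, and a J2EE role binding that lists the group from both forests for every repository role. On full-profile WAS the same two pieces are configured through the admin console (Federated repositories, and the application's security role to user/group mapping). Host names, base DNs, group names, bind accounts, variable names and the application element are placeholders.

```xml
<server description="Two AD forests federated into one realm (added example, placeholder names)">
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>federatedRegistry-1.0</feature>
  </featureManager>

  <!-- One registry per forest. Bind with a least-privilege read-only account over
       LDAPS; the password comes from a variable, not from this file. -->
  <ldapRegistry id="forestA" realm="corpRealm"
      host="dc01.forest-a.example" port="636" sslEnabled="true" sslRef="ldapSSL"
      ldapType="Microsoft Active Directory"
      baseDN="DC=forest-a,DC=example"
      bindDN="CN=jazz-bind,OU=Service Accounts,DC=forest-a,DC=example"
      bindPassword="${ldap.forestA.password}"
      recursiveSearch="true"/>

  <ldapRegistry id="forestB" realm="corpRealm"
      host="dc01.forest-b.example" port="636" sslEnabled="true" sslRef="ldapSSL"
      ldapType="Microsoft Active Directory"
      baseDN="DC=forest-b,DC=example"
      bindDN="CN=jazz-bind,OU=Service Accounts,DC=forest-b,DC=example"
      bindPassword="${ldap.forestB.password}"
      recursiveSearch="true"/>

  <!-- Both base entries participate in one realm, so a login is resolved
       against either forest and the application sees a single registry. -->
  <federatedRepository>
    <primaryRealm name="corpRealm">
      <participatingBaseEntry name="DC=forest-a,DC=example"/>
      <participatingBaseEntry name="DC=forest-b,DC=example"/>
    </primaryRealm>
  </federatedRepository>

  <ssl id="ldapSSL" keyStoreRef="defaultKeyStore" trustStoreRef="ldapTrustStore"/>
  <keyStore id="ldapTrustStore" location="ldapTrust.p12" password="${ldap.trust.password}"/>

  <!-- Placeholder application element; repeat the binding for every CLM application.
       Each repository role must list the group from BOTH forests. A group that is
       mapped from only one forest leaves the other forest's users able to log in
       but with no role, which is the authorization failure described in this thread.
       Groups in the two forests may share a name, so access-id pins each entry to
       its own forest's DN. -->
  <application id="jts" name="jts" location="jts.war" type="war">
    <application-bnd>
      <security-role name="JazzUsers">
        <group name="Jazz Users" access-id="group:corpRealm/CN=Jazz Users,OU=Groups,DC=forest-a,DC=example"/>
        <group name="Jazz Users" access-id="group:corpRealm/CN=Jazz Users,OU=Groups,DC=forest-b,DC=example"/>
      </security-role>
      <security-role name="JazzAdmins">
        <group name="Jazz Admins" access-id="group:corpRealm/CN=Jazz Admins,OU=Groups,DC=forest-a,DC=example"/>
        <group name="Jazz Admins" access-id="group:corpRealm/CN=Jazz Admins,OU=Groups,DC=forest-b,DC=example"/>
      </security-role>
    </application-bnd>
  </application>
</server>
```

Two caveats from later in this thread apply to any such configuration: the group type matters (Guido reports that Domain Local groups did not work for him and Universal groups were needed), and the JTS user synchronization in Advanced Properties still points at only one LDAP server, so the federation covers authentication and role assignment but not user import.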


Guido Schneider commented Sep 24 '15, 3:39 p.m. | edited Sep 24 '15, 3:48 p.m.

This part works now, but not with Domain Local groups. It needs Universal groups in Active Directory.

Now I have to evaluate a solution for user import and update. I still hope JTS sees JAS as a single repository and only JAS needs to know about two repositories.
Or do I have to interpret your comment as JTS doing the user sync directly with the LDAP even if there is a JAS installed? This would be a bad concept.

Thanks

Guido


Guido Schneider commented Sep 24 '15, 3:52 p.m.

Additional comment: the group membership checkboxes shown in the user profile page within the Jazz admin show the group membership evaluation done by the settings in Advanced Properties, and not the real group membership done by the WAS application group mapping. This was confusing me, so I searched for a long time at the wrong end.


Guido Schneider commented Oct 06 '15, 1:14 p.m. | edited Oct 06 '15, 1:14 p.m.

I have this up and running now. Users of any LDAP registry can log on and use Jazz.


Only open issue is managing the users, because autoimport and manual import are only searching in the LDAP registry defined in Jazz advanced properties.
I'm now playing with self registration. 

Any idea about update of existing users? Do we have to script this externally? 

Do you know any plans to enhance Jazz so it can connect to multiple registries?

Regards
Guido


Mathieu Defianas commented Nov 09 '16, 7:47 a.m.

Hello,
@dnong, I use Jazz 6.0.2 and I have configured my WAS server as a federated repository (in order to use several LDAP servers), but now, what is the configuration on /jts/setup?
   - First option (on Liberty, from memory)
   - Second option: LDAP
   - Third option: Other repository
Then I would like to change my user configuration from one LDAP (a direct LDAP connection) to a new configuration on federated WAS (with many LDAPs).
Thanks for your help
Regards
Mathieu


Donald Nong commented Nov 09 '16, 7:43 p.m.

You should use LDAP and one of the LDAP servers in JTS. This is a caveat when using the WAS federated user repository to host multiple LDAP servers. For more details, check this article.
https://jazz.net/library/article/604


Mathieu Defianas commented Nov 10 '16, 2:24 a.m.

Thanks @dnong.
I will implement this solution, even if it's not clear in the documentation that I must leave an LDAP configuration on the JTS server ...
I should have chosen my third option: an external LDAP server
Mathieu
