It's all about the answers!

Ask a question

Multiple LDAP with Jazz Authorization Server


pumtat boonyakarn (316) | asked Oct 08 '15, 1:12 a.m.
edited Oct 09 '15, 3:43 a.m. by Mehul Patel (8794)
Hi,
Currently I have confiuge JAS to integrate with multiple LDAP. so Is there anyway to configure JTS to map the group from multiple LDAP ? Thank you.

2 answers



permanent link
Guido Schneider (3.4k1379103) | answered Oct 10 '15, 9:31 a.m.
Hi Pumtat,

because JAS is based on the WAS libertiy profile, this is possible with help of a federate repository REALM definition, with multiple LDAP registries (e.g. multiple AD forests). So the login and the group mapping goes through multiple LDAP registries.
One trick is, in the group mapping of JTS/CCM/QM you can have multiple groups mapped per repository role. SO you can map groups from different LDAP registries.

See also my question / answers on:
  • https://jazz.net/forum/questions/206291/ldap-integration-with-multiple-ldap-dns-mulitple-ad-forests-with-jazz-v60-and-later
  • https://jazz.net/forum/questions/208725/howto-filter-out-disabled-users-in-a-federate-repositories-realm-within-was
Only issue is currently the import/synch/update of the users, because v6.0 and earlier versions of JTS cannot have more than one LDAP configuration in advanced properties to searchs users from. But for this there exists workaround like switching the lDAP properties or using repotool commands.

There exists a plan item in jazz.net (currently planned for V.6.0.1-M5 where JTS should become able to search the users out of JAS instead directly from LDAP.

Note: don't be confused by the login/group resolution of a user agains the import/synch/update of the User DB. This are two complettly different handled processes. The first is WAS the second is JTS.

regards
Guido

permanent link
Sunil Kumar R (1.1k12143) | answered Oct 09 '15, 8:58 a.m.
JAZZ DEVELOPER
Hi Pumtat, No Jazz (CLM) cannot be configured to integrate with multiple LDAP.

I believe your query comes from a background of LDAP requiring failover/ load balancing so that a backup LDAP takes over when the primary fails (or is unavailable).

In general, the best way to handle the situation as above is to design the LDAP system in high availability mode and configure CLM to use the HA LDAP URL so CLM is unware of the LDAP switch.

I see this post discuss the same scenario for your reference : https://jazz.net/forum/questions/158923

Best Regards
Sunil

Your answer


Register or to post your answer.