RTC 2.0 - Tomcat - LDAP - Active Directory -- Bad solution
After several weeks of hard work (together with IBM support) we are now able to use our Active Directory (via LDAP) together with RTC.
Although it is running now, we see some disadvantages of the chosen solution. :(
The JNDI implementation for LDAP of Tomcat isn't very complete:
o It isn't possible to have groups in groups. All users must be direct members of the group.
o No backup configuration for the LDAP server.
o There isn't the possibility to have a second source for authorization/authentication.
There must always be a coupling between the four RTC roles and 4 LDAP (Active Directory) groups. Why isn't there the possibility to use LDAP only for authentication (password check) and handle the roles inside of RTC?
You have to define the LDAP configuration twice:
o In the Tomcat configuration file (server.xml)
o In the RTC properties
The IBM support can't give much help for LDAP problems. For example, they have a validation test program which shows that everything is OK, but RTC doesn't work (the problem was that RTC and Tomcat are case sensitive, the test program is not, and it also uses different LDAP searches).
As LDAP is the only simple possibility for security within RTC (using the tomcat_users file is only a solution for private users), we hope a little additional effort will be spent to integrate LDAP into RTC and Tomcat (perhaps by developing a custom LDAP Realm for Tomcat). :(
6 answers
Thanks for the heads-up!!
To the other Jazz.net folks - we are also thinking about using Tomcat, with LDAP for authentication. Do the limitations described in the above post also apply to WebSphere? Or is Jazz/RTC on WebSphere somehow "better" with LDAP than Tomcat?
Thanks,
Mike Johnson
I don't think Team Concert is bad in handling the LDAP connection. It is consistent with the design of Tomcat which is a good thing. I think the problem is really that the setup process for end users is still a little too complicated. Like you said it is hard to see exactly where an error occurs so that one can fix it. I have always found that Java error messages can be confusing anyway.
>> LDAP implementation is not complete
Can you please elaborate why you think the LDAP implementation is not complete?
>> Cannot specify backup ldap server
Authentication / Authorization is managed by Tomcat. You can specify an alternate LDAP server in the server.xml file.
>> groups in groups feature
This is a valid issue. We have an enhancement request to support this feature. We have been avoiding this because any generic solution would degrade the performance.
--- Balaji
In the Tomcat server.xml it is possible to add another LDAP realm, but how can I add an alternate LDAP server to the RTC teamserver.properties?
Thanks a lot and best regards.
Wagner Arnaut
>> Cannot specify backup ldap server
Authentication / Authorization is managed by Tomcat. You can specify an alternate LDAP server in server.xml file.
What is the syntax for the alternate LDAP server in the server.xml?
Best Regards
Belinda
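As an added example (not a reply from any participant in this thread, and not the original poster's configuration): a Tomcat JNDIRealm entry for server.xml that names a fallback domain controller through Tomcat's alternateURL attribute. The hostnames, DNs, group OU and service-account password are placeholders.

```xml
<!-- Added example, not the thread's own configuration. Hostnames, DNs and the
     password are placeholders. Tomcat's JNDIRealm connects to connectionURL
     first and only uses alternateURL when that socket cannot be opened. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.example.com:389"
       alternateURL="ldap://dc2.example.com:389"
       connectionName="CN=svc-rtc,OU=Service Accounts,DC=example,DC=com"
       connectionPassword="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
       userBase="OU=Users,DC=example,DC=com"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       roleBase="OU=Groups,DC=example,DC=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})"/>
<!-- roleSearch="(member={0})" returns only the groups the user is a direct
     member of, which is the nested-group limitation described in the thread.
     The cn values returned through roleName are compared exactly, so the group
     names mapped in RTC must match them in case as well as spelling. -->
```

The bind password sits in clear text in server.xml, so restrict the file's permissions to the Tomcat service account. Prefer ldaps:// URLs where the domain controllers offer them, since with plain ldap:// both the bind credentials and the users' passwords cross the network unencrypted.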
For support of multiple groups, please refer to enhancement 88128:
https://jazz.net/jazz/web/projects/Jazz%20Foundation#action=com.ibm.team.workitem.viewWorkItem&id=88128
The Tomcat layer setting and the RTC layer setting are for different purposes: Tomcat for authentication, and RTC for authorization.
In RTC there are specific roles, so commonly you need to assign them to different groups, but you can also map different RTC roles (groups) to the same LDAP group.