Jazz Community Forum

How to configure LDAP with RTC 6.0.1 on linux using WebSphere Liberty?

We just upgraded to RTC 6.0.1 on linux using its default WebSphere Liberty, from RTC 5.0.2 on linux using its default Tomcat with LDAP authentication. 
The upgrade completed successfully.
I use a browser to connect successfully to the login page of RTC 6.0.1, but all logins are failing and I cannot log in at all (not even as ADMIN).
The problem seems to be that LDAP was not properly set up in RTC 6.0.1 WebSphere Liberty during the upgrade migration from RTC 5.0.2 and tomcat.
What should I do to get LDAP working? I cannot log in with my browser to the jts/setup screen, but I can edit the RTC 6.0.1 and WebSphere Liberty configuration files at the linux command prompt.
Any help would be most appreciated!

0 votes

Comments

Hi Christopher, have you been able to migrate the LDAP configuration from Tomcat to Liberty?



4 answers

Permanent link
Mike from our GRT team has just published a deployment wiki on this topic. Check it out if you're interested. Any suggestions and comments are welcome for improving the quality of the wiki.
https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile

2 votes

Comments

This answer would have saved me some time had I found it sooner.

I upgraded from a tomcat 5.0.2 installation that used openldap.

I found that the upgrade process failed in two areas:
  • the bindPassword was not set correctly
  • the filters seemed to be set mainly in idsFilters with some malformed entries in customFilters.
Setting the bind password using the securityUtility tool and setting the correct user/group filters in customFilters fixed these issues for me.

I found this stack overflow article useful in setting up our filters - not sure if this is already covered by the deployment wiki update.

Hi Robin, not quite sure why your configuration uses both "idsFilters" and "customFilters", since "idsFilters" should be used for Tivoli Active Directory only, and "customFilters" can actually be used with all LDAP servers.

No instructions can give exact steps for custom LDAP servers, as they are "customized", and can be completely different.

Administrators have to be quite familiar with LDAP to complete this task with ease and confidence.


Permanent link
We have received quite a few similar reports in Support. The support folks also found that following the instructions is not enough to properly set up LDAP in Liberty. We're still working on a reliable way to set it up. For the time being, the best approach is to contact Support.

1 vote

Comments

Donald, it would be great if we could publish examples in the deployment Wiki, once we have collected a few.

That's for sure. We definitely need to publish something, regardless of the format.

Would it be possible for you to translate our tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml? We are using Microsoft Active Directory.


The Realm line that allows our Microsoft Active Directory LDAP to work in the tomcat server.xml file from RTC 5.0.2 is as follows:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="RTCSERVICE@mycompany.org"
       connectionPassword="**"
       connectionURL="ldap://winvm-dc.mycompany.org:389"
       debug="99"
       referrals="follow"
       roleBase="ou=RTC,dc=mycompany,dc=org"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"
       userBase="ou=MyCompany Users,dc=mycompany,dc=org"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"/>

Based on this, what should we enter into ldapUserRegistry.xml in RTC 6.0.1?


Permanent link
Have you enabled LDAP in the server.xml file?

0 votes

Comments

LDAP is enabled in the RTC 6.0.1 liberty server.xml file. The problem we are having is that the LDAP configuration parameters that worked in the RTC 5.0.2 tomcat server.xml file do not seem to translate nicely to the format of the ldapUserRegistry.xml file used by RTC 6.0.1 WebSphere Liberty. I did see the following entry in the help page you sent, and clearly there is some problem aligning our organization's LDAP configuration that worked with tomcat to the structure of the ldapUserRegistry.xml file. I have followed examples of how to set up this file when using Microsoft Active Directory, but I am still seeing LDAP login errors on startup and no one is able to login to our upgraded RTC 6.0.1 right now.


Regarding the help page entry: Go to JazzInstallDir/server/liberty/servers/clm/conf, open the ldapUserRegistry.xml file and examine the values in the groupFilter and userFilter entries. If the values are not aligned with your organization's particular LDAP configuration, modify them before restarting the server. [The question is how to do this, and how to easily borrow from the tomcat server.xml ldap configuration that worked with RTC 5.0.2]

The Realm line that allows our Microsoft Active Directory LDAP to work in the tomcat server.xml file from RTC 5.0.2 is as follows:


<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="RTCSERVICE@mycompany.org"
       connectionPassword="**"
       connectionURL="ldap://winvm-dc.mycompany.org:389"
       debug="99"
       referrals="follow"
       roleBase="ou=RTC,dc=mycompany,dc=org"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="true"
       userBase="ou=MyCompany Users,dc=mycompany,dc=org"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"/>

1 vote

Thanks for sharing Christopher!

Ralph, would it be possible for you to translate our tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml?


Permanent link
Hi,

To configure LDAP on RTC 6.0.1 with Liberty, I had to manually edit ldapUserRegistry.xml to change idsFilter based on information provided at:
https://www-01.ibm.com/support/knowledgecenter/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_ldap.html

<ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
    host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
    baseDN="o=mycompany,c=us"
    ldapType="IBM Tivoli Directory Server"
    sslEnabled="true"
    sslRef="LDAPSSLSettings">
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
    </idsFilters>
</ldapRegistry>

0 votes

Comments

Could you translate our tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml?

Hello Christopher,

Have you succeeded in translating the tomcat server.xml Realm line to ldapUserRegistry.xml?
In fact, I have the same problem ...
I would like to translate the attribute roleBase (on tomcat) to liberty, but I don't find the best method.
Without this configuration, my users can log on to Jazz, but no group or role is mapped to LDAP ...

Thanks for your feedback
Mathieu
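Christopher's repeated request to translate the Tomcat Realm line, and Mathieu's question about carrying roleBase over, both come down to an attribute-by-attribute mapping, so here is one as an added example (my own script, not code from the thread, IBM or Liberty). It parses the posted JNDIRealm element and emits an ldapRegistry element using customFilters; the objectcategory clauses, the `group:member` member map, the `LdapRealm` name and the bindPassword placeholder (to be replaced with securityUtility encode output rather than the Tomcat plaintext) are assumptions to check against your own directory.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the Realm posted in the thread, password already redacted.
TOMCAT_REALM = (
    '<Realm className="org.apache.catalina.realm.JNDIRealm" connectionPassword="**" '
    'connectionName="RTCSERVICE@mycompany.org" connectionURL="ldap://winvm-dc.mycompany.org:389" '
    'debug="99" referrals="follow" roleBase="ou=RTC,dc=mycompany,dc=org" roleName="cn" '
    'roleSearch="(member={0})" roleSubtree="true" userSubtree="true" '
    'userBase="ou=MyCompany Users,dc=mycompany,dc=org" userSearch="(sAMAccountName={0})"/>'
)
PASSWORD_PLACEHOLDER = "REPLACE-WITH-securityUtility-encode-OUTPUT"  # never copy the plaintext over

def common_suffix_dn(*dns):
    """Longest shared tail of the DNs, RDN by RDN: one baseDN that covers both searches."""
    rdn_lists = [[p.strip() for p in dn.split(",")] for dn in dns]
    shared = []
    for rdns in zip(*(reversed(r) for r in rdn_lists)):
        if len({r.lower() for r in rdns}) != 1:
            break
        shared.append(rdns[0])
    return ",".join(reversed(shared))

def search_attribute(tomcat_filter):
    # Attribute name in a plain Tomcat "(attr={0})" filter; None if the filter is more complex.
    m = re.fullmatch(r"\((\w+)=\{0\}\)", tomcat_filter.strip())
    return m.group(1) if m else None

def translate_realm(realm_xml, registry_id="ldap", realm_name="LdapRealm"):
    """Return <ldapRegistry> as XML text. Dropped on purpose: Tomcat's obsolete debug attribute."""
    r = ET.fromstring(realm_xml).attrib
    url = urlsplit(r["connectionURL"])
    user_attr = search_attribute(r["userSearch"]) or "sAMAccountName"
    member_attr = search_attribute(r["roleSearch"]) or "member"
    reg = ET.Element("ldapRegistry", {
        "id": registry_id, "realm": realm_name, "ldapType": "Microsoft Active Directory",
        "host": url.hostname, "port": str(url.port or (636 if url.scheme == "ldaps" else 389)),
        "baseDN": common_suffix_dn(r["userBase"], r["roleBase"]), "ignoreCase": "true",
        "bindDN": r["connectionName"], "bindPassword": PASSWORD_PLACEHOLDER,
        "sslEnabled": "true" if url.scheme == "ldaps" else "false",
        "referal": r.get("referrals", "ignore"),  # Liberty's attribute really is spelled 'referal'
    })
    ET.SubElement(reg, "customFilters", {
        "userFilter": f"(&({user_attr}=%v)(objectcategory=user))",  # objectcategory narrowing assumed
        "groupFilter": f"(&({r['roleName']}=%v)(objectcategory=group))",
        "userIdMap": f"user:{user_attr}", "groupIdMap": f"*:{r['roleName']}",
        "groupMemberIdMap": f"group:{member_attr}",  # AD 'group' objects list member DNs in 'member'
    })
    return ET.tostring(reg, encoding="unicode")  # '&' is written as '&amp;', as in the page's file
```

The output is what goes into ldapUserRegistry.xml; the only value left to fill in by hand is the encoded bindPassword.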

Question asked: Jan 07 '16, 7:04 p.m.

Question was seen: 6,234 times

Last updated: Aug 03 '16, 3:45 a.m.
