How to configure LDAP with RTC 6.0.1 on linux using WebSphere Liberty?


Christopher Starr (44113) | asked Jan 07 '16, 7:04 p.m.
edited Jan 18 '16, 4:39 p.m. by Lisa Frankel (5462)
We just upgraded to RTC 6.0.1 on linux using its default WebSphere Liberty, from RTC 5.0.2 on linux using its default Tomcat with LDAP authentication. 
The upgrade completed successfully.
I use a browser to connect successfully to the login page of RTC 6.0.1, but all logins are failing and I cannot log in at all (not even as ADMIN).
The problem seems to be that LDAP was not properly set up in RTC 6.0.1 WebSphere Liberty during the upgrade migration from RTC 5.0.2 and Tomcat.
What should I do to get LDAP working? I cannot log in with my browser to the jts/setup screen, but I can edit the RTC 6.0.1 and WebSphere Liberty configuration files at the linux command prompt.
Any help would be most appreciated!

Comments
Donald Nong commented Feb 05 '16, 4:35 a.m.

Hi Christopher, have you been able to migrate the LDAP configuration from Tomcat to Liberty?

4 answers



Ralph Schoon (61.2k33643) | answered Jan 08 '16, 2:10 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Have you enabled LDAP in the server.xml file?

Comments
Ralph Schoon commented Jan 08 '16, 2:17 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Christopher Starr commented Jan 08 '16, 2:54 a.m.

LDAP is enabled in the RTC 6.0.1 liberty server.xml file. The problem we are having is that the LDAP configuration parameters that worked in the RTC 5.0.2 tomcat server.xml file do not seem to translate nicely to the format of the ldapUserRegistry.xml file used by RTC 6.0.1 WebSphere Liberty. I did see the following entry in the help page you sent, and clearly there is some problem aligning our organization's LDAP configuration that worked with tomcat to the structure of the ldapUserRegistry.xml file. I have followed examples of how to set up this file when using Microsoft Active Directory, but I am still seeing LDAP login errors on startup and no one is able to login to our upgraded RTC 6.0.1 right now.



Christopher Starr commented Jan 08 '16, 2:55 a.m.

Regarding the help page entry: Go to JazzInstallDir/server/liberty/servers/clm/conf, open the ldapUserRegistry.xml file and examine the values in the groupFilter and userFilter entries. If the values are not aligned with your organization's particular LDAP configuration, modify them before restarting the server. [The question is how to do this, and how to easily borrow from the tomcat server.xml ldap configuration that worked with RTC 5.0.2]


Christopher Starr commented Jan 08 '16, 4:04 a.m.

The Realm line that allows our Microsoft Active Directory LDAP to work in the tomcat server.xml file from RTC 5.0.2 is as follows:


<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="RTCSERVICE@mycompany.org" connectionPassword="**" connectionURL="ldap://winvm-dc.mycompany.org:389" debug="99" referrals="follow" roleBase="ou=RTC,dc=mycompany,dc=org" roleName="cn" roleSearch="(member={0})" roleSubtree="true" userBase="ou=MyCompany Users,dc=mycompany,dc=org" userSearch="(sAMAccountName={0})" userSubtree="true"/>


Ralph Schoon commented Jan 08 '16, 4:26 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Thanks for sharing Christopher!


Christopher Starr commented Jan 08 '16, 3:09 p.m.

Ralph, would it be possible for you to translate our tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml ?


Donald Nong (14.4k314) | answered Jan 08 '16, 3:36 a.m.
We have received quite a few similar reports in Support. And the support folks also found that following the instructions is not enough to properly set up LDAP in Liberty. We're still working on a reliable way to set it up. For the time being, the best approach is to contact Support.

Comments
Ralph Schoon commented Jan 08 '16, 3:41 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Donald, it would be great if we could publish examples in the deployment Wiki, once we have collected a few.


Donald Nong commented Jan 08 '16, 4:23 a.m.

That's for sure. We definitely need to publish something, regardless of the format.


Christopher Starr commented Jan 08 '16, 2:22 p.m.

Would it be possible for you to translate our tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml? We are using Microsoft Active Directory.


The Realm line that allows our Microsoft Active Directory LDAP to work in the tomcat server.xml file from RTC 5.0.2 is as follows:

<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="RTCSERVICE@mycompany.org" connectionPassword="**" connectionURL="ldap://winvm-dc.mycompany.org:389" debug="99" referrals="follow" roleBase="ou=RTC,dc=mycompany,dc=org" roleName="cn" roleSearch="(member={0})" roleSubtree="true" userBase="ou=MyCompany Users,dc=mycompany,dc=org" userSearch="(sAMAccountName={0})" userSubtree="true"/>

Based on this, what should we enter into ldapUserRegistry.xml in RTC 6.0.1?

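Added example, written for this thread and not code from IBM, the Jazz team or the wiki: a small Python script that mechanically translates the JNDIRealm element posted above into a Liberty ldapRegistry element with customFilters. The mapping it applies is an assumption made here, not something the thread states: Liberty has a single baseDN, so userBase and roleBase collapse to their nearest common ancestor; userSearch and roleSearch become userFilter and groupMemberIdMap with Tomcat's {0} replaced by Liberty's %v; roleName becomes groupIdMap; the objectcategory clauses are the usual Active Directory ones; ldapType="Custom" is used because customFilters applies to any directory type. The password is carried over as the "**" placeholder from the post and should be replaced with the output of securityUtility encode before the file is deployed.

```python
"""Translate a Tomcat JNDIRealm <Realm> element into a Liberty <ldapRegistry>.

Added example for this thread, not code from IBM or the Jazz team. The mapping
to Liberty attribute names (host, port, bindDN, bindPassword, baseDN, referral,
ldapType, customFilters with userFilter/groupFilter/userIdMap/groupIdMap/
groupMemberIdMap) is an assumption made here, as is the use of Active
Directory's objectcategory clauses in the generated filters.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

# The Realm element posted in the thread (className in Tomcat's spelling; the
# password is the "**" placeholder from the post, not a real value).
TOMCAT_REALM = (
    '<Realm className="org.apache.catalina.realm.JNDIRealm" '
    'connectionName="RTCSERVICE@mycompany.org" connectionPassword="**" '
    'connectionURL="ldap://winvm-dc.mycompany.org:389" debug="99" referrals="follow" '
    'roleBase="ou=RTC,dc=mycompany,dc=org" roleName="cn" roleSearch="(member={0})" '
    'roleSubtree="true" userBase="ou=MyCompany Users,dc=mycompany,dc=org" '
    'userSearch="(sAMAccountName={0})" userSubtree="true"/>'
)

# Tomcat searches look like (attr={0}); only that single-clause form is handled.
_SEARCH = re.compile(r"^\((\w+)=\{0\}\)$")


def _attr_of(search):
    """Return the attribute name from a single-clause Tomcat search filter."""
    m = _SEARCH.match(search or "")
    if not m:
        raise ValueError(f"cannot translate search {search!r}; expected (attr={{0}})")
    return m.group(1)


def common_base(*dns):
    """Longest common suffix of the DNs (naive split on ',' is enough here).

    ldapRegistry has one baseDN, so userBase and roleBase collapse to their
    nearest common ancestor; Liberty searches the whole subtree below it.
    """
    rdn_lists = [list(reversed([r.strip() for r in dn.split(",")])) for dn in dns]
    common = []
    for rdns in zip(*rdn_lists):
        if len({r.lower() for r in rdns}) != 1:
            break
        common.append(rdns[0])
    return ",".join(reversed(common))


def translate(realm_xml):
    """Return (ldapRegistry attributes, customFilters attributes) for a JNDIRealm."""
    realm = ET.fromstring(realm_xml)
    if realm.get("className") != "org.apache.catalina.realm.JNDIRealm":
        raise ValueError("only org.apache.catalina.realm.JNDIRealm is handled")
    url = urlsplit(realm.get("connectionURL"))
    ssl = url.scheme == "ldaps"
    user_attr = _attr_of(realm.get("userSearch"))      # sAMAccountName
    member_attr = _attr_of(realm.get("roleSearch"))    # member (holds user DNs)
    group_attr = realm.get("roleName", "cn")
    attrs = {
        "id": "ldap",
        "host": url.hostname,
        "port": str(url.port or (636 if ssl else 389)),
        "ignoreCase": "true",
        "baseDN": common_base(realm.get("userBase"), realm.get("roleBase")),
        "bindDN": realm.get("connectionName"),
        # Carried over verbatim; replace with the output of `securityUtility encode`.
        "bindPassword": realm.get("connectionPassword", ""),
        "ldapType": "Custom",   # assumption: customFilters works with any directory type
        "sslEnabled": "true" if ssl else "false",
    }
    if realm.get("referrals") == "follow":
        attrs["referral"] = "follow"
    filters = {
        # {0} in Tomcat becomes %v in Liberty; objectcategory narrows to AD users/groups.
        "userFilter": f"(&({user_attr}=%v)(objectcategory=user))",
        "groupFilter": f"(&({group_attr}=%v)(objectcategory=group))",
        "userIdMap": f"user:{user_attr}",
        "groupIdMap": f"*:{group_attr}",
        "groupMemberIdMap": f"memberOf:{member_attr}",
    }
    return attrs, filters


def render(attrs, filters):
    """Serialise as the XML to paste into ldapUserRegistry.xml (& becomes &amp;)."""
    reg = " ".join(f"{k}={quoteattr(v)}" for k, v in attrs.items())
    flt = " ".join(f"{k}={quoteattr(v)}" for k, v in filters.items())
    return f"<ldapRegistry {reg}>\n    <customFilters {flt}/>\n</ldapRegistry>"


if __name__ == "__main__":
    print(render(*translate(TOMCAT_REALM)))
```

For the posted Realm the common ancestor is dc=mycompany,dc=org, so Liberty will search both ou=RTC and ou=MyCompany Users but also everything else under the domain root; if that is wider than you want, narrow the filters further rather than the baseDN. Check the generated element by binding to the directory with the same credentials and filters (for example with ldapsearch) before restarting the server, since a bad filter here locks everyone out, as the question describes.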

Philippe Casidy (11) | answered Jan 08 '16, 5:10 a.m.
Hi,

To configure LDAP on RTC 6.0.1 with Liberty, I had to manually edit ldapUserRegistry.xml to change idsFilters based on information provided at:
https://www-01.ibm.com/support/knowledgecenter/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_ldap.html

<ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
    host="ldapserver.mycity.mycompany.com" port="389" ignoreCase="true"
    baseDN="o=mycompany,c=us"
    ldapType="IBM Tivoli Directory Server"
    sslEnabled="true"
    sslRef="LDAPSSLSettings">
    <idsFilters
        userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="mycompany-allGroups:member;mycompany-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
    </idsFilters>
</ldapRegistry>


Comments
Christopher Starr commented Jan 08 '16, 2:18 p.m.

Could you translate our tomcat server.xml Realm line to what we need to enter into the new ldapUserRegistry.xml?


Mathieu Defianas commented Aug 03 '16, 3:45 a.m.

Hello Christopher,

Have you succeeded in translating the tomcat server.xml Realm line to ldapUserRegistry.xml?
In fact, I have the same problem ...
I would like to translate the attribute roleBase (on tomcat) to liberty but I can't find the best method.
Without this configuration, my users can log on to Jazz but no group or role is mapped to LDAP ...

Thanks for your feedback
Mathieu


Donald Nong (14.4k314) | answered Jan 10 '16, 6:20 p.m.
Mike from our GRT team has just published a deployment wiki on this topic. Check it out if you're interested. Any suggestions and comments are welcome for improving the quality of the wiki.
https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile

Comments
Robin Parker commented Feb 14 '16, 3:26 p.m. | edited Feb 14 '16, 3:27 p.m.

This answer would have saved me some time had I found it sooner.

I upgraded from a tomcat 5.0.2 installation that used openldap.

I found that the upgrade process failed in two areas:
  • the bindPassword was not set correctly
  • the filters seemed to be set mainly in idsFilters with some malformed entries in customFilters.
Setting the bind password using the securityUtility tool and setting the correct user/group filters in customFilters fixed these issues for me.

I found this stack overflow article useful in setting up our filters - not sure if this is already covered by the deployment wiki update.


Donald Nong commented Feb 14 '16, 6:37 p.m.

Hi Robin, not quite sure why your configuration uses both "idsFilters" and "customFilters", since "idsFilters" should be used for Tivoli Active Directory only, and "customFilters" can actually be used with all LDAP servers.

No instructions can give exact steps for custom LDAP servers, as they are "customized", and can be completely different.

Administrators have to be quite familiar with LDAP to complete this task with ease and confidence.

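Added example, not from the thread or from IBM: a lint for ldapUserRegistry.xml that checks for the failure modes reported in this answer's comments (an empty bindPassword after migration, filters spread over idsFilters and customFilters, filter values wrapped across lines, a filter element that does not match the ldapType) before the server is restarted and every login starts failing. The element and attribute names, the %v placeholder and the {xor}/{aes} prefixes are Liberty conventions as assumed here; both sample configurations are constructed for the example and the encoded password in the good one is a placeholder, not real securityUtility output.

```python
"""Lint a Liberty ldapUserRegistry.xml before restarting the server.

Added example for this thread, not part of the product or the deployment wiki.
Element and attribute names (ldapRegistry, idsFilters/activedFilters/
customFilters, bindPassword, %v placeholder, {xor}/{aes} prefixes) are assumed
Liberty conventions.
"""
import re
import xml.etree.ElementTree as ET

# Filter element that belongs to each ldapType; customFilters is accepted for any type.
FILTER_ELEMENTS = {
    "IBM Tivoli Directory Server": "idsFilters",
    "Microsoft Active Directory": "activedFilters",
    "Custom": "customFilters",
}
# objectclass:attribute pairs separated by ';' (e.g. "*:cn" or "memberOf:member")
ID_MAP = re.compile(r"^[\w*.-]+:[\w.-]+(;[\w*.-]+:[\w.-]+)*$")

# Constructed "after a bad migration" file: empty password, filters in two
# elements, a group filter wrapped across lines, an unbalanced user filter.
BROKEN = """<server>
  <ldapRegistry id="ldap" host="winvm-dc.mycompany.org" port="389" baseDN="dc=mycompany,dc=org"
      bindDN="RTCSERVICE@mycompany.org" bindPassword="" ldapType="Custom">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)
                     (objectclass=groupOfUniqueNames)))"/>
    <customFilters userFilter="(sAMAccountName=%v" groupIdMap="*:cn"/>
  </ldapRegistry>
</server>"""

# Constructed clean file; "{xor}placeholder" stands in for securityUtility encode output.
GOOD = """<server>
  <ldapRegistry id="ldap" host="winvm-dc.mycompany.org" port="389" ignoreCase="true"
      baseDN="dc=mycompany,dc=org" bindDN="RTCSERVICE@mycompany.org"
      bindPassword="{xor}placeholder" ldapType="Custom">
    <customFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName" groupIdMap="*:cn" groupMemberIdMap="memberOf:member"/>
  </ldapRegistry>
</server>"""


def _check_filter(name, value, findings):
    """Checks on one LDAP filter string."""
    if "%v" not in value:
        findings.append(f"{name}: no %v placeholder, the login name is never substituted")
    if re.search(r"\s", value):
        # XML turns a newline inside an attribute value into a space; the filter
        # then contains whitespace, which an LDAP server rejects.
        findings.append(f"{name}: contains whitespace (wrapped across lines?)")
    if value.count("(") != value.count(")"):
        findings.append(f"{name}: unbalanced parentheses")


def lint(xml_text):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    root = ET.fromstring(xml_text)
    regs = [root] if root.tag == "ldapRegistry" else root.findall(".//ldapRegistry")
    if len(regs) != 1:
        return [f"expected exactly one ldapRegistry element, found {len(regs)}"]
    reg = regs[0]
    for required in ("host", "port", "baseDN"):
        if not reg.get(required):
            findings.append(f"ldapRegistry: missing {required}")
    if not (reg.get("port") or "").isdigit():
        findings.append("ldapRegistry: port must be numeric")
    pw = reg.get("bindPassword")
    if reg.get("bindDN") and not pw:
        findings.append("ldapRegistry: bindDN set but bindPassword empty "
                        "(run securityUtility encode and paste the result)")
    elif pw and not pw.startswith(("{xor}", "{aes}")):
        findings.append("ldapRegistry: bindPassword is plaintext, not securityUtility-encoded")
    filter_elems = [c for c in reg if c.tag.endswith("Filters")]
    if len(filter_elems) != 1:
        findings.append(f"ldapRegistry: expected one *Filters child, found {[c.tag for c in filter_elems]}")
    expected = FILTER_ELEMENTS.get(reg.get("ldapType", ""))
    for f in filter_elems:
        if expected and f.tag not in (expected, "customFilters"):
            findings.append(f"{f.tag} does not match ldapType {reg.get('ldapType')!r}")
        for name in ("userFilter", "groupFilter"):
            if f.get(name) is None:
                findings.append(f"{f.tag}: missing {name}")
            else:
                _check_filter(f"{f.tag}/{name}", f.get(name), findings)
        for name in ("userIdMap", "groupIdMap", "groupMemberIdMap"):
            v = f.get(name)
            if v is not None and not ID_MAP.match(v):
                findings.append(f"{f.tag}/{name}: expected objectclass:attribute pairs, got {v!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("good", GOOD)):
        print(label, lint(text) or "no findings")
```

Run it against JazzInstallDir/server/liberty/servers/clm/conf/ldapUserRegistry.xml after the upgrade and again after each edit; a plaintext bindPassword is only reported, since Liberty accepts it, but it is the one value in the file worth encoding and keeping out of backups.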