SECJ0129E: Authorization failed for user once logging in with any user - via LDAP SSO
I have installed CLM 6.0.1 (+iFix 001) with WAS and SSO connection via LDAP users.
I have made sure the relevant users are part of the relevant Jazz groups, and I also see them within CLM and can see their group assignments.
But once the users try to log in, they receive an error message:
"Permission Denied
Your account does not have the group memberships required to access the requested resource."
Now in WAS, as I test the connection to LDAP, I see that the connection is successful and all LDAP settings are correct.
Checking the SystemOut log, I see the following error message:
"SECJ0129E: Authorization failed for user <user_name> while invoking GET on default_host:/jts/secure/authenticated/identity, Authorization failed, Not granted any of the required roles: JazzUsers JazzAdmins JazzGuests JazzProjectAdmins "
What can be the problem?
Hope someone can help
3 answers
Ralph Schoon (63.5k●3●36●46)
| answered Feb 22 '16, 5:34 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
In your LDAP setup (/jts/customSetup#/steps/6), note that the second sub-step provides information and links. Follow the link and the description there to test and verify your LDAP settings and parameters. I am pretty sure there is an issue with your LDAP setup. Follow the link below:
Step 2: Configure Jazz Team Server to use an LDAP server to act as my user registry
Once you have configured your application server and LDAP server as described in the server setup guide, complete this form to configure the Jazz Team Server to use your LDAP server for user and group information.
For additional reference and help browsing your directory, see the topic How to verify LDAP parameters for Jazz Team server configuration.
Did you get Permission Denied when accessing all applications, e.g., /jts/admin, /ccm/web, /ccm/admin? If this is specific to certain applications and/or certain pages (/web versus /admin), I would suspect that the user/group mapping in WebSphere may need to be redone. Note that you do not need to bring WebSphere down to remap the group for each application (refer to step 9 in http://www-01.ibm.com/support/knowledgecenter/SSYMRC_6.0.1/com.ibm.jazz.install.doc/topics/t_deploy_was.html?lang=en).
Comments
Donald Nong
commented Feb 22 '16, 10:49 p.m.
The application will be restarted when the security setting is changed, and all associated user sessions will be terminated; users will get prompted to log in again. Just be aware.
Note that SSO only deals with authentication, not authorization (Java security role mapping). A simple way to verify the authorization is to access the URL https://<host>:<port>/<app>/authenticated/identity (replacing <app> with jts, ccm, qm and rm) after logging in the normal way. You should get a JSON presentation of the currently logged-in user ID and the associated roles (JazzAdmins, etc.). If you see a different result for any particular application, you need to double-check the Java security role mapping for that application.
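As an added example (not from the thread and not IBM's own tooling), a small Python helper that parses the SECJ0129E line quoted in the question and compares the roles returned by each application's /authenticated/identity endpoint, following the check described above. The JSON field names userId and roles, the sample log line and the sample responses are constructed assumptions.

```python
import json
import re

# Roles listed as required in the SECJ0129E message quoted in the question.
JAZZ_ROLES = {"JazzUsers", "JazzAdmins", "JazzGuests", "JazzProjectAdmins"}

# Pattern for the SECJ0129E authorization failure line in SystemOut.log.
SECJ0129E_RE = re.compile(
    r"SECJ0129E: Authorization failed for user (?P<user>\S+) while invoking "
    r"(?P<method>\w+) on (?P<vhost>[^:]+):(?P<uri>[^\s,]+).*?"
    r"Not granted any of the required roles: (?P<roles>[\w ]+)"
)

def parse_secj0129e(line):
    """Return (user, uri, required_roles) from a SECJ0129E log line, or None."""
    m = SECJ0129E_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("uri"), set(m.group("roles").split())

def check_identity_responses(responses, required=JAZZ_ROLES):
    """Given {app: json_text} captured from /<app>/authenticated/identity, return
    the apps whose granted roles contain none of the required roles, i.e. where
    the Java security role mapping in WebSphere differs from the other apps.
    Assumes the JSON carries the roles in a "roles" array."""
    missing = {}
    for app, body in responses.items():
        granted = set(json.loads(body).get("roles", []))
        if not granted & required:
            missing[app] = granted
    return missing

# Constructed sample log line, in the shape quoted in the question.
SAMPLE_LOG = (
    "SECJ0129E: Authorization failed for user jdoe while invoking GET on "
    "default_host:/jts/secure/authenticated/identity, Authorization failed, "
    "Not granted any of the required roles: JazzUsers JazzAdmins JazzGuests JazzProjectAdmins "
)

# Constructed identity responses: ccm has no Jazz role mapped, the others do.
SAMPLE_IDENTITY = {
    "jts": '{"userId": "jdoe", "roles": ["JazzUsers"]}',
    "ccm": '{"userId": "jdoe", "roles": []}',
    "qm": '{"userId": "jdoe", "roles": ["JazzUsers"]}',
}

if __name__ == "__main__":
    print(parse_secj0129e(SAMPLE_LOG))
    print(check_identity_responses(SAMPLE_IDENTITY))
```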