LDAP problem during upgrade 5.02 to 6.0.2 of Jazz RTC


Jean-Yves Buzenet (162) | asked Jul 26 '16, 6:07 a.m.
retagged Aug 05 '16, 5:09 p.m. by Ken Tessier (84117)

Hello
I have the following configuration: Linux Red Hat 6.x, Jazz 5.0.2 with Tomcat.
OpenLDAP on another server.
It runs fine on 5.0.2.
My tomcat server.xml:
_______________________________________________________________
     <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionName=""
             connectionURL="ldap://ldapserver:389"
             roleBase="ou=JazzGroups,ou=rtc,dc=cie,dc=corp"
             roleName="cn"
             roleSearch="(memberUid={1})"
             roleSubtree="true"
             userBase="ou=users,dc=cie,dc=corp"
             userSearch="(uid={0})"
             userSubtree="true"/>
_______________________________________________________________
We launched the upgrade to 6.0.2 with this script: "upgrade/jts/jts_upgrade.sh -oldJTSHome /opt/IBM/JazzTeamServer/server/conf"
And we got the following message (extract):
_______________________________________________________________
........
Backing up the Liberty user configuration file "/opt/IBM/RTC_602/server/liberty/servers/clm/conf/basicUserRegistry.xml" to "/opt/IBM/RTC_602/server/liberty/servers/clm/conf/basicUserRegistry1469525654128backup.xml"...
Merging Tomcat users xml file "/opt/IBM/JazzTeamServer/server/tomcat/conf/tomcat-users.xml"...
Backing up the Liberty Server xml file "/opt/IBM/RTC_602/server/liberty/servers/clm/server.xml" to "/opt/IBM/RTC_602/server/liberty/servers/clm/server1469525654225backup.xml"...
Merging Tomcat server xml file "/opt/IBM/JazzTeamServer/server/tomcat/conf/server.xml"...
Backing up web.xml file "/opt/IBM/RTC_602/server/liberty/servers/clm/apps/jts.war/WEB-INF/web.xml"...
Updating web.xml file "/opt/IBM/RTC_602/server/liberty/servers/clm/apps/jts.war/WEB-INF/web.xml"...
CRJAZ1365I The server is attempting to connect to the following database: "thin:JTS/xxxxxxxx@//orasrv:1521/db"
CRJAZ1840W The following driver could not be loaded and registered: oracle.jdbc.OracleDriver. This JDBC driver JAR file must be provided in a path that is configured by the server scripts. Verify that the driver is in the expected location of "/opt/IBM/RTC_602/server/oracle/ojdbc6.jar" or consult the product setup instructions to change the location and then restart the server.
CRJAZ1093E The "com.ibm.team.repository.service.internal.schemagen.PersistentMappingService" feature could not start.
CRJAZ1779I This server is configured as a JTS.
CRJAZ2558I Setting the local server rename state to false and the openServerDescriptionServiceTemporarily state to false.
Updating configuration files for LDAP...
Internal Error: The service configuration for com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistryProvider could not be found. If the service is an extension service, consider using /com.ibm.team.repository.service/schema/extensionServiceLocator.exsd for a quick and easy fix to this problem.
CRJAZ2963E The WebSphere Liberty configuration files could not be modified for LDAP authentication.
CRJAZ1868E There was an error merging configuration files. See log for details.
The jts upgrade failed at step 0.  Correct the problem and run the script again starting at step 0.
_______________________________________________________________

I think that we must configure Liberty for the LDAP setup before running the upgrade script.
Can you help with this?
I have difficulties filling in the <customFilters> paragraph.

I followed these URLs :
 - official doc: https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.2/com.ibm.jazz.install.doc/topics/t_config_ldap_connection_liberty.html
 - https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile
 - https://jazz.net/forum/questions/214013/how-to-configure-ldap-with-rtc-601-on-linux-using-websphere-liberty?sort=oldest

Thanks a lot
JY

4 answers



Sany Maamari (13342643) | answered Aug 01 '16, 3:50 a.m.
edited Aug 01 '16, 3:51 a.m.
Hello,
Same problem here.
LDAP connection migration from Tomcat to Liberty doesn't seem to work.

Mathieu Defianas (15932333) | answered Aug 03 '16, 2:54 a.m.
edited Aug 03 '16, 3:06 a.m.
Hello,

I have had the same problem during my upgrade from 5.0.2 to 6.0.2.
Please note that I use OpenLDAP to store user credentials.
I have changed the authentication method in this file:

cat /opt/RTC_V6.0.2/server/liberty/servers/clm/server.xml
.........
<!-- <include location="conf/basicUserRegistry.xml"/> -->
<include location="conf/ldapUserRegistry.xml"/>
.........

Then I added the LDAP configuration in this file:
cat /opt/RTC_V6.0.2/server/liberty/servers/clm/conf/ldapUserRegistry.xml
<?xml version="1.0" encoding="UTF-8"?>
<server>
<featureManager>
   <feature>ldapRegistry-3.0</feature>
</featureManager>
<ldapRegistry   baseDN="dc=compagny,dc=com"
   bindDN="uid=root,cn=admins,dc=compagny,dc=com"
   bindPassword="clearPassword"
   host="myLdap"
   id="myLdap:389"
   ignoreCase="true"
   ldapType="Custom"
   port="389"
   realm="myLdap:389"
   recursiveSearch="true"
   sslEnabled="false">
   <customFilters
      groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
      groupIdMap="*:cn"
      groupMemberIdMap="*:memberUid"
      userFilter="(&amp;(uid=%v)(objectclass=posixAccount))"
      userIdMap="*:uid">
   </customFilters>
</ldapRegistry>
</server>

After this modification, the upgrade has finished.

But now, logging in to the application is impossible... The user is correctly mapped with LDAP but the group mapping seems to be impossible.
I get this message:

Permission Denied
Your account does not have the group memberships required to access the requested resource.

I think I have found my problem.
On Tomcat, in version 5.0.2, I have this configuration:

cat /opt/RTC_V5.0.2/server/tomcat/conf/server.xml
<Realm
   className="org.apache.catalina.realm.JNDIRealm"
   connectionName="uid=root,cn=admins,dc=compagny,dc=com"
   connectionPassword="clearPassword"
   connectionURL="ldap://myLdap:389"
   debug="99"
   roleBase="ou=JazzGroups,ou=groups,dc=compagny,dc=com"
   roleName="cn"
   roleSearch="(memberUid={1})"
   roleSubtree="true"
   userBase="ou=people,dc=compagny,dc=com"
   userSearch="(uid={0})"
   userSubtree="true"/>
        
I see that the user definition is correctly carried over from the Tomcat configuration to the Liberty configuration.
But the group definition (for example the roleBase attribute) is missing from the Liberty configuration, and I can't find on Google the Liberty attribute that maps to Tomcat's roleBase...

Thanks for your help

Mathieu


Shubjit Naik (1.4k1613) | answered Aug 03 '16, 4:22 a.m.
edited Aug 03 '16, 5:13 a.m.
Hi

I have not tried OpenLDAP, but we have documented the config with ApacheDS; not sure if the settings are the same.

Since it is only the groups that seem to be affected, you could try using the ObjectClass from the ApacheDS configuration and see if that works:

<customFilters
   groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=groupOfNames)))"
   groupIdMap="*:cn"
   groupMemberIdMap="*:memberUid"
   userFilter="(&amp;(uid=%v)(|(objectclass=inetOrgPerson)(objectclass=posixAccount)))"
   userIdMap="*:uid">
</customFilters>

In addition to this, if the groups do not have the default names ("JazzAdmins" etc.), then you would have to change them in application.xml, in the same location as ldapUserRegistry.xml.

Regards
Shubjit

Comments
Mathieu Defianas commented Aug 03 '16, 4:46 a.m.

Hello,
Thanks for your feedback.
I don't know ApacheDS but I think that the configuration should be almost the same thing...
I understand your example but I don't see where the groups are searched... In fact, nowhere do you define the "ou" corresponding to the groups in the LDAP.
For example, in the Tomcat configuration, this information is stored in the roleBase attribute.


Shubjit Naik commented Aug 03 '16, 5:12 a.m. | edited Aug 03 '16, 5:26 a.m.

It picks it up from the baseDN. You could map the group DN directly for specific groups in application.xml.


For example, in application.xml for jts.war you can enter the group name or directly a user:

group name="uid=JazzAdmins, dc=Groups, ou=example.com"
user name= "uid=clmadmin,dc=Users,ou=example.com"

However, when running the setup for JTS, there you still have the entries for Base Group CN and Base User DN.


Mathieu Defianas commented Aug 03 '16, 5:37 a.m.

I have tried your solution but it doesn't work ...

cat /opt/RTC_V6.0.2/server/liberty/servers/clm/conf/application.xml
<application id="jts" location="${server.config.dir}/apps/jts.war" name="jts" type="war">
<application-bnd>
  <security-role name="JazzAdmins">
    <group name="cn=JazzAdmins,ou=JazzGroups,ou=groups,dc=company,dc=com"/>
  </security-role>
  <security-role name="JazzProjectAdmins">
    <group name="cn=JazzProjectAdmins,ou=JazzGroups,ou=groups,dc=company,dc=com"/>
  </security-role>
  <security-role name="JazzUsers">
    <group name="cn=JazzUsers,ou=JazzGroups,ou=groups,dc=company,dc=com"/>
  </security-role>
  <security-role name="JazzGuests">
    <group name="cn=JazzGuests,ou=JazzGroups,ou=groups,dc=company,dc=com"/>
  </security-role>
</application-bnd>
</application>

I have the same error message.
I have also tried using the "access-id" attribute on the group tag in the same file, but it fails...
Have you got another idea? Thanks for your help.

Regards
Mathieu


Shubjit Naik commented Aug 03 '16, 6:09 a.m.

Can you share your ldapUserRegistry.xml as well? Is your baseDN set to dc=company,dc=com?



Mathieu Defianas commented Aug 03 '16, 6:13 a.m.

My ldapUserRegistry.xml file is in my first post.
Yes, the baseDN is set to dc=company,dc=co


Shubjit Naik commented Aug 03 '16, 6:27 a.m.

I was looking for the updated one.
Could you update the group filter and user filter with the ObjectClass I mentioned and try again? You may have to restart your Liberty server.


Mathieu Defianas commented Aug 03 '16, 8:15 a.m.

I have tried with your ObjectClass and I have restarted the Liberty server.
Groups continue to be unavailable and my user cannot log on to the RTC server.

I think that my ObjectClasses for user and group are correct because I copied the classes used in Tomcat.

To my mind, the problem continues to be in the search for groups on the LDAP server.

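The mapping Mathieu asks about, and Shubjit's point that Liberty has no roleBase equivalent because it searches from the single baseDN, can be made mechanical. The following is an added Python example, not code from this thread or from IBM: it reads the Tomcat JNDIRealm attributes from the question (constructed sample, with the missing quotes fixed), reduces userBase and roleBase to their common ancestor for baseDN, turns the {0}/{1} search templates into %v filters, and flags an anonymous bind or a clear-text bindPassword. The posixAccount/posixGroup object classes are taken from Mathieu's ldapUserRegistry.xml and are parameters.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
# Constructed sample input: the Tomcat 5.0.2 JNDIRealm from the question (quotes fixed).
TOMCAT_REALM = """<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName=""
    connectionURL="ldap://ldapserver:389" roleBase="ou=JazzGroups,ou=rtc,dc=cie,dc=corp"
    roleName="cn" roleSearch="(memberUid={1})" roleSubtree="true"
    userBase="ou=users,dc=cie,dc=corp" userSearch="(uid={0})" userSubtree="true"/>"""

def common_base_dn(*dns):
    """Longest common DN suffix (RDN by RDN, case-insensitive): Liberty has a single baseDN."""
    split = [[r.strip() for r in dn.split(",")][::-1] for dn in dns]
    common = []
    for level in zip(*split):
        if len({r.lower() for r in level}) != 1:
            break
        common.append(level[0])
    return ",".join(reversed(common))

def tomcat_realm_to_liberty(realm_xml, user_class="posixAccount", group_class="posixGroup"):
    """Translate a JNDIRealm element; returns (xml, registry attrs, filter attrs, warnings)."""
    a = ET.fromstring(realm_xml).attrib
    url = urlsplit(a["connectionURL"])
    ssl = url.scheme == "ldaps"
    uid_attr = re.match(r"\((\w+)=\{0\}\)", a["userSearch"]).group(1)     # e.g. uid
    member_attr = re.match(r"\((\w+)=\{1\}\)", a["roleSearch"]).group(1)  # e.g. memberUid
    reg = {"id": "ldap", "realm": url.netloc, "ldapType": "Custom", "host": url.hostname,
           "port": str(url.port or (636 if ssl else 389)), "sslEnabled": str(ssl).lower(),
           "ignoreCase": "true", "recursiveSearch": "true",
           "baseDN": common_base_dn(a["userBase"], a["roleBase"])}
    if a.get("connectionName"):
        reg["bindDN"], reg["bindPassword"] = a["connectionName"], a.get("connectionPassword", "")
    # Tomcat's {0}/{1} placeholders become %v; ElementTree escapes & to &amp; when serialising.
    filters = {"userFilter": "(&(%s=%%v)(objectclass=%s))" % (uid_attr, user_class),
               "userIdMap": "*:" + uid_attr,
               "groupFilter": "(&(%s=%%v)(objectclass=%s))" % (a["roleName"], group_class),
               "groupIdMap": "*:" + a["roleName"],
               "groupMemberIdMap": "*:" + member_attr}
    warnings = []
    if "bindDN" not in reg:
        warnings.append("connectionName is empty: Liberty will bind anonymously; confirm the "
                        "directory permits anonymous search of both users and groups")
    elif not reg["bindPassword"].startswith(("{xor}", "{aes}")):
        warnings.append("bindPassword is clear text; encode it with bin/securityUtility encode")
    if reg["baseDN"].lower() != a["roleBase"].lower():
        warnings.append("groups are searched from baseDN %s, not only under roleBase %s; keep "
                        "the group objectclass filter tight" % (reg["baseDN"], a["roleBase"]))
    elem = ET.Element("ldapRegistry", reg)
    ET.SubElement(elem, "customFilters", filters)
    return ET.tostring(elem, encoding="unicode"), reg, filters, warnings
```

The generated element goes inside `<server>` in ldapUserRegistry.xml; the warnings list is what to review before restarting Liberty.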

John Carew (134) | answered Sep 06 '16, 7:20 p.m.
I used this in the ldapserverregistry.xml in liberty/conf...
Working one:
<ldapRegistry id="ldap" realm="myladap:3268"
    host="server.company1.com" port="3268" ignoreCase="true" 
    baseDN="dc=company1,dc=com" 
    bindDN="cn=user1,cn=users,DC=company1,DC=com" 
    bindPassword="password"
    ldapType="Microsoft Active Directory"> 

    <activedFilters
          userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
          groupFilter="(&amp;(cn=%v)(objectcategory=group))"    
          userIdMap="user:sAMAccountName" 
          groupIdMap="*:cn" 
          groupMemberIdMap="memberOf:member"> 
    </activedFilters>
</ldapRegistry>

I then removed the jts.war and ccm.war directories in liberty/..apps/web.../,
recreated them and unzipped jts.war.zip.... etc. into the recreated folders,
then restarted the RTC server and all worked fine.
