LDAP problem during upgrade 5.02 to 6.0.2 of Jazz RTC
Hello,
I have the following configuration: Linux Red Hat 6.x, Jazz 5.0.2 with Tomcat.
OpenLDAP on another server.
Runs fine on 5.0.2.
My tomcat-server.xml:
_______________________________________________________________
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName=""
       connectionURL="ldap://ldapserver:389"
       roleBase="ou=JazzGroups,ou=rtc,dc=cie,dc=corp"
       roleName="cn"
       roleSearch="(memberUid={1})"
       roleSubtree="true"
       userBase="ou=users,dc=cie,dc=corp"
       userSearch="(uid={0})"
       userSubtree="true"/>
_______________________________________________________________
We launched the upgrade to 6.0.2 with this script: "upgrade/jts/jts_upgrade.sh -oldJTSHome /opt/IBM/JazzTeamServer/server/conf"
And we got the following message (extract):
_______________________________________________________________
........
Backing up the Liberty user configuration file "/opt/IBM/RTC_602/server/liberty/servers/clm/conf/basicUserRegistry.xml" to "/opt/IBM/RTC_602/server/liberty/servers/clm/conf/basicUserRegistry1469525654128backup.xml"...
Merging Tomcat users xml file "/opt/IBM/JazzTeamServer/server/tomcat/conf/tomcat-users.xml"...
Backing up the Liberty Server xml file "/opt/IBM/RTC_602/server/liberty/servers/clm/server.xml" to "/opt/IBM/RTC_602/server/liberty/servers/clm/server1469525654225backup.xml"...
Merging Tomcat server xml file "/opt/IBM/JazzTeamServer/server/tomcat/conf/server.xml"...
Backing up web.xml file "/opt/IBM/RTC_602/server/liberty/servers/clm/apps/jts.war/WEB-INF/web.xml"...
Updating web.xml file "/opt/IBM/RTC_602/server/liberty/servers/clm/apps/jts.war/WEB-INF/web.xml"...
CRJAZ1365I The server is attempting to connect to the following database: "thin:JTS/xxxxxxxx@//orasrv:1521/db"
CRJAZ1840W The following driver could not be loaded and registered: oracle.jdbc.OracleDriver. This JDBC driver JAR file must be provided in a path that is configured by the server scripts. Verify that the driver is in the expected location of "/opt/IBM/RTC_602/server/oracle/ojdbc6.jar" or consult the product setup instructions to change the location and then restart the server.
CRJAZ1093E The "com.ibm.team.repository.service.internal.schemagen.PersistentMappingService" feature could not start.
CRJAZ1779I This server is configured as a JTS.
CRJAZ2558I Setting the local server rename state to false and the openServerDescriptionServiceTemporarily state to false.
Updating configuration files for LDAP...
Internal Error: The service configuration for com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistryProvider could not be found. If the service is an extension service, consider using /com.ibm.team.repository.service/schema/extensionServiceLocator.exsd for a quick and easy fix to this problem.
CRJAZ2963E The WebSphere Liberty configuration files could not be modified for LDAP authentication.
CRJAZ1868E There was an error merging configuration files. See log for details.
The jts upgrade failed at step 0. Correct the problem and run the script again starting at step 0.
_______________________________________________________________
I think that we must configure Liberty for the LDAP setup before running the upgrade script.
Can you help with this?
I have difficulty filling in the <customFilters> paragraph.
I followed these URLs:
- official doc : https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.2/com.ibm.jazz.install.doc/topics/t_config_ldap_connection_liberty.html
- https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile
- https://jazz.net/forum/questions/214013/how-to-configure-ldap-with-rtc-601-on-linux-using-websphere-liberty?sort=oldest
Thanks a lot
JY
4 answers
I have had the same problem during my upgrade from 5.0.2 to 6.0.2.
Please note that I use OpenLDAP to store user credentials.
I have changed the authentication method in this file:
cat /opt/RTC_V6.0.2/server/liberty/servers/clm/server.xml
.........
<!--include location="conf/basicUserRegistry.xml"/-->
<include location="conf/ldapUserRegistry.xml"/>
.........
Then I added the LDAP configuration in this file:
cat /opt/RTC_V6.0.2/server/liberty/servers/clm/conf/ldapUserRegistry.xml
<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>
  <ldapRegistry baseDN="dc=compagny,dc=com"
                bindDN="uid=root,cn=admins,dc=compagny,dc=com"
                bindPassword="clearPassword"
                host="myLdap" id="myLdap:389" ignoreCase="true"
                ldapType="Custom" port="389" realm="myLdap:389"
                recursiveSearch="true" sslEnabled="false">
    <!-- a literal '&' inside an XML attribute value must be written as '&amp;' -->
    <customFilters groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))"
                   groupIdMap="*:cn"
                   groupMemberIdMap="*:memberUid"
                   userFilter="(&amp;(uid=%v)(objectclass=posixAccount))"
                   userIdMap="*:uid">
    </customFilters>
  </ldapRegistry>
</server>
After this modification, the upgrade finished.
But now login to the application is impossible... The user is correctly mapped with the LDAP, but the group mapping appears to be impossible.
I get this message:
Permission Denied Your account does not have the group memberships required to access the requested resource.
I think I have found my problem.
On Tomcat, in version 5.0.2, I have this configuration:
cat /opt/RTC_V5.0.2/server/tomcat/conf/server.xml
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionName="uid=root,cn=admins,dc=compagny,dc=com"
       connectionPassword="clearPassword"
       connectionURL="ldap://myLdap:389"
       debug="99"
       roleBase="ou=JazzGroups,ou=groups,dc=compagny,dc=com"
       roleName="cn"
       roleSearch="(memberUid={1})"
       roleSubtree="true"
       userBase="ou=people,dc=compagny,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"/>
I see that the user definition is correctly carried over from the Tomcat configuration to the Liberty configuration.
But the group definition (for example the roleBase attribute) is missing from the Liberty configuration, and I cannot find on Google the Liberty attribute that maps to Tomcat's roleBase...
Thanks for your help
Mathieu
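The question above, where to put Tomcat's roleBase, is the crux of the thread. As an added example (not the thread's own code, nor IBM's), this Python script derives a Liberty ldapRegistry from a JNDIRealm: it rewrites the {0}/{1} placeholders as %v, takes baseDN as the common suffix of userBase and roleBase (Liberty has no roleBase; as a later comment notes, group lookups start at baseDN, so recursiveSearch has to reach the group OU), and serialises with ElementTree so the '&' in the filters is emitted as '&amp;'. The object classes in the defaults are assumptions; bindPassword is deliberately not generated.

```python
import xml.etree.ElementTree as ET

# Constructed input: the Tomcat JNDIRealm quoted in this thread (password omitted).
TOMCAT_REALM = """<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionName="uid=root,cn=admins,dc=compagny,dc=com" connectionURL="ldap://myLdap:389"
  roleBase="ou=JazzGroups,ou=groups,dc=compagny,dc=com" roleName="cn"
  roleSearch="(memberUid={1})" userBase="ou=people,dc=compagny,dc=com"
  userSearch="(uid={0})"/>"""

def common_suffix_dn(*dns):
    """Longest common trailing RDN sequence of the DNs: Liberty's single baseDN."""
    suffix = []
    for rdns in zip(*(reversed(dn.split(",")) for dn in dns)):
        if len(set(rdns)) != 1:
            break
        suffix.append(rdns[0])
    return ",".join(reversed(suffix))

def realm_to_ldap_registry(realm_xml, user_classes=("inetOrgPerson", "posixAccount"),
                           group_classes=("groupOfNames", "posixGroup")):
    """Map JNDIRealm attributes onto ldapRegistry and customFilters attributes."""
    r = ET.fromstring(realm_xml).attrib
    host, port = (r["connectionURL"].split("://", 1)[1].split(":") + ["389"])[:2]
    # Tomcat's {0} (login name) is written %v in a Liberty customFilters expression.
    user_filter = r["userSearch"].replace("{0}", "%v")
    user_attr = user_filter[1:].split("=", 1)[0]                # uid
    member_attr = r["roleSearch"].strip("()").split("=", 1)[0]  # memberUid
    def oc(classes): return "".join(f"(objectclass={c})" for c in classes)
    return {
        "ldapRegistry": {
            "id": f"{host}:{port}", "realm": f"{host}:{port}", "host": host, "port": port,
            "sslEnabled": str(r["connectionURL"].startswith("ldaps://")).lower(),
            "ldapType": "Custom", "bindDN": r.get("connectionName", ""),  # plus bindPassword
            # No roleBase in Liberty: both lookups start at baseDN, so take the common
            # suffix of userBase and roleBase and let recursiveSearch reach the group OU.
            "baseDN": common_suffix_dn(r["userBase"], r["roleBase"]),
            "recursiveSearch": "true", "ignoreCase": "true"},
        "customFilters": {
            "userFilter": f"(&{user_filter}(|{oc(user_classes)}))",
            "userIdMap": f"*:{user_attr}",
            "groupFilter": f"(&({r['roleName']}=%v)(|{oc(group_classes)}))",
            "groupIdMap": f"*:{r['roleName']}",
            "groupMemberIdMap": f"*:{member_attr}"}}

def to_server_xml(cfg):
    # ldapUserRegistry.xml body; ElementTree escapes '&' in attribute values as '&amp;'.
    server = ET.Element("server")
    ET.SubElement(ET.SubElement(server, "featureManager"), "feature").text = "ldapRegistry-3.0"
    reg = ET.SubElement(server, "ldapRegistry", cfg["ldapRegistry"])
    ET.SubElement(reg, "customFilters", cfg["customFilters"])
    return ET.tostring(server, encoding="unicode")
```

Run `print(to_server_xml(realm_to_ldap_registry(TOMCAT_REALM)))` to see the generated registry; compare its groupFilter and baseDN against the one posted above before restarting Liberty.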
<customFilters groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=groupOfNames)))"
               groupIdMap="*:cn"
               groupMemberIdMap="*:memberUid"
               userFilter="(&amp;(uid=%v)(|(objectclass=inetOrgPerson)(objectclass=posixAccount)))"
               userIdMap="*:uid"></customFilters>
Comments
Hello,
Thanks for your feedback.
I don't know ApacheDS, but I think the configuration should be almost the same...
I understand your example, but I don't see where the groups are searched... In fact, nowhere do you define the "ou" corresponding to the groups in the LDAP.
For example, in the Tomcat configuration this information is stored in the roleBase attribute.
It picks it from the baseDN. You could map the group DN directly for specific groups in application.xml.
However, when running the setup for JTS, you still have the entries for Base Group CN and Base User DN.
I have tried your solution, but it doesn't work...
cat /opt/RTC_V6.0.2/server/liberty/servers/clm/conf/application.xml
<application id="jts" location="${server.config.dir}/apps/jts.war" name="jts" type="war">
  <application-bnd>
    <security-role name="JazzAdmins">
      <group name="cn=JazzAdmins,ou=JazzGroups,ou=groups,dc=company,dc=com"/>
    </security-role>
    <security-role name="JazzProjectAdmins">
      <group name="cn=JazzProjectAdmins,ou=JazzGroups,ou=groups,dc=company,dc=com"/>
    </security-role>
    <security-role name="JazzUsers">
      <group name="cn=JazzUsers,ou=JazzGroups,ou=groups,dc=company,dc=com"/>
    </security-role>
    <security-role name="JazzGuests">
      <group name="cn=JazzGuests,ou=JazzGroups,ou=groups,dc=company,dc=com"/>
    </security-role>
  </application-bnd>
</application>
I get the same error message.
I have also tried using the "access-id" attribute on the group tag in the same file, but it fails...
Have you got another idea? Thanks for your help.
Regards
Mathieu
Can you share your ldapUserRegistry.xml as well? Is your baseDN set to dc=company,dc=com?
My ldapUserRegistry.xml file is in my first post.
Yes the baseDN is set to dc=company,dc=co
I was looking for the updated one.
Could you update the group filter and user filter with the objectClass I mentioned and try again? You may have to restart your Liberty server.
I have tried with your objectClass and I have restarted the Liberty server.
Groups continue to be unavailable and my user cannot log on to the RTC server.
I think my objectClasses for user and group are correct because I copied the classes used on Tomcat.
To my mind, the problem is still with the search for groups on the LDAP server.