How to configure "Federation of user registries" in WAS Liberty for CLM 6.0.1


Mallikarjuna Kandala (106212) | asked Sep 20 '16, 3:06 a.m.
edited Sep 20 '16, 3:13 a.m.
Hello!

We would like to use IBM LDAP and a basic file user registry together to allow login from both LDAP and non-LDAP users of a CLM 6.0.1 instance, which was set up using IBM WebSphere Application Server (WAS) Liberty. The Knowledge Center covers this topic only in the context of WAS and does not cover Liberty.

Reference :
https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/cwlp_repository_federation.html

So here are a few questions:
1) In server.xml of Liberty, can we use both of the user registries below?

    <include location="conf/ldapUserRegistry.xml"/>
    <include location="conf/basicUserRegistry.xml"/>

So here the basic registry is federated with LDAP.

    -bash-4.1$ ./productInfo version
    Product name: WebSphere Application Server
    Product version: 8.5.5.7
    Product edition: LIBERTY_CORE

    -bash-4.1$ pwd
    /home/jazz/6.0.1/<install_path>/server/liberty/wlp/bin
    -bash-4.1$

2) Is this a supported configuration for CLM 6.0.1.x?

Comments
Mallikarjuna Kandala commented Sep 20 '16, 3:14 a.m.

Some information from my original post is not visible so reposting here:

So here are a few questions:
1) In server.xml of Liberty, can we use both of the user registries below?

    <include location="conf/ldapUserRegistry.xml"/>
    <include location="conf/basicUserRegistry.xml"/>

So here the basic registry is federated with LDAP.

    -bash-4.1$ ./productInfo version
    Product name: WebSphere Application Server
    Product version: 8.5.5.7
    Product edition: LIBERTY_CORE

    -bash-4.1$ pwd
    /home/jazz/6.0.1/<install_path>/server/liberty/wlp/bin
    -bash-4.1$

2) Is this a supported configuration for CLM 6.0.1.x?

Accepted answer


Shubjit Naik (1.4k1613) | answered Sep 20 '16, 5:39 a.m.
edited Sep 23 '16, 1:19 a.m.
Hi Mallikarjuna

The following forum question was raised for WAS:
https://jazz.net/forum/questions/206291/ldap-integration-with-multiple-ldap-dns-mulitple-ad-forests-with-jazz-v60-and-later

It might work for Liberty as well, as per the Liberty Infocenter:

I did a quick test on CLM 6.0.2 and it seems to work. However, the process of adding new users in the Basic Registry is complex. Here is a high-level view of what I tried:

- First change the group names for basicUserRegistry to make them different from the group names in the LDAP registry
- Modify server.xml to enable both Basic and Ldapregistry.xmls
- Run and complete JTS Setup, configuring to LDAP
- Add the JazzGroups from BasicUserRegistry to the application.xml file
- Add the list of users in BasicUserRegistry
- Log in to JTS as a user with the JazzAdmin role
- Go to Server > Advanced Properties, search for "User Registry Type" and change it from LDAP to DETECT
- Click on Users > Active Users and create users with userids similar to those created in the Basic UserRegistry
- Go to Server > Advanced Properties and change "User Registry Type" from DETECT to LDAP


Mallikarjuna Kandala selected this answer as the correct answer
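
An added example, not part of the original answer and not IBM's code: a Python pre-start check for the file-editing steps above. It confirms that both registry includes are active in server.xml and that the basic-registry group names differ from the LDAP ones and are bound in application.xml. The XML samples are constructed, all group, role and user names are placeholders, and the LDAP group list is assumed to be supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; element names follow Liberty's basicRegistry and
# application-bnd syntax, and all group/user/role names are placeholders.
SERVER_XML = """<server>
  <include location="conf/ldapUserRegistry.xml"/>
  <include location="conf/basicUserRegistry.xml"/>
  <include location="conf/application.xml"/>
</server>"""

BASIC_XML = """<server>
  <basicRegistry id="basic" realm="customRealm">
    <user name="localadmin" password="placeholder"/>
    <group name="LocalJazzAdmins"><member name="localadmin"/></group>
    <group name="JazzUsers"><member name="localadmin"/></group>
  </basicRegistry>
</server>"""

APPLICATION_XML = """<server>
  <application id="jts" location="jts.war">
    <application-bnd>
      <security-role name="JazzAdmins">
        <group name="JazzAdmins"/><group name="LocalJazzAdmins"/>
      </security-role>
      <security-role name="JazzUsers"><group name="JazzUsers"/></security-role>
    </application-bnd>
  </application>
</server>"""

def active_includes(server_xml):
    # ET.fromstring raises ParseError on a malformed attribute (e.g. a missing
    # closing quote) and skips commented-out <include> elements.
    return [e.get("location") for e in ET.fromstring(server_xml).iter("include")]

def check_federation(server_xml, basic_xml, app_xml, ldap_groups):
    problems = []
    includes = active_includes(server_xml)
    for needed in ("conf/ldapUserRegistry.xml", "conf/basicUserRegistry.xml"):
        if needed not in includes:
            problems.append(f"not included: {needed}")
    basic = {g.get("name") for g in ET.fromstring(basic_xml).iter("group")}
    bound = {g.get("name") for r in ET.fromstring(app_xml).iter("security-role")
             for g in r.iter("group")}
    for name in sorted(basic & set(ldap_groups)):
        problems.append(f"basic group collides with LDAP group: {name}")
    for name in sorted(basic - bound):
        problems.append(f"basic group not bound to a role: {name}")
    return problems
```

With the constructed samples and LDAP groups `JazzAdmins` and `JazzUsers`, the check reports that the basic group `JazzUsers` still collides with an LDAP group and needs renaming.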

Comments
Mallikarjuna Kandala commented Sep 22 '16, 10:21 a.m.

Hi Shubjit,

Thank you for the suggestions.

It seems to be failing with the error message below:

Invalid path to authentication servlet.: /j_security_check

1) We already set up the new JTS+CLM

2) It was configured with Base User Registry first and completed JTS setup

3) Changed to LDAP user registry from Basic now

4) Shutdown the server

6) Enabled both Basic and LDAP user registries by modifying server.xml

7) Modified application.xml to update the base user registry related groups

8) Started the CLM/Liberty server

9) Try to login to JTS admin page using the LDAP credentials and I see below error :

Invalid path to authentication servlet.: /j_security_check


Shubjit Naik commented Sep 23 '16, 12:18 a.m.

Hi Mallikarjuna

It would be best to first configure Liberty/JTS to LDAP and synchronize users, then enable Basic User Registry. Are you able to login as a user from your Basicregistry file?

In your case, 
- JTS would still not have the LDAP details
- Liberty has to be configured with LDAP with right parameters.


Mallikarjuna Kandala commented Sep 26 '16, 5:40 a.m.

Hi Shubjit,

Good Afternoon!

Yes, I already tried to switch between LDAP and BASE by commenting out the corresponding lines in server.xml:


    <include location="conf/basicUserRegistry.xml"/>
    <!--include location="conf/ldapUserRegistry.xml"/-->

    <include location="conf/application.xml"/>


I am able to login with either BASE or LDAP so far but not successful with both. I observed that "ldapUserRegistry.xml" was updated after the JTS setup and I was able to login too till the time I tried to uncomment the BASE user registry as well.

I can retry the whole process but not really sure what's missing in current configuration.

Please suggest.

Thank you in advance!


Shubjit Naik commented Sep 26 '16, 6:36 a.m. | edited Sep 26 '16, 7:03 a.m.

Hi Mallikarjuna

Might be to do with the version 6.0.1. Could be the bundled liberty config.
Is there a possibility to test the same config in 6.0.2 ?

I tried with 2 LDAPs and BASIC user registry and it seems to work well in 6.0.2


Mallikarjuna Kandala commented Sep 26 '16, 10:05 a.m.

Hi Shubjit,

Yes, it works fine in CLM 6.0.1, though it is a bit time-consuming.

Thank you for your help.
