LDAP user not authorized with admin rights


Eoghan Considine (101139) | asked Aug 26 '09, 8:22 a.m.
Hi,

I have setup LDAP authentication with our Windows Domain using the following realm in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://xxxx.domain.com:xxx"
       userPattern="(uid={0},ou=People,dc=domain,dc=com)"
       roleBase="(members={0},ou=People,dc=domain,dc=com)"
       roleSubtree="false"
/>

I have created groups in LDAP and mapped them in the web.xml file. My userid is a member of both the admin and user group in LDAP.

It authenticates my ID with LDAP ok but only allows me to log in as a user - if I try to log in to the setup page at https://..../jazz/setup it says "You are not authorized to access Jazz Team Server Setup"

Sometimes when I restart the server and try to log in I get an 'Access to the requested resource has been denied' but pressing the 'Back' button in the browser opens RTC at the Project Area's page.

Using JExplorer I can browse LDAP and see the following attributes set in my LDAP entry:

memberOf CN=azgEntJazzAdmins,OU=AutoGroups,DC=entdirADAM,DC=domain,DC=com
memberOf CN=azgEntJazzUsers,OU=AutoGroups,DC=entdirADAM,DC=domain,DC=com

Is my realm definition above valid?

Thanks!

6 answers



Eoghan Considine (101139) | answered Aug 27 '09, 8:36 a.m.
I find this very strange. It allows user but not admin access. This tells me it is querying and authenticating the user against LDAP but not giving it admin rights? This would suggest a problem in web.xml?

# cat ./tomcat/webapps/jazz/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Licensed ... -->
<!-- Note ... -->
<web-app>

  <servlet>
    <description>Equinox Bridge Servlet</description>
    <display-name>Equinox Bridge Servlet</display-name>
    <servlet-name>equinoxbridgeservlet</servlet-name>
    <servlet-class>com.ibm.team.repository.server.servletbridge.JazzServlet</servlet-class>
    <init-param>
      <param-name>enableFrameworkControls</param-name>
      <param-value>false</param-value>
    </init-param>
    <!--
    <init-param>
      <param-name>commandline</param-name>
      <param-value>-console</param-value>
    </init-param>
    -->
    <init-param>
      <param-name>extendedFrameworkExports</param-name>
      <param-value>com.ibm.team.repository.server.servletbridge</param-value>
    </init-param>
    <init-param>
      <param-name>frameworkLauncherClass</param-name>
      <param-value>com.ibm.team.repository.server.servletbridge.JazzFrameworkLauncher</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>

    <!-- Add ... -->
    <security-role-ref>
      <role-name>JazzAdmins</role-name>
      <role-link>azgEntJazzAdmins</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>JazzDWAdmins</role-name>
      <role-link>azgEntJazzDWAdmins</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>JazzGuests</role-name>
      <role-link>azgEntJazzGuests</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>JazzUsers</role-name>
      <role-link>azgEntJazzUsers</role-link>
    </security-role-ref>
    <!-- End ... -->
  </servlet>

  <servlet-mapping>
    <servlet-name>equinoxbridgeservlet</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <!-- set ... -->
  <session-config>
    <session-timeout>0</session-timeout>
  </session-config>

  <mime-mapping>
    <extension>ico</extension>
    <mime-type>image/vnd.microsoft.icon</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>png</extension>
    <mime-type>image/png</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>swf</extension>
    <mime-type>application/x-shockwave-flash</mime-type>
  </mime-mapping>

  <!-- secures ... -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/authenticated/identity</url-pattern>
      <url-pattern>/secure/authenticated/identity</url-pattern>
      <url-pattern>/web/loggedInUser</url-pattern>
      <!-- This ... -->
      <url-pattern>/secure/service/com.ibm.rqm.integration.service.IIntegrationService</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JazzUsers</role-name>
      <role-name>JazzAdmins</role-name>
      <role-name>JazzGuests</role-name>
      <role-name>JazzDWAdmins</role-name>
      <role-name>azgEntJazzUsers</role-name>
      <role-name>azgEntJazzAdmins</role-name>
      <role-name>azgEntJazzGuests</role-name>
      <role-name>azgEntJazzDWAdmins</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  ...
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Opens ... -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>open-unencrypted</web-resource-name>
      <url-pattern>/service/com.ibm.team.repository.service.internal.license.IFloatingLicenseService/*</url-pattern>
    </web-resource-collection>
    <!-- Leaving out the <auth-constraint> section means these resources don't require authentication -->
    <!-- Leaving out the <user-data-constraint> section means these resources don't require SSL -->
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminsecure</web-resource-name>
      <url-pattern>/admin/cmd/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JazzAdmins</role-name>
      <role-name>azgEntJazzAdmins</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!--
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Jazz</realm-name>
  </login-config>
  -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/auth/authrequired</form-login-page>
      <form-error-page>/auth/authfailed</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>JazzAdmins</role-name>
    <role-name>JazzDWAdmins</role-name>
    <role-name>JazzUsers</role-name>
    <role-name>JazzGuests</role-name>
    <role-name>azgEntJazzAdmins</role-name>
    <role-name>azgEntJazzDWAdmins</role-name>
    <role-name>azgEntJazzUsers</role-name>
    <role-name>azgEntJazzGuests</role-name>
  </security-role>

</web-app>

Balaji Krish (1.8k12) | answered Aug 27 '09, 5:22 p.m.
JAZZ DEVELOPER
The problem is with your realm definition in server.xml. The "members" attribute you used might NOT be used in your LDAP to define membership.

You should be able to find the attribute used to represent membership in JXplorer (it should be either member / uniquemember )

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="9"
       connectionURL="ldap://ldapserver:389"
       userBase="ou=People,dc=domain,dc=com"
       userSearch="(uid={0})"
       userSubtree="true"
       roleBase="ou=People,dc=domain,dc=com"
       roleSubtree="true"
       roleSearch="(member={0})"
       roleName="cn"
/>


--- Balaji

Eoghan Considine (101139) | answered Sep 01 '09, 6:06 a.m.
Hi Balaji,

Thanks for your reply. I made the updates you suggested to the realm and restarted the server. Unfortunately the following still appears when the user with membership of the admin group tries to log in.

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

They also get:

The user xxxx is not authorized to access Jazz Team Server Admin UI

I also tried removing the user from the 'users' group and just having them as a member of the 'admins' group, but this made no difference.

Anthony Kesterton (7.5k7178136) | answered Sep 01 '09, 6:59 a.m.
JAZZ DEVELOPER

Hi

I have only seen this error before when I have not gone into the RTC web client for that user and made sure the user has the JazzAdmin rights. That should give you access to the RTC Admin pages. I also tend to work with non-LDAP authentication, so this may not apply to your setup.

anthony

Balaji Krish (1.8k12) | answered Sep 01 '09, 4:42 p.m.
JAZZ DEVELOPER
Can you check the group mapping you added in web.xml ? (jazz/server/tomcat/webapps/jazz/web-inf/web.xml)

The information you provided in comment 2 is not formatted correctly.

Please refer to technote to map the group information : http://jazz.net/library/technote/92

I will verify the changes if you send me the server.xml and web.xml files via email.

--- Balaji
Jazz Server Team


Eoghan Considine (101139) | answered Sep 24 '09, 4:22 a.m.
Just to report back to the thread that my problem was that the baseUserDN in teamserver.properties and in server.xml was missing a dn.

so instead of

ou\=People,dc\=vds,dc\=xxx,dc\=com

I had

ou\=People,dc\=xxx,dc\=com

This was not obvious viewing the directory through JXplorer but after speaking with the LDAP team they identified the problem.
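A small Python model of the lookup Balaji's realm performs, added here as an illustration (not code from the thread, Tomcat or Jazz): it runs the userBase/userSearch and roleBase/roleSearch steps against a constructed in-memory directory, applies the web.xml security-role-ref mapping, and shows the two failure modes the thread ends on: a membership attribute the directory does not use (members instead of member) returns an authenticated user with no roles, and a base DN missing the dc=vds component does not find the user at all. DIRECTORY, USER_DN, GOOD_REALM, ROLE_LINKS and the search/realm_roles/jazz_roles functions are all constructed for this example.

```python
from typing import Dict, List

# Constructed directory (DN -> attributes); names mirror the thread, values are made up.
# Groups list members in a "member" attribute; the memberOf seen in JXplorer is the back-link.
USER_DN = "uid=econsidine,ou=People,dc=vds,dc=domain,dc=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {"uid": ["econsidine"]},
    "cn=azgEntJazzAdmins,ou=AutoGroups,dc=vds,dc=domain,dc=com":
        {"cn": ["azgEntJazzAdmins"], "member": [USER_DN]},
    "cn=azgEntJazzUsers,ou=AutoGroups,dc=vds,dc=domain,dc=com":
        {"cn": ["azgEntJazzUsers"], "member": [USER_DN]},
}
# Realm attributes in the shape Balaji's <Realm> uses (roleBase widened so the
# subtree search reaches ou=AutoGroups); this is the working configuration.
GOOD_REALM = {
    "userBase": "ou=People,dc=vds,dc=domain,dc=com", "userSearch": "(uid={0})",
    "roleBase": "dc=vds,dc=domain,dc=com", "roleSearch": "(member={0})", "roleName": "cn",
}
# web.xml <security-role-ref>: role-link (LDAP group) -> role-name (what Jazz checks)
ROLE_LINKS = {"azgEntJazzAdmins": "JazzAdmins", "azgEntJazzUsers": "JazzUsers"}


def search(base: str, flt: str) -> List[str]:
    """Subtree search supporting only the '(attr=value)' equality filters the realm uses."""
    attr, value = flt.strip("()").split("=", 1)
    base = base.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]


def realm_roles(realm: dict, username: str) -> List[str]:
    """Mimic JNDIRealm: locate the user under userBase, then find entries under
    roleBase whose roleSearch filter matches the user's DN; return their roleName values."""
    users = search(realm["userBase"], realm["userSearch"].replace("{0}", username))
    if not users:
        return []  # user not under userBase: authentication itself fails
    groups = search(realm["roleBase"], realm["roleSearch"].replace("{0}", users[0]))
    return [DIRECTORY[g][realm["roleName"]][0] for g in groups]


def jazz_roles(realm: dict, username: str) -> List[str]:
    """Apply the security-role-ref mapping so JazzAdmins/JazzUsers can be checked."""
    return sorted(ROLE_LINKS[r] for r in realm_roles(realm, username) if r in ROLE_LINKS)


if __name__ == "__main__":
    print(jazz_roles(GOOD_REALM, "econsidine"))  # ['JazzAdmins', 'JazzUsers']
    print(realm_roles(dict(GOOD_REALM, roleSearch="(members={0})"), "econsidine"))  # [] wrong attribute
    print(realm_roles(dict(GOOD_REALM, userBase="ou=People,dc=domain,dc=com"), "econsidine"))  # [] base DN missing dc=vds
```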
