LDAP user not authorized with admin rights
Hi,
I have setup LDAP authentication with our Windows Domain using the following realm in server.xml: Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://xxxx.domain.com:xxx" userPattern="(uid={0},ou=People,dc=domain,dc=com)" roleBase="(members={0},ou=People,dc=domain,dc=com)" roleSubtree="false" I have created groups in LDAP and mapped them in the web.xml file. My userid is a member of both the admin and user group in LDAP. It authenticates my ID with LDAP ok but only allows me to login as a user - if I try and login to the setup page at https://..../jazz/setup its says "You are not authorized to access Jazz Team Server Setup" Sometime when I restart the server and try to login I get a 'Access to the requested resource has been denied' but pressing the 'Back' button in the brower opens RTC at the Project Area's page. Using JExplorer I can browse LDAP and see the following attributes set in my LDAP entry: memberOf CN=azgEntJazzAdmins,OU=AutoGroups,DC=entdirADAM,DC=domain,DC=com memberOf CN=azgEntJazzUsers,OU=AutoGroups,DC=entdirADAM,DC=domain,DC=com Is my real definition above valid? Thanks! |
6 answers
|
I find this very strange. Its allows user but not admin access. This tells me its is querying and Authenticating the user against ldap but not giving it admin rights? This would suggest a problem in web.xml?
# cat ./tomcat/webapps/jazz/WEB-INF/web.xml <xml> <Licensed> <Note> <web> <servlet> <description>Equinox Bridge Servlet</description> <display>Equinox Bridge Servlet</display> <servlet>equinoxbridgeservlet</servlet> <servlet>com.ibm.team.repository.server.servletbridge.JazzServlet</servlet> <init> <param>enableFrameworkControls</param> <param>false</param> </init> <!-- <init> <param>commandline</param> <param>-console</param> </init> --> <init> <param>extendedFrameworkExports</param> <param>com.ibm.team.repository.server.servletbridge</param> </init> <init> <param>frameworkLauncherClass</param> <param>com.ibm.team.repository.server.servletbridge.JazzFrameworkLauncher</param> </init> <load>1</load> <Add> <security> <role>JazzAdmins</role> <role>azgEntJazzAdmins</role> </security> <security> <role>JazzDWAdmins</role> <role>azgEntJazzDWAdmins</role> </security> <security> <role>JazzGuests</role> <role>azgEntJazzGuests</role> </security> <security> <role>JazzUsers</role> <role>azgEntJazzUsers</role> </security> <End> </servlet> <servlet> <servlet>equinoxbridgeservlet</servlet> <url>/*</url> </servlet> <set> <session> <session>0</session> </session> <mime> <extension>ico</extension> <mime>image/vnd.microsoft.icon</mime> </mime> <mime> <extension>png</extension> <mime>image/png</mime> </mime> <mime> <extension>swf</extension> <mime>application/x-shockwave-flash</mime> </mime> <secures> <security> <web> <web>secure</web> <url>/authenticated/identity</url> <url>/secure/authenticated/identity</url> <url>/web/loggedInUser</url> <This> <url>/secure/service/com.ibm.rqm.integration.service.IIntegrationService</url> </web> <auth> <role>JazzUsers</role> <role>JazzAdmins</role> <role>JazzGuests</role> <role>JazzDWAdmins</role> <role>azgEntJazzUsers</role> <role>azgEntJazzAdmins</role> <role>azgEntJazzGuests</role> <role>azgEntJazzDWAdmins</role> </auth> <user> <transport>CONFIDENTIAL</transport> </user> </security> </web> <user> <transport>CONFIDENTIAL</transport> </user> </security> <Opens> <security> <web> <web>open-unencrypted</web> <url>/service/com.ibm.team.repository.service.internal.license.IFloatingLicenseService/*</url> </web> <!-- Leaving out the <auth> section means these resources don't require authentication --> <!-- Leaving out the <user> section means these resources don't require SSL --> </security> <security> <web> <web>adminsecure</web> <url>/admin/cmd/*</url> </web> <auth> <role>JazzAdmins</role> <role>azgEntJazzAdmins</role> </auth> <user> <transport>CONFIDENTIAL</transport> </user> </security> <!-- <login> <auth>BASIC</auth> <realm>Jazz</realm> </login> --> <login> <auth>FORM</auth> <form> <form>/auth/authrequired</form> <form>/auth/authfailed</form> </form> </login> <security> <role>JazzAdmins</role> <role>JazzDWAdmins</role> <role>JazzUsers</role> <role>JazzGuests</role> <role>azgEntJazzAdmins</role> <role>azgEntJazzDWAdmins</role> <role>azgEntJazzUsers</role> <role>azgEntJazzGuests</role> </security> </web> |
The problem is with your realm definition in server.xml. "members" attribute you used might NOT be used in your ldap to define the membership..
You should be able to find the attribute used to represent membership in JXplorer (it should be either member / uniquemember ) Realm className="org.apache.catalina.realm.JNDIRealm" debug="9" connectionURL="ldap://ldapserver:389" userBase="ou=People,dc=domain,dc=com" userSearch="(uid={0})" userSubtree="true" roleBase="ou=People,dc=domain,dc=com" roleSubtree="true" roleSearch="(member={0})" roleName="cn" /> --- Balaji I find this very strange. Its allows user but not admin access. This tells me its is querying and Authenticating the user against ldap but not giving it admin rights? This would suggest a problem in web.xml? |
|
Hi Balaji,
Thanks for your reply. I made the udpates you suggested to the realm and restarted the server. Unfortunetly the following still appears when the user with membership of the admin group tries to login. type Status report message Access to the requested resource has been denied description Access to the specified resource (Access to the requested resource has been denied) has been forbidden. They also get: The user xxxx is not authorized to access Jazz Team Server Admin UI I also tried removing the user from the 'users' group and just have them a member of the 'admins' group but this made no difference. |
Hi Balaji, Hi I have only seen this error before when I have not gone into the RTC web client and for that user, and made sure the user has the JazzAdmin rights. That should give you access to the RTC Admin pages. I also tend to work with non-LDAP authentication, so this may not apply to your setup. anthony |
|
Can you check the group mapping you added in web.xml ? (jazz/server/tomcat/webapps/jazz/web-inf/web.xml)
The information you provided in comment 2 is not formatted correctly. Please refer to technote to map the group information : http://jazz.net/library/technote/92 I will verify the changes if you send me the server.xml and web.xml files via email. --- Balaji Jazz Server Team Hi Balaji, Hi I have only seen this error before when I have not gone into the RTC web client and for that user, and made sure the user has the JazzAdmin rights. That should give you access to the RTC Admin pages. I also tend to work with non-LDAP authentication, so this may not apply to your setup. anthony |
|
Just to report back to the thread that my problem was that the baseUserDN in teamserver.properties and in server.xml was missing a dn.
so instead of ou\=People,dc\=vds,dc\=xxx,dc\=com I had ou\=People,dc\=xxx,dc\=com This was not obvious viewing the directory through JXplorer but after speakng with the LDAP team they identified the problem. |
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.