RTC user authentication/LDAP issue
My customer created user accounts using user management in JAZZ Team Server. They may configure the realm for the Tomcat application server later with an LDAP User Directory.
If the user id is the same as the user id in LDAP, can it be achieved with the assumption that the content of the Jazz server will not be affected?
10 answers
We did this with success with about 800 users.
You have to be very careful that the userids in RTC match exactly the userids in the LDAP source -- they are case sensitive. We authenticate against Bluepages and it works fine, but found that the case sensitivity caused a small number of accounts to need to be archived and new ones created for those users. If my memory serves correctly it was 10 or less. The most painful part was populating the LDAP group with the 800 users we had in tomcat_users.xml
I have two more questions for this topic.
1. After using LDAP for user authentication, how about the existing users already created in Jazz Team Server?
2. After I configured Tomcat and used the user created in LDAP for user authentication, I would create some new users in Jazz Team Server. How about the new users created in Jazz Team Server?
I don't understand the first question, but on the second I assume you are talking about manually creating users in RTC.
You don't really want to manually create users if you are using LDAP as authentication -- add the users to the appropriate group in the LDAP source and import them into RTC. If you manually add them you can end up with mismatches due to case sensitivity, or you add what you think is the appropriate UID, but it is actually not correct for the user based on what is defined in LDAP.
Note that case insensitive login is supported in RTC 2.0.0.1.
>> How to import the users from LDAP to Jazz..
1. You can either import individual user records from LDAP using the Import Users action in the user management page or let the nightly LDAP sync synchronize the user records between LDAP and Jazz.
--- Balaji
Yes, case insensitive login is available, but if LDAP sync is running it will import the actual user id from the LDAP store and you could end up with the same id in different cases--this prevents login because of ambiguity.
Go ahead and ask me how I know.
Brian,
This should not be the case.. I just tested the following scenario:
1. Case insensitive logon is turned on (using config property). Note: Case insensitive login is "not turned on" by default.
2. Jazz repo has a user id "BALaJIK" with name "Balaji".
3. Choose user registry as "LDAP".
4. LDAP has a user called "balajik" with name "Balaji Krish".
5. Try running an LDAP sync operation (repotools -syncUsers).
Result from LDAP sync: "BALaJIK" user's name is changed to "Balaji Krish".
I tested this with the latest Foundation 1.0.0.2 RC0 build. We have not made any changes to LDAP code since 1.0.0.1. So, you should see the same result with Foundation 1.0.0.1 or RTC 2.0.0.1 builds.
--- Balaji
Brian,
I have encountered this issue as well. Is there a method of creating users in RTC programmatically to ensure the names are an exact match? I have seen cases where there is one user who ends up with two user accounts in RTC. Or, where I receive the message that another user with that userid already exists. In that case the two users are one and the same.
Cheers - Bryan
After re-reading my post it struck me that repotools could be used to programmatically import users into RTC via -createuser or -importusers. Has anyone tried this approach?
Yes, I replicated the DB from production over to a test Jazz server and executed repo tools with sync users. This is better than using import or create option.
The report that Jazz generates after the sync identifies which user IDs already match and which ones don't. Now when ready to convert the actual production server simply rename the problem user IDs to the correct case before using report sync tool. You can also practice on the test server as many times as needed to feel confident. Simply disable LDAP back to Tomcat user file and make another duplicate copy of the production database to start from scratch. Lots of work but at least it is clear what the result will be.
Great post! Thank you.
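The check this thread keeps coming back to (local user IDs that differ from LDAP only by case, and local IDs that collide with each other once case is ignored) can be run before the first sync. This is an added example, not code from any poster or from Jazz; it assumes the Tomcat user file uses the standard `<user username="..."/>` entries and that the LDAP uids have been exported to a list, and the sample data and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data (not taken from the thread).
TOMCAT_USERS_XML = """<tomcat-users>
  <user username="ADMIN" password="x" roles="JazzAdmins"/>
  <user username="balajik" password="x" roles="JazzUsers"/>
  <user username="BSmith" password="x" roles="JazzUsers"/>
  <user username="bsmith" password="x" roles="JazzUsers"/>
  <user username="carol" password="x" roles="JazzUsers"/>
</tomcat-users>"""
LDAP_UIDS = ["balajik", "bsmith", "Dave", "admin"]  # LDAP-only IDs are ignored


def tomcat_usernames(xml_text):
    """Return usernames from a Tomcat user file, with or without an XML namespace."""
    root = ET.fromstring(xml_text)
    return [el.attrib["username"] for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "user" and "username" in el.attrib]


def preflight(local_ids, ldap_ids):
    """Classify local IDs against the directory before the first LDAP sync."""
    ldap_exact = set(ldap_ids)
    ldap_by_fold = {uid.casefold(): uid for uid in ldap_ids}
    groups = defaultdict(list)
    for uid in local_ids:
        groups[uid.casefold()].append(uid)

    report = {"exact": [], "rename": {}, "ambiguous": {}, "not_in_ldap": []}
    for folded, ids in sorted(groups.items()):
        if len(ids) > 1:                 # same ID in two cases: login ambiguity
            report["ambiguous"][folded] = sorted(ids)
        elif ids[0] in ldap_exact:       # already matches LDAP exactly
            report["exact"].append(ids[0])
        elif folded in ldap_by_fold:     # differs by case only: rename before sync
            report["rename"][ids[0]] = ldap_by_fold[folded]
        else:                            # no directory entry at all
            report["not_in_ldap"].append(ids[0])
    return report


if __name__ == "__main__":
    result = preflight(tomcat_usernames(TOMCAT_USERS_XML), LDAP_UIDS)
    for section, value in result.items():
        print(section, value)
```

Entries under `rename` are the accounts to correct to the LDAP case on the test copy before syncing; entries under `ambiguous` are the duplicate accounts that need to be resolved by hand.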