It's all about the answers!

Ask a question

Enabling LDAP on WebSphere Application Server after using JAZZ as user managment


Lior Peled (179) | asked Feb 05 '18, 7:31 a.m.
retagged Mar 14 '18, 10:54 a.m. by Ken Tessier (84117)

 Hi,


we are currently managing users in CLM and would like to enable LDAP for user management.
2 questions:
1. Is there any specific configuration during WebSphere installation that we had to set on intial installation?
2. what are the exact steps to follow in order to enable LDAP on WebSphere  ?

Current CLM version 6.0.4 , WebSphere 8.5.5.11

Lior

3 answers



permanent link
Donald Nong (14.4k314) | answered Feb 06 '18, 1:02 a.m.

It should be fine. Just follow the standard documents.
1.https://www.ibm.com/support/knowledgecenter/en/SSYMRC_6.0.4/com.ibm.jazz.install.doc/topics/c_admin_was_console.html
2. https://www.ibm.com/support/knowledgecenter/en/SS2L6K_6.0.4/com.ibm.jazz.install.doc/topics/t_instl_config_ldap_on_was.html
https://jazz.net/library/article/96

You need to make sure there are matching users on the LDAP server.


Comments
Lior Peled commented Feb 10 '18, 3:39 p.m.

Hi, 


I was able to have a successful test connection to the  AD after follwing The steps in the article, now when I try to login with the one user I added to the JazzAdmins group in the active directory as a test, I get a permissions denied message saying the user is not part of a group membership (can't remember the exact message).
Is there anything else I need to do besides adding the users to the relevant active directory Jazz group I created?
Is the successful connection test I received enough or are there any other mandatory steps I need to take? 


Donald Nong commented Feb 12 '18, 1:27 a.m.

You need to re-do the role mapping every time you change the user registry - step 9 in the below document.
https://www.ibm.com/support/knowledgecenter/en/SS2L6K_6.0.4/com.ibm.jazz.install.doc/topics/t_deploy_was.html

If you cannot get into the WAS admin console anymore, follow the steps below.
http://www-01.ibm.com/support/docview.wss?uid=swg21405302


Lior Peled commented Feb 14 '18, 4:48 a.m.

Hi, 


The role mapping solved the problem. 
The issui now is that I can't login to the websphere console.. I can turn the security flag off but then the clm web is unavailable. 
How do I create another websphere user so I can login to WAS console when security flag is once I enable LDAP? 


Georg Kellner commented Feb 14 '18, 12:29 p.m.

Hi,
you have to define a primary admin account in the WebSphere configuration which is existing in the LDAP.
 And you can also map LDAP accounts to WebSphere roles.

Should be all on top Level of WebSphere Security section.

Greetings Georg.


permanent link
Lior Peled (179) | answered Feb 19 '18, 2:09 a.m.

 hi,


the user for LDAP was configured I just didn't realize it.. thanks.
I have another issue now. 
the JazzUsers group is mapped to the relevant team in the active directory but for some reason I get the permission denied message when trying to login with one of the users that is a member in the group , users in JazzAdmins group are able to login (strange thing is that one a user from the admins group is logged in the user profile that is recognized is the Admin name and not the users'.. any idea why?)

please advise.


permanent link
Lior Peled (179) | answered Feb 19 '18, 8:23 a.m.

 Hi,


I was able to solve the login issue from JazzUsers group but have a few questions,
I found out that the User ID in active directory and RTC current users list was the same but not in reference to lower/uper case so in the advanced properties  I changed the flag for the case sensitive option and that solved the problem.
the thing is that the User Registry type is set to unsupported ever since I enabled LDAP (I read somewhere that it is supposed to be set to LDAP).
my question now is what does that flag means? considering that I was able to login using the credentials from the active directory.
another question, now if a new user needs to have access to CLM applications, is it enough that the user is added to the relevant group in Active Directory? do I need to create the new user in JTS as well? what is the proper flow?

thanks.. Lior



Comments
Donald Nong commented Feb 21 '18, 12:45 a.m.

You need to set the User Registry Type in JTS to LDAP in order to synchronize the users. If you create a new LDAP user in the appropriate LDAP group, it should be added to JTS automatically during the nightly user synchronization. You can also add the user manually on the Active Users page of the Web GUI.


Lior Peled commented Feb 21 '18, 3:18 a.m.

Thanks Donald,


I did that yesterday and the user I added to the JazzUsers group in Active Directory wasn't created.
I tried also running the manuall sync using repotools command  but that didn't work as well.
when I try to use the import users option, once I search for one I get an error "CRJAZ0742E A connection to the LDAP directory server could not be established. Verify the configuration and availability of the LDAP server"
how is this possible considering I'm able to login using my credentials from LDAP?


Donald Nong commented Mar 07 '18, 1:26 a.m. | edited Mar 07 '18, 1:29 a.m.

Check the advanced property LDAP Registry Location under com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistryProvider, or the com.ibm.team.repository.ldap.registryLocation line in server/conf/jts/teamserver.properties (they are the same thing).

Authentication uses the LDAP configuration in WAS, while the user synchronization uses the LDAP configuration in JTS - different places, and configuration can be different although not recommended.

Your answer


Register or to post your answer.