Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

How to add multiple LDAP groups in Jazz Authorization Server?

Questions
Tags
Users
Badges
Sanjeet Pattnaik
(1515) Apr 22 '18, 11:22 p.m.

 Hello! I have JAS configured with 2 CLM(6.0.2) instances. But I have 2  different LDAP groups and admins. How do I configure JAS to support different LDAP groups and admins? I have approached with merging the LDAP admins and groups in the appConfig.xml but that didn't work. Could anyone please guide me on how to achieve this scenario? Or is it not possible for JAS to support multiple LDAPs?

0 votes

Comments
Spoidy jan
Dec 04 '24, 5:37 a.m.

You can try using an LDAP proxy to combine both LDAP groups into a single virtual directory. This way, JAS will treat it as one LDAP source, simplifying the configuration. Directly supporting multiple LDAPs isn’t possible in JAS, so merging or proxying is the best approach.

1 answer
2,054 views
0 votes

Accepted answer

Permanent link
Shubjit Naik
(1.5k1613) edited
Apr 23 '18, 12:56 a.m.

 Hi Sanjeet


When CLM is configured with JAS (Jazz Authorization Server), the group mappings is read from the configurations present in JTS. The group mappings in appConfig.xml is not considered.

When you access JTS/Admin -> Advanced Properties > LDAP configuration
You can enter the groups in the property Jazz To LDAP Group Mapping
For multiple groups, you can separate it by ";" for example: JazzAdmins=LDAPAdmins1;LDAPAdmins2

If you want to configure Multiple LDAP Servers with JAS, then you need to configure JAS with SCIM:

Best Regards
Shubjit

Sanjeet Pattnaik selected this answer as the correct answer

1 vote

Comments
Sanjeet Pattnaik
Apr 23 '18, 1:42 a.m.

Hello Shubjit. Thanks for writing in. Since I am quite new on JAS and its limits. Please make me understand better. 


Let us say that we have 1 JAS server configured with 2 CLM instances whose LDAP admins are different. 
CLM1 has a different set of users
CLM2 has another set of users.
Is JAS intelligent enough to distinguish between the two LDAPs? If yes, then how do I configure them? In ldapuserregistry.xml file? That is the only XML file we are going to make the changes right? Just adding the other LDAP? Or do I need to do something else? 

Shubjit Naik
Apr 23 '18, 2:10 a.m.

Hi Sanjeet


In your case the LDAP server is the same and only the Groups for each CLM instances are different, right?

In that case JAS would be use for Authentication. The Group Mappings for Admins would be taken care by JTS. So if both CLMs have different JTS server, the Admins would be mapped by each JTS. Meaning, Admin of CLM1 would not be Admin of CLM2  provided the Group Name are different in each instance.

If you would want to configure each CLM with its own LDAP via JAS, then yes you can configure federated LDAPs in JAS (Liberty Config )

Best Regards
Shubjit

Sanjeet Pattnaik
Apr 23 '18, 2:25 a.m.

Hello Shubjit. My LDAP servers are different. One server is in EU and the other LDAP server is in US. Both have different group names and admins are also different. I have configured proper groups in the respective CLM instances. But my JAS doesn't authenticate to 1 instance. From what I conclude the reason could be that I have not configured the other LDAP in the ldapuserregistryxml. Is my assumption correct? 


Also please verify the actions I need to perform:-

1. I will add the other LDAP in the XMl.
2. And in appConfig.xml, I will add the other JazzAdmins.
3. And in the ldapuserregistryXML for Microsoft AD(the link which you provided), there is a section where in the end we have configured the <administrator-role> tag. We don't have any specific user. We have a Admin group. So is it okay if I mention the group name with <group> tag instead of <user> tag? 

Shubjit Naik
Apr 23 '18, 2:44 a.m.

Hi Sanjeet


Generally, if you configure multiple LDAPs with JAS you need to use it with SCIM. the admin role is used for SCIM configuration.

However, in your case, you are using 1 LDAP per CLM, so you should be able to configure multiple LDAPs in ldapregistry.xml for JAS. 

Best Regards
Shubjit

Krzysztof Kaźmierczyk
Dec 03 '24, 8:55 a.m.

Please notice, that with multiple ldaps you cannot use ldap sync task to synchronise users is ELM. For synchronising users you can only set one ldap server there.

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 7,503
× 85

Question asked: Apr 22 '18, 11:22 p.m.

Question was seen: 2,054 times

Last updated: Dec 04 '24, 5:37 a.m.

Confirmation Cancel Confirm