How to add multiple LDAP groups in Jazz Authorization Server?


Sanjeet Pattnaik (1515) | asked Apr 22 '18, 11:22 p.m.

Hello! I have JAS configured with 2 CLM (6.0.2) instances. But I have 2 different LDAP groups and admins. How do I configure JAS to support different LDAP groups and admins? I have tried merging the LDAP admins and groups in the appConfig.xml, but that didn't work. Could anyone please guide me on how to achieve this scenario? Or is it not possible for JAS to support multiple LDAPs?


Comments
Spoidy jan commented 9 hours ago

You can try using an LDAP proxy to combine both LDAP groups into a single virtual directory. This way, JAS will treat it as one LDAP source, simplifying the configuration. Directly supporting multiple LDAPs isn’t possible in JAS, so merging or proxying is the best approach.

Accepted answer


Shubjit Naik (1.5k1613) | answered Apr 23 '18, 12:49 a.m.
edited Apr 23 '18, 12:56 a.m.

 Hi Sanjeet


When CLM is configured with JAS (Jazz Authorization Server), the group mappings are read from the configuration present in JTS. The group mappings in appConfig.xml are not considered.

When you access JTS/Admin -> Advanced Properties > LDAP configuration,
you can enter the groups in the property Jazz To LDAP Group Mapping.
For multiple groups, you can separate them with ";", for example: JazzAdmins=LDAPAdmins1;LDAPAdmins2

If you want to configure Multiple LDAP Servers with JAS, then you need to configure JAS with SCIM:

Best Regards
Shubjit

Sanjeet Pattnaik selected this answer as the correct answer

Comments
Sanjeet Pattnaik commented Apr 23 '18, 1:42 a.m.

Hello Shubjit. Thanks for writing in. Since I am quite new to JAS and its limits, please help me understand better.


Let us say that we have 1 JAS server configured with 2 CLM instances whose LDAP admins are different. 
CLM1 has a different set of users
CLM2 has another set of users.
Is JAS intelligent enough to distinguish between the two LDAPs? If yes, then how do I configure them? In the ldapuserregistry.xml file? That is the only XML file we are going to make the changes in, right? Just adding the other LDAP? Or do I need to do something else?


Shubjit Naik commented Apr 23 '18, 2:09 a.m. | edited Apr 23 '18, 2:10 a.m.

Hi Sanjeet


In your case the LDAP server is the same and only the groups for each CLM instance are different, right?

In that case JAS would be used for authentication. The group mappings for admins would be taken care of by JTS. So if both CLMs have different JTS servers, the admins would be mapped by each JTS. Meaning, an admin of CLM1 would not be an admin of CLM2, provided the group names are different in each instance.

If you would want to configure each CLM with its own LDAP via JAS, then yes, you can configure federated LDAPs in JAS (Liberty config).

Best Regards
Shubjit


Sanjeet Pattnaik commented Apr 23 '18, 2:25 a.m.

Hello Shubjit. My LDAP servers are different. One server is in the EU and the other LDAP server is in the US. Both have different group names, and the admins are also different. I have configured proper groups in the respective CLM instances. But my JAS doesn't authenticate to 1 instance. From what I conclude, the reason could be that I have not configured the other LDAP in the ldapuserregistry.xml. Is my assumption correct?


Also please verify the actions I need to perform:-

1. I will add the other LDAP in the XML.
2. And in appConfig.xml, I will add the other JazzAdmins.
3. And in the ldapuserregistry XML for Microsoft AD (the link which you provided), there is a section where at the end we have configured the <administrator-role> tag. We don't have any specific user. We have an Admin group. So is it okay if I mention the group name with the <group> tag instead of the <user> tag?


Shubjit Naik commented Apr 23 '18, 2:43 a.m. | edited Apr 23 '18, 2:44 a.m.

Hi Sanjeet


Generally, if you configure multiple LDAPs with JAS you need to use it with SCIM. The admin role is used for the SCIM configuration.

However, in your case, you are using 1 LDAP per CLM, so you should be able to configure multiple LDAPs in ldapregistry.xml for JAS. 

Best Regards
Shubjit
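The multiple-LDAP setup Shubjit describes (two federated LDAP registries in the JAS Liberty configuration, with an administrator group rather than a named user, as asked in Sanjeet's question above), written out as an added example. This is not configuration from the thread, from IBM or from the Jazz product; it is a Liberty server configuration fragment of the kind that JAS loads from its ldapUserRegistry.xml (an assumption about where it belongs). Host names, base DNs, bind accounts, the realm name, the admin group and the trust-store path are placeholders.

```xml
<!-- Added example, not from the thread or from IBM. Every host, DN, password,
     realm, group and file path below is a placeholder to be replaced. -->
<server>
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>federatedRegistry-1.0</feature>
    </featureManager>

    <!-- Trust store holding the CA certificates of both directories, so that the
         LDAPS connections below are verified instead of trusting any server. -->
    <keyStore id="LDAPTrustStore" location="${server.config.dir}/resources/security/ldap-trust.p12"
              password="{xor}PLACEHOLDER-TRUSTSTORE-PASSWORD" />
    <ssl id="LDAPSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="LDAPTrustStore" />

    <!-- First directory (placeholder: EU Active Directory). The bind account needs
         read access only; encode the password with bin/securityUtility encode
         rather than storing it in clear text. -->
    <ldapRegistry id="ldapEU" realm="ELMRealm"
                  host="ldap-eu.example.com" port="636"
                  sslEnabled="true" sslRef="LDAPSSLSettings"
                  ldapType="Microsoft Active Directory"
                  baseDN="DC=eu,DC=example,DC=com"
                  bindDN="CN=jas-bind,OU=Service Accounts,DC=eu,DC=example,DC=com"
                  bindPassword="{xor}PLACEHOLDER-EU-BIND-PASSWORD">
        <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                        userIdMap="user:sAMAccountName"
                        groupIdMap="*:cn"
                        groupMemberIdMap="memberof:member" />
    </ldapRegistry>

    <!-- Second directory (placeholder: US Active Directory), same realm. -->
    <ldapRegistry id="ldapUS" realm="ELMRealm"
                  host="ldap-us.example.com" port="636"
                  sslEnabled="true" sslRef="LDAPSSLSettings"
                  ldapType="Microsoft Active Directory"
                  baseDN="DC=us,DC=example,DC=com"
                  bindDN="CN=jas-bind,OU=Service Accounts,DC=us,DC=example,DC=com"
                  bindPassword="{xor}PLACEHOLDER-US-BIND-PASSWORD">
        <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                        userIdMap="user:sAMAccountName"
                        groupIdMap="*:cn"
                        groupMemberIdMap="memberof:member" />
    </ldapRegistry>

    <!-- Federate both trees into one realm. Each participatingBaseEntry must match
         the baseDN of one ldapRegistry above; a login name that exists in both trees
         is ambiguous and will not resolve to a single user. -->
    <federatedRepository>
        <primaryRealm name="ELMRealm">
            <participatingBaseEntry name="DC=eu,DC=example,DC=com" />
            <participatingBaseEntry name="DC=us,DC=example,DC=com" />
            <userSecurityNameMapping inputProperty="principalName" outputProperty="principalName" />
            <uniqueUserIdMapping inputProperty="uniqueName" outputProperty="uniqueName" />
            <groupSecurityNameMapping inputProperty="cn" outputProperty="cn" />
            <groupDisplayNameMapping inputProperty="cn" outputProperty="cn" />
        </primaryRealm>
    </federatedRepository>

    <!-- Liberty administrator role granted to a group instead of a named user
         (placeholder group name); this is the Liberty server admin, separate from
         the JazzAdmins mapping that each JTS reads from its own LDAP settings. -->
    <administrator-role>
        <group>ELM-JAS-Admins</group>
    </administrator-role>
</server>
```

Two checks before relying on this: log in once with an account from each directory and confirm in the JAS messages log that the user resolved against the expected base entry, and confirm the JazzAdmins to LDAP group mapping in each JTS names a group that exists only in that JTS's directory, otherwise an admin of one CLM instance can become an admin of the other. As the last comment in this thread notes, the ELM LDAP user-synchronisation task accepts a single LDAP server, so a federated registry covers authentication but not sync.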


Krzysztof Kaźmierczyk commented yesterday

Please note that with multiple LDAPs you cannot use the LDAP sync task to synchronise users in ELM. For synchronising users you can only set one LDAP server there.
