It's all about the answers!

Ask a question

Struggling to setup an LDAP User Registry

Peter Turvey (99234) | asked Oct 25 '18, 11:18 a.m.

I am trying to install JTS v6.0.6 and am struggling to setup an LDAP User Registry.

At the moment my Liberty “server.xml” file has <include location=”conf/basicUserRegistry.xml” which means that I can log on as the initial ADMIN account.

I know that I eventually need to have <include location=”conf/ldapUserRegistry.xml” but at the moment I can’t log on with that setting.

My progress so far with the ‘jts/setup’ is that I have configured the Public url, configured the ‘jts’ database and created its tables, and I’ve registered Applications.

On the “Setup User Registry” page at Step 1 I have specified User Registry Type = LDAP.

At Step 2 I’ve entered LDAP Registry Location details and the “Base User DN”, “Base Group DN”, “Group Member Property”  details which are copied from  another Jazz Team Server (using Apache Tomcat) we have that works fine, so I’m fairly confident I’ve got them all set up correctly.

When I select “Test Connection” I get
“An LDAP connection was established but generated warnings. Resolve the warnings or click Next to continue.
Unable to validate the user information. Ldap://<our-server-name>:3268

And the “liberty\servers\clm\logs\jts.log” has CRJAZ2149W An error occurred while validating the LDAP configuration.

What’s my best way forward from here ?



Accepted answer

permanent link
Peter Turvey (99234) | answered Oct 29 '18, 2:13 p.m.

Stupid, stupid, stupid !!!!!
It's always something daft :

When I was editing "server.xml" to go from basicUserRegistry to ldapUserRegistry I got rid of the "!--" at the start of the include block but I forgot to get rid of the "--" at the end.

So my "server.xml" didn't know about           <include location="conf/ldapUserRegistry.xml"/> and obviously I couldn't get any user to log in.

Now I've corrected that I have managed to log on to jts admin home page as my LDAP user who is also a JazzAdmin.

I'm going home now, but I'll no doubt be back soon with another daft question. (probably about managing licenses)
Thanks for all your help

Ralph Schoon selected this answer as the correct answer

4 other answers

permanent link
Isabel Murakami (3811615) | answered Oct 25 '18, 11:27 a.m.
 Hi Peter, 
This wiki page has more details about how to configure LDAP with Liberty and some samples for each Active Directory vendor.
There are some manual steps - you do need to edit ldapUserRegistry.xml and adjust the filters.

Also, for performance, please check this work item: 
It explains how to define separate Base DN for user and groups. 

Peter Turvey commented Oct 25 '18, 11:30 a.m.

Thanks for that Isobel,
I'll take a look at that and let you know how I get on.


permanent link
Michael Afshar (7014) | answered Oct 25 '18, 12:02 p.m.

Peter Turvey commented Oct 25 '18, 12:06 p.m.

Thanks Michael

permanent link
Ralph Schoon (63.2k33646) | answered Oct 25 '18, 12:10 p.m.

 In addition on the setup page where you specify LDAP there is a link to some tooling that I found helpful in the past to find out the client settings and to make sure LDAP can be connected. Carefully read that page when you switch back and forth.

Peter Turvey commented Oct 25 '18, 12:22 p.m.

Ah that looks useful.
I've run out of steam today so I'll take a look in the morning and report back.

Peter Turvey commented Oct 26 '18, 5:24 p.m.

I have made some progress on this and have now got the green”LDAP connection is established” message.

And jts/setup says that the user registry setup has been completed successfully.

I clicked on the Save LDAP Config files button and then selected Next.
Then I edited server.xml to use the LDAP user registry.
Restarted the server.
Tried to access the jts/admin page using the Username / password that I entered when I established the LDAP connection but the login failed.

I probably need to take a closer look at application.xml and/or ldapuseregistry.xml because I haven’t made any manual edits to those files at all. I think the only time they changed was when I clicked “save ldap config files” immediately after I got the “Test connection” bit working.

Ralph Schoon commented Oct 27 '18, 10:36 a.m. | edited Oct 27 '18, 10:37 a.m.
You need to have a Jazz user with JazzAdmin repository role.
Once LDAP is enabled, the user with the (case sensitive) user ID needs to be in LDAP, have the JazzAdmin repo role in LDAP and you need to be able to log in using the ID and password.

permanent link
Peter Turvey (99234) | answered Oct 29 '18, 8:34 a.m.

Thanks for your help so far everyone.
It feels like I’m making progress, but I’m not there yet.

I am trying to install JTS v6.0.6 and setup the LDAP User Registry to point to an Active Directory.
This new Jazz Team Server has been installed using the default websphere  Liberty profile

This Active Directory / LDAP that I am attempting to use is already being used by another Jazz Team Server (JTS v6.0.2) which has an Apache Tomcat application server.

Starting off with the basicUserRegistry and logged in as ADMIN I have run the jts/setup and configured the Public url, configured the ‘jts’ database and created its tables, and I’ve registered the Applications.

At the “Setup User Registry” page I have got the green “You have successfully configured the User Registry” message.

“ldapUserRegistry.xml” and “application.xml” were written when I hit the “Save LDAP Config Files” button.

If I stay logged on using the basicUserRegistry as ADMIN I can go to the Users page and see a list of 182 Active Users.
Which I assume must mean the LDAP Server connection is OK.

I clicked on one of these users ‘rtc.admin’ and confirmed that he had “Jazz Admins” repository permissions.
He did not have a Client Access License assigned yet so I gave him one of my RTC - Developer trial licenses that I have on this new Server. Then I saved the rtc.admin user settings.

Having done all that I stopped the server, changed the “server.xml” to use “ldapUserRegistry” and restarted the Server.

I tried to log on as ‘rtc.user’ but I still get “Login failed”

What have I forgotten to do ?


Your answer

Register or to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.