Struggling to set up an LDAP User Registry
I am trying to install JTS v6.0.6 and am struggling to set up an LDAP User Registry. At the moment my Liberty "server.xml" file has <include location="conf/basicUserRegistry.xml", which means that I can log on as the initial ADMIN account. I know that I eventually need to have <include location="conf/ldapUserRegistry.xml", but at the moment I can't log on with that setting. My progress so far with 'jts/setup' is that I have configured the Public URL, configured the 'jts' database and created its tables, and I've registered Applications. On the "Setup User Registry" page at Step 1 I have specified User Registry Type = LDAP. At Step 2 I've entered the LDAP Registry Location details and the "Base User DN", "Base Group DN" and "Group Member Property" details, which are copied from another Jazz Team Server (using Apache Tomcat) we have that works fine, so I'm fairly confident I've got them all set up correctly.
When I select “Test Connection” I get
And the "liberty\servers\clm\logs\jts.log" has "CRJAZ2149W An error occurred while validating the LDAP configuration." What's my best way forward from here? Thanks, Peter
Accepted answer
Stupid, stupid, stupid !!!!!
When I was editing "server.xml" to go from basicUserRegistry to ldapUserRegistry I got rid of the "!--" at the start of the include block, but I forgot to get rid of the "--" at the end. So my "server.xml" didn't know about <include location="conf/ldapUserRegistry.xml"/> and obviously I couldn't get any user to log in. Now I've corrected that, I have managed to log on to the jts admin home page as my LDAP user, who is also a JazzAdmin.
I'm going home now, but I'll no doubt be back soon with another daft question. (probably about managing licenses)
Ralph Schoon selected this answer as the correct answer
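As an added check for the slip described in this answer (my own script, not code from the thread or from IBM/Jazz): it scans a Liberty server.xml for comment delimiters that have no partner and lists the <include> elements the XML parser actually sees once comments are dropped. The server.xml embedded below is a constructed sample that reproduces the leftover "-->".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml reproducing the slip in the accepted answer:
# the opening "<!--" before the LDAP include was deleted, the closing "-->" was not.
BROKEN_SERVER_XML = """<server description="clm">
    <featureManager>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    <!-- <include location="conf/basicUserRegistry.xml"/> -->
    <include location="conf/ldapUserRegistry.xml"/> -->
</server>
"""
# Same file with the dangling "-->" removed.
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace('.xml"/> -->\n</server>', '.xml"/>\n</server>')

_DELIM = re.compile(r"<!--|-->")

def stray_comment_delimiters(text):
    """Return (line, token) for every comment delimiter that has no partner."""
    stray, open_at = [], None
    for m in _DELIM.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        if m.group() == "<!--":
            if open_at is not None:      # opener while a comment is already open
                stray.append(open_at)
            open_at = (line, "<!--")
        elif open_at is None:            # closer with no opener: the slip above
            stray.append((line, "-->"))
        else:
            open_at = None               # well-formed pair, nothing to report
    if open_at is not None:
        stray.append(open_at)            # comment never closed
    return stray

def active_includes(text):
    """Locations of the <include> elements the XML parser sees (comments are dropped)."""
    return [el.get("location") for el in ET.fromstring(text).iter("include")]

def check_user_registry(text):
    """Summarise whether server.xml switches cleanly to the LDAP registry only."""
    stray = stray_comment_delimiters(text)
    includes = active_includes(text)
    def uses(name):
        return any(loc.endswith(name) for loc in includes)
    return {"stray": stray, "includes": includes,
            "ldap_only": uses("ldapUserRegistry.xml")
            and not uses("basicUserRegistry.xml") and not stray}
```

Run check_user_registry on the real server.xml before restarting the server; a non-empty "stray" list or an include list that still names basicUserRegistry.xml means the switch to LDAP is not in effect.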
4 other answers
Hi Peter,
Please check the instructions at https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile
This wiki page has more details about how to configure LDAP with Liberty and some samples for each Active Directory vendor.
There are some manual steps - you do need to edit ldapUserRegistry.xml and adjust the filters.
Also, for performance, please check this work item:
It explains how to define separate Base DN for user and groups.
Isabel
Comments
Peter Turvey
commented Oct 25 '18, 11:30 a.m.
Thanks for that Isabel,
Peter
Here's also the link to the version 6.0.6 knowledge center: https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6/com.ibm.jazz.install.doc/topics/t_config_ldap_connection_liberty.html
Michael
Ralph Schoon
answered Oct 25 '18, 12:10 p.m.
In addition, on the setup page where you specify LDAP there is a link to some tooling that I found helpful in the past to find out the client settings and to make sure LDAP can be connected. Carefully read that page when you switch back and forth.
Comments
Peter Turvey
commented Oct 25 '18, 12:22 p.m.
Ah, that looks useful.
Peter Turvey
commented Oct 26 '18, 5:24 p.m.
I have made some progress on this and have now got the green "LDAP connection is established" message.
And jts/setup says that the user registry setup has been completed successfully.
I clicked on the Save LDAP Config files button and then selected Next.
Then I edited server.xml to use the LDAP user registry.
Restarted the server.
Tried to access the jts/admin page using the Username / password that I entered when I established the LDAP connection but the login failed.
I probably need to take a closer look at application.xml and/or ldapUserRegistry.xml because I haven't made any manual edits to those files at all. I think the only time they changed was when I clicked "Save LDAP Config Files" immediately after I got the "Test Connection" bit working.
Ralph Schoon
commented Oct 27 '18, 10:36 a.m.
edited Oct 27 '18, 10:37 a.m.
You need to have a Jazz user with JazzAdmin repository role.
Once LDAP is enabled, the user with the (case sensitive) user ID needs to be in LDAP, have the JazzAdmin repo role in LDAP and you need to be able to log in using the ID and password.
Thanks for your help so far everyone.
I am trying to install JTS v6.0.6 and set up the LDAP User Registry to point to an Active Directory.
This Active Directory / LDAP that I am attempting to use is already being used by another Jazz Team Server (JTS v6.0.2) which has an Apache Tomcat application server. Starting off with the basicUserRegistry and logged in as ADMIN, I have run jts/setup and configured the Public URL, configured the 'jts' database and created its tables, and I've registered the Applications. At the "Setup User Registry" page I have got the green "You have successfully configured the User Registry" message. "ldapUserRegistry.xml" and "application.xml" were written when I hit the "Save LDAP Config Files" button.
If I stay logged on using the basicUserRegistry as ADMIN I can go to the Users page and see a list of 182 Active Users.
I clicked on one of these users ‘rtc.admin’ and confirmed that he had “Jazz Admins” repository permissions.
Having done all that I stopped the server, changed "server.xml" to use "ldapUserRegistry" and restarted the server. I tried to log on as 'rtc.user' but I still get "Login failed". What have I forgotten to do?
Thanks