Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Struggling to setup an LDAP User Registry

I am trying to install JTS v6.0.6 and am struggling to setup an LDAP User Registry.

At the moment my Liberty “server.xml” file has <include location=”conf/basicUserRegistry.xml” which means that I can log on as the initial ADMIN account.

I know that I eventually need to have <include location=”conf/ldapUserRegistry.xml” but at the moment I can’t log on with that setting.

My progress so far with the ‘jts/setup’ is that I have configured the Public url, configured the ‘jts’ database and created its tables, and I’ve registered Applications.

On the “Setup User Registry” page at Step 1 I have specified User Registry Type = LDAP.

At Step 2 I’ve entered LDAP Registry Location details and the “Base User DN”, “Base Group DN”, “Group Member Property”  details which are copied from  another Jazz Team Server (using Apache Tomcat) we have that works fine, so I’m fairly confident I’ve got them all set up correctly.

When I select “Test Connection” I get
“An LDAP connection was established but generated warnings. Resolve the warnings or click Next to continue.
ID
CRJAZ1559W
Unable to validate the user information. Ldap://<our-server-name>:3268

And the “liberty\servers\clm\logs\jts.log” has CRJAZ2149W An error occurred while validating the LDAP configuration.

What’s my best way forward from here ?

Thanks

                 Peter

0 votes


Accepted answer

Permanent link

Stupid, stupid, stupid !!!!!
It's always something daft :

When I was editing "server.xml" to go from basicUserRegistry to ldapUserRegistry I got rid of the "!--" at the start of the include block but I forgot to get rid of the "--" at the end.

So my "server.xml" didn't know about           <include location="conf/ldapUserRegistry.xml"/> and obviously I couldn't get any user to log in.

Now I've corrected that I have managed to log on to jts admin home page as my LDAP user who is also a JazzAdmin.

I'm going home now, but I'll no doubt be back soon with another daft question. (probably about managing licenses)
Thanks for all your help
                                          Peter

Ralph Schoon selected this answer as the correct answer

0 votes


4 other answers

Permanent link

Thanks for your help so far everyone.
It feels like I’m making progress, but I’m not there yet.

I am trying to install JTS v6.0.6 and setup the LDAP User Registry to point to an Active Directory.
This new Jazz Team Server has been installed using the default websphere  Liberty profile

This Active Directory / LDAP that I am attempting to use is already being used by another Jazz Team Server (JTS v6.0.2) which has an Apache Tomcat application server.

Starting off with the basicUserRegistry and logged in as ADMIN I have run the jts/setup and configured the Public url, configured the ‘jts’ database and created its tables, and I’ve registered the Applications.

At the “Setup User Registry” page I have got the green “You have successfully configured the User Registry” message.

“ldapUserRegistry.xml” and “application.xml” were written when I hit the “Save LDAP Config Files” button.

If I stay logged on using the basicUserRegistry as ADMIN I can go to the Users page and see a list of 182 Active Users.
Which I assume must mean the LDAP Server connection is OK.

I clicked on one of these users ‘rtc.admin’ and confirmed that he had “Jazz Admins” repository permissions.
He did not have a Client Access License assigned yet so I gave him one of my RTC - Developer trial licenses that I have on this new Server. Then I saved the rtc.admin user settings.

Having done all that I stopped the server, changed the “server.xml” to use “ldapUserRegistry” and restarted the Server.

I tried to log on as ‘rtc.user’ but I still get “Login failed”

What have I forgotten to do ?

Thanks
                   Peter

0 votes


Permanent link

 In addition on the setup page where you specify LDAP there is a link to some tooling that I found helpful in the past to find out the client settings and to make sure LDAP can be connected. Carefully read that page when you switch back and forth.


0 votes

Comments

Ah that looks useful.
I've run out of steam today so I'll take a look in the morning and report back.

I have made some progress on this and have now got the green”LDAP connection is established” message.

And jts/setup says that the user registry setup has been completed successfully.

I clicked on the Save LDAP Config files button and then selected Next.
Then I edited server.xml to use the LDAP user registry.
Restarted the server.
Tried to access the jts/admin page using the Username / password that I entered when I established the LDAP connection but the login failed.

I probably need to take a closer look at application.xml and/or ldapuseregistry.xml because I haven’t made any manual edits to those files at all. I think the only time they changed was when I clicked “save ldap config files” immediately after I got the “Test connection” bit working.

You need to have a Jazz user with JazzAdmin repository role.
Once LDAP is enabled, the user with the (case sensitive) user ID needs to be in LDAP, have the JazzAdmin repo role in LDAP and you need to be able to log in using the ID and password.


Permanent link

 Here's also the link to the version 6.0.6 knowledge center: https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.6/com.ibm.jazz.install.doc/topics/t_config_ldap_connection_liberty.html


Michael

0 votes

Comments

Thanks Michael


Permanent link
 Hi Peter, 
This wiki page has more details about how to configure LDAP with Liberty and some samples for each Active Directory vendor.
There are some manual steps - you do need to edit ldapUserRegistry.xml and adjust the filters.

Also, for performance, please check this work item: 
It explains how to define separate Base DN for user and groups. 
Isabel

1 vote

Comments

Thanks for that Isobel,
I'll take a look at that and let you know how I get on.

Peter

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 7,486
× 2,353

Question asked: Oct 25 '18, 11:18 a.m.

Question was seen: 3,918 times

Last updated: Oct 29 '18, 2:13 p.m.

Confirmation Cancel Confirm