LDAP configuration question
I'm at a customer trying to configure LDAP authentication with Tomcat for RTC.
Is it mandatory that they have special groups in their LDAP repository that map to the Jazz roles (JazzUsers, JazzAdmins, etc.)? He doesn't think that he can get the LDAP administrators to add any Jazz-specific fields (or any other new fields, for that matter).
Can we still use LDAP to just pull the user information, and configure their roles within RTC admin itself?
Thanks, Gary
15 answers
I did LDAP with WebSphere and I added groups for the roles information and just assigned the users to the appropriate groups. I didn't add any fields.
What if we can't even add new groups? That's what I meant, just didn't explain well enough.
Thanks, Gary
You are now beyond my expertise. I am not even sure that the group information was even utilized by WebSphere; I basically had to duplicate it there to get it recognized. So I am not sure what the benefits of having the groups in LDAP are.
LDAP can be used for simple authentication (am I who I say I am) and also for role-based authorization. If you don't want to create groups or are unable to do so, then you can use LDAP for authentication and manage roles internally. Mapping RTC groups to LDAP groups has many advantages but is not required - especially for small teams.
Mapping RTC groups to LDAP groups has many advantages but is not required - especially for small teams.
Can you elaborate on that? How can I configure WebSphere to just use the LDAP authentication part and not require any RTC specific groups defined in LDAP?
Our customer also has an LDAP setup where we cannot modify the additional groups as we would like to and rather had all group configuration outside of LDAP for that reason...
RTC was not really designed to do this since it relies upon the J2EE authentication mechanisms on the application server. I have not tried it with WAS but in Tomcat you can tell it to authenticate users against LDAP and then use additional realm configurations to manage the groups of users (JazzAdmins, JazzUsers, etc). If there are any WAS experts lurking please feel free to jump in.
Caveat: I have not tried this since very early versions of RTC and never with WAS.
I need to make a correction to my post. The Authorization portion of RTC has always been internal to RTC. We use LDAP for Authentication purposes only.
We use LDAP to connect to an Active Directory server. We had to add the two groups. If a user was "Imported" from LDAP but didn't appear in the JazzUsers group, the login would fail. Also the JazzAdmin group is used to distinguish if a user has admin rights.
Jas
Thanks for the information, Jas.
I'm still wondering if the groups are mandatory. I could envision using LDAP just for pure authentication, and then applying roles (admin, etc.) from Jazz itself. Can someone "in the know" please quickly let us know?
Jas - could you possibly send me your configuration inside the Jazz server for Active Directory?
Thanks, Gary