Multiple branches in LDAP
Our company has a dedicated branch for keeping employee data in Active Directory.
We also have a dedicated jazz user group to which we added all jazz users, and it works pretty well. But we also have a tool account in our project that today is used for various automated activities. The tool account data is located in another branch in Active Directory. In order to let the tool operate on RTC through the REST API, we added the tool to the jazz user group. The problem is that the tool and the users reside in different Active Directory branches, and RTC, even though it synchronized correctly with the users group content, is not able to resolve the tool account data, searching for it in the employees branch. What would be your advice on this problem? Thank you
5 answers
Can you not set the base user DN to a parent branch that contains both the tool and employees branches?
Note that the nightly sync task creates / updates only the users that are members of one of the Jazz groups. So, other users under the parent branch will not be created by the nightly sync task. Other users present under the parent branch will not be able to log in to the web / Eclipse UI because they are not present in any of the 5 Jazz groups.

---
Balaji
Jazz Server Team
Hey Pawel,
What we want is to have the LDAP sync find users in 2 different branches of the same AD? Ummm, I will need to check, as I thought we were getting the full DN and also that in AD we could retrieve the group from the user... Could you attach (or send me directly if this is confidential :) the server trace of the sync when all LDAP debug options in log4j are set to DEBUG? You can reload log4j by going to https://server:port/jazz/admin?internal=true and clicking the reload log4j button (menu on the left).

```
################################
# LDAP access from jazz        #
################################
# Turn on INFO messages from LDAP nightly sync task
log4j.logger.com.ibm.team.repository.service.internal.userregistry.ldap=DEBUG
# Turn on query trace against the LDAP server
log4j.logger.com.ibm.team.repository.service.internal.userregistry.ldap.LDAPUserRegistry=DEBUG
log4j.logger.com.ibm.team.repository.service.internal.userregistry.ldap.LDAPNightlySyncService=DEBUG
log4j.logger.com.ibm.team.repository.service.internal.userregistry.ldap.LDAPNightlySyncTask=DEBUG
```
I have no problems with synchronization.
I have a dedicated jazz group which contains both: employees from the employee branch and the automated account from the automated accounts branch. So, RTC is synchronized correctly and shows the automated account in the user management panel. The problem is when querying parameters of the automated user account or authenticating this user. I assume in this case the account ID is glued with the Base User DN to construct a query. Since users belong to two branches and I can configure only one Base User DN, I can authenticate only those users that are located in the branch pointed to by the Base User DN.

Pawel
Hey Pawel,
OK, so as Bala was suggesting above, can we have the baseDN as the root of the two trees? Maybe a diagram could help us reproduce the issue.... :)
It works, thanks for your help. Please note that LDAP accepts global queries on a port other than the standard one (I don't remember which), so I needed to modify the port number for the LDAP address or it did not work.
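
The fix this thread settles on, pointing the Base User DN at a parent that contains both branches, can be checked before touching the server configuration. The following is an added example, not part of the original posts and not Jazz/RTC code: it computes the deepest common parent of two branches and tests whether an account DN falls under a given base. All DNs are constructed samples, and case-insensitive RDN comparison is an assumption.

```python
# Added example. Every DN below is a constructed sample, not taken from the thread.

def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas intact."""
    if not dn.strip():
        return []
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # escaped character stays inside the RDN
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def _key(rdn):
    # Assumption: attribute types and values compare case-insensitively.
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())

def is_under(dn, base):
    """True if dn sits inside the subtree rooted at base."""
    d = [_key(r) for r in split_dn(dn)]
    b = [_key(r) for r in split_dn(base)]
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def common_base_dn(dns):
    """Deepest DN that is an ancestor of (or equal to) every DN in dns."""
    paths = [list(reversed(split_dn(d))) for d in dns]
    shared = []
    for level in zip(*paths):
        if len({_key(r) for r in level}) != 1:
            break
        shared.append(level[0])
    return ",".join(reversed(shared))

EMPLOYEES = "OU=Employees,DC=corp,DC=example,DC=com"
TOOLS = "OU=Service Accounts,OU=Automation,DC=corp,DC=example,DC=com"
EMPLOYEE_DN = "CN=Doe\\, Jane,OU=Employees,dc=corp,dc=example,dc=com"
TOOL_DN = "CN=rtc-build," + TOOLS

if __name__ == "__main__":
    parent = common_base_dn([EMPLOYEES, TOOLS])
    print("Base User DN covering both branches:", parent)
    for dn in (EMPLOYEE_DN, TOOL_DN):
        print(dn, "| under employees:", is_under(dn, EMPLOYEES), "| under parent:", is_under(dn, parent))
```

A wider base DN also widens the subtree that user lookups search; as noted in the first answer, only members of the Jazz groups are created by the nightly sync and able to log in.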