Repository Permissions not picked up from WAS


Blaž Pintar (26) | asked Sep 09, 3:37 a.m.
edited Sep 09, 4:11 a.m. by Ralph Schoon (55.3k23642)
Hi guys, could you please give me some clues about what to look for.
I am having problems with Repository Permissions not picked up from WAS. We are using
6.0.1 RC1 (RJF-I20151030-2028) and we have configured an LDAP federated repository (Tivoli).

Until 14 days ago this worked without problems. But now this scenario gives me problems.
- I can create a user in LDAP.
- Then I open WAS (WebSphere Application Server) and navigate to
Enterprise Applications > jts_war (qm.war, ccm.war) > Security role to user/group mapping.
I map users to the Jazz group "JAzz users" and restart WAS.
- Then I open jts/admin and successfully import the newly created user; I can assign user licenses and so on ...
I also click on the command "Synchronize Jazz Team Server Users With External User Registry".
I also wait overnight for a possible nightly synchronization.

The problem is in the user section "Repository Permissions", which has no checkbox set in the section "jazz users". This consequently means that the new user is inoperative; login does not work.
I would like to somehow get some traces. My questions are:
- In WAS, where are these user-to-group mappings stored?
- How can I trace WAS user-to-group mappings?
- How do I trace JTS user synchronization?
- Anything else regarding this issue

blaž

Comments
Ralph Schoon commented Sep 09, 4:10 a.m. | edited Sep 09, 4:20 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

As far as I am aware, the repository permission is supposed to be managed in LDAP using group attributes. You do not have to do anything in WAS, if the configuration is done correctly. What am I missing? Is this about the "federated" part?


Also why are you even working on a release candidate?


Blaž Pintar commented Sep 09, 4:21 a.m. | edited Sep 09, 7:13 a.m.

We do not have any LDAP group attributes. My attributes in LDAP are:

- uid
- mail
- userPassword

Mapping is done via WAS. Screenshot attached
Blaž



Blaž Pintar commented Sep 09, 4:23 a.m.

I cannot give you screenshots since I do not have 60 reputation points.


Ralph Schoon commented Sep 09, 7:21 a.m.
You can upload to another site and add the link.

Without more information on why you do what you do, I cannot help.

For all I know you should have special LDAP attributes to reflect the membership of a user in a group. The attribute is set for a user that should be in that group. 

https://jazz.net/library/article/96 section Assigning Group Roles shows how you would do that. 

In any other case, there are sometimes problems with displaying the check box for the repository group. Sometimes it only shows a gray square and no check mark.


Blaž Pintar commented Sep 10, 2:01 a.m. | edited Sep 10, 2:49 a.m.
Hi,
Here is my follow up. 
I uploaded a WAS screen shot to https://we.tl/t-xHCq593fvD 
I also investigated grayed-out checkboxes, with no success. Your article makes sense, but following it would mean that any mapped LDAP user could log in to WAS (I don't want that). So my coworker (who, by the way, does not work here any more) mapped users to groups using "Security role to user/group mapping" (uploaded picture). This is also the reason for the release candidate. And it is important: this scenario worked until 14 days ago. At that point we had to restore an LDAP backup from a tape.

So again, is there any trace option that I can configure inside WAS which will point me to the point of failure? From my perspective the configuration is done properly!
Thanks in advance,
Blaž



Ralph Schoon commented Sep 10, 2:51 a.m.
  1. Understand answers and comments and the difference in this forum
  2. The link does not work
  3. You only make the few people WAS ADMIN that need that. Any other person does not even show up in WAS, because they are pulled from LDAP
  4. You might want to consider consulting.

Blaž Pintar commented Sep 10, 3:19 a.m. | edited Sep 10, 4:07 a.m.

Sorry for the broken link, let's try this way: https://ibb.co/qRQnZT4



Blaž Pintar commented Sep 10, 3:50 a.m.

The link is OK; beware of qRQnZT4%C2%A0 when opening the link. You need only qRQnZT4.


Ralph Schoon commented Sep 10, 4:08 a.m.

It is possible to create valid links in comments. I cannot answer your question, but I am pretty sure that you do NOT add individual users in that step, but use the LDAP capabilities. Consider consulting.


Accepted answer


Blaž Pintar (26) | answered Sep 11, 3:13 a.m.

Hi, I found a WAS trace


=info:com.ibm.ws.security.=all:com.ibm.websphere.security.=all:com.ibm.websphere.wim.=all:com.ibm.wsspi.wim.=all:com.ibm.ws.wim.=all

which kinda told me that I was in fact having problems logging into LDAP. So the issue was not with WAS permissions. I changed the UID for these problematic users (which were duplicated) and I can now successfully log in. Very useful information that I received from you was:

In any other case, there are sometimes problems with displaying the check box for the repository group. Sometimes it only shows a gray square and no check mark.

Blaž

Ralph Schoon selected this answer as the correct answer
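The root cause in the accepted answer was duplicated uid values in LDAP after the tape restore. As an added example (not from the original post or from IBM), the following Python script parses an LDIF export (a constructed sample is embedded inline) and reports every uid held by more than one entry, so the check can be run on the directory before the JTS synchronization instead of after logins fail.

```python
import base64
from collections import defaultdict

# Constructed LDIF export (not from the original post); the first two entries share uid "jsmith", the second as base64 ("JSmith").
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=people,dc=example,dc=com
uid: jsmith

dn: uid=jsmith,ou=contractors,dc=example,dc=com
uid:: SlNtaXRo

dn: uid=bpintar,ou=people,dc=example,dc=com
uid: bpintar
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines and decodes 'attr::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded line: append to the previous one
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries

def find_duplicate_uids(text):
    """Map each uid held by more than one entry to the DNs holding it (case-insensitive, as LDAP uid matching normally is)."""
    seen = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        for uid in attrs.get("uid", []):
            seen[uid.lower()].append(dn)
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}
```

Feed it the output of an `ldapsearch -LLL` export of the user subtree; any uid it reports must be made unique before WAS can resolve that user.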
