Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Repository Permissions not picked up from WAS

Hi guys, could you please give me some clues what to look for.
I am having problems with Repository Permissions not picked up from WAS. We are using
6.0.1 RC1 (RJF-I20151030-2028) and we have configured an LDAP federated repository Tivoli.

Since 14 days ago this worked without problems. But now this scenario gives me problems.
- I can create a user in LDAP.
- Then I open WAS (WebSphere Application Server) and navigate to
Enterprise Applications > jts_war (qm.war, ccm.war) > Security role to user/group mapping
I map users to jazz group "Jazz users" and restart WAS
- Then I open jts/admin and successfully import the newly created user, I can assign user licenses and so on ...
I also click on the command "Synchronize Jazz Team Server Users With External User Registry"
I also wait overnight for a possible nightly synchronization

The problem is in the user section "Repository Permissions", which has no checkbox set at section "jazz users". This consequently means that the new user is inoperative, log in does not work.
I would like to somehow get some traces. My questions are:
- in WAS, where are these user to group mappings stored?
- how can I trace WAS user to groups mappings?
- how to trace jts user synchronization?
- anything else regarding this issue

blaž

0 votes

Comments

As far as I am aware, the repository permission is supposed to be managed in LDAP using group attributes. You do not have to do anything in WAS, if the configuration is done correctly. What am I missing? Is this about the "federated" part?


Also why are you even working on a release candidate?

We do not have any LDAP group attributes. My attributes in LDAP are:

- uid
- mail
- userPassword

Mapping is done via WAS. Screenshot attached
Blaž


I cannot give you screenshots since I do not have 60 reputation points

You can upload to another site and add the link.

Without more information why you do what you do, I can not help. 

For all I know you should have special LDAP attributes to reflect the membership of a user in a group. The attribute is set for a user that should be in that group. 

https://jazz.net/library/article/96 section Assigning Group Roles shows how you would do that. 

In any other case, there are sometimes problems with displaying the check box for the repository group. Sometimes it only shows a gray square and no check mark.

Hi,
Here is my follow up. 
I uploaded a WAS screenshot to https://we.tl/t-xHCq593fvD
I also investigated grayed out checkboxes, no success. Your article makes sense but following it would mean that any mapped LDAP user could log in to WAS (I don't want that). So my coworker (who by the way does not work here any more) has mapped users to groups using "Security role to user/group mapping" (uploaded picture). This is also the reason for the release candidate. And it is important, this scenario worked until 14 days ago. At that point we had to restore an LDAP backup from a tape.

So again, is there any trace option that I can configure inside WAS which will point me to the point of failure? From my perspective the configuration is done properly!
Thanks in advance,
Blaž


  1. Understand answers and comments and the difference in this forum
  2. The link does not work
  3. You only make the few people WAS ADMIN that need that. Any other person does not even show up in WAS, because they are pulled from LDAP
  4. You might want to consider consulting  

Sorry for the broken link, let's try this way https://ibb.co/qRQnZT4


The link is ok, beware of qRQnZT4%C2%A0 when opening the link. You need only qRQnZT4

It is possible to create valid links in comments.  I can not answer your question, but I am pretty sure that you do NOT add individual users in the step, but use the LDAP capabilities. Consider consulting. 


Accepted answer


Hi, I found a WAS trace 


*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all

which kinda told me that I was in fact having problems logging into LDAP. So the issue was not with WAS permissions. I changed the UID for these problematic users (which were duplicated) and I can now successfully log in. Very useful information that I received from you was

In any other case, there are sometimes problems with displaying the check box for the repository group. Sometimes it only shows a gray square and no check mark.

Blaž

Ralph Schoon selected this answer as the correct answer

0 votes

Question details

Question asked: Sep 09 '19, 3:37 a.m.

Question was seen: 1,459 times

Last updated: Sep 11 '19, 3:13 a.m.
