Repository Permissions not picked up from WAS
Blaž Pintar (26●1)
| asked Sep 09 '19, 3:37 a.m.
edited Sep 09 '19, 4:11 a.m. by Ralph Schoon (63.4k●3●36●46)
Hi guys, could you please give me some clues what to look for.
I am having problems with Repository Permissions not picked up from WAS. We are using
6.0.1 RC1 (RJF-I20151030-2028) and we have configured an LDAP federated repository Tivoli.
Since 14 days ago this worked without problems. But now this scenario gives me problems.
- I can create a user in LDAP.
- Then I open WAS (WebSphere Application Server) and navigate
Enterprise Applications > jts_war (qm.war, ccm.war) > Security role to user/group mapping
I map users to Jazz group "Jazz users" and restart WAS
- Then I open jts/admin and successfully import the newly created user, I can assign user licenses and so on ...
I also click on the command "Synchronize Jazz Team Server Users With External User Registry"
I also wait overnight for a possible nightly synchronization
The problem is in the user section "Repository Permissions", which has no checkbox set at section "jazz users". This consequently means that the new user is inoperative, log in does not work.
I would like to somehow get some traces. My questions are:
- In WAS, where are these user to group mappings stored?
- How can I trace WAS user to group mappings?
- How to trace jts user synchronization?
- Anything else regarding this issue
blaž
Accepted answer
Hi, I found a WAS trace
*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all
which kinda told me that I was in fact having problems logging into LDAP. So the issue was not with WAS permissions. I changed the UID for these problematic users (which were duplicated) and I can now successfully log in. Very useful information that I received from you was
Blaž
Ralph Schoon selected this answer as the correct answer
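The root cause in the accepted answer was duplicated UIDs in LDAP. As an added example (not from the original thread or from IBM), the Python below scans an LDIF export of the directory for login IDs held by more than one entry. The sample entries, DNs and function names are constructed for illustration, and it assumes `uid` is the login attribute.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF export (illustrative data, not from the thread).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe

dn: cn=Jane Doe,ou=contractors,dc=example,dc=com
uid:: SkRPRQ==

dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
description: a long value that the exporter folded onto
  a continuation line
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; handles folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # leading space = folded continuation
        else:
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry.get("dn"):
                yield entry["dn"][0], dict(entry)
            entry = defaultdict(list)
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry[attr.strip().lower()].append(value.strip())

def duplicate_uids(text, attr="uid"):
    """Return {login_id: [dn, ...]} for IDs that more than one entry holds."""
    owners = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        for value in attrs.get(attr, []):
            owners[value.lower()].append(dn)   # uid matching ignores case
    return {uid: dns for uid, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for uid, dns in duplicate_uids(SAMPLE_LDIF).items():
        print(uid, "->", dns)
```

The base64-encoded and differently cased `JDOE` is reported together with `jdoe`, which is the kind of collision a plain text search of the export would miss.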
Comments
As far as I am aware, the repository permission is supposed to be managed in LDAP using group attributes. You do not have to do anything in WAS, if the configuration is done correctly. What am I missing? Is this about the "federated" part?
We do not have any LDAP group attributes. My attributes in LDAP are:
I cannot give you screenshots since I do not have 60 reputation points.
Without more information why you do what you do, I can not help.
Sorry for the broken link, let's try this way https://ibb.co/qRQnZT4
Link is OK, beware of qRQnZT4%C2%A0 when opening the link. You need only qRQnZT4
It is possible to create valid links in comments. I can not answer your question, but I am pretty sure that you do NOT add individual users in the step, but use the LDAP capabilities. Consider consulting.