Where is a recipe for the from-scratch configuration of Jazz CLM with JAS and LDAP?

When installing Jazz CLM 7 along with an LDAP server and Jazz Authentication Server, what is the necessary configuration in server.xml, ldapUserRegistry.xml, and teamserver.properties for the CLM server, and in server.xml, appConfig.xml, and ldapUserRegistry.xml for the jazzop server, such that at the conclusion of the userinstc and retools-jts.sh setup operations (along with any other XML configurations and script executions) the users of the LDAP repository who are in the JazzAdmins LDAP group can perform administration operations within the jts/admin and jts/setup service endpoints?
Every piece of the complex puzzle appears to be working individually (servers start without complaints, web pages appear, OIDC protocols complete, authentication of users that were unknown to Jazz but are present in the LDAP base DN hierarchy succeeds, etc.). Scripts such as prepareMigrationToJsaSso and migrateToJsaSso all authenticate with both JTS CLM and JAS. LDAP ldapsearch queries all return expected results. ldapRegistry filters look proper and appear to be working.
Nevertheless, whenever a JazzUser who is also a member of JazzAdmins attempts to do anything in Jazz CLM that requires JazzAdmin group membership, that authenticated member is shown to be only a Jazz Guest and is denied admin access.
Where is Jazz attempting to map users to groups and why is it failing when everything else is successful?
Comments
Lonnie VanZandt
Mar 24 '21, 9:25 p.m. Jim Amsden sought.
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Mar 25 '21, 3:13 a.m. The role mapping is done in the LDAP group mapping as documented. As far as I know, JAS is just doing the authentication, nothing else.
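To make the "LDAP group mapping" step concrete, here is an added example that is not from the jazz.net thread and not IBM's code. It simulates, over a constructed LDIF snapshot, how a Liberty ldapRegistry-style lookup resolves a user's groups (by matching the group's member attribute values against the user's full DN, as a groupMemberIdMap such as groupOfNames:member does) and then how a name-to-name mapping turns those LDAP groups into Jazz repository roles. The LDIF entries, the GROUP_MAPPING table and the exact matching rule are assumptions made for the illustration; the point it shows is that a user whose admin-group membership is recorded in a different attribute (memberUid, for example) or under a DN that does not match the bound user's DN ends up with no mapped role, even though authentication itself succeeds.

```python
"""Simulated LDAP group -> Jazz role resolution (added example; not the
thread's or IBM's code).

Assumptions, none of which are stated on the page:
  * The registry finds a user's groups by checking each group entry's
    member attribute (groupMemberIdMap, e.g. groupOfNames:member) for the
    user's full DN, case-insensitively (ignoreCase="true").
  * LDAP group names map to Jazz roles through a simple name-to-name table
    (GROUP_MAPPING below stands in for the real teamserver.properties
    setting); a user with no mapped group gets no role at all.
"""

# Constructed LDIF snapshot. 'alice' is a JazzAdmins member by DN; 'bob' is
# listed in JazzAdmins only via memberUid, which a DN-based member map
# never consults, so bob resolves to JazzUsers only.
LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=JazzAdmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: JazzAdmins
member: uid=alice,ou=people,dc=example,dc=com
memberUid: bob

dn: cn=JazzUsers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: JazzUsers
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
"""

# Assumed LDAP-group-name -> Jazz-role table (hypothetical values).
GROUP_MAPPING = {
    "JazzAdmins": "JazzAdmins",
    "JazzUsers": "JazzUsers",
}


def parse_ldif(text):
    """Parse a minimal LDIF text into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def groups_for_user(entries, user_dn, member_attr="member"):
    """Return the cn of every groupOfNames whose member_attr contains the
    user's DN. Mirrors a groupMemberIdMap of groupOfNames:<member_attr>."""
    wanted = user_dn.lower()
    return sorted(
        attrs["cn"][0]
        for attrs in entries.values()
        if "groupOfNames" in attrs.get("objectClass", [])
        and any(v.lower() == wanted for v in attrs.get(member_attr, []))
    )


def jazz_roles(entries, user_dn):
    """Map the user's LDAP groups to Jazz roles; an empty list means the
    user authenticated but holds no repository role."""
    return sorted(
        GROUP_MAPPING[g]
        for g in groups_for_user(entries, user_dn)
        if g in GROUP_MAPPING
    )


if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    for dn in ("uid=alice,ou=people,dc=example,dc=com",
               "uid=bob,ou=people,dc=example,dc=com"):
        print(dn, "->", jazz_roles(directory, dn) or "no mapped role")
```

Running it prints alice with both roles and bob with JazzUsers only; swapping `member_attr` to "memberUid" for bob would still not help, because the value there is a uid rather than a DN. The practical check this suggests is to run ldapsearch against the admin group entry and compare its member values, character for character, with the DN the registry resolved for the authenticated user.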
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Mar 25 '21, 10:53 a.m. Not sure if I was right or wrong. Maybe this helps? https://jazz.net/forum/questions/233060/repository-group-memberships-not-recognized-after-migration-to-jas-jazz-authorisation-server/233078
Lonnie VanZandt
Mar 25 '21, 2:19 p.m. Ralph, I am pretty sure that you are correct: JAS just does authentication. Some other tactics are used to populate JTS's set of users and how it maps users and groups.
Lonnie VanZandt
Mar 25 '21, 2:26 p.m. It might be the case, too, that the Advanced setting for
Lonnie VanZandt
Mar 25 '21, 2:35 p.m. I hope, also, that with the registry type set as LDAP (not UNSUPPORTED), the nightly userSync service is then able to run and updates occurring in the LDAP server will flow into the Jazz User registry, automagically.