It's all about the answers!

Ask a question

Where is a recipe for the from-scratch configuration of Jazz CLM with JAS and LDAP?


Lonnie VanZandt (88517) | asked Mar 24 '21, 9:24 p.m.
edited Mar 25 '21, 4:56 a.m. by Fariz Saracevic (904613)

 When installing Jazz CLM 7 along with an LDAP server and Jazz Authentication Server, what is the necessary configuration on the server.xml, ldapUserRegistry.xml, and teamserver.properties for the CLM server and the settings for the server.xml, appConfig.xml, and ldapUserRegistry.xml files for the jazzop server such that at the conclusion of the userinstc and retools-jts.sh setup operations (along with any other XML configurations and script executions) the users of the LDAP repository which are in the JazzAdmins LDAP group can perform administration operations within the jts/admin and jts/setup service endpoints?


Every piece of the complex puzzle appears to be working individually (servers start without complaints, web pages appear, OIDC protocols complete, authentication of users that were unknown to Jazz but are present in the LDAP base DN hierarchy succeeds, etc and etc) Scripts such as prepareMigrationToJsaSso and migrateToJsaSso all authenticate with both JTS CLM and JAS. LDAP ldapsearch queries all return expected results. ldapRegistry filters look proper and appear to be working.

Nevertheless, whenever a JazzUser that is also a JazzAdmins attempts to do anything in Jazz CLM that requires JazzAdmin group membership, that authenticated member is shown to be only a Jazz Guest and is denied admin access.

Where is Jazz attempting to map users to groups and why is it failing when everything else is successful?


Comments
Lonnie VanZandt commented Mar 24 '21, 9:25 p.m.

Jim Amsden sought. 


Ralph Schoon commented Mar 25 '21, 3:13 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

The role mapping is done in the LDAP group mapping as documented. As far as I know JAS is just doing the authentication nothing else. 


Ralph Schoon commented Mar 25 '21, 10:53 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Lonnie VanZandt commented Mar 25 '21, 2:19 p.m.

Ralph, I am pretty sure that you are correct: JAS just does authentication. Some other tactics are used to populate JTS's set of users and how it maps users and groups. 


Lonnie VanZandt commented Mar 25 '21, 2:26 p.m.

 It might be the case, too, that the Advanced setting for


com.ibm.team.repository.ldap.findGroupsForUserQuery=uniqueMember\={USER-DN}

is the root cause.

It happens that the particular LDAP server being queried puts admin accounts into a separate tree from regular users and has groups in yet another tree.

This means that baseDN has to be wider than the scoped DN for the users.
So the query for groups of a uniqueMember may be forming an incomplete DN for the uids.
If so, that would explain why everything except this determination of groups for a user appears to be working.
Any ldapsearch, too, would not throw an error, it would just return an empty set. So logging isn't going to be helpful.


Lonnie VanZandt commented Mar 25 '21, 2:35 p.m.

I hope, also, that with the registry type set as LDAP (not UNSUPPORTED), that the nightly userSync service is then able to run and updates occuring in the LDAP server will flow into the Jazz User registry, automagically.

showing 5 of 6 show 1 more comments

One answer



permanent link
Ralph Schoon (63.1k33645) | answered Mar 26 '21, 3:34 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

In the JTS setup wizard in the setup LDAP step is a link to a description how to test the LDAP settings and what they find that you could try.

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.