It's all about the answers!

Ask a question

Repository group memberships not recognized after migration to JAS SSO(Jazz Authorisation Server)


Fabian GUERIF (132) | asked Mar 14, 12:43 p.m.

 Hello,


Exactly the same problem:

CLM V.7.0.2, JAS V.7.0.2

After migrating JTS to use JAS with help of repotool, I'm able to login to JTS, but I'm only recognized as guest and I'm not member of any repository group when login through JAS with an LDAP account.

Any idea what could be wrong? I'm using the same LDAP setup than before the migration.  A local file based registry is working. Local users defined and added to the local groups are working.

The LDAP setup in JAS is working. I can run the test on the /oidc/endpoint/jazzop/registration URL.
Also members are recognized in LDAP groups for the oauth-roles to manage application registrations within /jts/setup.

The Liberty AdminCenter for JAS is also able to work with the LDAP groups defined in the <administrator-role> section.

The Issue is that all CLM applications are NOT recognizing the repository groups through JAS.
The setting in appConfig.xml, <application> section, is just "ignored". As well as the settings in the application.xml of the CLM applications, which was working before with direct LDAP.

How does JTS recognize the group membership through JAS? What can I do to troubleshoot?
Any Idea or configuration example? I read many documents and help pages but I do not have an idea anymore.

Regards

Fabian.

Accepted answer


permanent link
Shubjit Naik (1.5k1613) | answered Mar 15, 1:37 a.m.

 Hi Fabian


User Group to Role mapping is done by JTS when deployed with JAS. 

Could you confirm that the User Registry Type in <JTS_Home>\server\conf\jts\teamserver.properties is set to LDAP and the LDAP configurations matches what is set with JAS?

Fabian GUERIF selected this answer as the correct answer

Comments
Fabian GUERIF commented Mar 15, 4:54 a.m. | edited Mar 15, 8:50 a.m.

 Thank Shubjit,


I will test your solution.

I keep you informed.

Regards.

Fabian.



1
Fabian GUERIF commented Mar 15, 6:08 a.m. | edited Mar 15, 8:48 a.m.

Shubjit,


Thank your help.
The LDAP SSO connection now works fine.

Have a good day.

Regards.

Fabian.

One other answer



permanent link
Fabian GUERIF (132) | answered Mar 15, 4:13 a.m.
edited Mar 15, 4:14 a.m.

 Hi Shubjit,


Thank for your answer.

I have no problems with LDAP for the JTS authentication, mapping users with groups with the good rights.

I have no problems executing this two steps after JAS installation:
Verify that the Jazz Authorization Server is running
https://<FQDN>:9643/oidc/endpoint/jazzop/.well-known/openid-configuration
Verify that the user registry is configured correctly
https://<FQDN>:9643/oidc/endpoint/jazzop/registration

I will modify JTS > Advanced Properties > com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistryProvider for User group to Jazz role mappings.

For file <JTS_Home>\server\conf\jts\teamserver.properties
com.ibm.team.repository.user.registry.type=DETECT

Should I modify this line by:
com.ibm.team.repository.user.registry.type=LDAP

Regards.

Fabian.




Comments
Shubjit Naik commented Mar 15, 4:24 a.m.

 HI Fabian


Yes, if your groups exist is LDAP then the following should be set
com.ibm.team.repository.user.registry.type=LDAP

Also the other LDAP properties and group mappings in teamserver.properties:
com.ibm.team.repository.ldap.baseGroupDN=ou\=Groups,dc\=example,dc\=com
com.ibm.team.repository.ldap.baseUserDN=ou\=Users,dc\=example,dc\=com
com.ibm.team.repository.ldap.findGroupsForUserQuery=uniquemember\={USER-DN}
com.ibm.team.repository.ldap.groupMapping=JazzAdmins\=JazzAdmins, JazzUsers\=JazzUsers, JazzProjectAdmins\=JazzProjectAdmins, JazzGuests\=JazzGuests
com.ibm.team.repository.ldap.membersOfGroup=uniquemember
com.ibm.team.repository.ldap.registryLocation=ldap\://localhost\:10389

Your answer


Register or to post your answer.