The user is not granted access to any of the required roles: [JazzUsers, JazzAdmins, JazzGuests, JazzProjectAdmins] no matter what I try?
Hey all,
EDIT - Pasted images do not work, apparently.
I have been stuck on setting up an LDAP registry for Liberty and JTS for weeks.
I am using a fresh install of Jazz Team Server on Liberty connecting to an external LDAP.
The error I get is:
[5/23/22 22:24:53:546 EDT] 0000004f .ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl A CWWKS9104A: Authorization failed for user cn=ELM Admin,ou=People,ou=TestOrganisation,ou=Organisations,dc=elm,dc=***,dc=com while invoking jts on /secure/authenticated/identity. The user is not granted access to any of the required roles: [JazzUsers, JazzAdmins, JazzGuests, JazzProjectAdmins].
This seems to indicate that there is something wrong with the LDAP configuration, but there is not.
The ELM Admin user is a member of the JazzAdmins LDAP group. To spare confusion, all Jazz groups are the same in LDAP.
ldapUserRegistry.xml:
<ldapRegistry
    id="sample_ldap" realm="192.168.11.27:389" ignoreCase="true"
    host="192.168.11.27" port="389"
    baseDN="ou=TestOrganisation,ou=Organisations,dc=elm,dc=****,dc=com"
    ldapType="IBM Tivoli Directory Server">
    <idsFilters
        userFilter="(&(|(uid=%v)(mail=%v))(objectclass=inetOrgPerson))"
        groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
    </idsFilters>
</ldapRegistry>
These same settings WORK for another deployment using WAS and an exact copy of the LDAP config.
Interestingly, when I go through jts/setup with the default ADMIN user and set up LDAP user registry through there, I enter all the same information and the test succeeds.
It then tells me to log out and back in as an LDAP user; however, I cannot log in with the user I just had a successful test with.
Here is the ldapUserRegistry.xml from setting it up through jts/setup:
<ldapRegistry
    baseDN="ou=TestOrganisation,ou=Organisations,dc=elm,dc=****,dc=com"
    bindDN="cn=ldapadmin,dc=elm,dc=****,dc=com" bindPassword="{aes}ADjte7cNYv9Q0oLdBnzVf5PWbUZOgyFP0XuCgcAukJDqyt04la/SjK3VVFK3DAsRMA=="
    host="192.168.11.27" id="192.168.11.27:389" ignoreCase="false" ldapType="Custom" port="389" realm="192.168.11.27:389" recursiveSearch="true" sslEnabled="false">
    <idsFilters
        groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
        groupIdMap="*:cn"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember"
        userFilter="(&(|(uid=%v)(mail=%v)(objectclass=inetOrgPerson))"
        userIdMap="*:uid">
    </idsFilters>
    <customFilters
        groupIdMap="*:cn"
        groupMemberIdMap="*:member"
        userIdMap="*:uid"
    />
</ldapRegistry>
And when I try to log in with these settings I get:
[5/23/22 23:32:25:762 EDT] 0000016f y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID f3c99b64-d5c6-4e3e-bbd4-38d93f6a0c3b. An invalid user ID or password was specified.
Yes I am enabling the ldapUserRegistry.xml location in server.xml.
Does anyone have any suggestions of what I can try?
Thanks.
One answer
As far as I can tell from the error message, you do not have a problem with the LDAP group mapping (yet); you have a problem with the mapping of the user ID and password to the LDAP attributes. The user login fails because the user ID or password does not match. Try to follow https://www.ibm.com/support/pages/how-verify-ldap-parameters-jazz-team-server-configuration to get the LDAP settings working. The link is provided in the Setup User Registry step 2; unfortunately, the HTML tag is incorrectly generated.