issue regarding Liberty's integrated LDAP server
Can the administrator help to take a look at this issue regarding Liberty's integrated LDAP server?
I have found several methods, but I don't feel that they are very detailed on the official website. I always feel that there are missing steps, so I finally decided to refer to the methods on the forum. Please refer to the link below
https://jazz.net/wiki/bin/view/Deployment/ConfigureLDAPforLibertyProfile?sortcol=6 ; table=1; up=2#sorted_ table
The reference method provided by this link is to go to the step of registering the user table during the new installation process, select LDAP, configure the information, test the link successfully, and click to save the ldap configuration file information. Then assign the license and click Next (the purpose is to save the ldap information locally, and the method specifies the necessary operation); The second step is to modify server.xml and select ldapUserRegistry.xml; Then return to configuring other applications
The problems and doubts encountered are as follows:
1. In this installation mode of Liberty, the default elm administrator is ADMIN. Do I need to add this account to the LDAP server in advance (I tried before and encountered a problem where ADMIN cannot be mapped to the setup program)?
After selecting LDAP in the registry and restarting the server, the ELM program will no longer allow access to this account, which is not present in LDAP
1.2 I have disabled this account before, and that's even worse
1.3 Error reported when clicking Next using ADMIN account
Before selecting the registry, do you need to create a new LDAP administrator account in the system?
2.1 Due to the lack of ADMIN account in LDAP, when configuring LDAP information, an administrator account in the LDAP account was used for authentication. As a result, accessing ELM, whether it is the setup program or the admin program, ADMIN, or users in their newly created LDAP are no longer authorized to access it
2.2 After modifying server.xml, restarting the server resulted in two accounts not being able to log in to the ELM system directly (assuming the first registration page configuration is completed, click the next button. Although an error was reported, it still meets the requirements)
I hope everyone can help guide us in the direction. Thank you very much
|
2 answers
Ralph Schoon (63.4k●3●36●46)
| answered May 08 '23, 3:21 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER edited May 08 '23, 3:22 a.m. I would suggest to follow the installation guide: https://www.ibm.com/docs/en/elms/elm/7.0.2?topic=guides-interactive-installation-upgrade-setup .
My understanding is, that you initially log into jts/setup using the file based authentication. In this setup you have the user ADMIN available. This user is by default disabled during the initial setup, when you create your real administration user. The user ADMIN does not have to be in the LDAP.
In Jazz, users have an ID. For this ID a user record is created that contains information such as name and e-mail. The new administration user is created in the JTS database and also in the basicUserRegistry.xml. In addition, when configuring to use LDAP, you must add the new admin user to the LDAP system. When you switch LDAP on, you change the user registry to LDAP and for this to work, the new administration user needs to be available in LDAP, so you can log in when you activated the LDAP settings.
In the setup step 6, you can follow the documented hint http://www.ibm.com/support/docview.wss?uid=swg21445366 to test your LDAP settings. |
|
Thank you very much for your reply. I will try your method later to see if it is the same as before and verify it. After trying multiple times today, I found that one method was successful. The operation method is as follows:
1. Integrate AD after Liberty deployment is completed
a. Switch to the setup page and go to the registry selection page (it is recommended to create an AD administrator role user in advance)
b. Select LDAP, configure corresponding information, and test successful connection
c. After successfully connecting, click Save ldap config Files
d. Reassign the license and click Next
e. Successfully skip to the next step, successful, no need to restart
Finally: Although this method was successful, it was not the best result. The best effect is to directly implement the coexistence of user and external user registries in LDAP through some operations and steps during the installation process. If you have a similar official guidance path, please also help provide it
|
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.