
LDAP authentication example Microsoft Active Directory


Kim Soederhamn (1.5k24247) | asked Jan 14 '10, 4:33 a.m.
These tips and the sample apply to both RQM and RTC.

Here is a working sample of the realm to be added as a replacement for the existing one in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ldapserver1.mycomp.net:389"
       authentication="simple"
       referrals="follow"
       connectionName="cn=LDAPLookupUser,OU=MYCOMP Recipients,OU=DENMARK,dc=mycomp,dc=net"
       connectionPassword="1234pass"
       userSearch="(sAMAccountName={0})"
       userBase="OU=MYCOMP Recipients,OU=DENMARK,dc=mycomp,dc=net"
       userSubtree="true"
       roleSearch="(member={0})"
       roleName="cn"
       roleSubtree="true"
       roleBase="dc=mycomp,dc=net"/>

Notice that you may have set up a set of values when logged in to RQM and RTC on the /setup URL where you configured LDAP. Authentication will NOT happen against LDAP until the realm is changed in server.xml. Keeping a backup of server.xml lets you go back to logging in as before.

Troubleshooting problems with LDAP:

I had the following 3 problems when guessing my way to the LDAP values for the realm:

1)
SEVERE: Exception performing authentication
javax.naming.NamingException: ; remaining name 'OU=Rational,OU=DENMARK,dc=dako,dc=net'

This was caused by the fact that the sample I had used did not use a user for logging in to the AD when doing AD lookups. Solution: added the lines for connectionName and connectionPassword as well as authentication and referrals.

2)
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B

This error was caused by a typo in the full name of the user to log in with. The error actually means wrong credentials (for the lookup user).

3)
No error but none of the users could log in
This error was caused by my role base being too specific, so the users that tried to log in could not be found. The solution would be to verify that the users you wish to validate can actually be found in the groups where you are looking for them.

Finally, be aware that any users you try to log in with using LDAP must of course have been assigned a license and access to a project area, like any other user.

more info:
http://jazz.net/help-dev/rational-quality-manager/index.jsp?topic=%2Fcom.ibm.rational.test.qm.doc%2Ftopics%2Fc_plan_identity_management.html%3Fresultof%3D%22LDAP%22%20%22ldap%22

and

https://jazz.net/wiki/bin/view/Main/LDAP4Dummies
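The following is an added example and is not code from the original post or from the Jazz/RTC product. It is a small checker, using only the Python standard library, that parses a JNDIRealm element out of a server.xml fragment and reports what a reviewer would flag before the realm goes live: a simple bind over plain ldap:// (the lookup account's password crosses the network in the clear), a high debug level, an embedded connectionPassword, a userSearch or roleSearch without the {0} placeholder, and a roleBase that is narrower than the userBase (the cause of problem 3 above). It also shows the RFC 4515 escaping a realm must apply to a login name before substituting it for {0}. The server.xml text inside the block is a constructed copy of the realm above with the password replaced by a placeholder, and the "roleBase should be an ancestor of userBase" rule is a heuristic of my own, not a JNDIRealm requirement.

```python
"""Sanity-check a Tomcat JNDIRealm element before swapping it into server.xml.

Added example, not part of the original post.  Standard library only.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the post's realm with the password replaced by a placeholder.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             debug="99"
             connectionURL="ldap://ldapserver1.mycomp.net:389"
             authentication="simple"
             referrals="follow"
             connectionName="cn=LDAPLookupUser,OU=MYCOMP Recipients,OU=DENMARK,dc=mycomp,dc=net"
             connectionPassword="PLACEHOLDER_PASSWORD"
             userSearch="(sAMAccountName={0})"
             userBase="OU=MYCOMP Recipients,OU=DENMARK,dc=mycomp,dc=net"
             userSubtree="true"
             roleSearch="(member={0})"
             roleName="cn"
             roleSubtree="true"
             roleBase="dc=mycomp,dc=net"/>
    </Engine>
  </Service>
</Server>
"""

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"


def find_jndi_realm(server_xml: str):
    """Return the first JNDIRealm element in a server.xml document, or None."""
    root = ET.fromstring(server_xml)
    for realm in root.iter("Realm"):
        if realm.get("className") == JNDI_REALM:
            return realm
    return None


def dn_components(dn: str):
    """Split a DN into normalised RDN strings, most specific first."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def review_realm(realm) -> list:
    """Return a list of human-readable findings for a JNDIRealm element."""
    findings = []
    url = urlsplit(realm.get("connectionURL", ""))
    # A simple bind sends the lookup account's password in the clear unless the
    # connection itself is encrypted; ldaps:// (port 636 by default) is the fix.
    if url.scheme == "ldap" and realm.get("authentication", "simple") == "simple":
        findings.append("cleartext simple bind over ldap://; use ldaps:// instead")
    if int(realm.get("debug", "0")) > 0:
        findings.append("debug=%s leaves verbose LDAP tracing in the Tomcat logs; "
                        "set it to 0 in production" % realm.get("debug"))
    if realm.get("connectionPassword"):
        findings.append("connectionPassword is embedded in server.xml; restrict the "
                        "file to the Tomcat service account")
    for attr in ("userSearch", "roleSearch"):
        if "{0}" not in realm.get(attr, ""):
            findings.append("%s has no {0} placeholder, so the login name is never "
                            "substituted" % attr)
    # Problem 3 in the post: a roleBase narrower than the users' groups finds no
    # roles.  Heuristic (my assumption): roleBase should be userBase or an ancestor.
    user_base = dn_components(realm.get("userBase", ""))
    role_base = dn_components(realm.get("roleBase", ""))
    if role_base and user_base[-len(role_base):] != role_base:
        findings.append("roleBase is not an ancestor of userBase; groups outside it "
                        "will not be found")
    return findings


# RFC 4515 escapes for characters that would otherwise alter the search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(realm, login: str) -> str:
    """Substitute an escaped login name for {0} in userSearch, as a realm must."""
    return realm.get("userSearch").replace("{0}", escape_filter_value(login))


if __name__ == "__main__":
    realm = find_jndi_realm(SAMPLE_SERVER_XML)
    for finding in review_realm(realm):
        print("-", finding)
    print(build_user_search(realm, "jdoe"))
    print(build_user_search(realm, "a*b(c)"))
```

Run it against your own server.xml by reading the file into find_jndi_realm instead of the constructed sample; the realm above yields three findings (cleartext bind, debug level, embedded password), and narrowing roleBase below the userBase adds a fourth.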

One answer



KrishnaKanth Naik (76511015) | answered Jan 07 '14, 3:47 a.m.
JAZZ DEVELOPER
Just wanted to add in an interesting observation w.r.t. AD on Windows 2008.

The Windows 2008 AD Administrative View provides an option to assign timestamps for when the user can be authenticated. See the below screenshot for the user's profile in the AD.

During these intervals, he would not be able to log in to RTC, and the error would be as follows:
