Welcome to the Jazz Community Forum
LDAP breaks after moving to M5

I get this error when logging into my new M5 repository:
"Error logging in. There is a User id Mistmatch between the Jazz repository and the authentication server. Please Contact Your System Administrator."
My LDAP authentication in Beta 2 was via WebSphere Application Server. I checked "Enterprise Applications > jazz_war > Security role to user/group mapping" in the WAS Admin console and everything checks out. I also saw this in the Jazz Admin console:
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider

Property, with its current value and default value:

Base DN of Jazz application group
    Current value: ou=JazzGroups,dc=jazz,dc=net
    Default value: ou=JazzGroups,dc=jazz,dc=net
Base DN of users in the registry
    Current value: ou=people,dc=jazz,dc=net
    Default value: ou=people,dc=jazz,dc=net
Find groups for user
    Current value: member=uid=?1,ou=people,dc=jazz,dc=net
    Default value: member=uid=?1,ou=people,dc=jazz,dc=net
Find users by any name query
    Current value: (| (cn=* ?1*) (cn=*_?1*))
    Default value: (| (cn=* ?1*) (cn=*_?1*))
Find users by name query
    Current value: cn=?1*
    Default value: cn=?1*
Is user a member of group query
    Current value: (& (cn=?1) (member=uid=?2,ou=people,dc=jazz,dc=net))
    Default value: (& (cn=?1) (member=uid=?2,ou=people,dc=jazz,dc=net))
Jazz Application group name attribute
    Current value: cn
    Default value: cn
Jazz user attributes to LDAP entry attributes mapping
    Current value: userId=uid,name=cn,emailAddress=mail
    Default value: userId=uid,name=cn,emailAddress=mail
LDAP registry location
    Current value: ldap://localhost:389
    Default value: ldap://localhost:389
Password to access LDAP registry
    none
Query to find users by user id
    Current value: uid=?1
    Default value: uid=?1
User name to access LDAP registry
    none
Do I need to set the LDAP in WAS and the Jazz Admin Console?
Thanks!
15 answers

Aaron,
Configuring the LDAP settings in the Jazz Application is not required for
"logging in" but should be configured in order to enable you to query the
repository roles of individual users and to take advantage of the new Import
User feature.
In a previous posting I announced changes to user management; more info is
at the following WIKI topic:
https://jazz.net/wiki/bin/view/Main/RoleMigrationAndLdapConfiguration
This however is probably unrelated to the user mismatch/error logging in.
I'll contact the developer who added that code.
--
Ritchie
**********************************************
Ritchie Schacher
Jazz Repository/Server Team

Aaron,
You will see this error message when the account you logged in as exists in the user registry (LDAP) but not in the repository. If you look at the wiki page Ritchie mentioned, there is information on importing users from an LDAP registry. Importing user accounts should solve your problem, but if you continue having trouble, please let me know.
Thanks,
Matt

Hi Aaron,
If you are configuring an external LDAP registry in WAS, then you should
also set the properties for
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider.
This should be configured in order to enable you to query the repository
roles of individual users and to take advantage of the new Import User
feature.
You should minimally just need to change the base DNs for users and groups,
and the LDAP registry location. As noted in the WIKI topic, you will need
the 4 groups defined under a configured OU.
If we can figure out how to introspect the LDAP settings in WAS in order to
adopt them automatically in Jazz that would be a nice enhancement, but there
is nothing planned at this time.
--
Ritchie
**********************************************
Ritchie Schacher
Jazz Repository/Server Team
"amcohen.us.ibm.com" <amcohen@us.ibm-dot-com.no-spam.invalid> wrote in
message news:fpvbsr$356$1@localhost.localdomain...
Thanks.
Do I need to set
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider.
if I already have the users mapped in WAS?
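
A consistency check for the settings discussed above, as an added example (not code from Jazz or from anyone in this thread). It flags the three properties the reply names as the minimum to change when they are still at the defaults posted in the question, and it assumes, which the thread does not state, that the DN written into the `member=` query templates should agree with the users base DN; `dc=example,dc=com` is a hypothetical site.

```python
import re

# Shipped defaults, copied from the settings posted in this thread.
DEFAULTS = {
    "Base DN of Jazz application group": "ou=JazzGroups,dc=jazz,dc=net",
    "Base DN of users in the registry": "ou=people,dc=jazz,dc=net",
    "LDAP registry location": "ldap://localhost:389",
    "Find groups for user": "member=uid=?1,ou=people,dc=jazz,dc=net",
    "Is user a member of group query":
        "(& (cn=?1) (member=uid=?2,ou=people,dc=jazz,dc=net))",
}
# The three properties the reply says need changing at a minimum.
MUST_CHANGE = tuple(DEFAULTS)[:3]
USERS_BASE = "Base DN of users in the registry"
# A DN written after a ?N placeholder inside a query template.
EMBEDDED_DN = re.compile(r"\?\d+,([^()]+)")


def norm_dn(dn):
    """Normalise case and spacing so equal DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit(current):
    """Return (property, finding) pairs for one provider configuration."""
    findings = []
    for prop in MUST_CHANGE:
        if current.get(prop, DEFAULTS[prop]) == DEFAULTS[prop]:
            findings.append((prop, "still at shipped default"))
    users_base = norm_dn(current.get(USERS_BASE, DEFAULTS[USERS_BASE]))
    for prop in tuple(DEFAULTS)[3:]:
        # Assumption: a DN embedded in a template should match the users base DN.
        for dn in EMBEDDED_DN.findall(current.get(prop, DEFAULTS[prop])):
            if norm_dn(dn) != users_base:
                findings.append((prop, "embedded DN differs from users base DN"))
    return findings


# Constructed inputs: the all-default settings from the thread, and a
# hypothetical site (dc=example,dc=com) that changed only the three minimums.
AS_POSTED = dict(DEFAULTS)
PARTIAL = {**DEFAULTS,
           "Base DN of Jazz application group": "ou=JazzGroups,dc=example,dc=com",
           "Base DN of users in the registry": "ou=people,dc=example,dc=com",
           "LDAP registry location": "ldap://ldap.example.com:389"}

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("partial", PARTIAL)):
        for prop, finding in audit(cfg):
            print(f"{name}: {prop}: {finding}")
```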

I'm about to upgrade from Beta2a to M5. Using Bluegroups and WAS
and everything's working well.
Did I understand correctly that M5 requires the LDAP group names (i.e.
blue group names) to match the Jazz roles?
I don't see how that can be done if the LDAP server is shared by
multiple (separate) Jazz projects each with their own servers.
Any help appreciated

David,
We had plans to support mapping of Jazz group names to actual LDAP group
names. We did not get a chance to finish the implementation by M5. We might
provide this feature as a patch if this is a restriction for other groups at
IBM to move to M5.
I will keep you updated about our plans for an M5 patch.
------ Balaji

OK, so no IBM team using Jazz with bluepages for authentication will be
able to use M5 except for, perhaps, the first team who grabbed the
bluegroup names starting with Jazz*.
Is my understanding correct here?
If so, I'll have to shelve my plans to use M5 until this patch is released.