Ldap breaks after moving to M5


Aaron Cohen (8107651) | asked Feb 25 '08, 3:33 p.m.
JAZZ DEVELOPER
I get this error when logging into my new M5 repository:


"Error logging in. There is a User id Mistmatch between the Jazz repository and the authentication server. Please Contact Your System Administrator."

My LDAP authentication in Beta 2 was via WebSphere Application Server. I checked "Enterprise Applications > jazz_war > Security role to user/group mapping" in the WAS Admin console and everything checks out. I also saw this in the Jazz Admin console:
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider Edit View
Property Current Value Default Value Description
Base DN of Jazz application group

ou=JazzGroups,dc=jazz,dc=net
ou=JazzGroups,dc=jazz,dc=net
Base DN of users in the registry

ou=people,dc=jazz,dc=net
ou=people,dc=jazz,dc=net
Find groups for user

member=uid=?1,ou=people,dc=jazz,dc=net
member=uid=?1,ou=people,dc=jazz,dc=net
Find users by any name query

(| (cn=* ?1*) (cn=*_?1*))
(| (cn=* ?1*) (cn=*_?1*))
Find users by name query

cn=?1*
cn=?1*
Is user a member of group query

(& (cn=?1) (member=uid=?2,ou=people,dc=jazz,dc=net))
(& (cn=?1) (member=uid=?2,ou=people,dc=jazz,dc=net))
Jazz Application group name attribute

cn
cn
Jazz user attributes to LDAP entry attributes mapping

userId=uid,name=cn,emailAddress=mail
userId=uid,name=cn,emailAddress=mail
LDAP registry location

ldap://localhost:389
ldap://localhost:389
Password to access LDAP registry

none
Query to find users by user id

uid=?1
uid=?1
User name to access LDAP registry

none

Do I need to set the LDAP in WAS and the Jazz Admin Console?

Thanks!

15 answers



Ritchie Schacher - IBM (47611) | answered Feb 25 '08, 3:58 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
Aaron,

Configuring the LDAP settings in the Jazz Application is not required for
"logging in" but should be configured in order to enable you to query the
repository roles of individual users and to take advantage of the new Import
User feature.

In a previous posting I announced changes to user management; more info is
at the following WIKI topic:

https://jazz.net/wiki/bin/view/Main/RoleMigrationAndLdapConfiguration

This however is probably unrelated to the user mismatch/error logging in.
I'll contact the developer who added that code.

--
Ritchie

**********************************************
Ritchie Schacher
Jazz Repository/Server Team

Matthew Jarvis (2411) | answered Feb 25 '08, 4:14 p.m.
JAZZ DEVELOPER
Aaron,

You will see this error message when the account you logged in as exists in the user registry (LDAP) but not in the repository. If you look at the wiki page Ritchie mentioned, there is information on importing users from an LDAP registry. Importing user accounts should solve your problem, but if you continue having trouble, please let me know.

Thanks,
Matt
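
The condition described in this answer (an account present in the LDAP registry but absent from the repository) can be checked before users hit the login error. The Python below is an added example, not part of the original posts and not Jazz code; it assumes an LDIF export of the directory and a list of repository user IDs, both constructed here, and reuses the attribute mapping and user base DN shown in the question.

```python
# Added example, not Jazz code. Sample data below is constructed.
MAPPING = "userId=uid,name=cn,emailAddress=mail"  # mapping shown in the question
USER_BASE_DN = "ou=people,dc=jazz,dc=net"         # user base DN shown in the question

SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=jazz,dc=net
uid: alice
cn: Alice Example
mail: alice@example.com

dn: uid=bob,ou=people,dc=jazz,dc=net
uid: bob
cn: Bob Example
mail: bob@example.com

dn: cn=SampleGroup,ou=JazzGroups,dc=jazz,dc=net
cn: SampleGroup
member: uid=alice,ou=people,dc=jazz,dc=net
"""
REPO_USER_IDS = ["ADMIN", "alice"]  # constructed: IDs already in the repository

def parse_mapping(mapping):
    """'userId=uid,name=cn' -> {'userId': 'uid', 'name': 'cn'}."""
    return dict(pair.strip().split("=", 1) for pair in mapping.split(","))

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def registry_users(entries, mapping, base_dn):
    """Apply the attribute mapping to entries under base_dn, keyed by userId."""
    suffix, users = "," + base_dn.lower(), {}
    for entry in entries:
        if entry.get("dn", [""])[0].lower().endswith(suffix):
            user = {jazz: entry.get(ldap.lower(), [None])[0]
                    for jazz, ldap in mapping.items()}
            if user.get("userId"):
                users[user["userId"]] = user
    return users

def missing_from_repository(users, repo_ids):
    """User IDs LDAP knows but the repository does not (exact comparison)."""
    return sorted(set(users) - set(repo_ids))
```

The user IDs are compared as exact strings, which is an assumption of this example; the thread does not say how the server treats case differences.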

Aaron Cohen (8107651) | answered Feb 25 '08, 4:22 p.m.
JAZZ DEVELOPER
Thanks.

Do I need to set com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider if I already have the users mapped in WAS?

Ritchie Schacher - IBM (47611) | answered Feb 25 '08, 5:08 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
Hi Aaron,

If you are configuring an external LDAP registry in WAS, then you should
also set the properties for
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider.
This should be configured in order to enable you to query the repository
roles of individual users and to take advantage of the new Import User
feature.

You should minimally just need to change the base DNs for users and groups,
and the LDAP registry location. As noted in the WIKI topic, you will need
the 4 groups defined under a configured OU.

If we can figure out how to introspect the LDAP settings in WAS in order to
adopt them automatically in Jazz that would be a nice enhancement, but there
is nothing planned at this time.

--
Ritchie

**********************************************
Ritchie Schacher
Jazz Repository/Server Team

Aaron Cohen (8107651) | answered Feb 25 '08, 5:30 p.m.
JAZZ DEVELOPER
Thanks! I created Enhancement 45660.

Tom Frauenhofer (1.3k38335) | answered Feb 26 '08, 9:48 p.m.
I'm about to upgrade from Beta2a to M5. Using Bluegroups and WAS
and everything's working well.

Did I understand correctly that M5 requires the LDAP group names (i.e.
blue group names) to match the Jazz roles?

I don't see how that can be done if the LDAP server is shared by
multiple (separate) Jazz projects each with their own servers.

Any help appreciated

Lorelei Ngooi (1.5k22) | answered Feb 27 '08, 10:54 a.m.
JAZZ DEVELOPER
I created this enhancement request https://jazz.net/jazz/web/projects/Jazz%20Project#action=com.ibm.team.workitem.viewWorkItem&id=45900.

Balaji Krish (1.8k12) | answered Feb 27 '08, 11:38 a.m.
JAZZ DEVELOPER
David,
We had plans to support mapping of Jazz group names to actual LDAP group
names. We did not get a chance to finish the implementation by M5. We might
provide this feature as a patch if this is a restriction for other groups at
IBM to move to M5.

I will keep you updated about our plans for a M5 patch.

------ Balaji

"David Ward" <davidward@us.ibm.com> wrote in message
news:fq2ii5$g9j$1@localhost.localdomain...
I'm about to upgrade from Beta2a to M5. Using Bluegroups and WAS
and everything's working well.

Did I understand correctly that M5 requires the LDAP group names (i.e.
blue group names) to match the Jazz roles ?

I don't see how that can be done if the LDAP server is shared by multiple
(separate) Jazz projects each with their own servers.

Any help appreciated

Tom Frauenhofer (1.3k38335) | answered Feb 27 '08, 2:28 p.m.
OK, so no IBM team using Jazz with bluepages for authentication will be
able to use M5 except for, perhaps, the first team who grabbed the
bluegroup names starting with Jazz*.

Is my understanding correct here?

If so, I'll have to shelve my plans to use M5 until this patch is released.
