LDAP breaks after moving to M5


Aaron Cohen (8207851) | asked Feb 25 '08, 3:33 p.m.
JAZZ DEVELOPER
I get this error when logging into my new M5 repository:


"Error logging in. There is a User id Mistmatch between the Jazz repository and the authentication server. Please Contact Your System Administrator."

My LDAP authentication in Beta 2 was via WebSphere Application Server. I checked "Enterprise Applications > jazz_war > Security role to user/group mapping" in the WAS Admin console and everything checks out. I also saw this in the Jazz Admin console:
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider

Base DN of Jazz application group
    Current value: ou=JazzGroups,dc=jazz,dc=net
    Default value: ou=JazzGroups,dc=jazz,dc=net

Base DN of users in the registry
    Current value: ou=people,dc=jazz,dc=net
    Default value: ou=people,dc=jazz,dc=net

Find groups for user
    Current value: member=uid=?1,ou=people,dc=jazz,dc=net
    Default value: member=uid=?1,ou=people,dc=jazz,dc=net

Find users by any name query
    Current value: (| (cn=* ?1*) (cn=*_?1*))
    Default value: (| (cn=* ?1*) (cn=*_?1*))

Find users by name query
    Current value: cn=?1*
    Default value: cn=?1*

Is user a member of group query
    Current value: (& (cn=?1) (member=uid=?2,ou=people,dc=jazz,dc=net))
    Default value: (& (cn=?1) (member=uid=?2,ou=people,dc=jazz,dc=net))

Jazz Application group name attribute
    Current value: cn
    Default value: cn

Jazz user attributes to LDAP entry attributes mapping
    Current value: userId=uid,name=cn,emailAddress=mail
    Default value: userId=uid,name=cn,emailAddress=mail

LDAP registry location
    Current value: ldap://localhost:389
    Default value: ldap://localhost:389

Password to access LDAP registry
    none

Query to find users by user id
    Current value: uid=?1
    Default value: uid=?1

User name to access LDAP registry
    none

Do I need to set the LDAP in WAS and the Jazz Admin Console?

Thanks!

15 answers



Balaji Krish (1.8k12) | answered Mar 12 '08, 5:46 p.m.
JAZZ DEVELOPER
M5a is available at
https://jazz.net/downloads/DownloadItem.jsp?type=milestone&href=milestones/data/0.6M5a

-- Balaji

"David Ward" <davidward@us.ibm.com> wrote in message
news:fq6cv8$7ep$1@localhost.localdomain...
Thanks Ritchie

I'll wait for the patch

Ritchie Schacher wrote:
See Ability to map Jazz role names to LDAP group names in order to use
the Import users from LDAP feature (45900) (web).

Tom Frauenhofer (1.3k58435) | answered Feb 28 '08, 8:38 a.m.
Thanks Ritchie

I'll wait for the patch

Ritchie Schacher wrote:
See Ability to map Jazz role names to LDAP group names in order to use the
Import users from LDAP feature (45900) (web).

Ritchie Schacher - IBM (47611) | answered Feb 28 '08, 8:08 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
See Ability to map Jazz role names to LDAP group names in order to use the
Import users from LDAP feature (45900) (web).

--
Ritchie

**********************************************
Ritchie Schacher
Jazz Repository/Server Team
"David Ward" <davidward@us.ibm.com> wrote in message
news:fq4d7n$bu5$1@localhost.localdomain...
OK, so no IBM team using Jazz with bluepages for authentication will be
able to use M5 except for, perhaps, the first team who grabbed the
bluegroup names starting with Jazz*.

Is my understanding correct here?

If so, I'll have to shelve my plans to use M5 until this patch is
released.

Balaji Krish wrote:
David,
We had plans to support mapping of Jazz group names to actual LDAP group
names. We did not get a chance to finish the implementation by M5. We
might provide this feature as a patch if this is a restriction for other
groups at IBM to move to M5.

I will keep you updated about our plans for an M5 patch.

------ Balaji

"David Ward" <davidward@us.ibm.com> wrote in message
news:fq2ii5$g9j$1@localhost.localdomain...
I'm about to upgrade from Beta2a to M5. Using Bluegroups and WAS
and everything's working well.

Did I understand correctly that M5 requires the LDAP group names (i.e.
blue group names) to match the Jazz roles?

I don't see how that can be done if the LDAP server is shared by
multiple (separate) Jazz projects each with their own servers.

Any help appreciated

Ritchie Schacher wrote:
Hi Aaron,

If you are configuring an external LDAP registry in WAS, then you
should also set the properties for
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider.
This should be configured in order to enable you to query the
repository roles of individual users and to take advantage of the new
Import User feature.

You should minimally just need to change the base DNs for users and
groups, and the LDAP registry location. As noted in the WIKI topic,
you will need the 4 groups defined under a configured OU.

If we can figure out how to introspect the LDAP settings in WAS in
order to adopt them automatically in Jazz that would be a nice
enhancement, but there is nothing planned at this time.


Aaron Cohen (8207851) | answered Feb 28 '08, 8:02 a.m.
JAZZ DEVELOPER
Daan,

There is a Defect (46090) that is tracking issues blocking adoption of the LDAP import feature. Please make sure any blocking issues you may have are addressed in it.

Daan van der Munnik (29113127) | answered Feb 28 '08, 7:45 a.m.
We currently use LDAP to authenticate Jazz users to a Windows-AD domain. Our corporate guidelines mandate strict naming conventions on Active Directory user and group names.

So we should probably also wait for this patch before upgrading to M5?

regards

Daan.

Tom Frauenhofer (1.3k58435) | answered Feb 27 '08, 2:28 p.m.
OK, so no IBM team using Jazz with bluepages for authentication will be
able to use M5 except for, perhaps, the first team who grabbed the
bluegroup names starting with Jazz*.

Is my understanding correct here?

If so, I'll have to shelve my plans to use M5 until this patch is released.

Balaji Krish wrote:
David,
We had plans to support mapping of Jazz group names to actual LDAP group
names. We did not get a chance to finish the implementation by M5. We might
provide this feature as a patch if this is a restriction for other groups at
IBM to move to M5.

I will keep you updated about our plans for an M5 patch.

------ Balaji

"David Ward" <davidward@us.ibm.com> wrote in message
news:fq2ii5$g9j$1@localhost.localdomain...
I'm about to upgrade from Beta2a to M5. Using Bluegroups and WAS
and everything's working well.

Did I understand correctly that M5 requires the LDAP group names (i.e.
blue group names) to match the Jazz roles?

I don't see how that can be done if the LDAP server is shared by multiple
(separate) Jazz projects each with their own servers.

Any help appreciated

Ritchie Schacher wrote:
Hi Aaron,

If you are configuring an external LDAP registry in WAS, then you should
also set the properties for
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider.
This should be configured in order to enable you to query the repository
roles of individual users and to take advantage of the new Import User
feature.

You should minimally just need to change the base DNs for users and
groups, and the LDAP registry location. As noted in the WIKI topic, you
will need the 4 groups defined under a configured OU.

If we can figure out how to introspect the LDAP settings in WAS in order
to adopt them automatically in Jazz that would be a nice enhancement, but
there is nothing planned at this time.



Balaji Krish (1.8k12) | answered Feb 27 '08, 11:38 a.m.
JAZZ DEVELOPER
David,
We had plans to support mapping of Jazz group names to actual LDAP group
names. We did not get a chance to finish the implementation by M5. We might
provide this feature as a patch if this is a restriction for other groups at
IBM to move to M5.

I will keep you updated about our plans for an M5 patch.

------ Balaji

"David Ward" <davidward@us.ibm.com> wrote in message
news:fq2ii5$g9j$1@localhost.localdomain...
I'm about to upgrade from Beta2a to M5. Using Bluegroups and WAS
and everything's working well.

Did I understand correctly that M5 requires the LDAP group names (i.e.
blue group names) to match the Jazz roles?

I don't see how that can be done if the LDAP server is shared by multiple
(separate) Jazz projects each with their own servers.

Any help appreciated

Ritchie Schacher wrote:
Hi Aaron,

If you are configuring an external LDAP registry in WAS, then you should
also set the properties for
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider.
This should be configured in order to enable you to query the repository
roles of individual users and to take advantage of the new Import User
feature.

You should minimally just need to change the base DNs for users and
groups, and the LDAP registry location. As noted in the WIKI topic, you
will need the 4 groups defined under a configured OU.

If we can figure out how to introspect the LDAP settings in WAS in order
to adopt them automatically in Jazz that would be a nice enhancement, but
there is nothing planned at this time.

Lorelei Ngooi (1.5k22) | answered Feb 27 '08, 10:54 a.m.
JAZZ DEVELOPER
I created this enhancement request https://jazz.net/jazz/web/projects/Jazz%20Project#action=com.ibm.team.workitem.viewWorkItem&id=45900.

Tom Frauenhofer (1.3k58435) | answered Feb 26 '08, 9:48 p.m.
I'm about to upgrade from Beta2a to M5. Using Bluegroups and WAS
and everything's working well.

Did I understand correctly that M5 requires the LDAP group names (i.e.
blue group names) to match the Jazz roles?

I don't see how that can be done if the LDAP server is shared by
multiple (separate) Jazz projects each with their own servers.

Any help appreciated

Ritchie Schacher wrote:
Hi Aaron,

If you are configuring an external LDAP registry in WAS, then you should
also set the properties for
com.ibm.team.repository.service.internal.userregistry.LDAPUserRegistryProvider.
This should be configured in order to enable you to query the repository
roles of individual users and to take advantage of the new Import User
feature.

You should minimally just need to change the base DNs for users and groups,
and the LDAP registry location. As noted in the WIKI topic, you will need
the 4 groups defined under a configured OU.

If we can figure out how to introspect the LDAP settings in WAS in order to
adopt them automatically in Jazz that would be a nice enhancement, but there
is nothing planned at this time.
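
Added example (not part of the thread and not Jazz code): a consistency check for the LDAPUserRegistryProvider values listed in the question. It flags the base DNs and registry location that the reply above says must be changed, and goes one step further by checking that the membership query templates, which embed a full user DN, follow the configured user base DN. The short dictionary keys and the sample values are hypothetical; it assumes `member` values hold the user's full DN and that substituted values need only RFC 4515 filter escaping.

```python
import re

# Defaults as listed in the question's Admin console dump. The short keys are
# hypothetical names for this example, not Jazz property identifiers.
DEFAULTS = {
    "registry_location": "ldap://localhost:389",      # LDAP registry location
    "user_base_dn": "ou=people,dc=jazz,dc=net",        # Base DN of users
    "group_base_dn": "ou=JazzGroups,dc=jazz,dc=net",   # Base DN of Jazz groups
    "groups_for_user": "member=uid=?1,ou=people,dc=jazz,dc=net",
    "is_member": "(& (cn=?1) (member=uid=?2,ou=people,dc=jazz,dc=net))",
    "user_by_id": "uid=?1",
}

def norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison key (simplified)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def escape_filter_value(value):
    """RFC 4515 escaping so a substituted value cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render(template, *args):
    """Fill ?1, ?2, ... to get the concrete filter to try with an LDAP client."""
    return re.sub(r"\?(\d)",
                  lambda m: escape_filter_value(args[int(m.group(1)) - 1]),
                  template)

def audit(config):
    """Return findings for settings that look unadapted to the real directory."""
    findings = []
    for key in ("registry_location", "user_base_dn", "group_base_dn"):
        if config[key] == DEFAULTS[key]:
            findings.append(f"{key}: still the default ({config[key]})")
    # The membership templates embed a full user DN; if its suffix differs from
    # the user base DN, the member value never matches a real user entry.
    for key in ("groups_for_user", "is_member"):
        m = re.search(r"member=\w+=\?\d,([^)]+)", config[key])
        if m and norm_dn(m.group(1)) != norm_dn(config["user_base_dn"]):
            findings.append(f"{key}: embeds {m.group(1)}, "
                            f"user base DN is {config['user_base_dn']}")
    return findings

# Constructed sample: base DNs and location changed, query templates forgotten.
sample = dict(DEFAULTS, registry_location="ldap://ldap.example.com:389",
              user_base_dn="ou=staff,dc=example,dc=com",
              group_base_dn="ou=JazzGroups,dc=example,dc=com")

if __name__ == "__main__":
    for finding in audit(sample):
        print(finding)
    print(render(sample["user_by_id"], "a*cohen"))
```
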
