Help Needed : Problems with User Auth with Non-LDAP Ext Reg
Background: I installed the latest RTC 2.0.0.2 iFix3 on WebSphere 7.0.0.7. All the initial configuration went well and I could also bring up the https://localhost:9443/jazz/setup and https://localhost:9443/jazz/admin screens. I set up the user registry as "Non-LDAP External Registry" during the setup step. I did define users and associated them with groups in WebSphere (Users and Groups). I associated the respective groups in the Jazz Application Installation - Step 9 in WebSphere.
On Jazz Web Application User Management -> "Suresh Krishna", I see the following warning on the top right. Under the Repository permissions, none of the options are selected and it displays a note

My Current problem 2

Error! After this, I click on the Logout. Nothing happens and the same above message comes up. Now, I just cannot do anything else, other than restart the Jazz application from the WebSphere console.

This means I am not authenticated on the Jazz server from the Eclipse client. However, I can log into the Eclipse Web UI with the same credentials.

Remember: I am NOT on Tomcat. I use WebSphere and Derby. I do not have LDAP and I am using (or precisely want to use) the "Non-LDAP External Registry" by defining the users in WebSphere (which is not working for me right now).

Any solutions are welcome. I am on the critical path, please do provide me some solution so that I can move forward.

Thanks,
Krishna

I get this exception once I try to import the JUnit project. This user for sure is added in the Jazz-Admins group from WebSphere, which is mapped to the JazzAdmins Jazz role. Any help?

com.ibm.team.repository.common.UnknownUserRegistryException: CRJAZ0799W The external user directory does not support the request feature.
    at com.ibm.team.repository.service.internal.userregistry.UnsupportedUserRegistry.notSupported(UnsupportedUserRegistry.java:111)
    at com.ibm.team.repository.service.internal.userregistry.UnsupportedUserRegistry.isMember(UnsupportedUserRegistry.java:52)
    at com.ibm.team.repository.service.internal.userregistry.ExternalUserRegistryService.isMember(ExternalUserRegistryService.java:242)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord.invoke(ExportProxyServiceRecord.java:370)
    at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord.access$0(ExportProxyServiceRecord.java:356)
    at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord$ExportedServiceInvocationHandler.invoke(ExportProxyServiceRecord.java:56)
    at $Proxy293.isMember(null)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
    at java.lang.reflect.Method.invoke(Method.java:600)
    at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleMethod(AbstractTeamServerServlet.java:1170)
    at com.ibm.team.repository.servlet.AbstractTeamServerServlet.executeMethod(AbstractTeamServerServlet.java:926)
    at com.ibm.team.repository.servlet.AbstractTeamServerServlet.doPost(AbstractTeamServerServlet.java:728)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
    at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleRequest2(AbstractTeamServerServlet.java:1773)
    at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleRequest(AbstractTeamServerServlet.java:1642)
    at com.ibm.team.repository.servlet.AbstractTeamServerServlet.service(AbstractTeamServerServlet.java:1555)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
    at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:75)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
    at org.eclipse.equinox.servletbridge.BridgeServlet.service(BridgeServlet.java:121)
    at com.ibm.team.repository.server.servletbridge.JazzServlet.service(JazzServlet.java:54)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1655)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:937)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:500)
    at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
    at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:91)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:864)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1583)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:183)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:455)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:384)
    at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:83)
    at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1772)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550)
    at com.ibm.team.repository.common.internal.marshal.util.MarshallerUtil.decodeExceptions(MarshallerUtil.java:326)
    at com.ibm.team.repository.common.internal.marshal.util.MarshallerUtil.decodeExceptions(MarshallerUtil.java:296)
    at com.ibm.team.repository.common.internal.marshal.util.MarshallerUtil.decodeFault(MarshallerUtil.java:261)
    at com.ibm.team.repository.transport.client.RemoteTeamService.constructExceptionFromFault(RemoteTeamService.java:613)
    at com.ibm.team.repository.transport.client.RemoteTeamService.executeMethod(RemoteTeamService.java:483)
    at com.ibm.team.repository.transport.client.RemoteTeamService.invoke(RemoteTeamService.java:201)
    at com.ibm.team.repository.transport.client.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:43)
    at $Proxy3.isMember(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:618)
    at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invokeServiceCall(ServiceInterfaceProxy.java:149)
    at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invoke(ServiceInterfaceProxy.java:84)
    at $Proxy3.isMember(Unknown Source)
    at com.ibm.team.repository.client.internal.ExternalUserRegistryManager$6.run(ExternalUserRegistryManager.java:270)
    at com.ibm.team.repository.client.internal.ExternalUserRegistryManager$6.run(ExternalUserRegistryManager.java:1)
    at com.ibm.team.repository.client.internal.TeamRepository$3.run(TeamRepository.java:1169)
    at com.ibm.team.repository.common.transport.CancelableCaller.call(CancelableCaller.java:79)
    at com.ibm.team.repository.client.internal.TeamRepository.callCancelableService(TeamRepository.java:1162)
    at com.ibm.team.repository.client.internal.TeamPlatformObject.callCancelableService(TeamPlatformObject.java:41)
    at com.ibm.team.repository.client.internal.ExternalUserRegistryManager.callCancelableService(ExternalUserRegistryManager.java:392)
    at com.ibm.team.repository.client.internal.ExternalUserRegistryManager.isMember(ExternalUserRegistryManager.java:268)
    at com.ibm.team.apt.setup.ui.internal.wizard.SetupSampleRepositoryWizard$2.run(SetupSampleRepositoryWizard.java:227)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
|
11 answers
I filed work item https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/118134. The behavior you describe is not expected.
|
Problem 1: Works as designed. You are using "Unsupported External User Registry". You need to manage the authentication and authorization in WebSphere. (i.e. create Users and associate them with groups in WebSphere). But since you are using an unsupported External user directory, you need to create the user in Jazz too. (Note: you will not be able to view / modify the group information in Jazz UI)
Problem 3: Eclipse client is case sensitive by default. Make sure the user id in WebSphere and user id in Jazz repo have the same case as your login id.
---
Balaji
Jazz Server Team
|
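The two checks from the answer above (every WebSphere user also created in Jazz, and with the user ID in the same case) can be run as a script. This is an added example, not code from the thread or from Jazz; the two user lists are constructed sample data standing in for whatever you export from the WebSphere console and the Jazz user management page.

```python
# Added example: reconcile user IDs defined in WebSphere with user IDs created in Jazz.
# WAS_USERS and JAZZ_USERS are constructed sample data, not output of any real tool.

WAS_USERS = ["skrishna", "jbuild", "ADMIN", "mlee"]
JAZZ_USERS = ["SKrishna", "jbuild", "ADMIN", "olduser"]


def reconcile(was_users, jazz_users):
    """Return the three kinds of mismatch between the two user lists.

    missing_in_jazz  - WebSphere IDs with no Jazz user at all
    case_mismatch    - (was_id, jazz_id) pairs that match only when case is ignored
    orphaned_in_jazz - Jazz IDs with no WebSphere user behind them
    """
    was_exact = set(was_users)
    jazz_exact = set(jazz_users)
    was_folded = {uid.casefold() for uid in was_exact}

    # Index Jazz IDs by their case-folded form so near-misses can be found.
    jazz_by_folded = {}
    for uid in jazz_exact:
        jazz_by_folded.setdefault(uid.casefold(), []).append(uid)

    missing, mismatch = [], []
    for uid in sorted(was_exact):
        if uid in jazz_exact:
            continue  # exact match, including case: nothing to report
        candidates = jazz_by_folded.get(uid.casefold())
        if candidates:
            mismatch.extend((uid, jazz_id) for jazz_id in sorted(candidates))
        else:
            missing.append(uid)

    orphaned = sorted(j for j in jazz_exact if j.casefold() not in was_folded)
    return {
        "missing_in_jazz": missing,
        "case_mismatch": mismatch,
        "orphaned_in_jazz": orphaned,
    }


if __name__ == "__main__":
    for kind, entries in reconcile(WAS_USERS, JAZZ_USERS).items():
        print(f"{kind}: {entries}")
```

Accounts reported as orphaned in Jazz are worth reviewing as well, since they have no user in the registry that WebSphere authenticates against.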
Also, the JUnit sample will create example users and assign them system roles. The system role assignments will only work when using the tomcat user registry, which is the only one in which we support writeback.
|
Correction :
Problem 1: "User details are read-only because this server uses an external user registry" - This should not happen when you are using "Unsupported user registry". You should be able to edit the user's name and email address information.
"Notice: You are using a directory service that is not writable. User roles cannot be modified." - This is working as designed. You cannot update the roles from the Jazz UI.
--
Balaji
|
Thank you all for the responses. Sorry, I am a bit confused now.

As you pointed out, I use a Non-LDAP User Registry and have Users/Roles configured in WebSphere exactly as defined in http://jazz.net/library/techtip/321. I mapped the roles in the Jazz app to roles from WebSphere too. I am assuming that this should be supported with the non-LDAP external registry.

Of course, I can understand the message "Notice: You are using a directory service that is not writable. User roles cannot be modified.". However, I don't even see the Admin and User role selected in the UI for my user id - which should come from the WebSphere roles mapping.

In short, in spite of having all the users and roles defined in the WebSphere user registry and mapped to the Jazz roles, I am not able to see that these roles are reflected in the Jazz Web UI and also the client.

Any solution or workaround is appreciated.

Thanks,
Krishna
|
Because the registry type is selected to be the unsupported type, we have no way to detect what roles a user is assigned within the WAS realm, thus that is why the assigned roles are not displayed. Unfortunately, JEE does not provide an API for querying roles of any user other than the current user. To query the WAS realm will require a new registry type. This would be a nice enhancement but has not been a priority in terms of planned features.
|
Thank you. So it means the following for users.
Can you please confirm if my understanding is right.
#1 The JUnit example works only on Tomcat. WAS users have no way to make it work as it is with the non-LDAP external registry.
#2 Without programming effort, the "Non-LDAP External Registry" is not usable. (Unless Jazz has this as a future enhancement).
#3 In my current situation, the only way I can work is to have an LDAP registry configured on WAS and Jazz.
#4 If someone does not have an LDAP (or does not want to use LDAP), the only safe way to go is to use Tomcat with Jazz.
|
#1 - correct. The example is for evaluation and the automatic user registration will not work without a registry we can write to (tomcat).
#2 Not really correct. It is usable, in limited capacity. You can still use the unsupported registry type for container managed authentication and security constraints in the server; it just means Jazz does not know how to read from it for display. This type is not just the WAS users and groups, but any custom auth realm a customer desires. The limitation is that we have no way to display what groups you are in from within Jazz. But the server admin can still determine that from the unsupported/custom registry configured externally.
#3 Not really correct. See item 2. Depends on what you are trying to do. If you are having trouble editing a user at all, or logging in from the client, then either there is something missing in the configuration or we have a bug that needs to be fixed.
#4 Same as 2. You should be able to use any auth realm from WAS; we have an improved quality of service when you use LDAP.
|
OK, when we use the Non-LDAP registry, there is no way Jazz understands about the Users and Roles from WAS. This is the reason the Jazz Web/Client UI cannot display the User Roles (also we can't edit them).

Ideally, once I select the "Non-LDAP External Registry" and define the users and roles in WAS, I should be able to work from the Jazz Server/Client. Yes, the user may not be able to see what roles he is assigned to, but he will be able to work. I also hope this will not pose issues with the ability of a team member to build the project.

Having said that, my original problem was that I could not import the JUnit project and now I understand that it would not work with WAS. Now I will try to do other operations from the Client and Web and see how it goes.

Could you also suggest any open source LDAP servers that are tested with Jazz and WAS? (in case I need to use this). Perhaps if there is an easy way to set up LDAP, I could do that.

Thanks once again for following up. It really helps me a lot.
|
You can use OpenLDAP as your LDAP server.
One of our customers is using it and I helped them set it up (about a year ago. I have not heard back from them. So, I guess it is working fine).

There are a few LDAP articles on Jazz.net that you can read to understand how to set up RTC to work with LDAP. If you have configured OpenLDAP correctly, it should not take a lot of time to set up RTC to work with the LDAP server.

http://jazz.net/library/techtip/96
--
Balaji
|