Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Help Needed : Problems with User Auth with Non-LDAP Ext Reg

Background : I installed the latest RTC 2.0.0.2 iFix3 on the WebSphere 7.0.0.7. All the initial configuration went well and i could also bring up the https://localhost:9443/jazz/setup and https://localhost:9443/jazz/admin screens. I set up the user Registry as "Non-LDAP External Registry" during the setup step. Did define users and associated them to groups in the WebSphere (Users and Groups). I associated the respective groups in the Jazz Application Installation - Step 9 in WebSphere.

My Current problem 1 : I created my own login id "skrishna" and disabled the ADMIN username during the setup. I could login to the Web UI and create the users under the "User Management". However, on each user following items are shown.

On Jazz Web Application User Management -> "Suresh Krishna", i see the following warning on the top right.
"User details are read-only because this server uses an external user registry"

Under the Repository permissions, none of the options are selected and it displays a note
"Notice: You are using a directory service that is not writable. User roles cannot be modified."

My Current problem 2
: Some times randomly, i get the following error on the Web UI when i refresh page or navigate to another page.

Error!

You either did not provide login credentials or your account does not have permission to access the web ui. Click the button below to attempt to login again.
Login Again


After this, i click on the Logout. Nothing happens and the same above message comes up. Now, i just can not do anything else. Other than restart of the Jazz application from the WebSphere console.

My Current problem 3 : Before the problem 2, i launched the Eclipse client and tried to import the JUnit Example project. It asked for the autehntication and when i enter the same authetication that i enter for the Web UI, it throws an exception "Invalid user ID / password logging into 'localhost'. CRJAZ0105I The request for URL "/jazz/service/com.ibm.team.repository.common.internal.IRepositoryRemoteService" was denied with an Unauthorized status."

This means, i am not authenticated on the Jazz server from the Eclipse client. However, i can loginto the Eclipse Web UI with the same credentials.

Remember : I am NOT on Tomcat. I use WebSphere and Derby. I do not have LDAP and i am using (or precisely want to use) the "Non-LDAP External Registry" by defining the users in WebSphere (which is not working for me right now).

Any solutions are welcome. I am on the critical path, please do provide me some solution that i can move forward.

Thanks,
Krishna


I get this exception once i try to import he JUnit project. This user for sure is added in the Jazz-Admins group from WebSphere which is mapped to JazzzAdmins of Jazz role. Any help ?

com.ibm.team.repository.common.UnknownUserRegistryException: CRJAZ0799W The external user directory does not support the request feature.
at com.ibm.team.repository.service.internal.userregistry.UnsupportedUserRegistry.notSupported(UnsupportedUserRegistry.java:111)
at com.ibm.team.repository.service.internal.userregistry.UnsupportedUserRegistry.isMember(UnsupportedUserRegistry.java:52)
at com.ibm.team.repository.service.internal.userregistry.ExternalUserRegistryService.isMember(ExternalUserRegistryService.java:242)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord.invoke(ExportProxyServiceRecord.java:370)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord.access$0(ExportProxyServiceRecord.java:356)
at org.eclipse.soda.sat.core.internal.record.ExportProxyServiceRecord$ExportedServiceInvocationHandler.invoke(ExportProxyServiceRecord.java:56)
at $Proxy293.isMember(null)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:600)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleMethod(AbstractTeamServerServlet.java:1170)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.executeMethod(AbstractTeamServerServlet.java:926)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.doPost(AbstractTeamServerServlet.java:728)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:738)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleRequest2(AbstractTeamServerServlet.java:1773)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.handleRequest(AbstractTeamServerServlet.java:1642)
at com.ibm.team.repository.servlet.AbstractTeamServerServlet.service(AbstractTeamServerServlet.java:1555)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:75)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at org.eclipse.equinox.servletbridge.BridgeServlet.service(BridgeServlet.java:121)
at com.ibm.team.repository.server.servletbridge.JazzServlet.service(JazzServlet.java:54)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1655)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:937)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:500)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:91)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:864)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1583)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:183)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:455)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:384)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:83)
at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1772)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550)
at com.ibm.team.repository.common.internal.marshal.util.MarshallerUtil.decodeExceptions(MarshallerUtil.java:326)
at com.ibm.team.repository.common.internal.marshal.util.MarshallerUtil.decodeExceptions(MarshallerUtil.java:296)
at com.ibm.team.repository.common.internal.marshal.util.MarshallerUtil.decodeFault(MarshallerUtil.java:261)
at com.ibm.team.repository.transport.client.RemoteTeamService.constructExceptionFromFault(RemoteTeamService.java:613)
at com.ibm.team.repository.transport.client.RemoteTeamService.executeMethod(RemoteTeamService.java:483)
at com.ibm.team.repository.transport.client.RemoteTeamService.invoke(RemoteTeamService.java:201)
at com.ibm.team.repository.transport.client.ServiceInvocationHandler.invoke(ServiceInvocationHandler.java:43)
at $Proxy3.isMember(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invokeServiceCall(ServiceInterfaceProxy.java:149)
at com.ibm.team.repository.client.internal.ServiceInterfaceProxy.invoke(ServiceInterfaceProxy.java:84)
at $Proxy3.isMember(Unknown Source)
at com.ibm.team.repository.client.internal.ExternalUserRegistryManager$6.run(ExternalUserRegistryManager.java:270)
at com.ibm.team.repository.client.internal.ExternalUserRegistryManager$6.run(ExternalUserRegistryManager.java:1)
at com.ibm.team.repository.client.internal.TeamRepository$3.run(TeamRepository.java:1169)
at com.ibm.team.repository.common.transport.CancelableCaller.call(CancelableCaller.java:79)
at com.ibm.team.repository.client.internal.TeamRepository.callCancelableService(TeamRepository.java:1162)
at com.ibm.team.repository.client.internal.TeamPlatformObject.callCancelableService(TeamPlatformObject.java:41)
at com.ibm.team.repository.client.internal.ExternalUserRegistryManager.callCancelableService(ExternalUserRegistryManager.java:392)
at com.ibm.team.repository.client.internal.ExternalUserRegistryManager.isMember(ExternalUserRegistryManager.java:268)
at com.ibm.team.apt.setup.ui.internal.wizard.SetupSampleRepositoryWizard$2.run(SetupSampleRepositoryWizard.java:227)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

0 votes



11 answers

Permanent link
I filed work item https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/118134. The behavior you describe is not expected.

0 votes


Permanent link
Problem 1: Works as designed. You are using "Unsupported External User Registry". You need to manage the authentication and authorization in WebSphere. (i.e. create Users and associate them with groups in WebSphere). But since you are using an unsupported External user directory, you need to create the user in Jazz too. (Note: you will not be able to view / modify the group information in Jazz UI)

Problem 3: Eclipse client is case sensitive by default. Make sure the user id in WebSphere and user id in Jazz repo have the same case as your login id.


--- Balaji
Jazz Server Team

I filed work item https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/118134. The behavior you describe is not expected.

0 votes


Permanent link
Also, the JUnit sample will create example users and assign them system system roles. The system role assignments will only work when using the tomcat user registry, which is the only one in which we support writeback.

0 votes


Permanent link
Correction :

Problem 1:
"User details are read-only because this server uses an external user registry"
- This should not happen when you are using "Unsupported user registry". You should be able to edit the user's name and email address information.

"Notice: You are using a directory service that is not writable. User roles cannot be modified."
- This is working as designed. You cannot update the roles from the Jazz UI.

-- Balaji

Problem 1: Works as designed. You are using "Unsupported External User Registry". You need to manage the authentication and authorization in WebSphere. (i.e. create Users and associate them with groups in WebSphere). But since you are using an unsupported External user directory, you need to create the user in Jazz too. (Note: you will not be able to view / modify the group information in Jazz UI)

Problem 3: Eclipse client is case sensitive by default. Make sure the user id in WebSphere and user id in Jazz repo have the same case as your login id.


--- Balaji
Jazz Server Team

I filed work item https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/118134. The behavior you describe is not expected.

0 votes


Permanent link
Thank you all for the responses. Sorry, i am bit consufed now.

As you pointed out, I use a Non-LDAP User Registry and have Users/Roles configured in the WebSphere exactly as defined in http://jazz.net/library/techtip/321. I mapped the roles in Jazz app to roles from WebSphere too. I am assuming that this should be supported with the non-ldap external registry.

Of course, i can understand the message "Notice: You are using a directory service that is not writable. User roles cannot be modified.". However, i dont even see the Admin and User role selected in the UI for my user id - which should come from the WebSphere roles mapping.

In short, inspite of having all the users, roles defined in WebSphere user registry and mapped to the Jazz Roles, i am not able to see that these roles are reflected in the Jazz Web UI and also Client.

Any Solution or Workaround is appreciated.

Thanks,
Krishna

Correction :

Problem 1:
"User details are read-only because this server uses an external user registry"
- This should not happen when you are using "Unsupported user registry". You should be able to edit the user's name and email address information.

"Notice: You are using a directory service that is not writable. User roles cannot be modified."
- This is working as designed. You cannot update the roles from the Jazz UI.

-- Balaji

0 votes


Permanent link
Because the registry type is selected to be the unsupported type, we have no way to detect what roles a user is assigned within the WAS realm, thus that is why the assigned roles are not displayed. Unfortunately, JEE does not provide an API for querying roles of any user other than the current user. To query the WAS realm will require a new registry type. This would be a nice enhancement but has not been a priority in terms of planned features.

0 votes


Permanent link
Thank you. So it means the following for users.
Can you please confirm if my understanding is right.

#1 The JUnit example works only on Tomcat. WAS users has no way to make it work as it is with non-ldap external registry.

#2 Without programming effort, the "Non-LDAP External Registry" is not usable. (Unless Jazz has this as future enhancement).

#3 In my current situation, the only way i can work is to have a LDAP registry configured on WAS and Jazz.

#4 If someone does not have a LDAP (or does not want to use LDAP), the only safe way to go is to use Tomcat with Jazz.

0 votes


Permanent link
#1 - correct. The example is for evaluation and the automatic user registration will not work without a registry we can write to (tomcat).

#2 not really correct. it is usable, in limited capacity. You can still use the unsupported registry type for container managed authentication and security constraints in the server; it just means Jazz does not know how to read from it for display. This type is not just the WAS users and groups, but any custom auth realm a customer desires. The limitation is that we have no way to display what groups you are in from within Jazz. But the server admin can still determine that from the unsupported/custom registry configured externally.

#3 not really correct. See item 2. Depends on what you are trying to do. If you are having trouble editing a user at all, or logging in from the client, then either there is something missing in the configuration or we have a bug that needs to be fixed.

#4 Same as 2. You should be able to use any auth realm from WAS; we have an improved quality of service when you use LDAP.

0 votes


Permanent link
OK, when we use the Non-LDAP registry, there is not way Jazz understands about the Users and Roles from WAS. This is the reason, Jazz Web/Client UI can not display the User Roles (aslo we cant edit them).

Ideally, once i select the "Non-LDAP External Registry" and define the users and Roles in the WAS, i should be able to work from the Jazz Server/Client. Yes, user may not be able to see what roles he is assigned to, but he will be able to work. I also hope this will not pose issues with the ability of a team member to build the project.

Having said that, my original problem was that i could not import the JUnit project and now i understand that it would not work with WAS. Now i will try to do other operations from the Client and Web and see how it goes.

Could you also suggest any open source LDAP servers that are tested with Jazz and WAS ? (in case i need to use this). Perhaps if there is a easy way to setup LDAP, i could do that.

Thanks once again for following up. It really helps me a lot.

0 votes


Permanent link
You can use OpenLDAP as your LDAP server.

One of our customer is using it and I helped them set it up (about a year ago. I have not heard back from them. So, i guess it is working fine).

There are few LDAP articles on Jazz.net that you can read to understand how to set up RTC to work with LDAP. If you have configured Open LDAP correctly, it should not take a lot of time to setup RTC to work with LDAP server.

http://jazz.net/library/techtip/96

-- Balaji

OK, when we use the Non-LDAP registry, there is not way Jazz understands about the Users and Roles from WAS. This is the reason, Jazz Web/Client UI can not display the User Roles (aslo we cant edit them).

Ideally, once i select the "Non-LDAP External Registry" and define the users and Roles in the WAS, i should be able to work from the Jazz Server/Client. Yes, user may not be able to see what roles he is assigned to, but he will be able to work. I also hope this will not pose issues with the ability of a team member to build the project.

Having said that, my original problem was that i could not import the JUnit project and now i understand that it would not work with WAS. Now i will try to do other operations from the Client and Web and see how it goes.

Could you also suggest any open source LDAP servers that are tested with Jazz and WAS ? (in case i need to use this). Perhaps if there is a easy way to setup LDAP, i could do that.

Thanks once again for following up. It really helps me a lot.

0 votes

1–15 items
page 1of 1 pagesof 2 pages

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details

Question asked: Jun 14 '10, 2:56 a.m.

Question was seen: 11,564 times

Last updated: Jun 14 '10, 2:56 a.m.

Confirmation Cancel Confirm