Jazz Forum

LDAP auth with nested groups

Has anyone tested LDAP auth with nested bluegroups with Websphere? Only users in a top level group can successfully authenticate on my server at this time. Users in a subgroup fail with the error message "Your account does not belong to the groups that are authorized to access the Web UI. Please contact your server administrator."

Have I missed a setting in Websphere to make this work?

Thanks

0 votes



7 answers

Permanent link
mmartin wrote:
Has anyone tested LDAP auth with nested bluegroups with Websphere?
Only users in a top level group can successfully authenticate on my
server at this time. Users in a subgroup fail with the error message
"Your account does not belong to the groups that are authorized
to access the Web UI. Please contact your server
administrator."

Have I missed a setting in Websphere to make this work?

Thanks


I'm not sure but I think this is a general problem with bluegroups. I
haven't been able to get that to work with GSA either. As a workaround I've
mapped multiple groups to a single Jazz_Users role for instance.

-Mark

0 votes


Permanent link
I just tried nested LDAP user groups for one of my RTC instances - using Microsoft Active Directory server. Users in the nested groups were not 'recognized' by RTC.

The LDAP groups looked like this:
MyJazzAdminUsers
....user1
....user2
....Group1
.......user3
.......user4
....Group2
MyJazzUsers

Users 3 and 4 in this case do not have admin rights for the Jazz repo.

We may be able to map more than one LDAP group to JazzAdminUser role, for example. But, this needs restarting Tomcat (needs to update web.xml file), I think.

Is it possible for the RTC-LDAP configuration to recursively search users under a specific LDAP group? Thanks.

0 votes


Permanent link
I'm not sure about the details about how Active Directory implements
nested groups, but we don't know anything about them from the LDAP
perspective. RTC will ask 'is user A in group JazzAdmins', and it
sounds like ActiveDirectory does not consider subgroups when it returns
its answer.

yanli wrote:
I just tried nested LDAP user groups for one of my RTC instances -
using Microsoft Active Directory server. Users in the nested groups
were not 'recognized' by RTC.

The LDAP groups looked like this:
MyJazzAdminUsers
...user1
...user2
...Group1
......user3
......user4
...Group2
MyJazzUsers

Users 3 and 4 in this case do not have admin rights for the Jazz repo.

We may be able to map more than one LDAP group to JazzAdminUser role,
for example. But, this needs restarting Tomcat, I think.

Is it possible for the RTC-LDAP configuration to recursively search
users under a specific LDAP group? Thanks.

0 votes


Permanent link
I 'think' RTC lacks the capability to define the search scope on LDAP servers. Take ClearQuest as an example, CQ-LDAP configuration has one parameter to define ".... the scope of the search from the base DN?: sub (subtree); one (one level below); or base (base DN only). ..." (quote from Rational ClearQuest document). A parameter for searching scope seems missing in RTC.

Could you please confirm? Thanks.

0 votes


Permanent link
You are right, RTC does not support changing the search scope like you
described. Can you open a workitem that describes the missing function
in RTC? If you do, you can assign it to the 'Repository' component.

yanli wrote:
I 'think' RTC lacks the capability to define the search scope on LDAP
servers. Take ClearQuest as an example, CQ-LDAP configuration has
one parameter to define ".... the scope of the search from the
base DN?: sub (subtree); one (one level below); or base (base DN
only). ..." (quote from Rational ClearQuest document). A
parameter for searching scope seems missing in RTC.

Could you please confirm? Thanks.

0 votes


Permanent link
Thanks. Created the work item: https://jazz.net/jazz/web/projects/Jazz%20Project#action=com.ibm.team.workitem.viewWorkItem&id=59463

0 votes


Permanent link
RTC always uses subtree scope so that we can retrieve the members contained in a subgroup. That's the reason we don't have it as a configuration parameter.

I will test with a subgroup in MS active directory.

0 votes
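Added example, not code from the thread or from RTC/WebSphere: the group tree yanli posted (with a constructed membership cycle added), checked both with a flat "is user A in group G" lookup, the kind of answer described in the reply above, and with a lookup that expands nested groups, which is what a subtree search as described in the last answer is meant to give. Group and user names are the thread's; user5, user6 and the cycle are assumptions.

```python
from typing import Dict, Set

# Constructed directory: group name -> direct members (users or other groups).
# Mirrors the tree from the thread; Group2 is given a member entry pointing
# back at the top-level group so the expansion has to guard against loops.
DIRECTORY: Dict[str, Set[str]] = {
    "MyJazzAdminUsers": {"user1", "user2", "Group1", "Group2"},
    "Group1": {"user3", "user4"},
    "Group2": {"user5", "MyJazzAdminUsers"},   # cycle, constructed
    "MyJazzUsers": {"user6", "MyJazzAdminUsers"},
}


def is_group(name: str) -> bool:
    return name in DIRECTORY


def direct_member(user: str, group: str) -> bool:
    """Flat check: only entries listed directly on the group count.
    This is the behaviour the poster observed (user3 is rejected)."""
    return user in DIRECTORY.get(group, set())


def expand_members(group: str) -> Set[str]:
    """Return every user reachable from `group`, descending into subgroups.
    A visited set stops infinite recursion when groups reference each other."""
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in DIRECTORY.get(current, set()):
            if is_group(member):
                stack.append(member)
            else:
                users.add(member)
    return users


def nested_member(user: str, group: str) -> bool:
    """Membership that honours nesting: the result the poster expected."""
    return user in expand_members(group)


if __name__ == "__main__":
    for u in ("user1", "user3", "user5", "user6"):
        print(u, direct_member(u, "MyJazzAdminUsers"), nested_member(u, "MyJazzAdminUsers"))
```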


Question asked: Apr 07 '08, 10:36 a.m.

Question was seen: 16,878 times

Last updated: Apr 07 '08, 10:36 a.m.
