LDAP auth with nested groups


Mark Martin (4811815) | asked Apr 07 '08, 10:36 a.m.
Has anyone tested LDAP auth with nested bluegroups with WebSphere? Only users in a top level group can successfully authenticate on my server at this time. Users in a subgroup fail with the error message "Your account does not belong to the groups that are authorized to access the Web UI. Please contact your server administrator."

Have I missed a setting in WebSphere to make this work?

Thanks

7 answers

Mark Parry (31121711) | answered Apr 07 '08, 10:54 a.m.
mmartin wrote:
Has anyone tested LDAP auth with nested bluegroups with WebSphere?
Only users in a top level group can successfully authenticate on my
server at this time. Users in a subgroup fail with the error message
"Your account does not belong to the groups that are authorized
to access the Web UI. Please contact your server
administrator."

Have I missed a setting in WebSphere to make this work?

Thanks


I'm not sure but I think this is a general problem with bluegroups. I
haven't been able to get that to work with GSA either. As a workaround I've
mapped multiple groups to a single Jazz_Users role, for instance.

-Mark

Yanzhuang Li (31134126) | answered Jul 30 '08, 5:40 p.m.
I just tried nested LDAP user groups for one of my RTC instances, using a Microsoft Active Directory server. Users in the nested groups were not 'recognized' by RTC.

The LDAP groups looked like this:
MyJazzAdminUsers
....user1
....user2
....Group1
.......user3
.......user4
....Group2
MyJazzUsers

Users 3 and 4 in this case do not have admin right for the Jazz repo.

We may be able to map more than one LDAP group to JazzAdminUser role, for example. But, this needs restarting Tomcat (needs to update web.xml file), I think.

Is it possible for the RTC-LDAP configuration to recursively search users under a specific LDAP group? Thanks.

Matt Lavin (2.7k2) | answered Jul 31 '08, 8:30 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
I'm not sure about the details of how Active Directory implements
nested groups, but we don't know anything about them from the LDAP
perspective. RTC will ask 'is user A in group JazzAdmins', and it
sounds like Active Directory does not consider subgroups when it returns
its answer.

yanli wrote:
I just tried nested LDAP user groups for one of my RTC instances,
using a Microsoft Active Directory server. Users in the nested groups
were not 'recognized' by RTC.

The LDAP groups looked like this:
MyJazzAdminUsers
...user1
...user2
...Group1
......user3
......user4
...Group2
MyJazzUsers

Users 3 and 4 in this case do not have admin right for the Jazz repo.

We may be able to map more than one LDAP group to JazzAdminUser role,
for example. But, this needs restarting Tomcat, I think.

Is it possible for the RTC-LDAP configuration to recursively search
users under a specific LDAP group? Thanks.

Yanzhuang Li (31134126) | answered Aug 01 '08, 7:01 p.m.
I 'think' RTC lacks the capability to define the search scope on LDAP servers. Take ClearQuest as an example: the CQ-LDAP configuration has one parameter to define ".... the scope of the search from the base DN?: sub (subtree); one (one level below); or base (base DN only). ..." (quote from the Rational ClearQuest documentation). A parameter for the search scope seems to be missing in RTC.

Could you please confirm? Thanks.

Matt Lavin (2.7k2) | answered Aug 04 '08, 8:20 a.m.
FORUM MODERATOR / JAZZ DEVELOPER
You are right, RTC does not support changing the search scope like you
described. Can you open a workitem that describes the missing function
in RTC? If you do, you can assign it to the 'Repository' component.

yanli wrote:
I 'think' RTC lacks the capability to define the search scope on LDAP
servers. Take ClearQuest as an example: the CQ-LDAP configuration has
one parameter to define ".... the scope of the search from the
base DN?: sub (subtree); one (one level below); or base (base DN
only). ..." (quote from the Rational ClearQuest documentation). A
parameter for the search scope seems to be missing in RTC.

Could you please confirm? Thanks.

Yanzhuang Li (31134126) | answered Aug 04 '08, 9:56 a.m.
Thanks. Created the work item: https://jazz.net/jazz/web/projects/Jazz%20Project#action=com.ibm.team.workitem.viewWorkItem&id=59463

Balaji Krish (1.8k12) | answered Aug 04 '08, 11:31 a.m.
JAZZ DEVELOPER
RTC always uses subtree scope so that we can retrieve the members contained in a subgroup. That's the reason we don't have it as a configuration parameter.

I will test with a subgroup in MS active directory.
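The checks discussed in this thread, as an added example that is not part of the original posts or of RTC's own code. It models a small directory in memory (constructed entries under an invented DC=example,DC=com, with the MyJazzAdminUsers / Group1 layout from the posts above, users placed in a separate OU=Users as Active Directory deployments commonly do, and Group2 pointing back at MyJazzAdminUsers to exercise loop protection) and shows three things side by side: the flat "is user A a direct member of group G" lookup that fails for user3, client-side expansion of nested groups with cycle protection, and how search scope (base, one, sub) controls which entries a search visits, which is a separate question from whether membership is followed through subgroups. It also builds, as a string only, the Active Directory transitive-membership filter using the LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941, with RFC 4515 escaping so a user-supplied name cannot alter the filter. Function and attribute names are mine; nothing here talks to a real server.

```python
"""Nested group membership vs. LDAP search scope, modelled offline (added example)."""
from typing import Dict, List, Set

# Constructed sample directory (not from the thread): DN -> attributes.
# Users live under OU=Users, not beneath the group entries in OU=Groups.
GROUPS = "OU=Groups,DC=example,DC=com"
USERS = "OU=Users,DC=example,DC=com"
ADMINS = f"CN=MyJazzAdminUsers,{GROUPS}"
GROUP1 = f"CN=Group1,{GROUPS}"
GROUP2 = f"CN=Group2,{GROUPS}"
USER = {n: f"CN={n},{USERS}" for n in ("user1", "user2", "user3", "user4")}

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "DC=example,DC=com": {"objectClass": ["domain"]},
    GROUPS: {"objectClass": ["organizationalUnit"]},
    USERS: {"objectClass": ["organizationalUnit"]},
    ADMINS: {"objectClass": ["group"],
             "member": [USER["user1"], USER["user2"], GROUP1, GROUP2]},
    GROUP1: {"objectClass": ["group"], "member": [USER["user3"], USER["user4"]]},
    # Constructed cycle: Group2 contains the admin group that contains Group2.
    GROUP2: {"objectClass": ["group"], "member": [ADMINS]},
    f"CN=MyJazzUsers,{GROUPS}": {"objectClass": ["group"], "member": []},
}
for dn in USER.values():
    DIRECTORY[dn] = {"objectClass": ["user"]}


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Apply an LDAP search scope: base (only the base entry), one (its direct
    children) or sub (base plus the whole subtree). DNs here have no escaped commas."""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or dn.count(",") == base.count(",") + 1


def search(base: str, scope: str, attr: str, value: str) -> List[str]:
    """Equality search like '(member=<dn>)' limited to entries within the scope."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope) and value in attrs.get(attr, [])]


def is_direct_member(user_dn: str, group_dn: str) -> bool:
    """The flat question from the thread: is A listed in G's member attribute?"""
    return user_dn in DIRECTORY.get(group_dn, {}).get("member", [])


def is_nested_member(user_dn: str, group_dn: str) -> bool:
    """Client-side expansion of nested groups; 'seen' stops membership loops."""
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in DIRECTORY.get(group, {}).get("member", []):
            if member == user_dn:
                return True
            if "group" in DIRECTORY.get(member, {}).get("objectClass", []):
                stack.append(member)
    return False


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-controlled value cannot inject filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def ad_in_chain_filter(user_dn: str, group_dn: str) -> str:
    """Server-side alternative on Active Directory: the LDAP_MATCHING_RULE_IN_CHAIN
    rule (OID 1.2.840.113556.1.4.1941) makes memberOf match transitively.
    Returned as a string only; this example never contacts a server."""
    return (f"(&(distinguishedName={escape_filter_value(user_dn)})"
            f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)}))")


def demo() -> Dict[str, object]:
    """Results for the thread's scenario: user1 is direct, user3 is nested only."""
    return {
        "user1_direct": is_direct_member(USER["user1"], ADMINS),
        "user3_direct": is_direct_member(USER["user3"], ADMINS),
        "user3_nested": is_nested_member(USER["user3"], ADMINS),
        # Subtree scope over OU=Groups finds the group that lists user3 ...
        "groups_listing_user3_sub": search(GROUPS, "sub", "member", USER["user3"]),
        # ... but one-level scope from the domain root sees only the OUs.
        "groups_listing_user3_one": search("DC=example,DC=com", "one", "member", USER["user3"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(ad_in_chain_filter(USER["user3"], ADMINS))
```

The point the two halves make together: subtree scope decides which entries a query visits in the tree, while nested membership is a matter of following member links (or asking the server to do it transitively, as the in-chain filter does on Active Directory); a user whose entry sits in another OU is never found by widening the scope on the group entry alone.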


Dashboards and work items are no longer publicly available, so some links may be invalid.