LDAP auth with nested groups
Has anyone tested LDAP auth with nested bluegroups with Websphere? Only users in a top level group can successfully authenticate on my server at this time. Users in a subgroup fail with the error message "Your account does not belong to the groups that are authorized to access the Web UI. Please contact your server administrator."
Have I missed a setting in Websphere to make this work? Thanks
7 answers
mmartin wrote:
Has anyone tested LDAP auth with nested bluegroups with Websphere?

I'm not sure but I think this is a general problem with bluegroups. I haven't been able to get that to work with GSA either. As a work around I've mapped multiple groups to a single Jazz_Users role for instance. -Mark
I just tried nested LDAP user groups for one of my RTC instances, using a Microsoft Active Directory server. Users in the nested groups were not 'recognized' by RTC.
The LDAP groups looked like this:

MyJazzAdminUsers
    user1
    user2
    Group1
        user3
        user4
    Group2
MyJazzUsers

Users 3 and 4 in this case do not have admin rights for the Jazz repo. We may be able to map more than one LDAP group to the JazzAdminUser role, for example. But this needs restarting Tomcat (needs to update the web.xml file), I think. Is it possible for the RTC-LDAP configuration to recursively search users under a specific LDAP group? Thanks.
yanli wrote:
I just tried nested LDAP user groups for one of my RTC instance -

I'm not sure about the details of how Active Directory implements nested groups, but we don't know anything about them from the LDAP perspective. RTC will ask 'is user A in group JazzAdmins', and it sounds like Active Directory does not consider subgroups when it returns its answer.
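To make the failure concrete, here is an added Python model (not code from the thread, from RTC, or from Active Directory) of the group tree yanli posted. It contrasts the one-level "is user A in group G" check described above with a recursive expansion of nested groups, including a cycle guard, since a group tree that contains a loop would otherwise never terminate. The directory content is constructed for the example; the extra edge Group2 -> MyJazzAdminUsers is added only to exercise the cycle guard.

```python
from typing import Dict, List, Optional, Set

# Constructed directory: each group maps to its direct members, which may be
# users or other groups (mirrors the tree posted in the thread, plus one
# artificial cycle: Group2 contains MyJazzAdminUsers).
DIRECTORY: Dict[str, List[str]] = {
    "MyJazzAdminUsers": ["user1", "user2", "Group1", "Group2"],
    "Group1": ["user3", "user4"],
    "Group2": ["MyJazzAdminUsers"],
    "MyJazzUsers": ["user5", "MyJazzAdminUsers"],
}


def is_direct_member(user: str, group: str) -> bool:
    """One-level check: only entries listed directly in the group count.
    This is the behaviour the thread describes (user3 is not found)."""
    return user in DIRECTORY.get(group, [])


def effective_members(group: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Recursively expand nested groups into the set of user members.
    `seen` tracks groups already expanded so a membership cycle stops."""
    if seen is None:
        seen = set()
    if group in seen:
        return set()            # already expanded (or a cycle): contribute nothing
    seen.add(group)
    members: Set[str] = set()
    for entry in DIRECTORY.get(group, []):
        if entry in DIRECTORY:  # entry names a group: descend into it
            members |= effective_members(entry, seen)
        else:                   # entry is a user
            members.add(entry)
    return members


def is_nested_member(user: str, group: str) -> bool:
    """Membership check that honours nesting, as the poster asked for."""
    return user in effective_members(group)


if __name__ == "__main__":
    for u in ("user1", "user3"):
        print(u, "direct:", is_direct_member(u, "MyJazzAdminUsers"),
              "nested:", is_nested_member(u, "MyJazzAdminUsers"))
```

Note that resolving nesting widens the set of accounts an admin role covers, so whoever enables it should review the expanded membership rather than just the top-level group.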
I 'think' RTC lacks the capability to define the search scope on LDAP servers. Take ClearQuest as an example: the CQ-LDAP configuration has one parameter to define ".... the scope of the search from the base DN?: sub (subtree); one (one level below); or base (base DN only). ..." (quote from the Rational ClearQuest document). A parameter for search scope seems to be missing in RTC.
Could you please confirm? Thanks.
yanli wrote:
I 'think' RTC lacks the capability to define the search scope on LDAP

You are right, RTC does not support changing the search scope like you described. Can you open a workitem that describes the missing function in RTC? If you do, you can assign it to the 'Repository' component.
Thanks. Created the work item: https://jazz.net/jazz/web/projects/Jazz%20Project#action=com.ibm.team.workitem.viewWorkItem&id=59463
RTC always uses subtree scope so that we can retrieve the members contained in a subgroup. That's the reason we don't have it as a configuration parameter.
I will test with a subgroup in MS Active Directory.