LDAP auth with nested groups
Has anyone tested LDAP auth with nested bluegroups with Websphere? Only users in a top level group can successfully authenticate on my server at this time. Users in a subgroup fail with the error message "Your account does not belong to the groups that are authorized to access the Web UI. Please contact your server administrator."
Have I missed a setting in Websphere to make this work?
Thanks
7 answers
mmartin wrote:
I'm not sure but I think this is a general problem with bluegroups. I
haven't been able to get that to work with GSA either. As a workaround I've
mapped multiple groups to a single Jazz_Users role for instance.
-Mark
I just tried nested LDAP user groups for one of my RTC instances - using Microsoft Active Directory server. Users in the nested groups were not 'recognized' by RTC.
The LDAP groups looked like this:
MyJazzAdminUsers
....user1
....user2
....Group1
.......user3
.......user4
....Group2
MyJazzUsers
Users 3 and 4 in this case do not have admin rights for the Jazz repo.
We may be able to map more than one LDAP group to the JazzAdminUser role, for example. But this needs restarting Tomcat (the web.xml file needs to be updated), I think.
Is it possible for the RTC-LDAP configuration to recursively search users under a specific LDAP group? Thanks.
I'm not sure about the details of how Active Directory implements
nested groups, but we don't know anything about them from the LDAP
perspective. RTC will ask 'is user A in group JazzAdmins', and it
sounds like Active Directory does not consider subgroups when it returns
its answer.
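The flat check described in the reply above ('is user A in group JazzAdmins?') next to a membership walk that follows nested groups, as an added example that is not part of this thread and is not RTC's or WebSphere's code. It models yanli's group layout with constructed DNs under DC=example,DC=com (plus a deliberate membership cycle, so the walk has to keep a visited set). It also builds the Active Directory search filter that uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) to let the server resolve nesting itself; whether RTC can be made to send such a filter is not something this thread establishes.

```python
"""Flat vs. transitive group membership over a constructed, in-memory directory."""
from typing import Dict, Set

# Constructed sample DNs (hypothetical; not from the thread)
ADMINS = "CN=MyJazzAdminUsers,OU=Groups,DC=example,DC=com"
GROUP1 = "CN=Group1,OU=Groups,DC=example,DC=com"
GROUP2 = "CN=Group2,OU=Groups,DC=example,DC=com"
USERS = "CN=MyJazzUsers,OU=Groups,DC=example,DC=com"


def user(name: str) -> str:
    """DN for a constructed sample user."""
    return f"CN={name},OU=Users,DC=example,DC=com"


# group DN -> its direct members (user DNs and/or other group DNs), mirroring
# the layout yanli posted: user1/user2 direct, user3/user4 only via Group1.
GROUPS: Dict[str, Set[str]] = {
    ADMINS: {user("user1"), user("user2"), GROUP1, GROUP2},
    GROUP1: {user("user3"), user("user4")},
    GROUP2: {ADMINS},          # cycle back to the parent: the walk must not loop forever
    USERS: {user("user5"), ADMINS},
}


def effective_members(group_dn: str, transitive: bool = True) -> Set[str]:
    """Every user DN that resolves into group_dn.

    transitive=False is the flat answer the thread describes the server giving:
    only DNs listed directly in the group. transitive=True walks nested groups
    depth-first, with a visited set so a membership cycle terminates.
    """
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in GROUPS.get(current, set()):
            if member in GROUPS:           # nested group
                if transitive:
                    stack.append(member)
            else:                          # a user entry
                users.add(member)
    return users


def is_direct_member(user_dn: str, group_dn: str) -> bool:
    """The flat 'is user A in group G?' check."""
    return user_dn in effective_members(group_dn, transitive=False)


def is_transitive_member(user_dn: str, group_dn: str) -> bool:
    """Membership that also counts users reached through subgroups."""
    return user_dn in effective_members(group_dn, transitive=True)


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


# Active Directory's transitive-membership matching rule (LDAP_MATCHING_RULE_IN_CHAIN)
AD_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def ad_nested_member_filter(group_dn: str) -> str:
    """Filter matching users whose memberOf chain, resolved server-side, reaches group_dn."""
    return (
        "(&(objectClass=user)"
        f"(memberOf:{AD_MATCHING_RULE_IN_CHAIN}:={ldap_filter_escape(group_dn)}))"
    )


if __name__ == "__main__":
    for name in ("user1", "user3", "user5"):
        print(name, "direct:", is_direct_member(user(name), ADMINS),
              "transitive:", is_transitive_member(user(name), ADMINS))
    print(ad_nested_member_filter(ADMINS))
```

With the flat check, user3 and user4 are exactly the accounts that get the "does not belong to the groups that are authorized" message; the transitive walk (or a server-side chain filter, where the server and client both support it) is what recognises them. Whichever side does the expansion, the walk needs cycle protection, because nothing stops a directory from containing a group that is (indirectly) a member of itself.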
I 'think' RTC lacks the capability to define the search scope on LDAP servers. Take ClearQuest as an example, CQ-LDAP configuration has one parameter to define ".... the scope of the search from the base DN?: sub (subtree); one (one level below); or base (base DN only). ..." (quote from Rational ClearQuest document). A parameter for searching scope seems missing in RTC.
Could you please confirm? Thanks.
You are right, RTC does not support changing the search scope like you
described. Can you open a workitem that describes the missing function
in RTC? If you do, you can assign it to the 'Repository' component.
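What the three search scopes quoted from the ClearQuest document (base, one, sub) actually select, as an added example that is not part of this thread and is not ClearQuest's, RTC's or any LDAP library's code. It runs the same scope rule over a constructed directory tree (DNs under DC=example,DC=com are made up) in which some groups live one level below the base DN and one lives two levels below, so a one-level search misses it and only a subtree search finds it. The DN split is deliberately naive and assumes no escaped commas in RDN values.

```python
"""Which entries a base / one / sub scoped search returns below a base DN."""
from typing import List

# Constructed sample tree (hypothetical DNs). Group1 sits two levels below
# OU=Groups, which is the case that separates scope 'one' from scope 'sub'.
ENTRIES = [
    "OU=Groups,DC=example,DC=com",
    "CN=MyJazzAdminUsers,OU=Groups,DC=example,DC=com",
    "CN=MyJazzUsers,OU=Groups,DC=example,DC=com",
    "OU=Teams,OU=Groups,DC=example,DC=com",
    "CN=Group1,OU=Teams,OU=Groups,DC=example,DC=com",
    "CN=user1,OU=Users,DC=example,DC=com",
]

SCOPES = ("base", "one", "sub")


def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, leaf first. Assumes no escaped commas."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn is selected by a search from base_dn with the given scope."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}; expected one of {SCOPES}")
    entry, base = rdns(entry_dn), rdns(base_dn)
    # the entry must end with the base DN's RDNs to be under the base at all
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)     # 0 = the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    return True                        # sub: the base and everything beneath it


def search(base_dn: str, scope: str, entries: List[str] = ENTRIES) -> List[str]:
    """Entries of the constructed tree that a search with this base and scope returns."""
    return [dn for dn in entries if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    base = "OU=Groups,DC=example,DC=com"
    for scope in SCOPES:
        print(scope, "->", search(base, scope))
```

The scope controls how deep into the directory tree below the base DN the server looks for entries; it does not by itself expand nested group membership, which is the separate problem discussed earlier in the thread. A product that only ever searches one level below its configured base will not see a group stored in a sub-OU, and a product that cannot change the scope at all has to be configured with a base DN that already contains everything it needs.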