
RTC 3.0 : LDAP for password authentication only

I've installed RTC 3.0 on a Windows server and using Oracle as DB without using LDAP and everything works now.

I don't want to manage user passwords and would let the users maintain their domain password.
At the moment I don't care about having RTC roles managed by LDAP.

I'm reading the docs about RTC and LDAP but I don't understand how I can use LDAP for password authentication only.

Should I set up LDAP groups for RTC even for password authentication only?

Thanks

0 votes


Accepted answer

Permanent link
Good news -- RTC 3.0 supports the ability to use the LDAP for authentication but manage the roles in a file based approach.

See this article for setting up Tomcat with this file based groups + LDAP:
http://jazz.net/library/article/457

Not perfect, but better. See this enhancement request and add your opinion:
https://jazz.net/jazz/web/projects/Jazz%20Foundation#action=com.ibm.team.workitem.viewWorkItem&id=149463
Stefano Antoniazzi selected this answer as the correct answer

0 votes


8 other answers

Permanent link
In order to do any type of LDAP authentication, you need the LDAP groups. This is because there is no way to manage the roles inside of the RTC applications -- this information is determined by which group in the LDAP the user is a part of. When only using tomcat authentication, it manages these groups outside of the application in the tomcat-users.xml file.

I don't like this so I created a workaround that might work for you...

In WAS, it is possible to map a WAR file's roles to various LDAP groups. You could, for example, map the entire LDAP base to JazzUsers and then select individual users to be JazzAdmins, JazzProjectAdmins, etc. This would mean no new groups would have to be created in the LDAP and your users get LDAP authentication.

You might then use a script like this inside of a web application to allow people to create themselves inside of RTC -- so you don't have to run the nightly LDAP synchronizer :)

#!/bin/bash
# Self-service provisioning: look the address up in the LDAP, then create the RTC user.
LDAP="yourldapserverhere:389"
SEARCHBASE="ou=bluepages,o=ibm.com"
REPOSITORYURL="https://chodroff-laptop:9444/jts"
ADMINUSER="benjamin.chodroff@us.ibm.com"
ADMINPASS=""

email="$1"

# Split the argument on "@" and require exactly two parts; restore IFS so the
# changed separator does not affect the rest of the script.
oldIFS="$IFS"
IFS="@"
set -- $email
IFS="$oldIFS"
if [ "$#" -ne 2 ]; then
    echo "Invalid email"
    exit 2
fi

echo "Searching for user $email in the LDAP"
# Fetch the entry (without LDIF wrapping) together with the first/last name attributes.
result=$(ldapsearch -x -H "ldap://$LDAP" -b "$SEARCHBASE" -LLL "mail=$email" hrFirstName hrLastName)

first=$(printf '%s\n' "$result" | grep '^hrFirstName:' | awk '{ print $2 }')
last=$(printf '%s\n' "$result" | grep '^hrLastName:' | awk '{ print $2 }')

if [ -z "$result" ]; then
    echo "User $email was not found in the LDAP"
    exit 1
else
    echo "User $email was found in the LDAP"
    echo "Adding user $email to RTC with a license"
    cd /opt/IBM/JazzTeamServer/server || exit 1
    ./repotools-jts.sh -createUser userId="$email" name="$first $last" emailaddress="$email" licenseId=com.ibm.team.rtc.developer repositoryURL="$REPOSITORYURL" adminUserId="$ADMINUSER" adminPassword="$ADMINPASS"
fi
echo "Completed Successfully!"
exit 0

0 votes
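The script above, and the two-step procedure Benjamin describes further down (look the address up with ldapsearch, then create the user with repotools), both hand the caller-supplied e-mail address straight into the ldapsearch filter. When the argument arrives from a self-service web page, as suggested, a value containing filter metacharacters changes what the search matches. The following functions are an added example, not part of the original post: they validate the address and hex-escape it as RFC 4515 requires before it is placed in the `(mail=...)` filter. The function names are my own.

```shell
#!/bin/bash
# Added example: safe construction of the ldapsearch filter used by the
# provisioning script. Not from the original post; function names are assumed.

# Escape one string for use inside an LDAP search filter (RFC 4515):
# backslash must be handled first so the escapes it produces are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Accept only a plausible single address: no whitespace, no filter
# metacharacters, a non-empty local part and domain, exactly one "@".
# Returns 0 when valid, 1 otherwise.
valid_email() {
    case "$1" in
        *[[:space:]]*|*'*'*|*'('*|*')'*|*'\'*) return 1 ;;
        *@*@*|@*|*@|'') return 1 ;;
    esac
    case "$1" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Build the exact filter string to pass to ldapsearch in place of mail="$email".
mail_filter() {
    printf '(mail=%s)' "$(ldap_escape "$1")"
}

# Usage in the provisioning script (the ldapsearch call itself is the page's):
#   valid_email "$email" || { echo "Invalid email"; exit 2; }
#   ldapsearch -x -H "ldap://$LDAP" -b "$SEARCHBASE" -LLL "$(mail_filter "$email")" hrFirstName hrLastName
```

Rejecting metacharacters up front and escaping anyway is deliberate: the validator protects the provisioning path, while the escaper stays correct if it is later reused for attribute values (display names, for instance) that legitimately contain parentheses.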


Permanent link
Hello Benjamin,

This seems to be a very nice and useful script, but would you explain a little bit more? Can I execute this script in a Windows 2008 environment, and how exactly does this work when I want to add one or more users?

I have RTC set up with WAS and LDAP (AD). JazzGroups has been configured properly in the LDAP server. But I don't want to request the Back Office Admin every time I need to maintain (add/remove) users in the LDAP user registry.

I read somewhere that there is a script that you can implement to do that by yourself? Does your script do the same?

Thanks again.

0 votes


Permanent link
Ah, sadly my script only works in Linux but with a little Windows batch scripting it could be implemented in Windows. Sadly, I'm no batch script expert -- maybe you could help? :)

Basically what the script does is:
1. Check to see if the user exists in the LDAP (could be AD) using an open source utility called "ldapsearch". The command allows me to look up their first and last name too.
2. If the user exists, then they should be created in RTC. I call the command line utility for the server -- repotools-jts.sh/bat, to create a user in the Jazz team server

Repotools-jts.bat can be called in Windows 2008.
There is an ldp.exe from Microsoft that performs the same as ldapsearch:
ldp.exe is a Microsoft Windows LDAP search tool which has the same basic features as ldapsearch. It can be downloaded from the Microsoft website for your version of Windows. ldp.exe is included in the Windows Server 2003 CD support tools. For information on using the Microsoft Windows ldp command, see http://support.microsoft.com/kb/224543.

Or, you might be able to find a developer to whip up a .NET webpage or have it available in SharePoint so people could join automatically without bothering the RTC or AD admins.

Alternatively, you could request your AD admin to grant you permission to administer the Jazz Groups... but that might require a lot of bribes/beer :)

0 votes


Permanent link
Thank you Benjamin. I have used ldapsearch, LDAP browser and ldp.exe before; unfortunately I don't have permission to administer the Jazz Groups in LDAP. My BO team is in another location, so I don't think the bribes will come into play here, but I am hopeful :)

Regards,
Manik

0 votes


Permanent link
Understood :)

I'd suggest opening up a Jazz work item or APAR on this -- I have other customers with similar constraints in managing users. I'd propose the ability to use LDAP, but manage the repository roles internally in the application instead of using LDAP groups. I don't see the harm... only benefit.

0 votes


Permanent link
Thanks a lot for the info. Reading all the doc I still don't understand if I may map the 4 Jazz groups (JazzAdmins, JazzDWAdmins, JazzUsers and JazzGuests) to the same LDAP group (I just need password authentication)....

0 votes


Permanent link
Thanks a lot for the info. Reading all the doc I still don't understand if I may map the 4 Jazz groups (JazzAdmins, JazzDWAdmins, JazzUsers and JazzGuests) to the same LDAP group (I just need password authentication)....


You *could* but I wouldn't recommend it! It would mean everyone is then an administrator! The repository permissions work as the union of all the capabilities -- and since JazzAdmin has the highest level you would get all of those permissions. If everyone is JazzAdmin, your system is completely open to a user accidentally archiving an entire project -- which is not easily reversible.

If this is a problem, I would suggest opening up an enhancement request to moderate these permissions in the application rather than map groups to the LDAP.

0 votes


Permanent link
In the end we just defined in Active Directory the same groups requested by RTC (exactly jazzusers, jazzadmins, ...).

0 votes

Question details

Question asked: Jan 07 '11, 3:09 a.m.

Question was seen: 7,846 times

Last updated: Sep 25 '12, 11:08 a.m.
