It's all about the answers!

Ask a question

RTC 3.0 : LDAP for password authentication only

Stefano Antoniazzi (1701711) | asked Jan 07 '11, 3:09 a.m.
I've installed RTC 3.0 on a Windows server and using Oracle as DB without using LDAP and everything works now.

I don't want to manage user passwords and let the user mantain their domain password.
At the moment I don't care about having RTC roles managed by LDAP.

I'm reading the docs about RTC and LDAP but I don't understand how I can use LDAP for password authentication only.

Should I set up LDAP groups for RTC even for password authentication only?


Accepted answer

permanent link
Benjamin Chodroff (8985231) | answered Jan 19 '11, 6:16 p.m.
Good news -- RTC 3.0 supports the ability to use the LDAP for authentication but manage the roles in a file based approach.

See this article for setting up Tomcat with this file based groups + LDAP:

Not perfect, but better. See this enhancement request and add your opinion:
Stefano Antoniazzi selected this answer as the correct answer

8 other answers

permanent link
Benjamin Chodroff (8985231) | answered Jan 15 '11, 12:18 p.m.
In order to do any type of LDAP authentication, you need the LDAP groups. This is because there is no way to manage the roles inside of the RTC applications -- this information is determined by which group in the LDAP the user is a part of. When only using tomcat authentication, it manages these groups outside of the application in the tomcat-users.xml file.

I don't like this so I created a workaround that might work for you...

In WAS, it is possible to map a WAR file's roles to various LDAP groups. You could, for example, map the entire LDAP base to JazzUsers and then select individual users to be JazzAdmins, JazzProjectAdmins, etc. This would mean no new groups would have to be created in the LDAP and your users get LDAP authentication.

You might then use a script like this inside of a web application to allow people to create themselves inside of RTC -- so you don't have to run the nightly LDAP synchronizer :)


set -- $email
if [ "${#@}" -ne 2 ];then
echo "Invalid email"
exit -100

echo "Searching for user $email in the LDAP"
ldapsearch -x -H ldap://$LDAP -b $SEARCHBASE -LLL mail="$email" hrFirstName hrLastName > dn.txt

dn=`cat dn.txt`
first=`cat dn.txt |grep First|awk '{ print $2 }'`
last=`cat dn.txt |grep Last|awk '{ print $2 }'`

if [ "$dn" == "" ] ; then
echo "User $email was not found in the LDAP"
exit -1
echo "User $email was found in the LDAP"
echo "Adding user $email to RTC with a license"
cd /opt/IBM/JazzTeamServer/server
./ -createUser userId="$email" name="$first $last" emailaddress="$email" repositoryURL="$REPOSITORYURL" adminUserId="$ADMINUSER" adminPassword="$ADMINPASS"
echo "Completed Successfully!"
exit 0

permanent link
Manik K (10133) | answered Jan 17 '11, 9:45 a.m.
Hello Benjamin,

This seems to be a very nice and useful script, but would you explain a little bit more? Can I execute this script in Wondows 2008 environment and how exactly this works when I want to add one or more users?

I have RTC setup with WAS and LDAP (AD). JazzGroups has been configured properly in the LDAP server. But I don;t want to request the Back Office Admin every time I need to maintain (add/remove) users into the LDAP user's registry.

I read somewhere that there is a script that you can imlpement to do that by yourself? Does your script do the same?

Thanks again.

permanent link
Benjamin Chodroff (8985231) | answered Jan 17 '11, 10:04 a.m.
Ah, sadly my script only works in Linux but with a little Windows batch scripting it could be implemented in Windows. Sadly, I'm no batch script expert -- maybe you could help? :)

Basically what the script does is:
1. Check to see if the user exists in the LDAP (could be AD) using an open source utility called "ldapsearch". The command allows me to look up their first and last name too.
2. If the user exists, then they should be created in RTC. I call the command line utility for the server --, to create a user in the Jazz team server

Repotools-jts.bat can be called in Windows 2008.
There is a ldp.exe from Microsoft that performs the same as ldapsearch:
ldp.exe is a Microsoft Windows LDAP search tool which has the same basic features as ldapsearch. It can be downloaded from Microsoft Website for your version of windows. ldp.exe is included in the Windows Server 2003 CD support tools. For information on using Microsoft Windows ldp command, see

Or, you might be able to find a developer to whip up a .NET webpage or have it available in SharePoint so people could join automatically without bothering the RTC or AD admins.

Alternatively, you could request your AD admin to grant you permission to administer the Jazz Groups... but that might require a lot of bribes/beer :)

permanent link
Manik K (10133) | answered Jan 17 '11, 12:03 p.m.
Thank you benjamin. I have used ldapsearch, ldap browser and ldp.exe before, unfortunately I don't have permission to administer the Jazz Groups in LDAP. My BO team is in another location, so I don't think the bribes will come to play here, but I am hopeful :)


permanent link
Benjamin Chodroff (8985231) | answered Jan 17 '11, 12:34 p.m.
Understood :)

I'd suggest opening up a Jazz work item or APAR on this -- I have other customers with similar constraints in managing users. I'd propose the ability to use LDAP, but manage the repository roles internally in the application instead of using LDAP groups. I don't see the harm... only benefit.

permanent link
Stefano Antoniazzi (1701711) | answered Jan 19 '11, 5:49 a.m.
Thanks a lot for the info. Reading all the doc I still don't understand if I may map the 4 JAzz groups (JazzAdmins, JAzzDWAdmins, JazzUsers and JazzGuests) to the same LDAP group (I just need password authentication)....

permanent link
Benjamin Chodroff (8985231) | answered Jan 19 '11, 10:04 a.m.
Thanks a lot for the info. Reading all the doc I still don't understand if I may map the 4 JAzz groups (JazzAdmins, JAzzDWAdmins, JazzUsers and JazzGuests) to the same LDAP group (I just need password authentication)....

You *could* but I wouldn't recommend it! It would mean everyone is then an administrator! The repository permissions work as the union of all the capabilities -- and since JazzAdmin has the highest level you would get all of those permissions. If everyone is JazzAdmin, your system is completely open to a user accidentally archiving an entire project -- which is not easily reversible.

If this is a problem, I would suggest opening up an enhancement request to moderate these permissions in the application rather than map groups to the LDAP.

permanent link
Stefano Antoniazzi (1701711) | answered Sep 25 '12, 11:08 a.m.
 At the end we just defined in Active Directory the same groups requested by rtc (exactly jazzusers, jazzadmins,...) 

Your answer

Register or to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.