LDAPLocalGroup with Tomcat
We are considering using the LDAPLocalGroup for Tomcat as described in this article: https://jazz.net/library/article/457
If a user is a member of an LDAP AutoGroup and is also defined in the mapping.csv file, will the LDAP AutoGroup permissions be used or the permissions from the csv file, or will both be used? In other words, if User A has JazzAdmins permission in an LDAPAutoGroup but is listed in the mapping.csv file without JazzAdmins permissions, would we expect this user to have JazzAdmins permissions or not?
Also, is there any information on the performance testing that was done for this feature? Is the mapping.csv file going to be read in and parsed at every user login or only when it has changed since the last access? If the mapping file becomes very large and there is a high volume of user logins, are there any performance concerns that we should be aware of?
5 answers
Hi Laura,
The LDAPLocalGroup feature only works with the local mapping file to determine the group information. I guess the "LDAPAutoGroup" you mentioned is a group in the LDAP directory. We don't support a hybrid feature; you have to either use the mapping defined in mapping.csv or use the groups defined in LDAP. We have not done extensive performance testing, but we are using smart caching and you should not see performance issues even when the csv file has a lot of entries.
-- Balaji
Jazz Foundation Team
Thank you. I see that the mapping.csv is being refreshed and is picking up changes without needing to restart the server and this is good.
Can you tell us how frequently the mapping.csv is being read in? Is it refreshed periodically or when a new user logs in or when the timestamp changes? Also, from the (minimal) testing that I have done it looks like the behavior is hybrid, which was a bit of a surprise, but is not an issue.
When testing access using a local mapping.csv file, we find that users who are defined in the mapping.csv file like so: rtcbuild1, or like so rtcbuild2, are able to authenticate and log in but do not have access to the Project page. The display indicates "Error! You are not authorized to view this page. Forbidden". There are no errors in the log files, but it looks like the initializationData call is returning a 403 from /ccm/service/com.ibm.team.repository.service.internal.webuiInitializer.IWebUIInitializerRestService
Your error does not sound like an LDAP problem. Are rtcbuild1 and rtcbuild2 members of the project you are trying to access? They need to be members of the project.
regards
anthony
I am not attempting to access any particular project via a project-related URL. I am simply logging into the WEB UI (https://<server>/jazz) and trying to get the default initial page for the given role.
In the case of JazzUsers, the initial default is the "Project Areas" page. In the case of JazzAdmins, the initial default is the Admin UI "Status Summary" page. When users who have the JazzProjectAdmins Role in LDAP log in, they are directed to the "Project Areas" page. But when the users who are not defined in LDAP (i.e. assigned exclusively in the mapping.csv file) log in, they get this Error page. When these users have JazzAdmins permissions assigned they do get to the Admin page, so the configuration itself (in the server.xml file) is definitely set up correctly and is being picked up.