[closed] How to authenticate using a LDAP server?


Jeffrey Liu (111131) | asked Jul 09 '07, 11:36 a.m.
closed Feb 17 '17, 5:40 a.m. by Ralph Schoon (58.2k23642)

Hi,

I followed the tutorials to set up my server, good stuff. However, the tutorials don't seem to go into detail about how to set up authentication. Specifically, I want to set up authentication with an LDAP server. Is there any documentation on this topic?

Thanks,

Jeff

The question has been closed for the following reason: "Problem is not reproducible or outdated" by rschoon Feb 17 '17, 5:40 a.m.

23 answers



Christophe Elek (2.9k12921) | answered Jul 10 '07, 3:56 a.m.
JAZZ DEVELOPER
jeffliu@ca.ibm-dot-com.no-spam.invalid (jeffliu) wrote in news:f6tjfb$72s$1@localhost.localdomain:

Hi,

I followed the tutorials to set up my server, good stuff. However, the
tutorials don't seem to go into detail about how to set up
authentication. Specifically, I want to set up authentication with an
LDAP server. Is there any documentation on this topic?

Thanks,

Jeff


Jeff, see my post on June 23rd
We put a link on how to setup Jazz server and LDAP inside WebSphere

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational

Harleen Sahni (6642) | answered Jul 17 '07, 11:43 p.m.
Specifically, I want to set up authentication with an LDAP server. Is there any documentation on this topic?

Thanks,

Jeff


You can get Tomcat to use LDAP for authentication. Follow the guide at http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm
The only thing is that you won't be able to map whatever the LDAP role is to the "jazzuser" role (unless you can add this to your LDAP). So you have to edit jazz/server/webapps/jazz/web-inf/web.xml and replace both occurrences of "jazzusers" with whatever the role is that you are getting from LDAP. Also make sure at least one of your users has admin rights for the Jazz repository before you turn LDAP on.
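
A check for the web.xml edit described in the answer above, as an added example that is not part of the original post or of Jazz: it lists role names in a web.xml that the LDAP realm will never supply, including names that differ only in case. The web.xml fragment, the `jazzdev` role and the function name are constructed for illustration, and the two occurrences are assumed to be the standard `auth-constraint` and `security-role` elements.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}  # Servlet 2.4 namespace (assumed)

# Constructed web.xml fragment: one occurrence was mistyped, one was not replaced.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JazzDev</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>jazzusers</role-name></security-role>
</web-app>"""

def check_roles(web_xml, ldap_roles):
    """Return (location, role, problem) for each role LDAP will not supply."""
    root = ET.fromstring(web_xml)
    lowered = {r.lower(): r for r in ldap_roles}
    findings = []
    for location in ("auth-constraint", "security-role"):
        for el in root.findall(f".//j:{location}/j:role-name", NS):
            role = (el.text or "").strip()
            if role in ldap_roles:
                continue  # exact match: the container can grant this role
            if role.lower() in lowered:
                # Role names are compared as exact strings, so case matters.
                problem = f"case differs from {lowered[role.lower()]}"
            else:
                problem = "not returned by LDAP"
            findings.append((location, role, problem))
    return findings

if __name__ == "__main__":
    for finding in check_roles(WEB_XML, {"jazzdev"}):
        print(finding)
```

An empty result means every role name in the descriptor matches a role the realm returns; any finding means logins will authenticate but fail authorization for that constraint.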

Shawn Lauzon (38174) | answered Aug 02 '07, 7:03 p.m.
Christophe:

I looked around, and didn't see a June 23rd post anywhere about LDAP. Could you provide a pointer? Thanks ...

shawn.

Alex Akilov (19111) | answered Aug 03 '07, 9:25 a.m.
JAZZ DEVELOPER
Try
https://jazz.net/jazz/secure/service/com.ibm.team.workitem.common.internal.rest.IAttachmentRestService/repo/csid/Attachment/_Xs4SoRlvEdy2vqdpd5yTVQ
Christophe's post was actually from July 9.

Christophe Elek (2.9k12921) | answered Aug 03 '07, 9:08 p.m.
JAZZ DEVELOPER
lauzon@us.ibm-dot-com.no-spam.invalid (shawnlauzon) wrote in news:f8to3q$3f7$2@localhost.localdomain:

Christophe:

I looked around, and didn't see a June 23rd post anywhere about LDAP.
Could you provide a pointer? Thanks ...

shawn.


Shawn, we managed to make it work with the IBM internal LDAP.
We created an internal doc.

I cannot publish it because it contains IP addresses, LDAP schemas and
other magic tricks to make it work inside IBM.

If you are interested, ping me directly.

If anyone has issues setting up LDAP with WebSphere, post your question
here... we *should* be able to help... Otherwise we will ask our friends in
WebSphere :)


--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational

Tom Frauenhofer (1.3k58435) | answered Dec 04 '07, 5:18 p.m.
Hi again

I've followed the LDAP doc you mentioned here and it works (kinda) but
as a WAS newbie I found the following problem:

I have the IBM internal LDAP defined and working for WAS 6.1. But ...
when setting the Security Roles for Jazz during jazz.war installation,
in the "Lookup Users or Groups" page, I can look up LDAP users without
difficulty, but I'm trying, without any success, to look up one of our
LDAP groups (bluegroups). It seems no matter what I type in the search
string, the WAS Admin Console returns nothing.

Is there some magic format that must be used when using WAS Admin
Console to look up LDAP groups?

Any help appreciated !!

Cheers

Tom Frauenhofer (1.3k58435) | answered Dec 04 '07, 5:38 p.m.
In case it helps, I see the following WAS errors in its error log:

SECJ0342E: Could not get the groups matching the pattern cn=mygroup*
because of the following exception {1}.
Make sure the groups matching the pattern exist in the registry. Contact
your service representative if the problem persists.


getUsersGroups return null
Message type
Runtime Error
Explanation
No explanation found for ID=getUsersGroups return null
User action
No user action found for ID=getUsersGroups return null
Message Originator
com.ibm.ws.console.appmanagement.action.MapRolesToUsersAction

Dave


Christophe Elek (2.9k12921) | answered Dec 05 '07, 4:58 a.m.
JAZZ DEVELOPER
David Ward <davidward@us.ibm.com> wrote in news:fj4kb5$bio$1@localhost.localdomain:

getUsersGroups return null

K, based on the symptom and the signs, I am wondering if
-1 - we get the credentials and we pass that to the session
-2 - we are able to get the LDAP group

Check the group filter in WebSphere, mine is:
(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))

If this doesn't work, ping me directly :)

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational

Christophe Elek (2.9k12921) | answered Dec 05 '07, 6:11 a.m.
JAZZ DEVELOPER
David Ward <davidward@us.ibm.com> wrote in news:fj6do1$43a$1@localhost.localdomain:

Hi again

Dave and I will work using email as we now need to exchange info about
internal IBM LDAP infrastructure
I will post our findings here :)

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational

Christophe Elek (2.9k12921) | answered Dec 05 '07, 8:38 a.m.
JAZZ DEVELOPER
Christophe Elek <Christophe.Elek@gmail.com> wrote in news:Xns99FD67AE3FD01celekcaibmcom@199.246.40.53:

David realized the Base Distinguished Name was different in my case. He
fixed the DBN and it works:


Symptoms: Unable to log on as Admin or User

Signs: The log shows
SECJ0129E: Authorization failed for fred while invoking GET on
default_host:/jazz/admin/cmd/isRepositoryAvailable, Authorization
failed, Not granted any of the required roles: JazzAdmins

Possible solutions:
The user is not in the group
The group setup in LDAP is not found because it has a different name or the
LDAP query did not return it.

Check:
Verify spelling of user and group
Test LDAP making sure the query returns the Group and that the group
contains the user

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational
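
The checks listed in the last post, together with the group filter quoted earlier in the thread, as an added example that is not part of the original thread and is not a real LDAP client: it substitutes a group name for `%v` in that filter and evaluates it against a constructed in-memory directory, to tell a wrong base DN or misspelled group apart from a missing membership. The DNs, the `o=example.com` suffix and the function names are assumptions.

```python
import re

# Group filter quoted in the thread; %v stands for the group name being looked up.
GROUP_FILTER = ("(&(cn=%v)(|(objectclass=groupOfNames)"
                "(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))")

# Constructed entries (DN -> attributes) standing in for a real directory.
DIRECTORY = {
    "cn=JazzAdmins,ou=groups,o=example.com": {
        "cn": ["JazzAdmins"], "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=fred,ou=people,o=example.com"]},
    "uid=fred,ou=people,o=example.com": {
        "cn": ["fred"], "objectclass": ["inetOrgPerson"]},
}

def escape(value):
    """Escape RFC 4515 filter metacharacters so the name is matched literally."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse(flt, i=0):
    """Parse one parenthesised filter at index i; return (predicate, next index)."""
    if flt[i + 1] in "&|":
        combine, subs, i = (all if flt[i + 1] == "&" else any), [], i + 2
        while flt[i] == "(":
            sub, i = parse(flt, i)
            subs.append(sub)
        return (lambda e: combine(s(e) for s in subs)), i + 1
    end = flt.index(")", i)
    attr, _, want = flt[i + 1:end].partition("=")
    want = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), want)
    # Equality match, case-insensitive as for cn and objectclass.
    return (lambda e: want.lower() in [v.lower() for v in e.get(attr.lower(), [])]), end + 1

def diagnose(base_dn, group, user_dn):
    """Report which of the causes named in the thread explains a failed lookup."""
    match, _ = parse(GROUP_FILTER.replace("%v", escape(group)))
    suffix = "," + base_dn.lower()
    hits = [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(suffix) and match(e)]
    if not hits:
        return "group not found under base DN"
    entry = DIRECTORY[hits[0]]
    members = entry.get("member", []) + entry.get("uniquemember", [])
    if user_dn.lower() not in [m.lower() for m in members]:
        return "group found but user is not a member"
    return "ok"
```

Against a live directory the same three questions apply in the same order: is the search rooted at the right base DN, does the filter return the group, and does the group entry list the user's DN.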