[closed] How to authenticate using a LDAP server?
Jeffrey Liu (111●1●3●1)
| asked Jul 09 '07, 11:36 a.m.
closed Feb 17 '17, 5:40 a.m. by Ralph Schoon (63.1k●3●36●46) Hi,
|
The question has been closed for the following reason: "Problem is not reproducible or outdated" by rschoon Feb 17 '17, 5:40 a.m.
23 answers
jeffliu@ca.ibm-dot-com.no-spam.invalid (jeffliu) wrote in news:f6tjfb$72s$1@localhost.localdomain:

Hi, Jeff, see my post on June 23rd. We put a link on how to set up Jazz server and LDAP inside WebSphere.

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational |
Specifically, I want to setup authentication with a LDAP server. Is there any documentation on this topic?

You can get Tomcat to use LDAP for authentication. Follow the guide at http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

The only thing is that you won't be able to map whatever the LDAP role is to the "jazzuser" role (unless you can add this to your LDAP). So you have to edit jazz/server/webapps/jazz/web-inf/web.xml and replace both occurrences of "jazzusers" with whatever the role is that you are getting from LDAP. Also make sure at least one of your users has admin rights for the Jazz repository before you turn LDAP on. |
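A small check for the web.xml edit described in the answer above, added here as an example and not taken from the thread or from Jazz: it renames the role in both places and reports any role the constraint requires that the LDAP realm does not supply. The XML snippet, the role name `developers` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for the security section of a web.xml
# (not the real Jazz file).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>jazzusers</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>jazzusers</role-name></security-role>
</web-app>"""

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}role-name'."""
    return tag.rsplit("}", 1)[-1]

def role_refs(root):
    """Yield (parent kind, element) for each <role-name> that gates access."""
    for parent in root.iter():
        if local(parent.tag) in ("auth-constraint", "security-role"):
            for child in parent:
                if local(child.tag) == "role-name":
                    yield local(parent.tag), child

def remap_role(xml_text, old, new):
    """Rename a role everywhere it is referenced; return (xml, count changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for _, element in role_refs(root):
        if (element.text or "").strip() == old:
            element.text = new
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed

def unsatisfiable_roles(xml_text, ldap_roles):
    """Roles an auth-constraint demands that the LDAP realm never returns."""
    root = ET.fromstring(xml_text)
    required = {(element.text or "").strip()
                for kind, element in role_refs(root) if kind == "auth-constraint"}
    return sorted(required - set(ldap_roles))
```

A non-empty result from `unsatisfiable_roles` means every login will be refused once LDAP is turned on, which is why the answer insists on having an admin account in place first.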
Christophe:
I looked around, and didn't see a June 23rd post anywhere about LDAP. Could you provide a pointer? Thanks ... shawn. |
Try
https://jazz.net/jazz/secure/service/com.ibm.team.workitem.common.internal.rest.IAttachmentRestService/repo/csid/Attachment/_Xs4SoRlvEdy2vqdpd5yTVQ Christophe's post was actually from July 9. |
lauzon@us.ibm-dot-com.no-spam.invalid (shawnlauzon) wrote in news:f8to3q$3f7$2@localhost.localdomain:

Christophe:

Shawn, we managed to make it work with the IBM internal LDAP. We created an internal doc. I cannot publish it because it contains IP addresses, LDAP schemas and other magic tricks to make it work inside IBM. If you are interested, ping me directly.

If anyone has issues setting up LDAP with WebSphere, post your question here... we *should* be able to help... Otherwise we will ask our friends in WebSphere :)

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational |
Hi again

I've followed the LDAP doc you mentioned here and it works (kinda), but as a WAS newbie I found the following problem:

I have the IBM internal LDAP defined and working for WAS 6.1. But ... when setting the Security Roles for Jazz during jazz.war installation, in the "Lookup Users or Groups" page, I can look up LDAP users without difficulty, but I'm trying, without any success, to look up one of our LDAP groups (bluegroups). It seems no matter what I type in the search string, the WAS Admin Console returns nothing.

Is there some magic format that must be used when using WAS Admin Console to look up LDAP groups?

Any help appreciated !!

Cheers

Christophe Elek wrote:
lauzon@us.ibm-dot-com.no-spam.invalid (shawnlauzon) wrote in news:f8to3q |
In case it helps, I see the following WAS errors in its error log:

SECJ0342E: Could not get the groups matching the pattern cn=mygroup* because of the following exception {1}. Make sure the groups matching the pattern exist in the registry. Contact your service representative if the problem persists.
getUsersGroups return null
Message type Runtime Error
Explanation No explanation found for ID=getUsersGroups return null
User action No user action found for ID=getUsersGroups return null
Message Originator com.ibm.ws.console.appmanagement.action.MapRolesToUsersAction

Dave

David Ward wrote:
Hi again |
David Ward <davidward@us.ibm.com> wrote in news:fj4kb5$bio$1@localhost.localdomain:

getUsersGroups return null

K, based on the symptom and the signs, I am wondering if
-1 - we get the credentials and we pass that to the session
-2 - we are able to get the LDAP group

Check the group filter in WebSphere, mine is:
(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))

If this doesn't work, ping me directly :)

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational |
David Ward <davidward@us.ibm.com> wrote in news:fj6do1$43a$1@localhost.localdomain:

Hi again

Dave and I will work using email as we now need to exchange info about internal IBM LDAP infrastructure.
I will post our findings here :)

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational |
Christophe Elek <Christophe.Elek@gmail.com> wrote in news:Xns99FD67AE3FD01celekcaibmcom@199.246.40.53:

David realized the Base Distinguished Name was different in my case. He fixed the DBN and it works:

Symptoms:
Unable to log on as Admin or User

Signs:
The log shows
SECJ0129E: Authorization failed for fred while invoking GET on default_host:/jazz/admin/cmd/isRepositoryAvailable, Authorization failed, Not granted any of the required roles: JazzAdmins

Possible solutions:
The user is not in the group
The group setup in LDAP is not found because it has a different name or the LDAP query did not return it.

Check:
Verify spelling of user and group
Test LDAP making sure the query returns the Group and that the group contains the user

--
Christophe Elek
Serviceability Architect
IBM Software Group - Rational |
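An offline model of the check recommended in the last post, using the group filter quoted earlier in the thread (an added example, not code from the thread or from WebSphere): it expands %v, evaluates the filter under a base DN, then tests group membership. The directory entries, DNs and function names are constructed for illustration, and the parser covers only the &, | and equality/substring forms this filter uses.

```python
import re

# Group filter quoted in the thread; %v is replaced by the search value.
GROUP_FILTER = ("(&(cn=%v)(|(objectclass=groupOfNames)"
                "(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))")

# Constructed directory (DN -> attributes); every name here is made up.
DIRECTORY = {
    "cn=JazzAdmins,ou=groups,o=example.com": {
        "cn": ["JazzAdmins"], "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=fred,ou=people,o=example.com"]},
    "uid=fred,ou=people,o=example.com": {
        "cn": ["fred"], "objectclass": ["inetOrgPerson"]},
}

def parse(f, i=0):
    """Parse the &, | and equality/substring subset of LDAP filter syntax."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(kid, entry) for kid in node[1])
    _, attr, value = node
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.I) for v in entry.get(attr, []))

def find_groups(base_dn, name):
    """Subtree search: DNs at or below base_dn that match the expanded filter."""
    tree, _ = parse(GROUP_FILTER.replace("%v", name))
    suffix = "," + base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if ("," + dn.lower()).endswith(suffix) and matches(tree, entry)]

def diagnose(base_dn, group, user_dn):
    """Name the failing step: the group query or the membership test."""
    found = find_groups(base_dn, group)
    if not found:
        return "group not returned by query"
    entry = DIRECTORY[found[0]]
    members = entry.get("member", []) + entry.get("uniquemember", [])
    return "ok" if user_dn in members else "user not in group"
```

A base DN that does not contain the group entry gives the same empty result as a misspelled group name, which matches the symptom resolved in the thread.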