Updates to LDAP JazzAdmins group not getting populated


Chris Errichetti (7173) | asked Aug 06 '08, 2:39 p.m.
Hi, all.

We are running Jazz server with WebSphere 6.1.0.15 and DB2 9.5. I have created a group on our LDAP environment for JazzAdmins and a group for JazzUsers, both of which are mapped to the admins and users groups in the LDAP configuration of our Jazz server. I initially populated the JazzAdmins group only on the LDAP server with a few LDAP users. When LDAPNightlySyncTask ran on the Jazz server, the LDAP users were added to the local Jazz repository. I then added one user and removed one from the JazzAdmins group on the LDAP server. When LDAPNightlySyncTask ran on the Jazz server, nothing was updated in the local Jazz repository. Then, I added LDAP users to the JazzUsers group on the LDAP server. When LDAPNightlySyncTask ran on the Jazz server, these new JazzUsers group additions were populated to the local Jazz repository.

Does anybody have any ideas why the JazzUsers group updates are getting populated but the JazzAdmins group updates aren't?

Thanks in advance.
Chris

9 answers



Matt Lavin (2.7k2) | answered Aug 06 '08, 3:18 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
When talking about the LDAP nightly sync, it's important to remember
that only the user data is sync'd, and not the role assignments. The
role assignments are always kept in the LDAP server, and queried when
needed.

Are you describing that new users added to the JazzAdmins role are not
automatically created in the RTC server?

Balaji Krish (1.8k12) | answered Aug 06 '08, 5:03 p.m.
JAZZ DEVELOPER
When you remove a user from LDAP (that is already present in Jazz repo), we
don't automatically archive the user in Jazz repository. You need to archive
the user manually. For new users created in LDAP, we create the user in
Jazz repository.

------- Balaji

Chris Errichetti (7173) | answered Aug 07 '08, 4:16 p.m.

On the LDAP server, I have two groups: one called LDAPJazzAdmins and one called LDAPJazzUsers. Both of these groups exist on the LDAP server only. In the Jazz server configuration, I have mapped the LDAPJazzAdmins LDAP group to the JazzAdmins local repository group and the LDAPJazzUsers LDAP group to the JazzUsers local repository group. When I log on to the LDAP server and add a new user to the LDAPJazzUsers group, the user gets populated to the JazzUsers group in the local repository. However, when I log on to the LDAP server and add a new user to the LDAPJazzAdmins group, the user does not get populated to the JazzAdmins group in the local repository. In my particular issue, the roles assigned to the user accounts are irrelevant.

Thanks.
Chris


Ritchie Schacher - IBM (47611) | answered Aug 07 '08, 4:32 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
Chris,

In case you are not aware, the server provides a feed you can subscribe to
to view events from the LDAP sync. This is in the docs at
https://jazz.net/jazzdocs/topic/com.ibm.team.repository.web.admin.doc/topics/cldapsynctaskfeed.html

You might want to try the following:
- Check the feed to see if you see any events or errors related to the users
you expect to be added
- Check your LDAP properties in the Jazz server admin web UI advanced
configuration page. Make sure that your group mappings are correctly
configured. Remember that the group mappings are configured in the
container (WAS) for authentication and authorization, and are also
configured in Jazz for user import.

--
Ritchie Schacher
Jazz Server Development

Chris Errichetti (7173) | answered Sep 15 '08, 11:58 a.m.
Hi, all.

Still having some issues with syncing up the repository with the LDAP groups that I have defined. Several valid user IDs were added to our JazzUsers group that was created on the LDAP server and is linked to the configuration on the Jazz server. All but one of the user IDs was populated to the repository at the next LDAP Nightly sync task run. I checked the events feed and see the following error in regards to the ID that didn't get populated to the repository:

The user "uid=xxxxxxxx,c=xx,ou=xxxxxxx,o=xxx" is invalid...
This user has more than one user id.

However, this ID doesn't show up in the admin console view of the users. I also get this error for another user ID that I had to archive and then create by importing through the admin console. FYI, I see the same user ID info in IE 6 and Firefox 3.

Any ideas on what is happening here?

Thanks.
Chris

Balaji Krish (1.8k12) | answered Sep 17 '08, 3:32 p.m.
JAZZ DEVELOPER
The user id must be mapped to a single attribute value. Can you check with your LDAP administrator and map the user id to an attribute that contains a single value?

Balaji Krish (1.8k12) | answered Sep 17 '08, 5:23 p.m.
JAZZ DEVELOPER
If you are using IBM bluegroups, you need to map userId to preferredIdentity.

--- Balaji
Jazz Server Team

Chris Errichetti (7173) | answered Sep 18 '08, 6:30 a.m.
Thanks, Balaji. I am using IBM BlueGroups. Which property would this be for in the Advanced Properties section of the admin console? Would it be User Property Names Mapping? Or would I make the change at the WebSphere global security level? Or maybe both?

Chris

Balaji Krish (1.8k12) | answered Sep 18 '08, 8:31 a.m.
JAZZ DEVELOPER
The correct solution is to fix both WebSphere LDAP configuration and user property mapping in advanced properties.

But IBM bluepages authentication is tolerant to multiple email addresses associated with a user.

So to fix your problem, edit Advanced properties->LDAPUserRegistryProvider->UserProperty mapping. The mapping value must be userId=preferredIdentity,name=cn,emailAddress=mail
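As an added illustration (example code written for this page, not Jazz/RTC product code and not from any of the posters), the Python script below models the two checks discussed in this thread: the LDAP-group-to-repository-group mappings Ritchie suggests verifying, and Balaji's requirement that the attribute mapped to userId be single-valued. It parses a mapping string of the same form as userId=preferredIdentity,name=cn,emailAddress=mail, resolves the members of each mapped LDAP group from a small in-memory directory, and rejects any member whose userId attribute carries more than one value, which is the "more than one user id" condition reported in the feed. The DNs, attribute names, directory contents and the group-mapping dictionary are constructed for the example; the repository's real import logic is not reproduced here.

```python
# Added example: pre-flight check for an LDAP -> Jazz user import configuration.
# All directory data below is constructed; a real check would read entries from
# the directory server instead of this dictionary.

# Constructed LDAP directory: DN -> attribute name -> list of values.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,o=example": {
        "uid": ["alice"],
        "cn": ["Alice Example"],
        "mail": ["alice@example.test"],
        "preferredIdentity": ["alice@example.test"],
    },
    "uid=bob,ou=people,o=example": {
        # Two uid values (assumed for illustration): with userId=uid this entry
        # is rejected, with userId=preferredIdentity it imports cleanly.
        "uid": ["bob", "rbob"],
        "cn": ["Bob Example"],
        "mail": ["bob@example.test"],
        "preferredIdentity": ["bob@example.test"],
    },
    "cn=LDAPJazzAdmins,ou=groups,o=example": {
        "member": ["uid=alice,ou=people,o=example"],
    },
    "cn=LDAPJazzUsers,ou=groups,o=example": {
        "member": ["uid=alice,ou=people,o=example", "uid=bob,ou=people,o=example"],
    },
}

# Constructed group mapping: LDAP group DN -> local repository group name.
SAMPLE_GROUP_MAPPINGS = {
    "cn=LDAPJazzAdmins,ou=groups,o=example": "JazzAdmins",
    "cn=LDAPJazzUsers,ou=groups,o=example": "JazzUsers",
}


def parse_property_mapping(mapping: str) -> dict:
    """Parse 'userId=preferredIdentity,name=cn,emailAddress=mail' into
    {jazz_property: ldap_attribute}. Malformed or duplicate entries and a
    missing userId mapping raise ValueError."""
    result = {}
    for pair in mapping.split(","):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"malformed mapping entry: {pair!r}")
        prop, attr = (part.strip() for part in pair.split("=", 1))
        if not prop or not attr:
            raise ValueError(f"empty property or attribute in: {pair!r}")
        if prop in result:
            raise ValueError(f"duplicate Jazz property: {prop}")
        result[prop] = attr
    if "userId" not in result:
        raise ValueError("mapping must define userId")
    return result


def build_user(entry: dict, mapping: dict) -> dict:
    """Build a repository user record from one LDAP entry. The attribute mapped
    to userId must be present with exactly one value; other mapped attributes
    must be present, and (assumption) their first value is used."""
    id_attr = mapping["userId"]
    id_values = entry.get(id_attr, [])
    if len(id_values) != 1:
        raise ValueError(
            f"userId attribute {id_attr!r} has {len(id_values)} values; exactly one required")
    user = {"userId": id_values[0]}
    for prop, attr in mapping.items():
        if prop == "userId":
            continue
        values = entry.get(attr, [])
        if not values:
            raise ValueError(f"{prop} attribute {attr!r} is missing")
        user[prop] = values[0]
    return user


def plan_import(directory: dict, group_mappings: dict, property_mapping: str):
    """Resolve every mapped LDAP group and report which members would be
    imported (with their repository groups) and which would be rejected."""
    mapping = parse_property_mapping(property_mapping)
    imported, rejected = {}, {}
    for ldap_group_dn, jazz_group in group_mappings.items():
        group = directory.get(ldap_group_dn)
        if group is None:
            rejected[ldap_group_dn] = "mapped LDAP group not found"
            continue
        for member_dn in group.get("member", []):
            entry = directory.get(member_dn)
            if entry is None:
                rejected[member_dn] = "member DN does not resolve"
                continue
            try:
                user = build_user(entry, mapping)
            except ValueError as exc:
                rejected[member_dn] = str(exc)
                continue
            record = imported.setdefault(user["userId"], dict(user, groups=set()))
            record["groups"].add(jazz_group)
    return imported, rejected


if __name__ == "__main__":
    for spec in ("userId=uid,name=cn,emailAddress=mail",
                 "userId=preferredIdentity,name=cn,emailAddress=mail"):
        ok, bad = plan_import(SAMPLE_DIRECTORY, SAMPLE_GROUP_MAPPINGS, spec)
        print(f"mapping {spec}: {len(ok)} importable, {len(bad)} rejected")
        for dn, reason in bad.items():
            print(f"  rejected {dn}: {reason}")
```

Run stand-alone, the script shows the same entry being rejected under userId=uid and accepted under userId=preferredIdentity, which is the behaviour change Balaji's mapping is meant to produce. Entries that fail here are the ones to expect in the LDAP sync feed as "invalid" users.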
