Updates to LDAP JazzAdmins group not getting populated
Hi, all.
We are running Jazz server with WebSphere 6.1.0.15 and DB2 9.5. I have created a group on our LDAP environment for JazzAdmins and a group for JazzUsers, both of which are mapped to the admins and users groups in the LDAP configuration of our Jazz server.

I initially populated the JazzAdmins group only on the LDAP server with a few LDAP users. When LDAPNightlySyncTask ran on the Jazz server, the LDAP users were added to the local Jazz repository. I then added one user and removed one from the JazzAdmins group on the LDAP server. When LDAPNightlySyncTask ran on the Jazz server, nothing was updated in the local Jazz repository.

Then, I added LDAP users to the JazzUsers group on the LDAP server. When LDAPNightlySyncTask ran on the Jazz server, these new JazzUsers group additions were populated to the local Jazz repository.

Does anybody have any ideas why the JazzUsers group updates are getting populated but the JazzAdmins group updates aren't? Thanks in advance.

Chris
9 answers
When talking about the LDAP nightly sync, it's important to remember that only the user data is sync'd, and not the role assignments. The role assignments are always kept in the LDAP server, and queried when needed. Are you describing that new users added to the JazzAdmins role are not automatically created in the RTC server?
When you remove a user from LDAP (that is already present in Jazz repo), we don't automatically archive the user in Jazz repository. You need to archive the user manually. For new users created in LDAP, we create the user in Jazz repository.

-------
Balaji

"cerrichetti" <chris_errichetti> wrote in message news:g7crks$duu$1@localhost.localdomain...
On the LDAP server, I have two groups: one called LDAPJazzAdmins and one called LDAPJazzUsers. Both of these groups exist on the LDAP server only. In the Jazz server configuration, I have mapped the LDAPJazzAdmins LDAP group to the JazzAdmins local repository group and the LDAPJazzUsers LDAP group to the JazzUsers local repository group.

When I log on to the LDAP server and add a new user to the LDAPJazzUsers group, the user gets populated to the JazzUsers group in the local repository. However, when I log on to the LDAP server and add a new user to the LDAPJazzAdmins group, the user does not get populated to the JazzAdmins group in the local repository. In my particular issue, the roles assigned to the user accounts are irrelevant.

Thanks.

Chris
Chris,

In case you are not aware, the server provides a feed you can subscribe to, to view events from the LDAP sync. This is in the docs at https://jazz.net/jazzdocs/topic/com.ibm.team.repository.web.admin.doc/topics/cldapsynctaskfeed.html

You might want to try the following:

- Check the feed to see if you see any events or errors related to the users you expect to be added.
- Check your LDAP properties in the Jazz server admin web UI advanced configuration page. Make sure that your group mappings are correctly configured. Remember that the group mappings are configured in the container (WAS) for authentication and authorization, and are also configured in Jazz for user import.

--
Ritchie Schacher
Jazz Server Development

"cerrichetti" <chris_errichetti> wrote in message news:g7fl9j$lhm$1@localhost.localdomain...
Hi, all.

Still having some issues with syncing up the repository with the LDAP groups that I have defined. Several valid user IDs were added to our JazzUsers group that was created on the LDAP server and is linked to the configuration on the Jazz server. All but one of the user IDs was populated to the repository at the next LDAP Nightly sync task run.

I checked the events feed and see the following error in regards to the ID that didn't get populated to the repository:

The user "uid=xxxxxxxx,c=xx,ou=xxxxxxx,o=xxx" is invalid... This user has more than one user id.

However, this ID doesn't show up in the admin console view of the users. I also get this error for another user ID that I had to archive and then create by importing through the admin console. FYI, I see the same user ID info in IE 6 and Firefox 3.

Any ideas on what is happening here? Thanks.

Chris
The user id must be mapped to a single attribute value. Can you check with your LDAP administrator and map the user id to an attribute that contains a single value?
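The two answers above describe the sync semantics that explain Chris's symptoms: a member whose mapped user-id attribute holds more than one value is rejected rather than created, and a user removed from the LDAP group is never archived automatically. The script below is an added example, not code from the thread or from the Jazz/RTC product, that performs the same two checks against an LDAP export before the nightly task runs. It parses a small constructed LDIF dump (the shape `ldapsearch -LLL` prints; the DNs, attribute names such as `preferredIdentity`, group name and user ids are all constructed placeholders) and reports which group members would be created, which would be rejected for a multi-valued id attribute, and which repository users are no longer group members and need manual archiving.

```python
"""Pre-sync check for one LDAP-group-to-repository-group mapping.

Added example; not from the thread or from the Jazz/RTC product.
All DNs, attribute names, group names and user ids are constructed.
"""
from collections import defaultdict

# Constructed LDIF export: one group entry and three member entries.
# 'bob' deliberately carries two uid values to reproduce the
# "This user has more than one user id" rejection.
SAMPLE_LDIF = """\
dn: cn=LDAPJazzAdmins,ou=groups,o=example
objectClass: groupOfNames
cn: LDAPJazzAdmins
member: uid=alice,ou=people,o=example
member: uid=bob,ou=people,o=example
member: uid=carol,ou=people,o=example

dn: uid=alice,ou=people,o=example
uid: alice
mail: alice@example.test
preferredIdentity: alice

dn: uid=bob,ou=people,o=example
uid: bob
uid: robert
mail: bob@example.test
preferredIdentity: bob

dn: uid=carol,ou=people,o=example
uid: carol
mail: carol@example.test
preferredIdentity: carol
"""

GROUP_DN = "cn=LDAPJazzAdmins,ou=groups,o=example"


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a simple unfolded, unencoded LDIF."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = value
            entries[current] = defaultdict(list)
        elif current is not None:
            entries[current][attr].append(value)
    return entries


def check_group_sync(entries, group_dn, userid_attr, repo_users):
    """Compare LDAP group membership with users already in the repository.

    userid_attr: the LDAP attribute the server's user-id property is mapped to.
    repo_users:  set of user ids currently active in the local repository.
    Returns sorted lists: to_create, multi_valued (dn, values), to_archive.
    """
    members = entries.get(group_dn, {}).get("member", [])
    known_ids = set()
    to_create, multi_valued = [], []
    for dn in members:
        values = entries.get(dn, {}).get(userid_attr, [])
        if len(values) != 1:
            # The sync skips such a member instead of creating it; keep every
            # candidate id so an existing account is not reported as stale.
            multi_valued.append((dn, list(values)))
            known_ids.update(values)
            continue
        uid = values[0]
        known_ids.add(uid)
        if uid not in repo_users:
            to_create.append(uid)
    # The nightly sync leaves these accounts active; archive them by hand.
    to_archive = sorted(repo_users - known_ids)
    return {"to_create": sorted(to_create),
            "multi_valued": sorted(multi_valued),
            "to_archive": to_archive}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    repo = {"alice", "dave"}   # constructed snapshot of the repository
    for attr in ("uid", "preferredIdentity"):
        print(f"user id mapped to '{attr}':")
        for key, val in check_group_sync(entries, GROUP_DN, attr, repo).items():
            print(f"  {key}: {val}")
```

Running it with the id mapped to `uid` flags bob and leaves him uncreated, which is exactly the feed error in the thread; switching the mapping to the single-valued `preferredIdentity` attribute clears the rejection and bob appears in the create list instead. In both runs `dave` is reported for manual archiving because he is in the repository but not in the group.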
If you are using IBM bluegroups, you need to map userId to preferredIdentity
---
Balaji
Jazz Server Team
Thanks, Balaji. I am using IBM BlueGroups. Which property would this be for in the Advanced Properties section of the admin console? Would it be User Property Names Mapping? Or would I make the change at the WebSphere global security level? Or maybe both?

Chris
The correct solution is to fix both WebSphere LDAP configuration and user property mapping in advanced properties.

But IBM bluepages authentication is tolerant to multiple email addresses associated with a user. So to fix your problem, edit Advanced properties->LDAPUserRegistryProvider->UserProperty mapping.. The mapping value must be