Jazz Forum

WAS or LDAP as an external source

So...

Whether you are using WAS or LDAP as an external source, do you still need to create accounts in CLM? I read of LDAP scripts, but where can I find those?

0 votes



3 answers

I don't get the WAS or LDAP.

If you configure WAS with LDAP and Jazz with LDAP you can use the Import users feature to import users that qualify in LDAP. Search the help for 'import' to find the help topic. There is also a Synchronize LDAP feature in repotools. Please search the help for 'Synchronize LDAP'.

I am not sure what happens if you configure WAS with a local realm. With Tomcat the local realm is writable. Therefore you can create the users in JTS and they are created in the tomcat-users.xml.

1 vote


Hey Sterling,
I will link the 2 questions. 

LDAP is like a database, or a file. Inside LDAP there are users, userid, passwords.

In Tomcat, you have the tomcat-users.xml which also contains userid/password
So in Tomcat you can either use tomcat-users.xml or LDAP to validate the userid/password.
Once validated, Tomcat calls Jazz with the userid.
Jazz looks into its own database and verifies the same userid exists.

In WAS, you do not have a tomcat-users.xml by default. WAS provides no default place for users, userids and passwords.
WAS allows you to connect to LDAP OR to create your own file which contains the users. But you have to manually create it.
Then the same thing happens. Once the userid/password is validated, WAS calls Jazz and passes the userid. The userid must exist in the Jazz database.

To have a userid exist in the database you can do it in 2 ways:
1) you synchronize with the same LDAP server if you want
AND/OR
2) you create the user manually in the database

Does it help?


1 vote

Comments

OK, that helps, Elek.

We have 10 users in WAS, and "Import Users" in the Manage Users section of Jazz is greyed out. So I seem to have to create the users in WAS AND in Jazz... which is silly. However, since we have customers without LDAP, we have to make a decision on what to do.

Oddly, I created 4 of the 10 WAS users in Jazz, and it was great that their Groups migrated over. To our surprise, the other 6 could STILL log in to Jazz! Their names appeared as ADMIN/ADMIN and email ADMIN. (Defect?)

Ah ah ... now you are facing the special rule... :)

Here is how it works:
1) the user attempts to log in to WAS; userid/password are validated
2) then we fetch the groups associated with that user (JazzAdmin, JazzUser, etc.)
3) then we send the group and userid to Jazz
4) Jazz checks the userid

if (userid.exist) then allow else if group==JazzAdmin AND jazzAdminProperty=true then user.becomeJazzAdmin()

So your 6 users should be JazzAdmin AND you have the property com.ibm.team.repository.ws.allow.admin.access=true in teamserver.properties

Does it match what you have?
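The login hand-off that Elek describes (container validates the credentials, fetches the groups, passes userid and groups to Jazz, Jazz checks its own user table and applies the special rule), written out as a runnable model. This is an added example, not IBM Jazz code: a constructed tomcat-users.xml in the real Tomcat format stands in for the container realm, a plain dict stands in for the Jazz repository's user table, and the group name JazzAdmins (the comment writes "JazzAdmin") and the property com.ibm.team.repository.ws.allow.admin.access are taken from the thread. Two of the four realm users exist in Jazz; a third is in JazzAdmins but was never created in Jazz, which is the "ADMIN/ADMIN" case Sterling saw.

```python
"""Model of the servlet container -> Jazz login hand-off described in the thread.

Added example, not IBM Jazz code. Sample realm, properties and Jazz user
table below are constructed for illustration.
"""
import hmac
import xml.etree.ElementTree as ET

# Constructed sample realm in the real tomcat-users.xml format (not from any real server).
TOMCAT_USERS_XML = """
<tomcat-users>
  <role rolename="JazzAdmins"/>
  <role rolename="JazzUsers"/>
  <user username="sterling" password="s3cret"  roles="JazzUsers"/>
  <user username="elek"     password="hunter2" roles="JazzAdmins,JazzUsers"/>
  <user username="ghost"    password="boo"     roles="JazzAdmins,JazzUsers"/>
  <user username="plain"    password="pw"      roles="JazzUsers"/>
</tomcat-users>
"""

# Constructed teamserver.properties fragment; set it to false to switch the special rule off.
TEAMSERVER_PROPERTIES = "com.ibm.team.repository.ws.allow.admin.access=true\n"

# Constructed Jazz repository: only two of the four realm users were ever created in Jazz.
JAZZ_DB = {
    "sterling": {"userid": "sterling", "name": "Sterling", "email": "sterling@example.com"},
    "elek":     {"userid": "elek",     "name": "Elek",     "email": "elek@example.com"},
}


def load_tomcat_users(xml_text):
    """Return {username: (password, set_of_roles)} parsed from tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password"), roles)
    return users


def load_properties(text):
    """Parse key=value lines of a Java properties file (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def container_authenticate(realm, userid, password):
    """Steps 1 and 2: the container validates userid/password against its realm
    and returns the groups (roles) it knows for the user, or None on failure."""
    entry = realm.get(userid)
    if entry is None:
        return None
    stored, roles = entry
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return roles


def jazz_authorize(jazz_db, props, userid, groups):
    """Steps 3 and 4: Jazz receives userid + groups and checks its own table.
    Returns the Jazz user record the session runs as, or None if refused."""
    if userid in jazz_db:
        return jazz_db[userid]
    allow_admin = props.get("com.ibm.team.repository.ws.allow.admin.access", "false").lower() == "true"
    if "JazzAdmins" in groups and allow_admin:
        # The special rule: unknown userid in the admin group becomes the built-in ADMIN.
        return {"userid": "ADMIN", "name": "ADMIN", "email": "ADMIN"}
    return None


def login(realm, jazz_db, props, userid, password):
    """Full flow: container authentication, then the Jazz-side check."""
    groups = container_authenticate(realm, userid, password)
    if groups is None:
        return None
    return jazz_authorize(jazz_db, props, userid, groups)


REALM = load_tomcat_users(TOMCAT_USERS_XML)
PROPS = load_properties(TEAMSERVER_PROPERTIES)

if __name__ == "__main__":
    for uid, pw in [("sterling", "s3cret"), ("elek", "hunter2"),
                    ("ghost", "boo"), ("plain", "pw"), ("ghost", "wrong")]:
        print(f"{uid:9s} -> {login(REALM, JAZZ_DB, PROPS, uid, pw)}")
```

Running it shows "ghost" coming out as ADMIN/ADMIN/ADMIN while "plain" (a valid container user who is only in JazzUsers) is refused; with the property set to false, or absent, "ghost" is refused too. If you rely on this property to bootstrap an installation, check who the container puts in the admin group before leaving it on.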


Only users residing in LDAP can be synchronized; all other directory types require that you create the users manually, either in both places when using the WAS File Based Registry or via Jazz for the tomcat-users.xml example. Keep in mind that the LDAP Adv Properties is the *only* place where synchronization takes place, so only users that can be accessed via those LDAP settings will be selected by the sync, and not any or all users that can log in via the current configuration of the Servlet Container. Those are two distinct configurations that normally should overlap.

One specific example of where they might not: you can only synchronize from the current LDAP server configured in Jazz Adv Properties, so if you have multiple LDAP servers you must change your configuration between syncs. Even if you have a federated registry in WAS across them and they can all log in, the sync jobs can only be pointing at one directory at a time.

 -Sean

1 vote

Comments

Hi,

Do you have steps on what you need to do, please?
I presume you change it "on the fly" to point at the relevant LDAP, import users, etc.?

How does authentication work?
You have two LDAP servers, Bluepages one, and TDS one.
They are configured as federated in WAS.
JTS points at BP and works currently.

How do I import from TDS, and allow BOTH sets of users to sign in without issues?

Thanks

Mark,


All authentication and authorization requests go through the WAS federated realm; however, the subtlety I am noting here is that the LDAP properties in the Jazz Admin Advanced Properties page are the ones used to import and sync users.

So once you have synchronized your users from one directory (aka BP) you need to modify the JTS Adv properties for LDAP to point to TDS; then you can import and sync users from there. The pain here is, you need to manually cycle back and forth between the two or more directories to keep JTS in sync.

While this does not affect their ability to log in, in the past I have noticed some strange behavior in some GUIs where the LDAP information is validated or role memberships are incorrectly populated. These appear to be only cosmetic, but are part of the workaround as this is not a directly supported scenario.

  -Sean
 

In my prior company (~10,000 employees) we synced users every night. When someone was added to LDAP, they got added to the Jazz Users group and given a Stakeholder license (using pooled licenses). We didn't TELL the users they were added, just did it.
And when a user left the company, we archived them in Jazz.

This way you don't have all that import/license confusion every time someone sends them a link to a work item they should look at or comment on.

If you needed some different license/group, then you submitted a service ticket and got added to the right place.
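The nightly routine in the comment above (new directory users get created in Jazz with the JazzUsers group and a pooled Stakeholder license, leavers get archived) as a runnable reconciliation model that also covers Sean's point about multiple directories. This is an added example, not IBM Jazz code or repotools: the Bluepages and TDS snapshots, the Jazz user list and the license pool size are constructed sample data. Because the real sync can only read one directory at a time, this model merges the snapshots from every directory before deciding who to archive; the last assertion in the usage shows what a reconciler fed only one of the two directories would do to the other directory's users.

```python
"""Nightly directory -> Jazz reconciliation model (added example, not IBM code).

Assumptions, all constructed for illustration: two directory snapshots,
a small Jazz user table, a pooled Stakeholder license count, and the
rule that an archived user returns their pooled license.
"""
from dataclasses import dataclass, field, replace


@dataclass
class JazzUser:
    userid: str
    name: str
    email: str
    groups: set = field(default_factory=set)
    licenses: set = field(default_factory=set)
    archived: bool = False


# Constructed snapshots of two directories: userid -> (display name, email).
BLUEPAGES = {"alice": ("Alice A", "alice@example.com"), "bob": ("Bob B", "bob@example.com")}
TDS = {"carol": ("Carol C", "carol@example.com"), "bob": ("Bob B", "bob@example.com")}

# Constructed current Jazz repository state: alice is current, dave has left, erin is already archived.
JAZZ = {
    "alice": JazzUser("alice", "Alice A", "alice@example.com", {"JazzUsers"}, {"Stakeholder"}),
    "dave":  JazzUser("dave", "Dave D", "dave@example.com", {"JazzUsers"}, {"Stakeholder"}),
    "erin":  JazzUser("erin", "Erin E", "erin@example.com", {"JazzUsers"}, set(), archived=True),
}


def merge_directories(*snapshots):
    """Union of several directory snapshots; the first snapshot wins on duplicate userids."""
    merged = {}
    for snap in snapshots:
        for userid, record in snap.items():
            merged.setdefault(userid, record)
    return merged


def reconcile(directory, jazz, stakeholder_pool):
    """Compute a plan without touching anything.

    Returns (plan, remaining_pool) where plan has the lists
    'add' (in directory, not in Jazz, license available),
    'no_license' (in directory, not in Jazz, pool exhausted) and
    'archive' (active in Jazz but absent from the directory).
    """
    plan = {"add": [], "no_license": [], "archive": []}
    pool = stakeholder_pool
    for userid in sorted(directory):
        if userid in jazz:
            continue  # already provisioned (active or archived); nothing to do here
        if pool <= 0:
            plan["no_license"].append(userid)
            continue
        pool -= 1
        plan["add"].append(userid)
    for userid, user in sorted(jazz.items()):
        if userid not in directory and not user.archived:
            plan["archive"].append(userid)
    return plan, pool


def apply_plan(directory, jazz, plan):
    """Return a new Jazz user table with the plan applied; the input is left unchanged."""
    updated = dict(jazz)
    for userid in plan["add"]:
        name, email = directory[userid]
        updated[userid] = JazzUser(userid, name, email, {"JazzUsers"}, {"Stakeholder"})
    for userid in plan["archive"]:
        # Archiving frees the pooled license (assumption of this model).
        updated[userid] = replace(jazz[userid], archived=True, licenses=set())
    return updated


if __name__ == "__main__":
    everyone = merge_directories(BLUEPAGES, TDS)
    plan, left = reconcile(everyone, JAZZ, stakeholder_pool=5)
    print("plan against merged directories:", plan, "licenses left:", left)
    after = apply_plan(everyone, JAZZ, plan)
    # What happens if tomorrow's run only sees Bluepages, as a single-directory sync would:
    plan_bp_only, _ = reconcile(BLUEPAGES, after, stakeholder_pool=left)
    print("plan against Bluepages alone:", plan_bp_only)
```

Against the merged snapshots the plan adds bob and carol, archives dave and leaves erin alone; run against Bluepages alone the next night it would archive carol, which is why the merge step exists in this model and why, in the real setup Sean describes, the directory the sync points at has to be cycled deliberately.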


Question asked: Jun 15 '12, 1:07 a.m.

Question was seen: 5,035 times

Last updated: Mar 09 '14, 5:31 p.m.
