WAS or LDAP as an external source
So...
Whether you are using WAS or LDAP as an external source, do you still need to create accounts in CLM? I read of LDAP scripts, but where can I find those?
3 answers
Ralph Schoon (63.3k●3●36●46)
| answered Jun 15 '12, 4:17 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER edited Jun 15 '12, 4:20 a.m.
I don't get the WAS or LDAP.
If you configure WAS with LDAP and Jazz with LDAP you can use the Import users feature to import users that qualify in LDAP. Search the help for 'import' to find the help topic. There is also a Synchronize LDAP feature in repotools. Please search the help for 'Synchronize LDAP'. I am not sure what happens if you configure WAS with a local realm. With Tomcat the local realm is writable. Therefore you can create the users in JTS and they are created in the tomcat-users.xml.
Hey Sterling,
I will link the 2 questions. LDAP is like a database, or a file. Inside LDAP there are users, userid, passwords. In Tomcat, you have the tomcat-users.xml which also contains userid/password. So in Tomcat you can either use tomcat-users.xml or LDAP to validate the userid/password. Once validated, Tomcat calls Jazz with the userid. Jazz looks into its own database and verifies the same userid exists.

In WAS, you do not have a tomcat-users.xml by default. WAS provides no default place for user, userid, password. WAS allows you to connect to LDAP OR to create your own file which contains users. But you have to manually create it. Then the same thing happens. Once the userid/password is validated, WAS calls Jazz and passes the userid. The userid must exist in the Jazz database.

To have a userid exist in the database you can do it in 2 ways:
1) you synchronize with the same LDAP server if you want AND/OR
2) you create the user manually in the database.

Does it help?

Comments
Sterling Ferguson-II
commented Jun 15 '12, 10:02 a.m.
OK, that helps Elek. We have 10 users in WAS, and "Import Users" in the Manage Users section of Jazz is greyed out. So I seem to have to create the users in WAS AND in Jazz...which is silly. However, since we have customers without LDAP, we have to make a decision on what to do. Oddly, I created 4 of the 10 WAS users in Jazz, and it was great that their Groups migrated over. To our surprise, the other 6 could STILL log in to Jazz!! Their names appeared as ADMIN/ADMIN and email ADMIN. (Defect?)

Ah ah ... now you are facing the special rule... :) Here is how it works:
1) the user attempts to log in to WAS... userid/password are validated....
2) then we fetch the group associated to that user: JazzAdmin, JazzUser etc etc
3) then we send the group and userid to Jazz
4) Jazz checks the userid:
if (userid.exist) then allow
else if group==JazzAdmin AND jazzAdminProperty=true then user.becomeJazzAdmin()

So your 6 users should be JazzAdmin AND you have the property com.ibm.team.repository.ws.allow.admin.access=true in teamserver.properties. Does it match what you have?
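The "special rule" above is worth modelling, because it means a user who does not exist in the Jazz database can still log in as an admin when the allow.admin.access flag is set. The following is an added example, not code from the thread or from IBM: it parses that property out of teamserver.properties text, applies the four-step rule to a constructed set of WAS users and groups (group names follow the thread's spelling), and reports which accounts would be auto-provisioned as JazzAdmin so an administrator can review them before they log in.

```python
# Added example (not from the forum thread or IBM's code): a model of the
# login rule Elek describes, used to audit which WAS users would be let in
# as admins even though they do not exist in the Jazz repository database.

# Constructed sample data: userids already present in the Jazz database.
JAZZ_DB_USERS = {"alice", "bob"}

# Constructed sample data: groups WAS reports for each authenticated user.
WAS_GROUPS = {
    "alice": {"JazzUser"},
    "bob": {"JazzAdmin"},
    "carol": {"JazzAdmin"},   # not in the Jazz DB -> candidate for auto-admin
    "dave": {"JazzUser"},     # not in the Jazz DB -> will be denied
}

PROPERTY = "com.ibm.team.repository.ws.allow.admin.access"


def allow_admin_access(teamserver_properties: str) -> bool:
    """Read the allow.admin.access flag from teamserver.properties text.

    Missing or non-'true' values are treated as false (assumed default).
    """
    for line in teamserver_properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == PROPERTY:
            return value.strip().lower() == "true"
    return False


def jazz_login_decision(userid: str, was_groups: set, allow_admin: bool) -> str:
    """Apply the rule from the thread: 'allow', 'auto-admin' or 'deny'."""
    if userid in JAZZ_DB_USERS:          # step 4: userid exists -> allow
        return "allow"
    if "JazzAdmin" in was_groups and allow_admin:
        return "auto-admin"              # becomes JazzAdmin without a DB record
    return "deny"


def audit_auto_admins(teamserver_properties: str) -> list:
    """Return WAS userids that would be auto-provisioned as Jazz admins."""
    allow_admin = allow_admin_access(teamserver_properties)
    return sorted(u for u, groups in WAS_GROUPS.items()
                  if jazz_login_decision(u, groups, allow_admin) == "auto-admin")


if __name__ == "__main__":
    print(audit_auto_admins(PROPERTY + "=true\n"))   # constructed config
```

Run against the real teamserver.properties and the actual WAS group membership, the audit list is the set of accounts that should either be created in Jazz deliberately or removed from the JazzAdmin group.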
Only users residing in LDAP can be synchronized; all other directory types require that you create the users manually, either in both places when using the WAS File Based Registry or via Jazz for the tomcat-users.xml example. Keep in mind that the LDAP Adv Properties is the *only* place where synchronization takes place, so only users that can be accessed via those LDAP settings will be selected by the sync, and not any or all users that can log in via the current configuration of the Servlet Container. Those are two distinct configurations that normally should overlap.
One specific example where they might not: you can only synchronize from the current LDAP server configured in Jazz Adv Properties, so if you have multiple LDAP servers you must change your configuration between syncs. Even if you have a federated registry in WAS across them and they can all log in, the sync jobs can only be pointing at one directory at a time.
-Sean

Comments
Mark Ireland
commented Mar 07 '14, 6:22 a.m.
Hi,
Mark,
All authentication and authorization requests go through the WAS federated realm; however, the subtlety I am noting here is that the LDAP properties in the Jazz Admin Advanced Properties page are the ones used to import and sync users.
So once you have synchronized your users from one directory (aka BP) you need to modify the JTS Adv properties for LDAP to point to TDS then you can import and sync users from there. The pain here is, you need to manually cycle back and forth between the two or more directories to keep JTS in sync.
While this does not affect their ability to log in, in the past I have noticed some strange behavior in some GUIs where the LDAP information is validated or role memberships are incorrectly populated. These appear to be only cosmetic, but are part of the workaround, as this is not a directly supported scenario.
-Sean
sam detweiler
commented Mar 09 '14, 5:31 p.m.
In my prior company (~10,000 employees) we synched users every night. Once added to LDAP, they got added to the Jazz Users group and given a Stakeholder license (using pooled licenses). We didn't TELL the users they were added, just did it.