Problems installing/upgrading to CLM/RQM/RFT 4.0 using LDAP and LDAPLocalGroup registry

Marc Richards (122) | asked Jul 20 '12, 2:31 p.m.
Just wanted to share my experience for those who may run into the same problem. I installed CLM 4.0 on a Linux server using Tomcat as my application server. User authentication information is stored in Active Directory, but I wanted to use mapping.csv to manage groups since we do not control Active Directory.

Apparently our Active Directory stores our usernames in mixed case, even though users are accustomed to using all lower case. This is a problem that I had run into before with CLM 3 and had successfully worked around using the "Use case insensitive user ID matching" advanced property.  However I had no end of grief getting things working in version 4.

As it turns out, Tomcat itself no longer supports case-insensitive operations across the board in version 7, and since CLM relies heavily on Tomcat for handling Authentication/Authorization, lowercase logins now constantly fail.

Here is my recommended approach for those with a similar setup.  

1) Ensure that the usernames stored in LDAP, written in mappings.csv and used to log in are all the same case. This probably means you have to log in with mixed case.

2) Use the LDAP setup wizard (even though you are using LDAPLocalGroup) to generate your server.xml file. The LDAP wizard now also includes a step that will test for case-sensitivity.

3) Modify the generated server.xml file to include the LDAPLocalGroup specific settings.

You may end up having to go back and forth, commenting and uncommenting the local Tomcat user database in order to configure the advanced properties correctly.

IBM please consider the following fixes ASAP:

1) Update the Infocenter Article on LDAPLocalGroup to specifically warn users about this issue. (And remove the superfluous mention of LDAP roles while you are at it.)

2) Add a comment along the same lines to the Tomcat server.xml file for version 4

3) Log these types of failures to your log files so that people can figure out what is going on.

4) Give better errors on screen.  There are already two defects for this: Defect 65816 and Enhancement 196322

5) Make LDAPLocalGroup an integrated part of the application rather than relying on manual Tomcat configuration. That is the only way to truly circumvent the problem and it will greatly improve the setup/troubleshooting process. See Atlassian Jira for a great example of this; they use Tomcat as well.
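
One way to check step 1 of the approach above before touching server.xml, as an added example that is not part of the original post or of IBM's tooling: it compares user IDs exported from the directory with the IDs in the mapping file and the IDs users type at login, and flags any that match only when case is ignored. The CSV layout (user ID in the first column), the function names and all sample values are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data (not from the original post).
DIRECTORY_IDS = ["JSmith", "ALee", "bkhan"]   # IDs exactly as stored in the directory
LOGIN_IDS = ["jsmith", "bkhan"]               # IDs as users habitually type them
# Assumed layout: user ID in column 1, group names after it.
MAPPING_CSV = """# user,group
jsmith,JazzAdmins
ALee,JazzUsers
bkhan,JazzUsers
ghost,JazzGuests
"""


def read_mapping_users(csv_text):
    """Return the user IDs from the first column, skipping blanks and # comments."""
    users = []
    for row in csv.reader(io.StringIO(csv_text)):
        if row and row[0].strip() and not row[0].lstrip().startswith("#"):
            users.append(row[0].strip())
    return users


def audit_case(directory_ids, mapping_ids, login_ids):
    """Classify each mapping/login ID against the directory.

    ok            -> exact, case-sensitive match
    case-mismatch -> matches only when case is ignored (fails under
                     case-sensitive matching)
    unknown       -> no directory entry at all
    """
    by_folded = {}
    for stored in directory_ids:
        by_folded.setdefault(stored.casefold(), []).append(stored)
    findings = []
    for source, ids in (("mapping", mapping_ids), ("login", login_ids)):
        for uid in ids:
            candidates = by_folded.get(uid.casefold(), [])
            if uid in candidates:
                status = "ok"
            elif candidates:
                status = "case-mismatch"
            else:
                status = "unknown"
            findings.append((source, uid, status, candidates))
    return findings


if __name__ == "__main__":
    mapped = read_mapping_users(MAPPING_CSV)
    for source, uid, status, stored in audit_case(DIRECTORY_IDS, mapped, LOGIN_IDS):
        if status != "ok":
            print(f"{source}: {uid!r} -> {status} (directory has {stored})")
```

Every `case-mismatch` line is an account that would fail to authenticate or lose its group mapping under case-sensitive matching; the directory spelling shown is the one to copy into the mapping file and to use at login.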

One answer

Ralph Schoon (63.0k33645) | answered Jul 21 '12, 4:02 a.m.
You should create a work item for your findings. You can point it back to this forum post.
