[closed] login problem "not authorized"
We're facing a bad problem which prevents us from adding new users to Jazz.
Our "User Registry Type" is LDAP, and every 10 minutes we synchronize our LDAP groups matched to the Jazz groups "JazzAdmins, JazzUsers, JazzDWAdmins, JazzProjectAdmins, JazzGuests".
This is working, and any user we put into the AD groups gets synchronized to Jazz.
But for some days (or maybe weeks?) we've been facing the problem that all newly added users have problems when trying to log in to Jazz.
They get the error message "Error! You are not authorized to view this page. Forbidden".
Sometimes in the top right corner, where the name is shown, the username "unknown" appears instead.
The strange thing is the user seems to be correct there:
with the correct license:
The only thing I know that changed recently is that we changed the "Base Group DN" in the advanced properties to a deeper container of the AD to get rid of our NightlyLDAPSync error message (described in https://jazz.net/forum/questions/87248/ldapnightlysyncservice-error-though-it-seems-to-sync-the-users).
And we changed the JazzUsers and JazzGuests group matching to new groups in the AD.
But when I revert both changes, we're still facing this trouble.
Case sensitivity should not be the reason, because we set the "insensitive user ID matching" option to true in both (ccm / jts).
It would be very nice if you could help me with this, because at the moment no new users can be added to our Jazz environment.
Greetings,
Simon
The question has been closed for the following reason: "The question is answered, right answer was accepted" by eickel Sep 16 '13, 1:07 a.m.
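The question mentions moving the "Base Group DN" to a deeper AD container. As an added example (not code from the forum post or from IBM Jazz; the group DNs, base DNs and mapping below are constructed sample values), this checker reports which mapped AD groups fall outside a given Base Group DN subtree, comparing DNs case-insensitively the way an "insensitive" registry would:

```python
# Added example (not from the forum post or from IBM Jazz): report which mapped
# AD group DNs fall outside a given "Base Group DN" subtree. All DNs are constructed.
from typing import Dict, List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, root first. Handles backslash-escaped
    commas; lower-cases and strips each part so comparisons are case-insensitive."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:                 # keep the escaped character literally
            cur += ch
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":         # unescaped comma ends the RDN
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        out.append((attr.strip().lower(), val.strip().lower()))
    return list(reversed(out))  # DC=... first, CN=... last

def in_scope(group_dn: str, base_dn: str) -> bool:
    """True if group_dn sits at or below base_dn in the directory tree."""
    g, b = parse_dn(group_dn), parse_dn(base_dn)
    return len(g) >= len(b) and g[: len(b)] == b

def groups_out_of_scope(mapping: Dict[str, str], base_dn: str) -> Dict[str, str]:
    """Jazz group -> AD group DN pairs that a subtree search under base_dn would miss."""
    return {jazz: dn for jazz, dn in mapping.items() if not in_scope(dn, base_dn)}

# Constructed sample mapping (Jazz group -> AD group DN)
SAMPLE_MAPPING = {
    "JazzAdmins": "CN=jazzadmin,OU=Jazz,OU=Apps,DC=example,DC=com",
    "JazzUsers": "CN=A_JAZZ,OU=Company Groups,DC=example,DC=com",
    "JazzGuests": "CN=jtsuser,OU=Jazz,OU=Apps,DC=example,DC=com",
}
OLD_BASE = "DC=example,DC=com"
NEW_BASE = "ou=jazz,ou=apps,dc=example,dc=com"  # deeper container, as in the question

if __name__ == "__main__":
    for base in (OLD_BASE, NEW_BASE):
        print(base, "->", groups_out_of_scope(SAMPLE_MAPPING, base))
```

A group that the checker lists for the new base DN is one the nightly sync can no longer see, even though its members look correct in the directory.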
Accepted answer
We changed (like described in the first message) the JazzUsers and the JazzGuests groups to newly created AD groups which match our company wide naming conventions.
This group is named "A_JAZZ" and is the problem. Though it contains all users, and newly added users get synchronized correctly (that's how it looks), they face the error when trying to connect.
Why? I don't know, but I think maybe the trouble is the '_'.
Comments
Thanks for sharing Simon. I am not sure if there is any reason why it should not work with an underscore, but I am not the LDAP expert either. If you can confirm your change works, just comment and I can accept this answer.
In our case, changing back from the group with the underscore to the previous group (jtsuser) makes it work again.
Glad that your system is working.
@jbognar: have you heard of an underscore causing trouble with LDAP?
One other answer
Why is the e-mail address of the user unknown? This, I think, indicates an issue with LDAP.
In addition, as far as I know, LDAP is used by several applications: the CCM/JTS etc. and Tomcat.
The settings in teamserver.properties are only one part. I think the Tomcat server.xml contains settings as well; when you set up LDAP, the server.xml as well as the web.inf files are generated and you have to replace them.
Have you looked into the logs? Any indicators there?
The log4j.properties of the applications contain settings you can modify to get more LDAP messages. Have you tried that?
One last thought: when setting up LDAP in the setup pages, there is a hint to a technote that describes how to test your LDAP configuration. Did you try that?
If all the hints above don't help, I would suggest contacting support.
Comments
Hi Ralph,
The e-mail address is unknown because this account has no e-mail address.
We do not use Tomcat, we use WAS.
Yes, I've looked into the logs but there are no entries. Even the logs running in DEBUG mode show nothing.
WAS also has special configurations for LDAP that need to match the ones in teamserver.properties. If you change only one side, you get into trouble. You should check your WAS profile(s) to see if the LDAP configuration can work. The applications ask WAS if the user is correctly authenticated; the applications use their own settings for import and group mapping only. So if the WAS settings are wrong while the application settings are correct, you won't be able to log in.
In addition, there are WAS logs you might want to look at. The conf folders for ccm/jts also contain log4j.properties files, where you should find settings such as:
# LDAP access from jazz
# Turn on query trace against the LDAP server
log4j.logger.com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistry=DEBUG
# Turn on asynch task DEBUG trace
log4j.logger.com.ibm.team.repository.service.internal.scheduler=DEBUG
Those you could turn on. If you don't see anything there (in the application logs), I would assume there is an issue with the WAS profile settings, which should be reflected in the WAS logs.
Hi Ralph,
Yes, in the log4j properties of ccm/jts we enabled DEBUG mode, but there are no entries for this error.
Thanks for mentioning the WAS LDAP thing. Yes, that's true, but doesn't this mean that nobody would be able to log in?
But the trouble is that only newly synchronised users aren't able to log in. All others can log in, too.
Comments
Simon Eickel
Oct 05 '12, 4:08 a.m.
The "unknown" instead of the name appears when you refresh this page or when you try to open the personal dashboard and then hit the back button of your browser.