[closed] login problem "not authorized"


Simon Eickel (1.1k75457) | asked Oct 05 '12, 1:56 a.m.
closed Sep 16 '13, 1:07 a.m.
Hi,

we're facing a bad problem which prevents us from adding new users to Jazz.
Our "User Registry Type" is LDAP and every 10 minutes we synchronize our LDAP groups, matched to the Jazz groups "JazzAdmins, JazzUsers, JazzDWAdmins, JazzProjectAdmins, JazzGuests".
This is working, and any user we put in our AD groups gets synchronized to Jazz.

But for some days (or maybe weeks?) we have been facing the problem that all newly added users have problems when trying to log in to Jazz.
They get the error message "Error! You are not authorized to view this page. Forbidden"
[screenshot: not authorized error message]

Sometimes in the right corner where the name is shown there is instead the username "unknown" written.

The strange thing is the user seems to be correct there:
[screenshot: user view]
with the correct license:
[screenshot: license]

The only thing I know which changed recently was that we changed the "Base Group DN" in the advanced properties to a deeper container of the AD to get rid of our NightlyLDAPSync error message (described in https://jazz.net/forum/questions/87248/ldapnightlysyncservice-error-though-it-seems-to-sync-the-users).

And we changed the JazzUsers and JazzGuests group matching to new groups in the AD.
But when I revert both changes, we're still facing this trouble.

Case sensitivity should not be the reason, because we set the "insensitive user ID matching" option to true in both ccm and jts.

It would be very nice if you could help me with this because at the moment no new users can be added to our Jazz environment. 

Greetings,
Simon


Comments
Simon Eickel commented Oct 05 '12, 4:08 a.m.

The "unknown" instead of the name appears when you refresh this page, or when you try to open the personal dashboard and then hit the back button of your browser.

The question has been closed for the following reason: "The question is answered, right answer was accepted" by eickel Sep 16 '13, 1:07 a.m.

Accepted answer


Simon Eickel (1.1k75457) | answered Oct 08 '12, 9:32 a.m.
I think I found the problem but don't really understand why this causes trouble.

We changed (as described in the first message) the JazzUsers and JazzGuests groups to newly created AD groups which match our company-wide naming conventions.
This group is named "A_JAZZ" and is the problem. Though it contains all users, and newly added users get synchronized correctly (that's how it looks), they face the error when trying to connect.

Why? I don't know - but I think maybe the trouble is the '_'
Ralph Schoon selected this answer as the correct answer

Comments
Ralph Schoon commented Oct 08 '12, 9:39 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Thanks for sharing Simon. I am not sure if there is any reason why it should not work with an underscore, but I am not the LDAP expert either. If you can confirm your change works, just comment and I can accept this answer.


Simon Eickel commented Oct 08 '12, 10:01 a.m.

In our case, after changing back from the group with the underscore to the previous group (jtsuser), it works again.


Ralph Schoon commented Oct 08 '12, 10:15 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Glad that your system is working.


Bo Chulindra commented Oct 08 '12, 11:51 a.m.
JAZZ DEVELOPER

@jbognar: have you heard of an underscore causing trouble with LDAP?
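The thread turns on two registry settings: which LDAP groups are mapped to the Jazz roles, and which container the "Base Group DN" scopes the group lookup to. The following added example (not from this thread and not Jazz/RTC code) simulates that resolution over a constructed directory snapshot so you can see under which combinations a synchronized user ends up with no role at all, which is the state that produces a "not authorized" page. It assumes group membership is carried in a `member` attribute listing user DNs, user IDs live in `sAMAccountName`, and only groups below the Base Group DN count; DN and user-ID comparison is case-insensitive, mirroring the "insensitive user ID matching" option mentioned above.

```python
"""Added example: simulate LDAP group-to-role resolution to diagnose
"not authorized" after a group-mapping or Base Group DN change.
Not part of the thread or of Jazz/RTC; directory data below is constructed."""

# Constructed directory snapshot: DN -> attributes (each value is a list).
DIRECTORY = {
    "CN=jtsuser,OU=Jazz,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Alice Adams,OU=Users,DC=example,DC=com"],
    },
    "CN=A_JAZZ,OU=Apps,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Alice Adams,OU=Users,DC=example,DC=com",
            "CN=Bob Brown,OU=Users,DC=example,DC=com",
        ],
    },
    "CN=Alice Adams,OU=Users,DC=example,DC=com": {"sAMAccountName": ["aadams"]},
    "CN=Bob Brown,OU=Users,DC=example,DC=com": {"sAMAccountName": ["BBrown"]},
}


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def norm_rdn(rdn):
    """Normalise one RDN to (attribute, value), both lower-cased."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def dn_under(dn, base):
    """True if dn sits strictly below base (DN comparison is case-insensitive)."""
    d = [norm_rdn(r) for r in split_dn(dn)]
    b = [norm_rdn(r) for r in split_dn(base)]
    return len(d) > len(b) and d[-len(b):] == b


def find_user_dn(directory, user_id, case_insensitive=True):
    """Locate the entry whose sAMAccountName matches user_id."""
    for dn, attrs in directory.items():
        for value in attrs.get("sAMAccountName", []):
            if value == user_id or (case_insensitive and value.lower() == user_id.lower()):
                return dn
    return None


def groups_containing(directory, user_dn, base_group_dn):
    """cn values of groups under base_group_dn whose member list holds user_dn."""
    target = [norm_rdn(r) for r in split_dn(user_dn)]
    found = set()
    for dn, attrs in directory.items():
        if "group" not in attrs.get("objectClass", []) or not dn_under(dn, base_group_dn):
            continue  # not a group, or outside the configured Base Group DN
        members = [[norm_rdn(r) for r in split_dn(m)] for m in attrs.get("member", [])]
        if target in members:
            found.add(norm_rdn(split_dn(dn)[0])[1])
    return found


def resolve_roles(directory, user_id, mapping, base_group_dn, case_insensitive=True):
    """Roles the user would receive, or None if the user is not in the registry.
    mapping: application role -> LDAP group cn, e.g. {"JazzUsers": "jtsuser"}."""
    user_dn = find_user_dn(directory, user_id, case_insensitive)
    if user_dn is None:
        return None
    names = groups_containing(directory, user_dn, base_group_dn)
    return {role for role, group in mapping.items() if group.lower() in names}


def diagnose(directory, user_id, mapping, base_group_dn):
    """One-line verdict for an administrator checking a failing login."""
    roles = resolve_roles(directory, user_id, mapping, base_group_dn)
    if roles is None:
        return "user not found in registry"
    if not roles:
        return "user found but no mapped group under base DN: expect 'not authorized'"
    return "ok: " + ", ".join(sorted(roles))


if __name__ == "__main__":
    # Same user, same group, but a Base Group DN that no longer covers the group.
    print(diagnose(DIRECTORY, "bbrown", {"JazzUsers": "A_JAZZ"}, "DC=example,DC=com"))
    print(diagnose(DIRECTORY, "bbrown", {"JazzUsers": "A_JAZZ"}, "OU=Jazz,DC=example,DC=com"))
```

Running the two `diagnose` calls side by side shows the failure mode a narrowed Base Group DN introduces: the group still exists and still lists the user, the nightly sync may even look healthy, but the group is no longer inside the container the registry searches, so the user resolves to an empty role set. The same function also makes the case-sensitivity question testable, since `case_insensitive=False` turns a mixed-case `sAMAccountName` into an unknown user.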

One other answer



Ralph Schoon (60.9k33643) | answered Oct 05 '12, 4:13 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Simon,

why is the e-mail address of the user unknown? This, I think, indicates an issue with LDAP.

In addition, as far as I know, LDAP is used by several applications: CCM/JTS etc. and Tomcat.
The settings in the teamserver.properties are only one part. I think the Tomcat server.xml contains settings as well; when you set up LDAP, the server.xml as well as the web.inf files are generated and you have to replace them.

Have you looked into the logs? Any indicators there?

The log4j.properties of the applications contain settings you can modify to get more LDAP messages. Have you tried that?

One last thought: when setting up LDAP in the setup pages, there is a hint to a technote that describes how to test your LDAP configuration. Did you try that?

If all the hints above don't help, I would suggest contacting support.

Comments
Simon Eickel commented Oct 05 '12, 4:35 a.m.

Hi Ralph,

The e-mail address is unknown because this account has no e-mail address.
We do not use Tomcat, we use WAS.

Yes, I've looked into the logs but there are no entries. Even the logs running in DEBUG mode show nothing.


Ralph Schoon commented Oct 05 '12, 4:51 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

WAS has also special configurations for LDAP that need to match the ones in the teamserver.properties. If you change only one side, you get into trouble. You should check your WAS profile(s) if the LDAP configuration can work. The Applications ask WAS if the user is correctly authenticated. The applications use their own settings for import and group mapping only. So if the WAS settings are wrong while the application settings are correct, you won't be able to log in.


Ralph Schoon commented Oct 05 '12, 5:16 a.m. | edited Oct 05 '12, 5:53 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

In addition, there are WAS logs you might want to look at. The conf folders for ccm/jts also contain log4j.properties files, where you should find settings such as

    # LDAP access from jazz
    # Turn on query trace against the LDAP server
    log4j.logger.com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistry=DEBUG

    # Turn on asynch task DEBUG trace
    log4j.logger.com.ibm.team.repository.service.internal.scheduler=DEBUG

that you could turn on. If you don't see anything there (in the application logs), I would assume that there is an issue with the WAS profile settings, which should be reflected in the WAS logs.


Simon Eickel commented Oct 08 '12, 6:47 a.m.

Hi Ralph,

Yes - in the log4j properties of ccm/jts we did set DEBUG mode, but there are no entries for this error.

Thanks for the mention of the WAS LDAP thing - yes, that's true - but doesn't this mean that nobody would be able to log in?
The trouble is that only newly synchronised users aren't able to log in. All others can log in.