[closed] login problem "not authorized"
Hi,
We're facing a bad problem which prevents us from adding new users to Jazz. Our "User Registry Type" is LDAP and we're synchronizing our LDAP groups every 10 minutes, matched to the Jazz groups "JazzAdmins, JazzUsers, JazzDWAdmins, JazzProjectAdmins, JazzGuests". This is working, and any user we put into the groups in our AD gets synchronized to Jazz. But for some days (or maybe weeks?) we've been facing the problem that all newly added users have problems when trying to log in to Jazz. They get the error message "Error! You are not authorized to view this page. Forbidden". Sometimes, in the right corner where the name is shown, the username "unknown" is written instead.
The strange thing is that the user seems to be correct there:
The only thing I know of that changed recently is that we changed the "Base Group DN" in the advanced properties to a deeper container of the AD to get rid of our NightlyLDAPSync error message (described in https://jazz.net/forum/questions/87248/ldapnightlysyncservice-error-though-it-seems-to-sync-the-users).
The question has been closed for the following reason: "The question is answered, right answer was accepted" by eickel Sep 16 '13, 1:07 a.m.
Accepted answer
I think I found the problem but don't really understand why it causes trouble.
We changed (as described in the first message) the JazzUsers and JazzGuests groups to newly created AD groups which match our company-wide naming conventions. This group is written "A_JAZZ" and is the problem. Though it contains all users and newly added users get synchronized correctly (that's how it looks), they face the error when trying to connect. Why? I don't know, but I think maybe the trouble is the '_'.
Ralph Schoon selected this answer as the correct answer
Comments
Thanks for sharing, Simon. I am not sure if there is any reason why it should not work with an underscore, but I am not the LDAP expert either. If you can confirm your change works, just comment and I can accept this answer.
Simon Eickel
commented Oct 08 '12, 10:01 a.m.
In our case, after the change back from the group with the underscore to the group before (jtsuser), it works again.
Ralph Schoon
commented Oct 08 '12, 10:15 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Glad that your system is working.
@jbognar: have you heard of an underscore causing trouble with LDAP?
One other answer
Ralph Schoon
answered Oct 05 '12, 4:13 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Simon,
why is the e-mail address of the user unknown? This, I think, indicates an issue with LDAP. In addition, as far as I know LDAP is used by several applications, the CCM/JTS etc. and Tomcat. The settings in teamserver.properties are only one part. I think the Tomcat server.xml contains settings as well; when you set up LDAP, the server.xml as well as the web.inf files are generated and you have to replace them. Have you looked into the logs? Any indicators there? The log4j.properties of the applications contain settings you can modify to get more LDAP messages. Have you tried that? One last thought: when setting up LDAP in the setup pages, there is a hint to a technote that describes how to test your LDAP configuration. Did you try that? If all the hints above don't help, I would suggest contacting support.
Comments
Simon Eickel
commented Oct 05 '12, 4:35 a.m.
Hi Ralph,
WAS also has special configurations for LDAP that need to match the ones in teamserver.properties. If you change only one side, you get into trouble. You should check your WAS profile(s) to see whether the LDAP configuration can work. The applications ask WAS whether the user is correctly authenticated. The applications use their own settings for import and group mapping only. So if the WAS settings are wrong while the application settings are correct, you won't be able to log in.
Ralph Schoon
commented Oct 05 '12, 5:16 a.m.
edited Oct 05 '12, 5:53 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
In addition, there are WAS logs you might want to look at. The conf folders for ccm/jts also contain log4j.properties files, where you should find settings such as:

    # LDAP access from jazz
    # Turn on query trace against the LDAP server
    log4j.logger.com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistry=DEBUG
    # Turn on asynch task DEBUG trace
    log4j.logger.com.ibm.team.repository.service.internal.scheduler=DEBUG
Simon Eickel
commented Oct 08 '12, 6:47 a.m.
Hi Ralph,
Comments
the "unknown" instead of the name appears when you refresh this page or when you try to open the personal dashboard and than hit the back button of your browser.
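As an added example (not code from this thread or from the Jazz product), here is a small offline model of the application-side step discussed in both answers: read the LDAP registry settings from a teamserver.properties fragment, resolve each entry of the group mapping under the configured Base Group DN, and report which Jazz repository groups a user would receive and which mapped groups do not resolve at all. The property keys are the ones Jazz uses for its LDAP user registry; everything else is constructed: the directory snapshot, the group and user DNs, the group name "A_JAZZ" placed in a container outside the narrowed Base Group DN, and the assumption that the group lookup is a subtree search below that DN. It models only the import/group-mapping side, not the WAS or Tomcat authentication settings Ralph points out must match it.

```python
"""Offline model of Jazz LDAP group mapping against a constructed directory."""

PREFIX = "com.ibm.team.repository.ldap."

# Constructed fragment in teamserver.properties key format (keys are real Jazz keys).
PROPS_TEXT = """\
# LDAP user registry settings (constructed values)
com.ibm.team.repository.ldap.baseGroupDN=OU=Jazz,OU=Groups,DC=corp
com.ibm.team.repository.ldap.groupNameProperty=cn
com.ibm.team.repository.ldap.groupMemberProperty=member
com.ibm.team.repository.ldap.groupMapping=JazzAdmins=jazzadmins;JazzUsers=A_JAZZ;JazzGuests=A_JAZZ;JazzProjectAdmins=jazzprojectadmins
"""

ALICE = "CN=alice,OU=Users,DC=corp"   # constructed user DNs
BOB = "CN=bob,OU=Users,DC=corp"

# Constructed directory snapshot: (group DN, attributes).
DIRECTORY = [
    ("CN=jazzadmins,OU=Jazz,OU=Groups,DC=corp", {"cn": "jazzadmins", "member": [BOB]}),
    ("CN=jazzprojectadmins,OU=Jazz,OU=Groups,DC=corp", {"cn": "jazzprojectadmins", "member": [ALICE]}),
    ("CN=jtsuser,OU=Jazz,OU=Groups,DC=corp", {"cn": "jtsuser", "member": [ALICE, BOB]}),
    # New naming-convention group, created in a different container than the base group DN.
    ("CN=A_JAZZ,OU=Applications,OU=Groups,DC=corp", {"cn": "A_JAZZ", "member": [ALICE, BOB]}),
]


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split at the first '=' only
        props[key.strip()] = value.strip()
    return props


def parse_group_mapping(mapping):
    """'JazzAdmins=grp1;JazzUsers=grp2' -> {'JazzAdmins': 'grp1', 'JazzUsers': 'grp2'}."""
    result = {}
    for pair in filter(None, (p.strip() for p in mapping.split(";"))):
        jazz_group, _, ldap_group = pair.partition("=")
        result[jazz_group.strip()] = ldap_group.strip()
    return result


def normalize_dn(dn):
    """Split a DN into case-folded (type, value) RDNs. Assumes no escaped commas."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def under_base(dn, base_dn):
    """Subtree test: is dn at or below base_dn?"""
    dn_rdns, base_rdns = normalize_dn(dn), normalize_dn(base_dn)
    return len(dn_rdns) >= len(base_rdns) and dn_rdns[-len(base_rdns):] == base_rdns


def resolve_mapping(props, directory):
    """Jazz group -> DNs of entries under baseGroupDN whose name attribute matches the mapping."""
    base = props[PREFIX + "baseGroupDN"]
    name_attr = props[PREFIX + "groupNameProperty"]
    mapping = parse_group_mapping(props[PREFIX + "groupMapping"])
    return {
        jazz_group: [dn for dn, attrs in directory
                     if under_base(dn, base)
                     and str(attrs.get(name_attr, "")).lower() == ldap_name.lower()]
        for jazz_group, ldap_name in mapping.items()
    }


def audit_mapping(props, directory):
    """Mapped Jazz groups that resolve to zero (or several) LDAP entries under baseGroupDN."""
    base = props[PREFIX + "baseGroupDN"]
    return [f"{jazz_group}: {len(dns)} entries under {base}"
            for jazz_group, dns in resolve_mapping(props, directory).items() if len(dns) != 1]


def jazz_groups_for_user(user_dn, props, directory):
    """Jazz repository groups the sync would assign to user_dn under these settings."""
    member_attr = props[PREFIX + "groupMemberProperty"]
    attrs_by_dn = {normalize_dn(dn): attrs for dn, attrs in directory}
    user = normalize_dn(user_dn)
    groups = set()
    for jazz_group, dns in resolve_mapping(props, directory).items():
        for dn in dns:
            if any(normalize_dn(m) == user for m in attrs_by_dn[normalize_dn(dn)].get(member_attr, [])):
                groups.add(jazz_group)
    return groups


if __name__ == "__main__":
    props = parse_properties(PROPS_TEXT)
    print("audit:", audit_mapping(props, DIRECTORY))
    print("alice:", sorted(jazz_groups_for_user(ALICE, props, DIRECTORY)))
    wider = {**props, PREFIX + "baseGroupDN": "OU=Groups,DC=corp"}   # the base DN before it was narrowed
    print("audit (wider base):", audit_mapping(wider, DIRECTORY))
    print("alice (wider base):", sorted(jazz_groups_for_user(ALICE, wider, DIRECTORY)))
```

With the narrowed Base Group DN, the audit reports JazzUsers and JazzGuests as resolving to no entry, and alice ends up in JazzProjectAdmins only; widening the base DN back to OU=Groups,DC=corp makes all four mapped groups resolve and gives alice JazzUsers and JazzGuests as well. A check like this only tells you what the application's mapping would do; a user can still be refused if the container's (WAS or Tomcat) LDAP configuration does not agree with it.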