Configuring the Apache Tomcat LDAPLocalGroup realm

This topic provides instructions on how to configure the Apache Tomcat application server and the IBM® Engineering Lifecycle Management applications to use information contained in the LDAP directory for authentication and a local file for managing authorization and group membership.

About this task

To authenticate by using LDAP and authorize by using the information in a local file, you must configure the LDAPLocalGroup user registry type. Use the following steps to authenticate users against the LDAP directory and to authorize them with the role assignments in a local group mapping file.
Note: Starting in version 6.0.1, Apache Tomcat is no longer provided as the default application server, but you can still use it. The following examples assume Apache Tomcat is installed in JazzInstallDir/server/tomcat. If your installation is in another location, adjust the path.

Procedure

  1. Configure Apache Tomcat to use the Jazz JNDI realm instead of the default JNDI realm:
    1. Open JazzInstallDir/server/tomcat/conf/server.xml for editing. Uncomment the com.ibm.team.repository.localgroups.realm.LocalMappingJNDIRealm section, and comment out the org.apache.catalina.realm.UserDatabaseRealm section and any other realm left over from a prior configuration change, such as org.apache.catalina.realm.JNDIRealm. Only one active realm should remain; otherwise Tomcat still consults the realm you meant to retire.
    2. Replace the values in connectionURL, userBase, and userSearch with the values from your LDAP directory. The roleBase, roleSubtree, roleSearch, and roleName attributes are placeholders in this configuration: role membership is read from the mapping file that you configure in step 2, not from LDAP. Note that connectionPassword is stored in clear text in server.xml, so restrict read access to the file to the account that Tomcat runs as, and prefer ldaps:// over plain ldap:// on port 389 so that the bind credentials and user passwords are not sent over the network unencrypted.
    <Realm className="com.ibm.team.repository.localgroups.realm.LocalMappingJNDIRealm"
        connectionName="ldap_bind_user_id"
        connectionPassword="ldap_bind_user_password"
        connectionURL="ldap://ldapserver.example.com:389"
        userBase="ou=users,dc=jazz,dc=net"
        userSearch="(uid={0})"
        userSubtree="true"
        roleBase="ou=people,dc=xxx"
        roleSubtree="false"
        roleSearch="(memberNotAvailablexxx={0})"
        roleName="cn"
    />
  2. Under GlobalNamingResources, uncomment the "LocalRoleMap" section and comment out the "UserDatabase" section. GlobalNamingResources defines the global JNDI resources for the server. Set the pathname attribute to the absolute path of a .csv mapping file in the file system. To make the user names in the file case insensitive, set ignorecase to true. Because this file decides which users hold the JazzAdmins role, protect it like server.xml: writable only by administrators, readable by the Tomcat service account.
    <GlobalNamingResources>
    ...
    <Resource name="LocalRoleMap" auth="Container"
        type="com.ibm.team.repository.localgroups.IUserRoleMap"
        description="Role mapping file"
        factory="com.ibm.team.repository.localgroups.realm.RoleMappingResourceFactory"
        ignorecase="true"
        pathname="/opt/JazzTeamServer/server/mapping.csv" />
    </GlobalNamingResources>
    Here is an example of mapping.csv. Tomcat uses the mapping file to determine the roles that are associated with each user: one user per line, followed by either a single role or a semicolon-separated list of roles in square brackets. In this example, user1 has the JazzUsers role, while user2 has the JazzAdmins and JazzProjectAdmins roles.
    user1,JazzUsers
    user2,[JazzAdmins; JazzProjectAdmins]
    user3,JazzProjectAdmins
    user4,JazzGuests
  3. Go to JazzInstallDir/server/tomcat/webapps/jts/META-INF and copy the context.xml file to JazzInstallDir/server/tomcat/conf/Catalina/localhost.
  4. Rename the context.xml file that you just copied to jts.xml.
  5. Open jts.xml for editing and add the following entry so that the Jazz application can access the global JNDI resource.
    <Context crossContext="true">
        <ResourceLink name="LocalRoleMap"
            global="LocalRoleMap"
            type="com.ibm.team.repository.localgroups.IUserRoleMap" />
        ...
    </Context>
    With these changes, the Apache Tomcat application server authenticates users against the LDAP directory and authorizes them by using the information in the mapping.csv file.
  6. If the server supports LDAP synchronization, the registry type and settings must also be changed in the IBM Engineering Lifecycle Management applications so that users can be imported and synchronized and the group membership of a user can be viewed. Log on to the Server Administration page at https://hostname.example.com:9443/jts/admin and click Server > Advanced Properties.
  7. Under com.ibm.team.repository.service.jts.internal.userregistry.ExternalUserRegistryInternalService, click Edit and change the user registry type to LDAPLocalGroup.
  8. Under com.ibm.team.repository.userregistry.provider.ldaplocalgroup.LDAPLocalGroupRegistryProvider, click Edit and set the LDAP registry location, base user DN, and user attribute mapping information.
    Note: These configuration properties are different from the ones for LDAP user registry provider.
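Before restarting Tomcat with a new mapping.csv, it is worth checking the file for the mistakes that silently change who gets the JazzAdmins role: a user listed twice with different capitalization (merged into one entry when ignorecase is true), or a role name that is misspelled and therefore grants nothing. The following checker is an added example and is not part of this page or of IBM's RoleMappingResourceFactory. It assumes the file grammar shown in the example above (user, comma, then a single role or a bracketed semicolon-separated list); how the factory itself treats duplicate users or unknown roles is not documented here, so the checker reports both as problems rather than guessing. The KNOWN_ROLES set holds the four role names that appear on this page; extend it if your deployment grants others. The sample file embedded in the block is constructed for the example.

```python
"""Check a Jazz LocalRoleMap mapping.csv for duplicate users and unknown roles.

Added example, not IBM code. The grammar below is inferred from the example
mapping.csv on this page (an assumption about the real parser):
    <user>,<Role>
    <user>,[<Role>; <Role>; ...]
"""
import sys

# Role names that appear on this page; add any others your deployment uses.
KNOWN_ROLES = {"JazzUsers", "JazzAdmins", "JazzProjectAdmins", "JazzGuests"}

# Constructed sample: the four lines from this page plus two deliberate defects
# (a second entry for user2 differing only in case, and a misspelled role).
SAMPLE_MAPPING = """\
user1,JazzUsers
user2,[JazzAdmins; JazzProjectAdmins]
user3,JazzProjectAdmins
user4,JazzGuests
User2,JazzGuests
user5,JazzAdmin
"""


def parse_role_field(field):
    """Split the part after the comma into a list of role names."""
    field = field.strip()
    if field.startswith("[") and field.endswith("]"):
        return [r.strip() for r in field[1:-1].split(";") if r.strip()]
    return [field] if field else []


def parse_mapping(text, ignorecase=True):
    """Return (mapping, problems).

    mapping: normalized user name -> set of roles (names are lower-cased when
    ignorecase is true, mirroring the ignorecase attribute on the Resource).
    problems: human-readable findings, one per defect, with line numbers.
    Duplicate users are merged here so the report shows every role the file
    could grant; the real factory's behaviour on duplicates is not stated on
    the page, so fix the file rather than rely on either interpretation.
    """
    mapping = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "," not in line:
            problems.append(f"line {lineno}: no comma separating user from roles")
            continue
        user, role_field = line.split(",", 1)
        user = user.strip()
        if not user:
            problems.append(f"line {lineno}: empty user name")
            continue
        key = user.lower() if ignorecase else user
        roles = parse_role_field(role_field)
        if not roles:
            problems.append(f"line {lineno}: user {user!r} has no roles")
        for role in roles:
            if role not in KNOWN_ROLES:
                problems.append(f"line {lineno}: unknown role {role!r} for user {user!r}")
        if key in mapping:
            problems.append(f"line {lineno}: duplicate entry for user {user!r}"
                            + (" (case-insensitive match)" if ignorecase else ""))
            mapping[key] |= set(roles)
        else:
            mapping[key] = set(roles)
    return mapping, problems


def admin_users(mapping):
    """Users holding JazzAdmins, for a least-privilege review of the file."""
    return sorted(user for user, roles in mapping.items() if "JazzAdmins" in roles)


def check_file(path, ignorecase=True):
    """Parse a mapping file from disk and return (mapping, problems)."""
    with open(path, encoding="utf-8") as fh:
        return parse_mapping(fh.read(), ignorecase=ignorecase)


if __name__ == "__main__":
    # Usage: python check_mapping.py [/path/to/mapping.csv]; defaults to the sample.
    if len(sys.argv) > 1:
        mapping, problems = check_file(sys.argv[1])
    else:
        mapping, problems = parse_mapping(SAMPLE_MAPPING)
    for user in sorted(mapping):
        print(f"{user}: {', '.join(sorted(mapping[user]))}")
    print("JazzAdmins holders:", ", ".join(admin_users(mapping)) or "(none)")
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run it against the real file before a restart (python check_mapping.py /opt/JazzTeamServer/server/mapping.csv) and treat a non-zero exit as a reason not to deploy; the JazzAdmins list it prints is the same set of people who can change every other user's permissions, so it is the line to read most carefully.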
