Enabling support for chained LDAP groups in Microsoft Active Directory


Jazz Foundation Server 4.0 introduces support for chained LDAP groups in Microsoft Active Directory using the vendor-specific LDAP_MATCHING_RULE_IN_CHAIN OID. When enabled, the synchronize-users task will find users defined in subgroups of Jazz groups.

However, since this support was added late in the development cycle, it was decided to disable this feature by default. To enable chained group support, you must add the following setting to your JTS teamserver.properties file and restart your server:


In a future release, it is expected that this feature will be enabled by default.

Enabling chained roles in Tomcat security realm

If you are using Tomcat, you must also modify the generated server.xml file to support chained roles in the LDAPLocalGroup realm configuration. To include chained groups in the role search, append the LDAP_MATCHING_RULE_IN_CHAIN OID (:1.2.840.113556.1.4.1941:) to the roleSearch attribute as follows:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       ...
       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
       .../>
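The following Python script is an added illustration and is not code from the Jazz product or the Tomcat project. It shows what the chained filter above actually asks the directory for, compared with the plain (member={0}) form: the matching rule resolves group membership transitively, so a user placed in a subgroup of a Jazz group is still matched, and Active Directory terminates the walk even when groups nest in a loop. The directory contents, DNs and group names are constructed sample data, and the in-memory walk is an emulation of the server-side rule, not an LDAP client. It also shows the RFC 4515 escaping that must be applied to the value substituted for {0}, since a DN containing filter metacharacters would otherwise change the meaning of the filter.

```python
from typing import Dict, Set, List

# OID of the Active Directory extensible matching rule LDAP_MATCHING_RULE_IN_CHAIN.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Tomcat replaces {0} in roleSearch with the authenticated user's DN. The
    characters ( ) * \\ and NUL are filter metacharacters; an unescaped one
    would alter the filter, so they are rewritten as \\XX hex escapes.
    """
    out: List[str] = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def direct_role_search(user_dn: str) -> str:
    """Filter matching only groups that list the user as a direct member."""
    return f"(member={escape_filter_value(user_dn)})"


def chained_role_search(user_dn: str) -> str:
    """Filter matching groups that contain the user directly or via nesting."""
    return f"(member:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


# Constructed sample directory: group DN -> DNs listed in its member attribute.
# JazzUsers contains Developers and Testers; alice is only in Developers.
# Engineering and Developers contain each other, forming a nesting loop.
ALICE = "CN=alice,CN=Users,DC=example,DC=com"
BOB = "CN=bob,CN=Users,DC=example,DC=com"
JAZZ_USERS = "CN=JazzUsers,OU=Groups,DC=example,DC=com"
DEVELOPERS = "CN=Developers,OU=Groups,DC=example,DC=com"
TESTERS = "CN=Testers,OU=Groups,DC=example,DC=com"
ENGINEERING = "CN=Engineering,OU=Groups,DC=example,DC=com"

DIRECTORY: Dict[str, Set[str]] = {
    JAZZ_USERS: {DEVELOPERS, TESTERS},
    DEVELOPERS: {ALICE, ENGINEERING},
    ENGINEERING: {DEVELOPERS},
    TESTERS: {BOB},
}


def direct_groups(directory: Dict[str, Set[str]], dn: str) -> Set[str]:
    """Emulate (member=<dn>): groups whose member attribute lists dn."""
    return {group for group, members in directory.items() if dn in members}


def chained_groups(directory: Dict[str, Set[str]], user_dn: str) -> Set[str]:
    """Emulate (member:1.2.840.113556.1.4.1941:=<dn>): every group reachable
    by following member links upward. The visited set stops the walk when
    group nesting forms a cycle, as the server-side rule does."""
    found: Set[str] = set()
    frontier = [user_dn]
    while frontier:
        dn = frontier.pop()
        for group in direct_groups(directory, dn):
            if group not in found:
                found.add(group)
                frontier.append(group)
    return found


if __name__ == "__main__":
    print("direct filter :", direct_role_search(ALICE))
    print("chained filter:", chained_role_search(ALICE))
    print("direct groups :", sorted(direct_groups(DIRECTORY, ALICE)))
    print("chained groups:", sorted(chained_groups(DIRECTORY, ALICE)))
```

With the plain filter, alice is matched only as a member of Developers and would not receive the JazzUsers role; with the chained filter she is matched through Developers into JazzUsers (and Engineering), which is what the synchronize-users task and the Tomcat realm rely on once chained group support is enabled.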

For more information

About the author

James Bognar is a developer working on the Jazz Foundation team.
