Jazz Library Enabling support for chained LDAP groups in Microsoft Active Directory
Author name

Enabling support for chained LDAP groups in Microsoft Active Directory

Introduction

Jazz Foundation Server 4.0 introduces support for chained LDAP groups in Microsoft Active Directory using the vendor-specific LDAP_MATCHING_RULE_IN_CHAIN OID. When enabled, the synchronize-users task will find users defined in subgroups of Jazz groups.

However, since this support was added late in the development cycle, it was decided to disable this feature by default. To enable chained group support, you must add the following setting to your JTS teamserver.properties file and restart your server:

com.ibm.team.repository.ldap.supportsMatchingRuleInChain=true

In a future release, it is expected that this feature will be enabled by default.

Enabling chained roles in Tomcat security realm

If you are using Tomcat, you must also modify the generated server.xml file to support chained roles in the LDAPLocalGroup realm configuration. To include chained groups in the role search, append the LDAP_MATCHING_RULE_IN_CHAIN OID (:1.2.840.113556.1.4.1941:) to the roleSearch attribute like so…

<Realm className="org.apache.catalina.realm.JNDIRealm"   	... roleSearch="(member:1.2.840.113556.1.4.1941:={0})" .../>

For more information


About the author

James Bognar is a developer working on the Jazz Foundation team.

Wed, 11 Jul 2012