Enabling support for chained LDAP groups in Microsoft Active Directory
Introduction
Jazz Foundation Server 4.0 introduces support for chained LDAP groups in Microsoft Active Directory using the vendor-specific LDAP_MATCHING_RULE_IN_CHAIN OID. When enabled, the synchronize-users task will find users defined in subgroups of Jazz groups.
However, since this support was added late in the development cycle, it was decided to disable this feature by default. To enable chained group support, you must add the following setting to your JTS teamserver.properties file and restart your server:
com.ibm.team.repository.ldap.supportsMatchingRuleInChain=true
In a future release, it is expected that this feature will be enabled by default.
Enabling chained roles in Tomcat security realm
If you are using Tomcat, you must also modify the generated server.xml file so that the LDAPLocalGroup realm configuration resolves chained roles. To include chained groups in the role search, insert the LDAP_MATCHING_RULE_IN_CHAIN OID (:1.2.840.113556.1.4.1941:) between the attribute name and the equals sign in the roleSearch filter, as follows:
<Realm className="org.apache.catalina.realm.JNDIRealm" ... roleSearch="(member:1.2.840.113556.1.4.1941:={0})" .../>
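The following is an added example, not code from the Jazz product or this article, illustrating what the matching-rule-in-chain OID changes for both the synchronize-users search above and the Tomcat roleSearch filter. It builds the two filter shapes (plain member= and member:1.2.840.113556.1.4.1941:=) with RFC 4515 value escaping, and then simulates, against a small constructed directory with a nested-group cycle, how Active Directory evaluates each: the plain filter only sees direct members, while the chained filter walks nested groups transitively. The directory contents and DNs are constructed for the example.

```python
"""Simulate direct vs. chained (LDAP_MATCHING_RULE_IN_CHAIN) group membership resolution.

Added example; not part of Jazz Foundation Server. The directory below is constructed.
"""
from typing import Dict, Set

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: group DN -> member DNs (users or nested groups).
# Contractors is nested under DevTeam, which is nested under JazzUsers, and
# Contractors also refers back to DevTeam so the walk must tolerate a cycle.
DIRECTORY: Dict[str, Set[str]] = {
    "CN=JazzUsers,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=People,DC=example,DC=com",
        "CN=DevTeam,OU=Groups,DC=example,DC=com",
    },
    "CN=DevTeam,OU=Groups,DC=example,DC=com": {
        "CN=bob,OU=People,DC=example,DC=com",
        "CN=Contractors,OU=Groups,DC=example,DC=com",
    },
    "CN=Contractors,OU=Groups,DC=example,DC=com": {
        "CN=carol,OU=People,DC=example,DC=com",
        "CN=DevTeam,OU=Groups,DC=example,DC=com",  # cycle back to DevTeam
    },
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def member_filter(user_dn: str, chained: bool) -> str:
    """Build the member search filter; chained=True yields the Tomcat roleSearch shape
    with the user DN substituted for {0}."""
    attr = f"member:{LDAP_MATCHING_RULE_IN_CHAIN}:" if chained else "member"
    return f"({attr}={escape_filter_value(user_dn)})"


def _reachable(directory: Dict[str, Set[str]], group_dn: str, user_dn: str,
               chained: bool, visited: Set[str]) -> bool:
    """Depth-first reachability from group_dn to user_dn through nested groups."""
    if group_dn in visited:
        return False
    visited.add(group_dn)
    members = directory.get(group_dn, set())
    if user_dn in members:
        return True
    if not chained:
        return False  # plain member= matches direct members only
    return any(m in directory and _reachable(directory, m, user_dn, chained, visited)
               for m in members)


def groups_containing(directory: Dict[str, Set[str]], user_dn: str, chained: bool) -> Set[str]:
    """Groups the server would return for member_filter(user_dn, chained)."""
    return {g for g in directory if _reachable(directory, g, user_dn, chained, set())}


def users_in_group(directory: Dict[str, Set[str]], group_dn: str, chained: bool) -> Set[str]:
    """User DNs a synchronize-users style task would enumerate for group_dn."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in directory.get(g, set()):
            if m in directory:
                if chained:
                    stack.append(m)  # descend into the nested group
            else:
                users.add(m)
    return users


if __name__ == "__main__":
    jazz = "CN=JazzUsers,OU=Groups,DC=example,DC=com"
    carol = "CN=carol,OU=People,DC=example,DC=com"
    for chained in (False, True):
        print("chained" if chained else "direct ", member_filter(carol, chained))
        print("  users in JazzUsers:", sorted(users_in_group(DIRECTORY, jazz, chained)))
        print("  groups holding carol:", sorted(groups_containing(DIRECTORY, carol, chained)))
```

With the property left at its default, the simulation shows only alice in JazzUsers; with the chained rule, bob and carol are also returned, which is why a directory that relies on nested groups will see its Jazz user population change after the setting is enabled. Reviewing which nested groups feed a Jazz group before turning the setting on avoids surprises in who is synchronized.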
For more information
About the author
James Bognar is a developer working on the Jazz Foundation team.
Copyright © 2012 IBM Corporation