Enabling support for chained LDAP groups in Microsoft Active Directory

Introduction

Jazz Foundation Server 4.0 introduces support for chained LDAP groups in Microsoft Active Directory using the vendor-specific LDAP_MATCHING_RULE_IN_CHAIN OID. When enabled, the synchronize-users task will find users defined in subgroups of Jazz groups.

However, since this support was added late in the development cycle, it was decided to disable this feature by default. To enable chained group support, you must add the following setting to your JTS teamserver.properties file and restart your server:

com.ibm.team.repository.ldap.supportsMatchingRuleInChain=true

In a future release, it is expected that this feature will be enabled by default.

Enabling chained roles in Tomcat security realm

If you are using Tomcat, you must also modify the generated server.xml file to support chained roles in the LDAPLocalGroup realm configuration. To include chained groups in the role search, insert the LDAP_MATCHING_RULE_IN_CHAIN OID (:1.2.840.113556.1.4.1941:) into the member comparison of the roleSearch attribute, like so:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       ...
       roleSearch="(member:1.2.840.113556.1.4.1941:={0})"
       .../>
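The two settings above (the synchronize-users property and the Tomcat roleSearch filter) change the same thing: whether membership is resolved directly or transitively through nested groups. The following is an added example, not code from the article or from Jazz/Tomcat, that builds both filter forms and resolves membership in each direction over a constructed sample directory (the DNs and the Dev-Team/Contractors nesting cycle are assumptions for illustration):

```python
# Constructed sample directory: group DN -> member DNs (users or groups), mirroring
# the AD "member" attribute. Includes a nesting cycle, which AD permits.
DIRECTORY = {
    "CN=JazzUsers,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=Dev-Team,OU=Groups,DC=example,DC=com",
    },
    "CN=Dev-Team,OU=Groups,DC=example,DC=com": {
        "CN=bob,OU=Users,DC=example,DC=com",
        "CN=Contractors,OU=Groups,DC=example,DC=com",
    },
    "CN=Contractors,OU=Groups,DC=example,DC=com": {
        "CN=carol,OU=Users,DC=example,DC=com",
        "CN=Dev-Team,OU=Groups,DC=example,DC=com",  # cycle: Dev-Team <-> Contractors
    },
}

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def role_search_filter(chained):
    """Tomcat JNDIRealm roleSearch filter: direct membership vs. chained (transitive)."""
    if chained:
        return "(member:%s:={0})" % LDAP_MATCHING_RULE_IN_CHAIN
    return "(member={0})"

def _walk(start, neighbours, chained):
    """Reachability over the membership graph; 'seen' stops nested-group cycles."""
    found, seen, stack = set(), {start}, [start]
    while stack:
        node = stack.pop()
        for nxt in neighbours(node):
            found.add(nxt)
            if chained and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return found

def users_in_group(group_dn, chained, directory=DIRECTORY):
    """Users synchronize-users would find: direct members, or (chained) subgroup members too."""
    reached = _walk(group_dn, lambda g: directory.get(g, set()), chained)
    return {dn for dn in reached if dn not in directory}  # drop group DNs, keep users

def groups_of_user(user_dn, chained, directory=DIRECTORY):
    """Roles the realm's roleSearch returns for a user, matching role_search_filter(chained)."""
    parents = lambda dn: {g for g, members in directory.items() if dn in members}
    return _walk(user_dn, parents, chained)
```

Running `users_in_group` on a Jazz group with both settings side by side shows exactly which accounts gain access once chaining is enabled, which is worth reviewing before flipping the property in production.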

For more information


About the author

James Bognar is a developer working on the Jazz Foundation team.
