The configuration lives in the [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults folder and in the jazzop/ folder one level up, [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/. Three files are involved: server.xml, appConfig.xml and ldapUserRegistry.xml.

server.xml - the Liberty server configuration; the feature list is edited here in the next step
appConfig.xml - contains the Jazz group/role mappings and the include that selects the user registry file
ldapUserRegistry.xml - configures Liberty with an LDAP user registry
Edit [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/server.xml and include the following in the list of features inside <featureManager>:

    <feature>scim-1.0</feature>
Edit the [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/appConfig.xml file. Towards the end of the file, change

    <include location="localUserRegistry.xml" optional="true"/>
    <!--include location="ldapUserRegistry.xml" optional="true"/-->

to

    <!--include location="localUserRegistry.xml" optional="true"/-->
    <include location="ldapUserRegistry.xml" optional="true"/>

Because optional="true" suppresses the error for a missing include file, check the file name carefully: a typo leaves the server running without any LDAP registry at all.
Edit [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/ldapUserRegistry.xml and modify it to match your environment. Examples for Microsoft Active Directory, IBM Tivoli Directory Server and a custom (generic) LDAP server follow. All of them use sslEnabled="false" on a plain LDAP port, which sends the bind password and every lookup in clear text; for anything beyond a test directory set sslEnabled="true" and point host/port at the directory's TLS port. Note also that the & that starts each AND filter must be written &amp; inside an XML attribute; a bare & makes the file unparseable and Liberty will not load the registry.

Microsoft Active Directory:

<server>
    <ldapRegistry ldapType="Microsoft Active Directory"
                  baseDN="CN=Users,DC=test,DC=com"
                  bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com"
                  bindPassword="********"
                  host="ldapserver" port="389"
                  id="ldapserver:389" realm="ldapserver:389"
                  ignoreCase="true" recursiveSearch="true"
                  referral="follow" sslEnabled="false">
        <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                        userIdMap="user:sAMAccountName"
                        groupIdMap="*:cn"
                        groupMemberIdMap="memberOf:member">
        </activedFilters>
        <attributeConfiguration>
            <!-- propertyName is the SCIM property, name is the LDAP attribute -->
            <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
        </attributeConfiguration>
    </ldapRegistry>
    <federatedRepository>
        <primaryRealm name="FVTRegistry">
            <participatingBaseEntry name="CN=Users,DC=test,DC=com"/>
        </primaryRealm>
    </federatedRepository>
    <administrator-role>
        <user>clmadmin</user>
        <group>MyJazzAdmins</group>
    </administrator-role>
</server>

The users and groups listed under the <administrator-role> tag are the SCIM administrators.
The <attributeConfiguration> element is mandatory, because the displayName SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute in the mapping from cn to whichever attribute holds display names in your organization.
The referral attribute is spelled with two r's; Liberty ignores attribute names it does not recognise, so a misspelling silently leaves referral handling at its default (ignore).
IBM Tivoli Directory Server:

<server>
    <ldapRegistry ldapType="IBM Tivoli Directory Server"
                  baseDN="o=test.com"
                  bindDN="uid=clmadmin,c=in,ou=Users,o=test.com"
                  bindPassword="********"
                  host="ldapserver" port="389"
                  id="ldapserver:389" realm="ldapserver:389"
                  ignoreCase="true" recursiveSearch="true"
                  searchTimeout="10m" sslEnabled="false">
        <idsFilters userFilter="(&amp;(uid=%v)(objectclass=person))"
                    groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
                    userIdMap="*:uid"
                    groupIdMap="*:cn"
                    groupMemberIdMap="groupOfUniqueNames:uniquemember">
        </idsFilters>
        <attributeConfiguration>
            <!-- propertyName is the SCIM property, name is the LDAP attribute -->
            <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
        </attributeConfiguration>
        <ldapEntityType name="PersonAccount">
            <searchBase>c=in,ou=Users,o=test.com</searchBase>
        </ldapEntityType>
        <ldapEntityType name="Group">
            <searchBase>ou=JazzGroups,ou=Groups,o=test.com</searchBase>
        </ldapEntityType>
    </ldapRegistry>
    <administrator-role>
        <user>myscimadmin</user>
    </administrator-role>
</server>

The users and groups listed under the <administrator-role> tag are the SCIM administrators.
The <attributeConfiguration> element is mandatory, because the displayName SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute in the mapping from cn to whichever attribute holds display names in your organization.
The <ldapEntityType> tag is not mandatory, but can be used to limit the user and group query scope to specific subtrees, which is worth doing in a large directory so that SCIM lookups and synchronization do not walk the whole tree.
Custom LDAP server:

<server>
    <ldapRegistry ldapType="Custom"
                  baseDN="dc=example,dc=com"
                  host="ldapserver" port="10389"
                  id="ldapserver:10389" realm="ldapserver:10389"
                  ignoreCase="true" recursiveSearch="true"
                  referral="follow" sslEnabled="false"
                  timestampFormat="yyyyMMddHHmmss.SSSSSSZ">
        <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
                       groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
                       userIdMap="*:uid"
                       groupIdMap="*:cn"
                       groupMemberIdMap="groupOfUniqueNames:uniquemember">
        </customFilters>
        <attributeConfiguration>
            <!-- propertyName is the SCIM property, name is the LDAP attribute -->
            <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
        </attributeConfiguration>
    </ldapRegistry>
    <administrator-role>
        <user>myscimadmin</user>
    </administrator-role>
</server>

The <attributeConfiguration> element is mandatory, because the displayName SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute in the mapping from cn to whichever attribute holds display names in your organization.
The users and groups listed under the <administrator-role> tag are the SCIM administrators.
This example has no bindDN or bindPassword, so Liberty binds anonymously; the directory must allow anonymous search of the user and group subtrees, otherwise add bindDN and bindPassword as in the previous examples.
The timestampFormat attribute tells Liberty how to parse the directory's timestamp values; setting it as shown above resolves the error.
To raise the maximum number of entries an LDAP search may return (Liberty's default for the federated repository is 4500), set maxSearchResults in ldapUserRegistry.xml, adding the attribute to the existing <federatedRepository> element if the file already has one:

    <federatedRepository maxSearchResults="100000" />
Do not leave the bind password in clear text in ldapUserRegistry.xml. Use [JazzAuthServer_Install_Dir]/wlp/bin/securityUtility to encode it and paste the output into the bindPassword attribute:

    $ securityUtility encode userPassword

where userPassword is the password to encode. The default {xor} output is obfuscation, not encryption: anyone who can read the file can recover the password, so keep the file's permissions tight. securityUtility encode --encoding=aes produces an {aes} value instead, which is the better choice where the server's configuration may be read by others.
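As an added check, not part of IBM's documentation or the Jazz Authorization Server itself, the following Python script lints an ldapUserRegistry.xml for the points made above: the file must be well-formed XML (a bare & in a filter is the usual slip), the user and group filters must carry the %v placeholder, attributeConfiguration must map displayName for PersonAccount, administrator-role must name at least one SCIM administrator, sslEnabled should be true, the attribute is referral not referal, and bindPassword should already be a securityUtility-encoded value. Both sample documents inside the script are constructed for it; the ssl id LDAPSSLSettings and the encoded password value are assumptions, not values from the page.

```python
"""Lint a Liberty ldapUserRegistry.xml for the points this page calls out.

Added example, not IBM's code. It checks that the file parses, that the
user/group filters carry the %v placeholder, that attributeConfiguration
maps displayName for PersonAccount, that administrator-role names at
least one SCIM administrator, and that TLS and an encoded bindPassword
are in use. Both sample documents below are constructed for this script.
"""
import xml.etree.ElementTree as ET

FILTER_ELEMENTS = ("activedFilters", "idsFilters", "customFilters")

# Constructed sample modelled on the Active Directory example (TLS on 636,
# an encoded bindPassword, and the assumed ssl id "LDAPSSLSettings").
SAMPLE_OK = """<server>
  <ldapRegistry ldapType="Microsoft Active Directory" baseDN="CN=Users,DC=test,DC=com"
      bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com" bindPassword="{xor}KzosKw=="
      host="ldapserver" port="636" id="ldapserver:636" realm="ldapserver:636"
      ignoreCase="true" recursiveSearch="true" referral="follow"
      sslEnabled="true" sslRef="LDAPSSLSettings">
    <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName" groupIdMap="*:cn" groupMemberIdMap="memberOf:member"/>
    <attributeConfiguration>
      <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
    </attributeConfiguration>
  </ldapRegistry>
  <administrator-role><user>clmadmin</user></administrator-role>
</server>"""

# Constructed sample carrying the mistakes the lint is meant to catch.
SAMPLE_BAD = """<server>
  <ldapRegistry ldapType="Custom" baseDN="dc=example,dc=com" host="ldapserver" port="10389"
      id="ldapserver:10389" realm="ldapserver:10389" referal="follow" sslEnabled="false"
      bindDN="cn=admin,dc=example,dc=com" bindPassword="Passw0rd">
    <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))" groupFilter="(cn=*)"
        userIdMap="*:uid" groupIdMap="*:cn" groupMemberIdMap="groupOfUniqueNames:uniquemember"/>
  </ldapRegistry>
</server>"""


def lint_registry(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A bare '&' in a filter (written "(&(" instead of "(&amp;(") ends up here.
        return ["not well-formed XML: %s" % exc]

    for reg in root.iter("ldapRegistry"):
        a = reg.attrib
        if a.get("sslEnabled", "false").lower() != "true":
            findings.append("sslEnabled is not true: the bind password and every "
                            "lookup travel in clear text")
        if "referal" in a:
            findings.append("attribute 'referal' is misspelled; Liberty expects "
                            "'referral' and ignores the unknown name")
        if "bindDN" not in a:
            findings.append("no bindDN: the registry binds anonymously")
        pw = a.get("bindPassword")
        if pw is not None and not pw.startswith(("{xor}", "{aes}")):
            findings.append("bindPassword is plain text; run securityUtility encode first")

        # Exactly one of the three filter elements is expected under ldapRegistry.
        filters = [c for c in reg if c.tag in FILTER_ELEMENTS]
        if not filters:
            findings.append("no activedFilters/idsFilters/customFilters element")
        for f in filters:
            for name in ("userFilter", "groupFilter"):
                if "%v" not in f.get(name, ""):
                    findings.append("%s %s has no %%v placeholder, so every lookup "
                                    "runs the same static filter" % (f.tag, name))

        # displayName -> Name in CLM/ELM is the mapping the page calls mandatory.
        mapped = reg.findall("attributeConfiguration/attribute")
        if not any(m.get("propertyName") == "displayName" and
                   m.get("entityType") == "PersonAccount" for m in mapped):
            findings.append("attributeConfiguration lacks the displayName mapping "
                            "for PersonAccount (mandatory for the CLM/ELM Name)")

    admins = root.find("administrator-role")
    if admins is None or len(admins) == 0:
        findings.append("administrator-role names no SCIM administrator")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for line in lint_registry(text) or ["no findings"]:
        print(line)
```

Run it as python lint_registry.py /path/to/ldapUserRegistry.xml before starting the server; with no argument it lints the constructed bad sample and prints six findings. The script only validates structure and the obvious hygiene points; it does not contact the directory, so a wrong bindDN or filter that is syntactically fine still has to be verified against the LDAP server itself.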
In server.xml, grant the clientManager role (the users and groups allowed to register and manage OAuth clients in the Jazz Authorization Server) to your Jazz administrators group and the SCIM administrator user; any authenticated user keeps the authenticated role:

<oauth-roles>
    <authenticated>
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </authenticated>
    <clientManager>
        <group name="MYJAZZADMINS" />
        <user name="myscimadmin" />
    </clientManager>
</oauth-roles>

Keep the clientManager membership minimal: whoever holds it can create or alter the OAuth client registrations that the Jazz applications rely on.
Start (or restart) the Jazz Authorization Server so that the new feature and registry configuration take effect:

    $ cd [JazzAuthServer_Install_Dir]
    $ ./start-jazz
Finally, synchronize the Jazz Team Server users with the external user registry, as described in the Jazz Team Server documentation topic "Synchronize Jazz Team Server Users With External User Registry".