Copy the following files from the [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults folder one level up to [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/: server.xml, appConfig.xml and ldapUserRegistry.xml.
appConfig.xml - Contains Jazz Group/Role mappings and UserRegistry file information
ldapUserRegistry.xml - Configuring Liberty with an LDAP user registry
Edit [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/server.xml and include the following in the list of features:

    <feature>scim-1.0</feature>
Edit the [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/appConfig.xml file and towards the end of the file change the following:

    <include location="localUserRegistry.xml" optional="true"/>
    <!--include location="ldapUserRegistry.xml" optional="true"/-->

to:

    <!--include location="localUserRegistry.xml" optional="true"/-->
    <include location="ldapUserRegistry.xml" optional="true"/>
Edit [JazzAuthServer_Install_Dir]/wlp/usr/servers/jazzop/defaults/ldapUserRegistry.xml and modify it to match your environment. Examples follow.

Microsoft Active Directory example:

    <server>
        <ldapRegistry ldapType="Microsoft Active Directory"
            baseDN="CN=Users,DC=test,DC=com"
            bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com"
            bindPassword="********"
            host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389"
            realm="ldapserver:389" recursiveSearch="true" referal="follow" sslEnabled="false">
            <!-- '&' inside an LDAP filter must be written as &amp; or the XML will not parse -->
            <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                userIdMap="user:sAMAccountName"
                groupIdMap="*:cn"
                groupMemberIdMap="memberOf:member">
            </activedFilters>
            <attributeConfiguration>
                <!-- propertyName is the scim property, name is the ldap property -->
                <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
            </attributeConfiguration>
        </ldapRegistry>
        <federatedRepository>
            <primaryRealm name="FVTRegistry">
                <participatingBaseEntry name="CN=Users,DC=test,DC=com"/>
            </primaryRealm>
        </federatedRepository>
        <administrator-role>
            <user>clmadmin</user>
            <group>MyJazzAdmins</group>
        </administrator-role>
    </server>
Users and groups listed under the <administrator-role> tag are SCIM Administrators.

The <attributeConfiguration> element is mandatory, as the displayName SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn to another LDAP attribute as per your organization's requirement.
IBM Tivoli Directory Server example:

    <server>
        <ldapRegistry ldapType="IBM Tivoli Directory Server"
            baseDN="o=test.com"
            bindDN="uid=clmadmin,c=in,ou=Users,o=test.com"
            bindPassword="********"
            host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389"
            realm="ldapserver:389" recursiveSearch="true" searchTimeout="10m" sslEnabled="false">
            <!-- '&' inside an LDAP filter must be written as &amp; or the XML will not parse -->
            <idsFilters groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
                groupIdMap="*:cn"
                groupMemberIdMap="groupOfUniqueNames:uniquemember"
                userFilter="(&amp;(uid=%v)(objectclass=person))"
                userIdMap="*:uid">
            </idsFilters>
            <attributeConfiguration>
                <!-- propertyName is the scim property, name is the ldap property -->
                <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
            </attributeConfiguration>
            <ldapEntityType name="PersonAccount">
                <searchBase>c=in,ou=Users,o=test.com</searchBase>
            </ldapEntityType>
            <ldapEntityType name="Group">
                <searchBase>ou=JazzGroups,ou=Groups,o=test.com</searchBase>
            </ldapEntityType>
        </ldapRegistry>
        <administrator-role>
            <user>myscimadmin</user>
        </administrator-role>
    </server>
Users and groups listed under the <administrator-role> tag are SCIM Administrators.

The <attributeConfiguration> element is mandatory, as the displayName SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn to another LDAP attribute as per your organization's requirement.

The <ldapEntityType> tag is not mandatory, but can be used to limit the User and Group query scope.
Custom LDAP example:

    <server>
        <ldapRegistry ldapType="Custom"
            baseDN="dc=example,dc=com"
            host="ldapserver" id="ldapserver:10389" ignoreCase="true" port="10389"
            realm="ldapserver:10389" recursiveSearch="true" referal="follow" sslEnabled="false"
            timestampFormat="yyyyMMddHHmmss.SSSSSSZ">
            <!-- '&' inside an LDAP filter must be written as &amp; or the XML will not parse -->
            <customFilters groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
                groupIdMap="*:cn"
                groupMemberIdMap="groupOfUniqueNames:uniquemember"
                userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
                userIdMap="*:uid">
            </customFilters>
            <attributeConfiguration>
                <!-- propertyName is the scim property, name is the ldap property -->
                <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
            </attributeConfiguration>
        </ldapRegistry>
        <administrator-role>
            <user>myscimdmin</user>
        </administrator-role>
    </server>
The <attributeConfiguration> element is mandatory, as the displayName SCIM property is mapped to the Name attribute in CLM / ELM. You can change the LDAP attribute mapping from cn to another LDAP attribute as per your organization's requirement.

Users and groups listed under the <administrator-role> tag are SCIM Administrators.

Adding the <timestampFormat> attribute as shown above resolves the error.
<federatedRepository maxSearchResults="100000" />
Use [JazzAuthServer_Install_Dir]/wlp/bin/securityUtility to encode the password:

    $ securityUtility encode userPassword

where userPassword is the password to encode.
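The following is an added review check, not code from the page or from IBM: it reads an ldapUserRegistry.xml laid out like the examples above and reports the points the notes call out (mandatory displayName mapping, non-empty administrator-role) together with two things a security reviewer looks for (a plaintext or merely xor-obfuscated bindPassword, and sslEnabled left at false). The sample XML, host names and bind DN are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed ldapUserRegistry.xml patterned on the Custom example above, but
# with a plaintext bindPassword so the check has something to report.
SAMPLE_XML = """<server>
  <ldapRegistry ldapType="Custom" baseDN="dc=example,dc=com" host="ldapserver"
      id="ldapserver:10389" port="10389" realm="ldapserver:10389" sslEnabled="false"
      bindDN="uid=svc-jazz,dc=example,dc=com" bindPassword="Secret123">
    <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))" userIdMap="*:uid"
        groupFilter="(&amp;(cn=%v)(objectclass=posixGroup))" groupIdMap="*:cn"/>
    <attributeConfiguration>
      <attribute name="cn" propertyName="displayName" entityType="PersonAccount"/>
    </attributeConfiguration>
  </ldapRegistry>
  <administrator-role><user>myscimadmin</user></administrator-role>
</server>"""

# Constructed variant carrying the bare '&' that a hand-edited filter often has.
BAD_FILTER_XML = SAMPLE_XML.replace("(&amp;(uid", "(&(uid")


def lint_ldap_registry(xml_text):
    """Return a list of findings for the document; an empty list means nothing was found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}): write '&' in LDAP filters as '&amp;'"]
    reg = root.find("ldapRegistry")
    if reg is None:
        return ["no <ldapRegistry> element"]
    findings = []
    pw = reg.get("bindPassword", "")
    if pw and not pw.startswith(("{xor}", "{aes}")):
        findings.append("bindPassword is plaintext: encode it with securityUtility encode")
    elif pw.startswith("{xor}"):
        # Liberty's default xor encoding is reversible obfuscation, not encryption.
        findings.append("bindPassword uses xor, which is reversible obfuscation, not encryption")
    if reg.get("sslEnabled", "false").lower() != "true":
        findings.append("sslEnabled is false: bind credentials and directory data travel in the clear")
    if reg.find("attributeConfiguration/attribute[@propertyName='displayName']") is None:
        findings.append("mandatory displayName mapping missing from <attributeConfiguration>")
    admins = root.find("administrator-role")
    if admins is None or len(admins) == 0:
        findings.append("<administrator-role> is empty: no SCIM administrator is defined")
    return findings
```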
    <oauth-roles>
        <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </authenticated>
        <clientManager>
            <group name="MYJAZZADMINS"/>
            <user name="myscimadmin"/>
        </clientManager>
    </oauth-roles>
Start the Jazz Authorization Server:

    $ cd JazzAuthServer_install_dir
    $ ./start-jazz
By default the CLM Login Id is mapped to sAMAccountName or uid. If you wish to change the CLM Login value to another LDAP attribute, here are the steps: log in to the https://jtsserver:port/jts/admin page, click Server > Advanced Properties and search for the property "SCIM Property to User ID mapping".
Ldap UserId Attribute | SCIM Property to UserId Mapping | User Name        |
--------------------- | ------------------------------- | ---------------- |
sAMAccountName, uid   | userName (default value)        | LDAP User Uid    |
                      | emails                          | LDAP User Email  |
                      | emails/type=work                | LDAP User Email 2|
mobile                | phoneNumbers/type=mobile        | LDAP User Mobile |
    {
      "emails": [
        {"value": "shubjitnaik@testmail.com", "where": "work"},
        {"value": "shubjit1@homemail.com", "where": "home"}
      ],
      "location": "https:\/\/jasserver:9643\/ibm\/api\/scim\/Users\/uid=shubjit,ou=Users,dc=ldap,dc=com",
      "displayName": "Shubjit Naik",
      "schemas": ["urn:scim:schemas:core:1.0"],
      "id": "uid=shubjit,ou=Users,dc=ldap,dc=com",
      "name": {"formatted": "Shubjit Naik", "givenName": "Shubjit", "familyName": "Naik"},
      "userName": "shubjit"
    }
The record above is the SCIM user resource at https://[JAS_SERVER]:[JAS_PORT]/ibm/api/scim/Users/uid=shubjit,ou=Users,dc=ldap,dc=com.

The userName attribute value is used as the CLM login Id; in this case it is shubjit. Mapping to emails would not work, as there are multiple email addresses associated with the user and it would result in an error. Use emails/where=work instead, which will extract shubjitnaik@testmail.com as the value to log in to CLM.
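To make the mapping rules concrete, here is an added example (not code from the page or from the Jazz products) that evaluates a "SCIM Property to User ID mapping" expression against a SCIM user record the way the text describes: a plain property such as userName, or a multi-valued property narrowed by a selector such as emails/where=work, with an error whenever the result is not exactly one value. The user record is constructed after the sample above, with a phoneNumbers entry added so the table's mobile mapping can also be tried; the function names are assumptions.

```python
import json

# Constructed SCIM 1.0 user record modelled on the one shown on this page,
# with a phoneNumbers entry added so the mobile mapping from the table can be tried.
SCIM_USER = json.loads("""{
  "emails": [{"value": "shubjitnaik@testmail.com", "where": "work"},
             {"value": "shubjit1@homemail.com", "where": "home"}],
  "phoneNumbers": [{"value": "+1-555-0100", "type": "mobile"}],
  "id": "uid=shubjit,ou=Users,dc=ldap,dc=com",
  "displayName": "Shubjit Naik",
  "userName": "shubjit"
}""")


def resolve_login_id(user, mapping):
    """Evaluate a 'SCIM Property to User ID mapping' expression against one user.

    Accepts 'property' or 'property/key=value' (e.g. 'userName',
    'emails/where=work', 'phoneNumbers/type=mobile'). Raises ValueError unless
    exactly one value results, which is the failure the page describes for a
    bare 'emails' mapping on a user with several addresses.
    """
    prop, _, selector = mapping.partition("/")
    values = user.get(prop)
    if values is None:
        raise ValueError(f"SCIM property {prop!r} is not present on the record")
    if not isinstance(values, list):
        return str(values)                      # single-valued, e.g. userName
    if selector:
        key, _, wanted = selector.partition("=")
        values = [v for v in values if isinstance(v, dict) and v.get(key) == wanted]
    candidates = [v.get("value") if isinstance(v, dict) else v for v in values]
    if len(candidates) != 1 or not candidates[0]:
        raise ValueError(f"{mapping!r} yields {len(candidates)} values; login id must be unique")
    return candidates[0]


def evaluate_mappings(user, mappings):
    """Try each mapping; map it to the resolved login id or to 'error: <reason>'."""
    out = {}
    for m in mappings:
        try:
            out[m] = resolve_login_id(user, m)
        except ValueError as exc:
            out[m] = f"error: {exc}"
    return out


if __name__ == "__main__":
    mappings = ["userName", "emails", "emails/where=work", "phoneNumbers/type=mobile"]
    for m, r in evaluate_mappings(SCIM_USER, mappings).items():
        print(f"{m:26} -> {r}")
```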
Synchronize Jazz Team Server Users With External User Registry