r6 - 2017-02-23 - 11:28:23 - ShubjitNaik
<sticky><div id="header-title" style="padding: 10px 15px; border-width:1px; border-style:solid; border-color:#FFD28C; background-image: url(<nop>https://jazz.net/wiki/pub/Deployment/WebPreferences/TLASE.jpg); background-size: cover; font-size:120%">
---+!! Multiple User Registries with Jazz Authorization Server and SCIM
<img src="https://jazz.net/wiki/pub/Deployment/WebPreferences/todo.png" alt="todo.png" width="50" height="50" align="right">
%DKGRAY% Author: Main.ShubjitNaik <br> Build basis: JAS and CLM 6.0.2 and higher %ENDCOLOR%
</div></sticky>
<!-- Page contents top of page on right hand side in box -->
<sticky><div style="float:right; border-width:1px; border-style:solid; border-color:#DFDFDF; background-color:#F6F6F6; margin:0 0 15px 15px; padding: 0 15px 0 15px;"> %TOC{title="Page contents"}% </div></sticky>
<sticky><div style="margin:15px;"></sticky>

!WebSphere Application Server Liberty Profile allows configuring multiple federated registries. User registry federation is used when user and group information is spread across multiple registries. For example, the information might be in two different LDAPs, in two subtrees of the same LDAP, in a file, or among the users of a system. The information might even be in a custom user data repository. With registries federated, you can search and use this distributed user information in a unified manner, as if it were a single store. Using a federated registry, you can use the unified view for authentication and authorization of users in Liberty.
%BR% %BR%
Jazz Authorization Server (JAS) is based on !WebSphere Liberty Profile and can leverage the feature of configuring federated registries. However, for it to work with CLM, you must configure JAS with SCIM. This article focuses on the steps to configure JAS for SCIM with federated registries.

---++ Important Notes and Pre-requisites

   * To configure multiple user registries with JAS, enabling the SCIM configuration is mandatory
   * Starting in Collaborative Lifecycle Management (CLM) 6.0.2, Jazz Authorization Server (JAS) supports SCIM in the Liberty profile
   * For Microsoft Active Directory LDAP Server, CLM and JAS version 6.0.2 or higher needs to be deployed
   * For any other LDAP registries, the minimum version of CLM and JAS required to configure SCIM is 6.0.4 (GA in 2017) or higher
   * Currently the User Synchronization operation by default picks *UserID=sAMAccountName* for Microsoft AD and *UserId=uid* for IBM Tivoli Directory Server and !ApacheDS. It is recommended to *disable the Nightly Sync* operation until verification is completed.
   * Screenshots added for non-Microsoft AD configurations are from CLM and JAS versions 6.0.4 M2

---++ Setup and Configure JAS for SCIM with a Single LDAP Registry

   * To configure SCIM you must use Lightweight Directory Access Protocol (LDAP)
   * The first step is to configure JAS for SCIM with a single LDAP registry and complete JTS setup with JAS and SCIM
   * Refer to the article *[[JASAndSCIM][Configuring Jazz Authorization Server for SCIM]]* for the complete steps

---++ Configure JAS for SCIM with Multiple LDAP Registries

---+++ Enable federated registries features in Liberty

   * Enable the Jazz Authorization Server to support federated registries
   * Edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/server.xml= and include the following in the list of features
<verbatim>
<feature>appSecurity-2.0</feature>
<feature>servlet-3.0</feature>
<feature>ldapRegistry-3.0</feature>
</verbatim>

---+++ Modify LDAP configuration to include multiple registries

   * We have included a few examples from different federated LDAP environments (MS Active Directory and !ApacheDS) to help guide the configuration
   * Users or groups listed under the =&lt;administrator-role&gt;= tag are *SCIM administrators*
   * Edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults/ldapUserRegistry.xml= and modify it to match your environment; examples below

---++++ Microsoft Active Directory

<verbatim>
<ldapRegistry ldapType="Microsoft Active Directory"
    baseDN="CN=Users,DC=HOST1,DC=com"
    bindDN="CN=CLM Admin,CN=Users,DC=HOST1,DC=com"
    bindPassword="********"
    host="ldapserver1" id="ldapserver1:389" ignoreCase="true" port="389"
    realm="ldapserver1:389" recursiveSearch="true" referal="follow" sslEnabled="false">
    <activedFilters
        userFilter="(&(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName"
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member" >
    </activedFilters>
</ldapRegistry>

<ldapRegistry ldapType="Microsoft Active Directory"
    baseDN="CN=Users,DC=HOST2,DC=com"
    bindDN="CN=CLM Admin,CN=Users,DC=HOST2,DC=com"
    bindPassword="********"
    host="ldapserver2" id="ldapserver2:389" ignoreCase="true" port="389"
    realm="ldapserver2:389" recursiveSearch="true" referal="follow" sslEnabled="false">
    <activedFilters
        userFilter="(&(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName"
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member" >
    </activedFilters>
</ldapRegistry>

<federatedRepository>
    <primaryRealm name="FVTRegistry">
        <participatingBaseEntry name="CN=Users,DC=HOST1,DC=com"/>
        <participatingBaseEntry name="CN=Users,DC=HOST2,DC=com"/>
    </primaryRealm>
</federatedRepository>

<administrator-role>
    <user>adadmin</user>
    <user>ad2admin</user>
</administrator-role>
</verbatim>

---++++ !ApacheDS

<verbatim>
<ldapRegistry ldapType="Custom"
    baseDN="dc=clm,dc=com"
    host="ldapserver1" id="ldapserver1:10389" ignoreCase="true" port="10389"
    realm="ldapserver1:10389" recursiveSearch="true" referal="follow" sslEnabled="false"
    timestampFormat="yyyyMMddHHmmss.SSSSSSZ">
    <customFilters
        groupFilter="(&(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
        groupIdMap="*:cn"
        groupMemberIdMap="groupOfUniqueNames:uniquemember"
        userFilter="(&(uid=%v)(objectclass=inetOrgPerson))"
        userIdMap="*:uid" >
    </customFilters>
</ldapRegistry>

<ldapRegistry ldapType="Custom"
    baseDN="dc=example,dc=com"
    host="ldapserver2" id="ldapserver2:10389" ignoreCase="true" port="10389"
    realm="ldapserver2:10389" recursiveSearch="true" referal="follow" sslEnabled="false"
    timestampFormat="yyyyMMddHHmmss.SSSSSSZ">
    <customFilters
        groupFilter="(&(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
        groupIdMap="*:cn"
        groupMemberIdMap="groupOfUniqueNames:uniquemember"
        userFilter="(&(uid=%v)(objectclass=inetOrgPerson))"
        userIdMap="*:uid" >
    </customFilters>
</ldapRegistry>

<administrator-role>
    <user>clmadmin1</user>
    <user>clmadmin2</user>
</administrator-role>
</verbatim>
%BR%
   * The above example is from an !ApacheDS server set up with anonymous authentication. Include the !BindDN if necessary

---+++ Update Group Mappings

   * Map groups from the federated LDAPs to the respective Jazz roles
   * Edit =JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml=
<verbatim>
<application id="com.ibm.team.integration.jazzop" location="jazzop.war" name="com.ibm.team.integration.jazzop" context-root="jazzop" type="war">
    <application-bnd>
        <security-role name="JazzAdmins">
            <group name="MYJAZZADMINS"/>
            <group name="LDAP2_JAZZADMINS"/>
        </security-role>
        <security-role name="JazzUsers">
            <group name="MYJAZZUSERS"/>
            <group name="LDAP2_JAZZUSERS"/>
        </security-role>
        <security-role name="JazzProjectAdmins">
            <group name="MYJAZZPROJECTADMINS"/>
            <group name="LDAP2_JAZZPROJECTADMINS"/>
        </security-role>
        <security-role name="JazzGuests">
            <group name="MYJAZZGUESTS"/>
            <group name="LDAP2_JAZZGUESTS"/>
        </security-role>
        <security-role name="JazzDebug">
            <group name="MYJAZZDEBUG"/>
            <group name="LDAP2_JAZZDEBUG"/>
        </security-role>
    </application-bnd>
</application>
</verbatim>
   * Map the groups and users who will administer JAS
<verbatim>
<oauth-roles>
    <authenticated>
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </authenticated>
    <clientManager>
        <group name="MYJAZZADMINS" />
        <user name="MYSCIMADMIN" />
        <group name="LDAP2_JAZZADMINS"/>
        <user name="LDAP2_SCIMADMIN" />
    </clientManager>
</oauth-roles>
</verbatim>

---+++ Test SCIM with multiple registries

   * Now that JAS is configured with federated registries and SCIM, it is time to test whether users from multiple registries are listed
   * Start the server (Linux example)
<verbatim>
$ cd JazzAuthServer_install_dir
$ ./start-jazz
</verbatim>
   * Access the SCIM API for Users with this URL and confirm that users from multiple registries are listed %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Users
   * Access the SCIM API for Groups with this URL and confirm that groups from multiple registries are listed %BR% https://fully_qualified_domain_name_of_JAS_server:defined_port/ibm/api/scim/Groups
%BR%

---++ JTS SCIM configuration to map to Multiple LDAP Registries

   * It is assumed that JTS setup was completed earlier and was configured with JAS for SCIM with one LDAP registry
   * Log in to the JTS admin page as a JazzAdmin user from the first LDAP registry
   * Click on *Server > Advanced Properties* and search for the SCIM configuration *com.ibm.team.repository.service.jts.internal.userregistry.scim.SCIMUserRegistryProvider*
   * Edit *Jazz Groups to Registry Group Mapping* to include groups from the additional LDAPs %BR% One Jazz group can be mapped to multiple groups. The user registry groups must be separated by a semicolon. For example, !JazzAdmins=LDAPAdmins1;LDAPAdmins2 maps the !JazzAdmins group to LDAPAdmins1 and LDAPAdmins2
%BR% %BR%
<img src="%ATTACHURLPATH%/SCIM_Groups_Multiple.png" alt="SCIM_Groups_Multiple.png" width="850" height="475" />
%BR% %BR%
   * Save the configuration
   * Restart the application server hosting the JTS application
   * Confirm that users from the different LDAP registries are able to log in with the mapped roles

---++ Import Users

   * Currently the User Synchronization operation by default picks *UserID=sAMAccountName* for Microsoft AD and *UserId=uid* for IBM Tivoli Directory Server and !ApacheDS. It is recommended to *disable the Nightly Sync* operation until verification is completed.
   * To disable Nightly Sync, log in to the JTS/admin page, click *Server > Advanced Properties* and set *Enable Nightly Sync with SCIM provider* to *false*
   * Test by importing a user manually
   * Click on *Users > Active Users > Import Users*
   * Enter a search term, click on the user and import the user
   * In the Active Users page, click on the newly imported user and confirm that the !UserId maps to what is configured in JAS
   * The default is *uid* for Tivoli and Apache DS and *sAMAccountName* for Microsoft AD
   * Once the verification is complete, you can choose to enable the Nightly Sync or proceed with manual import of users
   * To manually import users, use the repotools command and import from a CSV file. Instructions are available on the [[https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.4/com.ibm.jazz.install.doc/topics/r_repotools_importusers.html][IBM Knowledge Center]]

---+++++!! Related topics: [[JazzAuthorizationServer][Jazz Authorization Server]], [[JASAndSCIM][Configuring Jazz Authorization Server for SCIM]]

---+++++!! External links:
   * [[https://www.ibm.com][IBM]]

<sticky></div></sticky>
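The two verification steps above ("Test SCIM with multiple registries" and the JTS group mapping) are done by eye on the page. The following is an added example, not part of the original article or of IBM's JAS/JTS code: it takes the JSON that =/ibm/api/scim/Users= and =/ibm/api/scim/Groups= return (here a constructed sample embedded inline, not a real capture) and checks three things a practitioner wants confirmed before enabling Nightly Sync: that every =participatingBaseEntry= actually contributes users, that no userName exists in more than one registry (the same id in two LDAPs is an ambiguous identity for Jazz), and that every registry group named in a =JazzAdmins=LDAPAdmins1;LDAPAdmins2= style mapping really appears in the federated Groups listing. The sample assumes each SCIM resource carries its LDAP DN in =externalId=; that attribute name, the comma separating Jazz groups in the mapping string, and all DNs and ids are assumptions of this example.

```python
"""Offline checks over SCIM Users/Groups listings from a JAS that federates
several LDAP registries. Added example; not code from the JAS article."""
import json
from collections import defaultdict

# Participating base entries, as in the federatedRepository element on the page.
BASE_ENTRIES = ["CN=Users,DC=HOST1,DC=com", "CN=Users,DC=HOST2,DC=com"]

# Constructed sample ListResponse bodies (not captured from a real server).
# ASSUMPTION: each resource exposes its LDAP DN in "externalId"; adapt
# base_entry_of()/duplicate_usernames() if your JAS returns it elsewhere.
USERS_JSON = """{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"id": "u1", "userName": "adadmin",  "externalId": "CN=adadmin,CN=Users,DC=HOST1,DC=com"},
    {"id": "u2", "userName": "jdoe",     "externalId": "CN=jdoe,CN=Users,DC=HOST1,DC=com"},
    {"id": "u3", "userName": "ad2admin", "externalId": "CN=ad2admin,CN=Users,DC=HOST2,DC=com"},
    {"id": "u4", "userName": "jdoe",     "externalId": "CN=jdoe,CN=Users,DC=HOST2,DC=com"}
  ]
}"""
GROUPS_JSON = """{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"id": "g1", "displayName": "MYJAZZADMINS",     "externalId": "CN=MYJAZZADMINS,CN=Users,DC=HOST1,DC=com"},
    {"id": "g2", "displayName": "MYJAZZUSERS",      "externalId": "CN=MYJAZZUSERS,CN=Users,DC=HOST1,DC=com"},
    {"id": "g3", "displayName": "LDAP2_JAZZADMINS", "externalId": "CN=LDAP2_JAZZADMINS,CN=Users,DC=HOST2,DC=com"}
  ]
}"""


def resources(list_response: str) -> list:
    """Return the Resources array of a SCIM ListResponse body."""
    return json.loads(list_response).get("Resources", [])


def base_entry_of(dn: str, base_entries=BASE_ENTRIES):
    """Map a DN to the participating base entry it falls under
    (case-insensitive suffix match), or None if it matches none of them."""
    dn_lower = dn.lower()
    for base in base_entries:
        if dn_lower.endswith(base.lower()):
            return base
    return None


def users_by_registry(users_json: str, base_entries=BASE_ENTRIES) -> dict:
    """userNames grouped by the base entry they came from. An empty list for a
    base entry means the federation is not picking that registry up."""
    out = {base: [] for base in base_entries}
    for user in resources(users_json):
        base = base_entry_of(user.get("externalId", ""), base_entries)
        if base is not None:
            out[base].append(user["userName"])
    return {base: sorted(names) for base, names in out.items()}


def duplicate_usernames(users_json: str) -> dict:
    """userName values (compared case-insensitively, matching ignoreCase="true")
    that occur under more than one DN, i.e. an ambiguous identity for Jazz."""
    seen = defaultdict(list)
    for user in resources(users_json):
        seen[user["userName"].lower()].append(user.get("externalId", ""))
    return {name: dns for name, dns in seen.items() if len(dns) > 1}


def parse_group_mapping(mapping: str) -> dict:
    """Parse 'JazzAdmins=LDAPAdmins1;LDAPAdmins2,JazzUsers=...' into a dict.
    Semicolons separate registry groups (as the page states); the comma
    between Jazz groups is this example's assumption."""
    result = {}
    for entry in mapping.split(","):
        entry = entry.strip()
        if not entry:
            continue
        jazz_group, _, registry_groups = entry.partition("=")
        result[jazz_group.strip()] = [g.strip() for g in registry_groups.split(";") if g.strip()]
    return result


def missing_groups(mapping: dict, groups_json: str) -> set:
    """Registry groups referenced by the mapping that the SCIM Groups listing
    does not contain; a role mapped only to such groups grants nobody."""
    present = {g["displayName"] for g in resources(groups_json)}
    return {g for groups in mapping.values() for g in groups if g not in present}


if __name__ == "__main__":
    print("users per registry:", users_by_registry(USERS_JSON))
    print("ambiguous userNames:", duplicate_usernames(USERS_JSON))
    jazz_map = parse_group_mapping(
        "JazzAdmins=MYJAZZADMINS;LDAP2_JAZZADMINS,JazzUsers=MYJAZZUSERS;LDAP2_JAZZUSERS")
    print("mapped groups missing from SCIM:", missing_groups(jazz_map, GROUPS_JSON))
```

Against a live JAS, replace the two inline JSON strings with the bodies fetched from the Users and Groups URLs shown above (as a SCIM administrator) and keep the rest unchanged. In the sample, =jdoe= is found in both registries and =LDAP2_JAZZUSERS= is mapped but not present in the Groups listing; both are exactly the conditions worth resolving before Nightly Sync is switched back on.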
Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.