Configuring Rational Team Concert on Tomcat to use LDAP

You can configure the included IBM® Rational® Team Concert™ running on Apache Tomcat to use LDAP.

Before you begin

You must have administrative access to the Tomcat server.

Unlike Rational Asset Manager, Rational Team Concert uses LDAP groups to determine user roles. You must be able to create LDAP groups, or know the names of LDAP groups that you can remap to the appropriate roles for Rational Team Concert.

About this task

Complete the following procedure only if you meet either of these requirements:
  • The included Rational Team Concert is on the same Tomcat server as Rational Asset Manager and you have configured Rational Asset Manager to use LDAP authentication.
  • The included Rational Team Concert is on a different server and you want to use LDAP authentication for the single user.

Procedure

  1. Shut down the Tomcat server.
  2. Configure the Tomcat server for Rational Team Concert to use LDAP. If Rational Team Concert is on the same server as Rational Asset Manager, you already configured the Tomcat server in step 4 of Configuring the Tomcat server for Rational Asset Manager to use LDAP. If Rational Asset Manager and Rational Team Concert are on different servers, complete the following:
    1. In a text editor, open the tomcat_for_rtc_install_directory/conf/server.xml file.
    2. Find the Realm tag and edit it with the appropriate values for your LDAP server:
      <Realm  className="org.apache.catalina.realm.JNDIRealm" debug="99"
           connectionURL="ldap://example.com:389"
           connectionName="uid=123456,c=us,ou=exampleorganization,o=example.com"
           connectionPassword="password"
           userBase="ou=exampleorganization,o=example.com"
           userSearch="(mail={0})"
           userSubtree="true"
           roleBase="ou=memberlist,ou=groups,o=example.com"
           roleName="cn"
           roleSearch="(mail={0})"
           roleSubtree="true"
      />
      Where:
      Table 1. LDAP properties needed for Rational Asset Manager and Rational Team Concert
      LDAP Property        Definition
      connectionURL        The location and port for the LDAP server
      connectionName       The distinguished user name that is used to connect to the LDAP repository
      connectionPassword   The password for the distinguished user
      userBase             When you search for a user, this is where to start the search.
      userSearch           The LDAP search filter to use to select the user entry after substituting the user name in {0}.
      userSubtree          To enable LDAP searches of the entire subtree, set this value to true.
      roleBase             The base entry for the role search
      roleName             An LDAP entry that contains the name of the role
      roleSearch           The LDAP filter that is used for searching groups
      roleSubtree          To enable LDAP searches of the entire roles subtree, set this value to true.
  3. Configure four LDAP groups for Rational Team Concert.
    Create four groups:
    • JazzAdmins
    • JazzDWAdmins
    • JazzUsers
    • JazzGuests
    The user who is the Rational Team Concert server administrator must be in the JazzAdmins group. To add the user to the group, complete either of these steps:
    • In LDAP, create a group called JazzAdmins, and add the Tomcat server administrator to that group.
    • You can map existing LDAP group names to the group names required for Rational Team Concert. Modify the tomcat_for_rtc_install_directory/webapps/jazz/WEB-INF/web.xml file as described in TN0030: User management for Jazz servers in Tomcat. If that file does not exist, start and then stop your Tomcat server; the file will exist after the ramjazz.war application is deployed.
    For more information about creating LDAP groups, see the documentation for your LDAP server.
  4. Restart the Tomcat server.
  5. Remove the developer license from the old administrative user:
    1. Launch the Administration web user interface of Rational Team Concert in a web browser at https://machine_name:secure_port/jazz/admin/. Note the https; the connection must be secure.
    2. Log in with the user ID and password for the new administrative user that is a member of the JazzAdmins LDAP group.
    3. Click User Management.
    4. Click the name of the previous administrative user.
    5. In the Client Access License section, clear the selected Rational Team Concert – Developer license.
    6. Click Save.
  6. Add the new administrative user:
    1. Click Create user.
    2. Enter the following details:
      1. User Name: The user ID (LDAP login) of the new server administrator
      2. User ID: The user ID (LDAP login) of the new Tomcat server administrator
      3. Email Address: A valid email address for the Tomcat server administrator
    3. In the Client Access License section, select Rational Team Concert - Developer to assign the developer license to that user.
    4. Click Save.
    5. Log out, and then log back in to the Admin Web UI as the new administrator of the application server.
  7. Assign the appropriate memberships and process roles for the new administrator:
    1. On the Project Area Management page, click the RAM Lifecycle project area.
    2. In the Administrators section, click Add. Search for and select the administrator user that you created. If you are working with an existing Rational Team Concert application, you can also select a different user to be administrator for this project area.
    3. In the Members section, click Add; then search for and select the same user that you selected as the administrator for the project area.
    4. After you add the administrator, click the Process Roles icon next to the administrator's name.
    5. In the Edit Process Roles window, from the Available Roles list, select Administration and click Add.
    6. Click Finish.
    7. Click Save.
  8. Stop and then restart the Tomcat server.
  9. Change the information about the administrative user for Rational Team Concert in Rational Asset Manager:
    1. In a web browser, log in to the Rational Asset Manager as a repository administrator.
    2. Click Administration > Configuration.
    3. In the Internal Rational Team Concert Path section, update the User and Password fields for the new Rational Team Concert administrator.
    4. Click Save.
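
A check you can run against server.xml after editing the Realm tag in step 2 and before restarting Tomcat in step 4, given here as an added example that is not part of the original IBM procedure. It reports attribute names that are not in the Realm example (for instance a misspelled connectionURL), Table 1 properties that are absent, and a connectionURL that uses ldap:// rather than ldaps://. The names check_realm, TABLE1, OTHER and SAMPLE and the wording of the findings are assumptions of this example, and the sample server.xml is constructed from the values shown in step 2.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Attribute names listed in Table 1 of this page.
TABLE1 = {"connectionURL", "connectionName", "connectionPassword",
          "userBase", "userSearch", "userSubtree",
          "roleBase", "roleName", "roleSearch", "roleSubtree"}
# Present on the page's Realm tag but not listed in Table 1.
OTHER = {"className", "debug"}

# Constructed sample: the page's Realm values inside a minimal server.xml.
SAMPLE = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       {url_attr}="{url}"
       connectionName="uid=123456,c=us,ou=exampleorganization,o=example.com"
       connectionPassword="password"
       userBase="ou=exampleorganization,o=example.com"
       userSearch="(mail={{0}})" userSubtree="true"
       roleBase="ou=memberlist,ou=groups,o=example.com"
       roleName="cn" roleSearch="(mail={{0}})" roleSubtree="true"/>
</Engine></Service></Server>"""

def check_realm(server_xml_text):
    """Return a list of findings for every JNDIRealm in a server.xml string."""
    findings = []
    realms = [r for r in ET.fromstring(server_xml_text).iter("Realm")
              if r.get("className", "").endswith("JNDIRealm")]
    if not realms:
        return ["no JNDIRealm found"]
    for realm in realms:
        names = set(realm.attrib)
        for name in sorted(names - TABLE1 - OTHER):
            findings.append(f"attribute not in the page's Realm example: {name}")
        for name in sorted(TABLE1 - names):
            findings.append(f"missing Table 1 attribute: {name}")
        url = realm.get("connectionURL")
        if url and urlparse(url).scheme.lower() != "ldaps":
            findings.append("connectionURL scheme is ldap, not ldaps")
        # Table 1: the user name is substituted for {0} in userSearch.
        if "{0}" not in realm.get("userSearch", "{0}"):
            findings.append("userSearch has no {0} placeholder")
    return findings

if __name__ == "__main__":
    text = SAMPLE.format(url_attr="connnectionURL", url="ldap://example.com:389")
    for finding in check_realm(text):
        print(finding)
```

To check a real installation, pass the contents of tomcat_for_rtc_install_directory/conf/server.xml to check_realm. Because connectionPassword is stored in that file in clear text, restrict read access to the account that runs Tomcat.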
