This topic provides instructions on how to configure the
Tomcat application server and the Jazz application to use information
contained in the LDAP directory for authentication and a local file
for managing authorization and group membership.
About this task
To support authentication by using LDAP and authorization
by using the information in a local file, you must configure the LDAPLocalGroup
user registry type. Use the following steps to authenticate by using
the user information contained in the LDAP directory and authorize
by using the information contained in the local group mapping file.
Procedure
- Configure Tomcat to use the Jazz JNDI realm instead of
the default JNDI realm:
- Open JazzInstallDir/server/tomcat/conf/server.xml for
editing, uncomment the com.ibm.team.repository.localgroups.realm.LocalMappingJNDIRealm section,
and comment out the org.apache.catalina.realm.UserDatabaseRealm section
and any other realm you may have defined during a prior configuration
change, such as org.apache.catalina.realm.JNDIRealm.
- Replace the values in connectionURL, userBase,
and userSearch with the values from your LDAP
directory.
<Realm className="com.ibm.team.repository.localgroups.realm.LocalMappingJNDIRealm"
connectionName="ldap_bind_user_id"
connectionPassword="ldap_bind_user_password"
connectionURL="ldap://ldapserver.example.com:389"
userBase="ou=users,dc=jazz,dc=net"
userSearch="(uid={0})"
userSubtree="true"
roleBase="ou=people,dc=xxx"
roleSubtree="false"
roleSearch="(memberNotAvailablexxx={0})"
roleName="cn"
/>
- Under GlobalNamingResources, uncomment
the "LocalRoleMap" section and comment out the "UserDatabase" section.
GlobalNamingResources defines the global
JNDI resources for the server. Set the pathname attribute to a mapping file
in .csv format on the file system. To make user name matching
case insensitive, make sure ignorecase is
set to true.
<GlobalNamingResources>
...
<Resource name="LocalRoleMap" auth="Container"
type="com.ibm.team.repository.localgroups.IUserRoleMap"
description="Role mapping file"
factory="com.ibm.team.repository.localgroups.realm.RoleMappingResourceFactory"
ignorecase="true"
pathname="/opt/JazzTeamServer/server/mapping.csv" />
</GlobalNamingResources>
Here is an
example of mapping.csv. Tomcat uses the mapping file
to determine the roles associated with each user.
In this example, user1 has the JazzUsers role while user2 has the JazzAdmins
and JazzProjectAdmins roles.
user1,JazzUsers
user2,[JazzAdmins; JazzProjectAdmins]
user3,JazzProjectAdmins
user4,JazzGuests
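To see how the two line forms of mapping.csv resolve to roles, and what the ignorecase setting changes, here is a small parser written for this page (it is an added example, not code from Tomcat or the Jazz realm; the exact matching rules of the real LocalRoleMap resource are assumed, and the duplicate-user check is this helper's own validation):

```python
from typing import Dict, List

# Constructed sample in the mapping.csv format shown above.
SAMPLE_MAPPING_CSV = """\
user1,JazzUsers
user2,[JazzAdmins; JazzProjectAdmins]
user3,JazzProjectAdmins
user4,JazzGuests
"""


def parse_role_mapping(text: str, ignorecase: bool = True) -> Dict[str, List[str]]:
    """Parse lines of the form 'user,Role' or 'user,[Role1; Role2]'.

    ignorecase=True lower-cases the user name key, modelling the
    ignorecase="true" attribute on the LocalRoleMap resource (assumption:
    the real resource compares user names case-insensitively).
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # skip blank lines
        if "," not in line:
            raise ValueError(f"line {lineno}: expected 'user,roles'")
        user, roles_field = (part.strip() for part in line.split(",", 1))
        if roles_field.startswith("[") and roles_field.endswith("]"):
            # Bracketed list: roles separated by semicolons.
            roles = [r.strip() for r in roles_field[1:-1].split(";") if r.strip()]
        else:
            roles = [roles_field] if roles_field else []
        if not user or not roles:
            raise ValueError(f"line {lineno}: missing user name or roles")
        key = user.lower() if ignorecase else user
        if key in mapping:
            # Two lines for one user would make the effective roles ambiguous.
            raise ValueError(f"line {lineno}: duplicate entry for user {user!r}")
        mapping[key] = roles
    return mapping


def roles_for(mapping: Dict[str, List[str]], user: str, ignorecase: bool = True) -> List[str]:
    """Return the roles for a user name, or [] if the user is not mapped."""
    return mapping.get(user.lower() if ignorecase else user, [])
```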
- Go to JazzInstallDir/server/tomcat/webapps/jts/META-INF and
copy the context.xml file to JazzInstallDir/server/tomcat/conf/Catalina/localhost.
- Rename the context.xml file that you
just copied to jts.xml.
- Open jts.xml for editing and add the
following entry to allow the Jazz application to access the global
JNDI resource.
<Context crossContext="true">
<ResourceLink name="LocalRoleMap"
global="LocalRoleMap"
type="com.ibm.team.repository.localgroups.IUserRoleMap" />
...
</Context>
These changes allow the Tomcat application
server to authenticate using the LDAP directory and to authorize using
the information in the mapping.csv file.
- If the server supports LDAP synchronization, the registry
type and settings must be changed in the Jazz application to import
users, synchronize users, and view the group membership of a user.
Log on to the Server Administration page at https://hostname.example.com:9443/jts/admin and
click .
- Under com.ibm.team.repository.service.jts.internal.userregistry.ExternalUserRegistryInternalService,
click Edit and change the user registry type
to LDAPLocalGroup.
- Under com.ibm.team.repository.userregistry.provider.ldaplocalgroup.LDAPLocalGroupRegistryProvider,
click Edit and set the LDAP registry location,
base user DN, and user attribute mapping information.
Note: These
configuration properties are different from the ones for the LDAP user
registry provider.