Configuring Tomcat LDAPLocalGroup realm

This topic provides instructions on how to configure the Tomcat application server and the Jazz application to use information contained in the LDAP directory for authentication and a local file for managing authorization and group membership.

About this task

To support authentication using LDAP and authorization using the information in a local file, you must configure the LDAPLocalGroup user registry type. Use the following steps to authenticate using the user information contained in the LDAP directory and authorize using the information contained in the local group mapping file.

Procedure

  1. Configure Tomcat to use the Jazz JNDI realm instead of the default JNDI realm. Open <JazzInstallDir>/server/tomcat/conf/server.xml for editing, uncomment the com.ibm.team.repository.localgroups.realm.LocalMappingJNDIRealm section, and comment out the org.apache.catalina.realm.UserDatabaseRealm section.
    <Realm className="com.ibm.team.repository.localgroups.realm.LocalMappingJNDIRealm"
                   connectionURL="ldap://ldapserver.example.com:389"
                   userBase="ou=users,dc=jazz,dc=net"
                   userSearch="(uid={0})"
                   userSubtree="true"
                   roleBase="ou=people,dc=xxx"
                   roleSubtree="false"
                   roleSearch="(memberNotAvailablexxx={0})"
                   roleName="cn"
    />
  2. Under GlobalNamingResources, uncomment the "LocalRoleMap" section and comment out the "UserDatabase" section. GlobalNamingResources defines the global JNDI resources for the server. Set the pathname attribute to the path of a mapping file (CSV format) on the file system.
    <GlobalNamingResources>
    ...
    <Resource name="LocalRoleMap" auth="Container"
            type="com.ibm.team.repository.localgroups.IUserRoleMap"
            description="Role mapping file"
            factory="com.ibm.team.repository.localgroups.realm.RoleMappingResourceFactory"
            pathname="/opt/JazzTeamServer/server/mapping.csv" />
    </GlobalNamingResources>
    Here is an example of mapping.csv. Tomcat uses the mapping file to determine the roles associated with each user.
    user1,JazzUsers
    user2,[JazzAdmins; JazzDWAdmins]
    user3,JazzProjectAdmins
    user4,JazzGuests
    In the above example, user1 has the JazzUsers role, while user2 has both the JazzAdmins and JazzDWAdmins roles.
  3. Add the following entry to <JazzInstallDir>/server/tomcat/conf/Catalina/localhost/jts.xml to allow the Jazz application to access the global JNDI resource.
    <Context>
       <ResourceLink name="LocalRoleMap"
                     global="LocalRoleMap"
                     type="com.ibm.team.repository.localgroups.IUserRoleMap" />
    ...
    </Context>
    The changes listed above allow the Tomcat application server to authenticate users against the LDAP directory and to authorize them using the information in the mapping.csv file.
  4. If the server supports LDAP synchronization, the registry type and settings must be changed in the Jazz application to import users, synchronize users, and view the group membership of a user. Log on to the Server Administration page (https://hostname.example.com:9443/jts/admin).
  5. Click Server > Advanced Properties.
  6. Under com.ibm.team.repository.service.jts.internal.userregistry.ExternalUserRegistryInternalService, click Edit and change the user registry type to LDAPLocalGroup.
    LDAPLocalGroup User Registry Type
  7. Under com.ibm.team.repository.userregistry.provider.ldaplocalgroup.LDAPLocalGroupRegistryProvider, click Edit and set the LDAPLocalGroup registry location, base user DN, and user attribute mapping information.
    Note: These configuration properties are different from the ones for the LDAP user registry provider.
    LDAP local group registry provider
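The following is an added example, not part of the original topic or of the Jazz product code: a small Python parser for the mapping.csv format shown in step 2 that resolves a user's roles and then audits which accounts hold a privileged role, which is the kind of check an administrator wants before trusting the file for authorization. It assumes that the bracketed multi-role form is ';'-separated, generalizing from the single example on the page.

```python
"""Parse the Tomcat LocalRoleMap mapping.csv format (user,role or user,[roleA; roleB])."""
from __future__ import annotations

# Constructed sample input, mirroring the page's example plus a second line for user3
SAMPLE_MAPPING = """\
user1,JazzUsers
user2,[JazzAdmins; JazzDWAdmins]
user3,JazzProjectAdmins
user3,JazzUsers
user4,JazzGuests
"""


def parse_role_field(field: str) -> list[str]:
    """'JazzUsers' -> ['JazzUsers']; '[JazzAdmins; JazzDWAdmins]' -> both roles.
    Assumption: bracketed lists are ';'-separated (only the page's examples are certain)."""
    field = field.strip()
    if field.startswith("[") and field.endswith("]"):
        field = field[1:-1]
    return [role.strip() for role in field.split(";") if role.strip()]


def parse_mapping(text: str) -> dict[str, set[str]]:
    """Return {user: set(roles)}. Repeated lines for one user accumulate roles;
    a malformed line raises so a bad file is noticed rather than silently granting nothing."""
    mapping: dict[str, set[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, sep, field = line.partition(",")
        if not sep or not user.strip():
            raise ValueError(f"mapping line {lineno}: expected 'user,role(s)', got {line!r}")
        mapping.setdefault(user.strip(), set()).update(parse_role_field(field))
    return mapping


def has_role(mapping: dict[str, set[str]], user: str, role: str) -> bool:
    """Authorization decision: a user absent from the file gets no roles (deny by default)."""
    return role in mapping.get(user, set())


def privileged_accounts(mapping: dict[str, set[str]], roles=("JazzAdmins",)) -> dict[str, list[str]]:
    """Audit helper: list the accounts that hold each privileged role."""
    return {r: sorted(u for u, rs in mapping.items() if r in rs) for r in roles}


if __name__ == "__main__":
    roles_by_user = parse_mapping(SAMPLE_MAPPING)
    print("user2 is JazzDWAdmins:", has_role(roles_by_user, "user2", "JazzDWAdmins"))
    print("privileged accounts:", privileged_accounts(roles_by_user))
```

Run it against the real file with `parse_mapping(open("/opt/JazzTeamServer/server/mapping.csv").read())` to review who holds administrative roles after each change to the file.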