This topic provides instructions on how to configure the
Tomcat application server and the Jazz application to use information
contained in the LDAP directory for authentication and a local file
for managing authorization and group membership.
About this task
To support authentication using LDAP and authorization using
the information in a local file, you must configure the LDAPLocalGroup
user registry type. Use the following steps to authenticate using
the user information contained in the LDAP directory and authorize
using the information contained in the local group mapping file.
Procedure
- Configure Tomcat to use the Jazz JNDI realm instead of
the default JNDI realm. Open <JazzInstallDir>/server/tomcat/conf/server.xml for
editing, uncomment the com.ibm.team.repository.localgroups.realm.LocalMappingJNDIRealm section,
and comment out the org.apache.catalina.realm.UserDatabaseRealm section.
<Realm className="com.ibm.team.repository.localgroups.realm.LocalMappingJNDIRealm"
connectionURL="ldap://ldapserver.example.com:389"
userBase="ou=users,dc=jazz,dc=net"
userSearch="(uid={0})"
userSubtree="true"
roleBase="ou=people,dc=xxx"
roleSubtree="false"
roleSearch="(memberNotAvailablexxx={0})"
roleName="cn"
/>
- Under GlobalNamingResources, uncomment
the "LocalRoleMap" section and comment out the "UserDatabase" section.
GlobalNamingResources defines the global
JNDI resources for the server. Set the pathname attribute to a mapping
file (CSV format) in the file system.
<GlobalNamingResources>
  ...
  <Resource name="LocalRoleMap" auth="Container"
            type="com.ibm.team.repository.localgroups.IUserRoleMap"
            description="Role mapping file"
            factory="com.ibm.team.repository.localgroups.realm.RoleMappingResourceFactory"
            pathname="/opt/JazzTeamServer/server/mapping.csv" />
</GlobalNamingResources>
Here is an example of mapping.csv.
Tomcat uses the mapping file to determine the roles associated
with each user.

user1,JazzUsers
user2,[JazzAdmins; JazzDWAdmins]
user3,JazzProjectAdmins
user4,JazzGuests

In the above example, user1 has the JazzUsers
role, while user2 has the JazzAdmins and JazzDWAdmins roles.
- Add the following entry to <JazzInstallDir>/server/tomcat/conf/Catalina/localhost/jts.xml to
allow the Jazz application to access the global JNDI resource.
<Context>
  <ResourceLink name="LocalRoleMap"
                global="LocalRoleMap"
                type="com.ibm.team.repository.localgroups.IUserRoleMap" />
  ...
</Context>
The changes listed above allow the Tomcat
application server to authenticate against the LDAP directory and to authorize
using the information in the mapping.csv file.
- If the server supports LDAP synchronization, the registry
type and settings must also be changed in the Jazz application so that it can import
users, synchronize users, and view the group membership of a user.
Log on to Server Administration (https://hostname.example.com:9443/jts/admin).
- Click .
- Under com.ibm.team.repository.service.jts.internal.userregistry.ExternalUserRegistryInternalService,
click Edit and change the user registry type
to LDAPLocalGroup.
- Under com.ibm.team.repository.userregistry.provider.ldaplocalgroup.LDAPLocalGroupRegistryProvider,
click Edit and set the LDAPLocalGroup registry
location, base user DN, and user attribute mapping information.
Note: These configuration properties are different from the
ones for the LDAP user registry provider.
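As an added example (not from this page or from IBM's Jazz code), the following Python script parses the mapping.csv format shown in the procedure above, including the [Role1; Role2] form, and reports what a reviewer of that file would want flagged: malformed rows, duplicate user entries, and roles outside the set named on this page. The sample file and the KNOWN_ROLES set are constructed from the page's example; the page does not say how Tomcat resolves a duplicate user line, so this parser only flags it and lets the later line win.

```python
from typing import Dict, List, Tuple

# Constructed sample in the mapping.csv format this page describes:
# "user,Role", or "user,[Role1; Role2]" when a user has several roles.
SAMPLE_MAPPING = """user1,JazzUsers
user2,[JazzAdmins; JazzDWAdmins]
user3,JazzProjectAdmins
user4,JazzGuests
"""

# Role names taken from the page's example; any other role is reported.
KNOWN_ROLES = {"JazzUsers", "JazzAdmins", "JazzDWAdmins",
               "JazzProjectAdmins", "JazzGuests"}


def parse_roles(field: str) -> List[str]:
    """Split the role column: a bare role, or '[A; B]' for several roles."""
    field = field.strip()
    if field.startswith("[") and field.endswith("]"):
        field = field[1:-1]
    return [r.strip() for r in field.split(";") if r.strip()]


def parse_mapping(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({user: [roles]}, findings).

    Findings describe rows without a role column, users that appear more
    than once, empty role lists, and roles not in KNOWN_ROLES.
    """
    mapping: Dict[str, List[str]] = {}
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no mapping
        user, sep, role_field = line.partition(",")
        user = user.strip()
        if not sep or not user:
            findings.append(f"line {lineno}: expected 'user,Role'")
            continue
        roles = parse_roles(role_field)
        if not roles:
            findings.append(f"line {lineno}: no role for {user}")
        for role in roles:
            if role not in KNOWN_ROLES:
                findings.append(f"line {lineno}: unknown role {role!r} for {user}")
        if user in mapping:
            findings.append(f"line {lineno}: duplicate entry for {user}")
        mapping[user] = roles  # assumption: later line wins in this parser
    return mapping, findings
```

Running parse_mapping over the real /opt/JazzTeamServer/server/mapping.csv before restarting Tomcat catches a mistyped role name, which would otherwise silently leave a user without the intended authorization.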