Configuring the Jazz Authorization Server to use an LDAP user registry

To configure the Jazz® Authorization Server to use a Lightweight Directory Access Protocol (LDAP) user registry, instead of a file-based user registry, complete the following steps.

Before you begin

If you have not already done so, copy the files in the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/defaults directory up one level to the jazzop directory as described in Managing users on Jazz Authorization Server.

When JAS is configured with LDAP, the mappings from LDAP groups to Jazz roles are taken from the JTS configuration. When you run JTS/setup, select LDAP as the user registry type, point it at the same LDAP registry that JAS uses, and enter the group mappings in the Jazz to LDAP Group Mapping property.

Procedure

  1. Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/appConfig.xml file in an editor.
    1. Comment out or delete the line that includes this content:
      <include location="localUserRegistry.xml" optional="true"/>
    2. Uncomment the line that contains this content:
      <include location="ldapUserRegistry.xml" optional="true"/>
    3. If the group name that is used for Jazz administrator access is not JazzAdmins, complete the next steps.
      1. In the <oauth-roles> element, edit the following line.
        <group name="JazzAdmins"/>
      2. Change the group name attribute value from JazzAdmins to the name of your Jazz administrator group. For example, in the following sample configuration, the clientManager role is granted to members of the YourJazzAdmins group.
        <oauth-roles>
          <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
          </authenticated>
          <clientManager>
            <group name="YourJazzAdmins"/>
          </clientManager>
        </oauth-roles>
      3. Make sure that the configuration still grants an administrator role to your Jazz administrator group, as the clientManager mapping in the sample does.

      For more information, see Configuring an OpenID Connect Provider to accept client registration requests.

    4. Save your changes and close the file.
  2. Open the JazzAuthServer_install_dir/wlp/usr/servers/jazzop/ldapUserRegistry.xml file in an editor.
    1. Modify the <ldapRegistry> element for your LDAP registry.
      For information about the attributes of the <ldapRegistry> element, see Configuring a user registry for the Liberty profile.
      Note: The configuration parameters are essentially the same as the parameters that are used to configure LDAP for WebSphere Application Server, except that they are entered in an XML file instead of in an administrative UI. Do not store the bind password in clear text: encode it with the wlp/bin/securityUtility encode command, and connect over LDAPS (sslEnabled="true") so that the bind credentials and user passwords are not sent in the clear.
    2. Save your changes and close the file.
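The ldapUserRegistry.xml that results from step 2, as an added example that is not from this page or from the Jazz Authorization Server product files. It assumes a Microsoft Active Directory registry reached over LDAPS; the host ldap.example.com, the DNs, the realm name, the svc-jas service account, the keystore paths and the encoded password values are hypothetical and must be replaced with your own. It also shows how to avoid two common weaknesses in this file: a clear-text bind password and an unencrypted LDAP connection.

```xml
<!-- Added example: ldapUserRegistry.xml for JAS after step 2 (not shipped with the product).
     Hypothetical values: ldap.example.com, dc=example,dc=com, the svc-jas bind account,
     the realm name and the keystore files. -->
<server>
    <featureManager>
        <!-- Liberty requires this feature for the <ldapRegistry> element -->
        <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <!-- LDAPS on 636: sslEnabled="true" keeps the bind DN, bind password and user
         credentials off the wire in clear text. Avoid port="389" with sslEnabled="false". -->
    <ldapRegistry id="ldap" realm="JazzLdapRealm"
        host="ldap.example.com" port="636" ignoreCase="true"
        baseDN="dc=example,dc=com"
        bindDN="cn=svc-jas,ou=service,dc=example,dc=com"
        bindPassword="{xor}LDo8LTor"
        ldapType="Microsoft Active Directory"
        sslEnabled="true" sslRef="LDAPSSLSettings">
        <!-- bindPassword: constructed placeholder. Generate the real value with
             wlp/bin/securityUtility encode (xor is obfuscation only; prefer the aes
             encoding) and never commit the clear-text password. -->
        <activedFilters
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member"/>
        <!-- Inside attribute values the ampersand of an LDAP AND filter must be written
             as &amp; ; a raw & makes the file ill-formed and the server fails to start. -->
    </ldapRegistry>

    <!-- Trust store holding the CA certificate of the LDAP server, so the LDAPS
         certificate is verified instead of being accepted blindly. -->
    <ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore"/>
    <keyStore id="LDAPKeyStore" location="${server.config.dir}/resources/security/key.p12"
        type="PKCS12" password="{xor}LDo8LTor"/>
    <keyStore id="LDAPTrustStore" location="${server.config.dir}/resources/security/ldapTrust.p12"
        type="PKCS12" password="{xor}LDo8LTor"/>
</server>
```

After saving both files, restart the jazzop server and confirm that an LDAP account that is a member of your Jazz administrator group (JazzAdmins or the group you substituted in appConfig.xml) can log in, before you rely on the LDAP registry for administration.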