© 2013 IBM Corporation LDAP Fundamentals & LDAP for CLM Bruce Besch IBM Rational Services
© 2013 IBM Corporation Rational Services - ISSR 2 Agenda LDAP basics A sample LDAP directory structure Dissecting a Distinguished Name LDAP Groups LDAP for CLM Troubleshooting LDAP
© 2013 IBM Corporation Rational Services - ISSR 3 LDAP basics LDAP: Lightweight Directory Access Protocol, an industry standard for storing and retrieving attributes of things (or people) LDAP uses TCP ports 389 (insecure) and 636 (secure) by default Directories typically have a hierarchical structure Every directory entry has one or more attributes, each of which has one or more values Every entry has a name that is unique across the directory, its Distinguished Name (DN)
© 2013 IBM Corporation Rational Services - ISSR 4 A sample LDAP directory structure dc=com dc=acme ou=USA ou=Germany ou=Contractors ou=Employees cn=Mary Hill cn=Steven Schmidt cn=Jill Voss dc: Domain Component (typically in Active Directory) ou: Organizational Unit cn: Common Name
© 2013 IBM Corporation Rational Services - ISSR 5 A sample LDAP directory structure (continued) dc=com dc=acme ou=USA ou=Germany ou=Contractors ou=Employees cn=Mary Hill cn=Steven Schmidt cn=Lisa Simpson Distinguished Name (DN): cn=Steven Schmidt,ou=Contractors,ou=USA,dc=acme,dc=com Distinguished Name (DN): cn=Steven Schmidt,ou=Employees,ou=Germany,dc=acme,dc=com
© 2013 IBM Corporation Rational Services - ISSR 6 Dissecting a Distinguished Name cn=Steven Schmidt,ou=Contractors,ou=USA,dc=acme,dc=com Level in the LDAP hierarchyHighestLowest The leftmost part of a Distinguished Name is lowest in the LDAP hierarchy. The rightmost part of a Distinguished Name is highest in the LDAP hierarchy. The DN above refers to the LDAP entry Whose Common Name attribute contains the value Steven Schmidt Which resides in the Organizational Unit Contractors Which resides in the Organizational Unit USA Which is part of the Domain Component acme Which is part of the Domain Component com
© 2013 IBM Corporation Rational Services - ISSR LDAP Groups Groups are LDAP entries like any other object There is one attribute that stores the DNs of the members of the group This attribute has one value for each member. This attribute has different names depending on the LDAP server and the LDAP schema 7
© 2013 IBM Corporation Rational Services - ISSR LDAP and CLM 8 Specify the connection information for the LDAP server. To use LDAP over SSL, use ldaps:// instead of ldap:// Specify the DN of the LDAP account used to search the directory (aka “Bind DN”). This is typically required by Active Directory but any LDAP server can require it. Specify the password of the Bind DN above
© 2013 IBM Corporation Rational Services - ISSR LDAP and CLM (continued) 9 Specify the Base DN that contains all users who are going to be able to log into CLM Specify which attributes in the LDAP entry for a user map to the corresponding properties in a CLM user record.
© 2013 IBM Corporation Rational Services - ISSR LDAP and CLM (continued) 10 Specify the Base DN that contains all groups that you are specifying in the field below Specify which LDAP groups map to the five Jazz system groups. If the LDAP group names match the Jazz group names, the default can be kept. Specify which attribute of the group entry in LDAP contains the name of the group. Specify which attribute of the group entry in LDAP contains the members of the group.
© 2013 IBM Corporation Rational Services - ISSR Choosing the right Base DN 11 dc=com dc=acme ou=USA ou=Germany ou=Contractors ou=Employees cn=Steven Schmidt cn=Mary Hill cn=Steven Schmidt cn=Jill Voss When searching for objects in the directory, CLM will start at the Base DN and search it and all levels below. For performance reasons choose the lowest point in the hierarchy that is high enough to contain all users/groups who need access to CLM as the Base DN.
© 2013 IBM Corporation Rational Services - ISSR Testing the LDAP configuration 12 Enter the user ID of an LDAP-authenticated user that will have administrative privileges to continue to the setup. This user must be member of the LDAP group mapped to JazzAdmins. Note: “user ID” refers to the LDAP attribute that was configured to map to the “userId” property in Jazz.
© 2013 IBM Corporation Rational Services - ISSR Saving Tomcat Files When using Tomcat, the LDAP configuration is stored in XML files Clicking “Save Tomcat Files” will write the LDAP configuration to temporary XML files in the Tomcat directories First click “Next” in the JTS Setup Wizard, then replace the existing XML files with the temporary XML files to enable the LDAP configuration: \server\tomcat\conf\server.xml \server\tomcat\webapps\admin\WEB-INF\web.xml \server\tomcat\webapps\ccm\WEB-INF\web.xml \server\tomcat\webapps\jts\WEB-INF\web.xml \server\tomcat\webapps\rm\WEB-INF\web.xml \server\tomcat\webapps\qm\WEB-INF\web.xml Finally restart Tomcat, restart the browser and start the JTS Setup Wizard again, this time log in using an LDAP-authenticated user and continue through the wizard. 13
© 2013 IBM Corporation Rational Services - ISSR Importing Users 14 In order for users to be able to log into CLM, they must be imported into the Jazz repository. You can search for users using the Import Users wizard. The asterisk (*) is available as a wildcard. Users are synced nightly with the LDAP server, so users added in LDAP will be created in CLM by the next day. (You can also trigger the sync manually at any time.)
© 2013 IBM Corporation Rational Services - ISSR Connecting to an LDAP server using an LDAP management tool Apache Directory Studio is an open source Eclipse-based management tool that can connect to any LDAP server. You can use it to browse the LDAP hierarchy, perform searches or make changes to the directories entries. It is available for download from 15
© 2013 IBM Corporation Rational Services - ISSR Troubleshooting basic LDAP problems LDAP configuration is complete but the Import Users wizard shows no users –Use an LDAP management tool to verify that the Base DN for users and the search string are correct and make changes as necessary A user does not have JazzAdmin privileges even though that user is member of the corresponding group in LDAP –Verify that the Jazz group-to-LDAP group mapping is correct –Verify that the correct LDAP attribute was selected as the one containing membership information –Verify that the Base DN for groups is correct and use an LDAP management tool to verify the group can be found –If the user has a mixed-case username or entered their username with a different case than what is stored in LDAP, make sure that case insensitive user matching is enabled. This is a setting that is configurable on the Advanced Properties page in JTS. 16
© 2013 IBM Corporation Rational Services - ISSR 17 © Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.