LDAP configuration file (ldapentry.xml)

The WCServer_enterprise_archive/xml/ldap/ldapentry.xml file is used when WebSphere Commerce is configured to use an LDAP server as the master profile repository for users and organizations. WebSphere Commerce interacts with the LDAP server using WebSphere Application Server's federated repository. The federated repository is implemented using Virtual Member Manager (VMM).

The ldapentry.xml file provides the mapping between WebSphere Commerce attributes and VMM attributes, to sychronize data between WebSphere Commerce database and LDAP. This mapping file provides a default mapping for the most commonly used attributes. The attributes can be customized. See List of attributes that can be synchronized with LDAP for more information.

Note: Ensure that you check the wc-server.xml file to verify which ldapentry file is being used:

Microsoft Active Directory: typically uses ldapentry_ad.xml
Other LDAP servers: typically uses ldapentry.xml

For information about mapping VMM attributes to LDAP attributes, see Default LDAP configuration mapping based on LDAP server type.
If the VMM attribute that you specified is not defined in the VMM entity you are using, define it in VMM. For more information, see Using addIdMgrPropertyToEntityTypes command to add a new property to one or more existing entity types.
Property types supported by virtual member manager, where WebSphere Commerce User corresponds to PersonAccount in VMM, and WebSphere Commerce Organizational Entity corresponds to OrgContainer in VMM.

Sample data in the ldapentry.xml file


<?xml version="1.0"?>
<!DOCTYPE ldapentry SYSTEM "ldapentry.dtd">
<ldapentry>
   <entry entryName="User">
      <ldapsetting>       
              <ldaprdn rdnName="uid" keyAttrName="logonId" keyObjName="UserRegistry"/>
          </ldapsetting>
      <ldapmap>
         <map>
            <objectAttribute attrName="logonPassword"/>
            ldapAttribute name="password" operation="replace" flow="wcsToLdap"/>
         </map>
         <map>
            <objectAttribute attrName="lastName"/>
            <objectAttribute attrName="firstName"/>
            <objectSeparator attrSeparator="/"/>
            <ldapAttribute name="cn" operation="replace" flow="wcsToLdap"/>
         </map>
         <map>
            <objectAttribute attrName="lastName"/>
            <ldapAttribute name="sn" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="firstName"/>
            <ldapAttribute name="givenName" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="phone1"/>
            <ldapAttribute name="homePhone" operation="add" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="email1"/>
            <ldapAttribute name="mail" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="zipCode"/>
            <ldapAttribute name="postalCode" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="address1" size="50"/>
            <objectAttribute attrName="address2" size="50"/>
            <objectAttribute attrName="address3" size="50"/>
            <objectSeparator attrSeparator="/"/>
            <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
         </map>
      </ldapmap>
   </entry>
   <entry entryName="Organization">
      <ldapsetting>   
              <ldaprdn rdnName="o" keyAttrName="orgEntityName" keyObjName="Organization"/>
          </ldapsetting>
      <ldapmap>
         <map>
            <objectAttribute attrName="businessCategory"/>
            <ldapAttribute name="businessCategory" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="description"/>
            <ldapAttribute name="description" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="address1" size="50"/>
            <objectAttribute attrName="address2" size="50"/>
            <objectAttribute attrName="address3" size="50"/>
            <objectSeparator attrSeparator="/"/>
            <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="phone1"/>
            <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
         </map>
      </ldapmap>
   </entry>
   <entry entryName="OrganizationalUnit">
          <ldapsetting>                   
              <ldaprdn rdnName="ou" keyAttrName="orgEntityName" keyObjName="Organization"/>
          </ldapsetting>
      <ldapmap>
         <map>
            <objectAttribute attrName="businessCategory"/>
            <ldapAttribute name="businessCategory" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="description"/>
            <ldapAttribute name="description" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="address1" size="50"/>
            <objectAttribute attrName="address2" size="50"/>
            <objectAttribute attrName="address3" size="50"/>
            <objectSeparator attrSeparator="/"/>
            <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="phone1"/>
            <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
         </map>
      </ldapmap>
   </entry>
</ldapentry>

The format of the ldapentry.xml file is as follows:

entry

The entry element identifies which type of member the mappings are for. Valid values are User, Organization, or OrganizationalUnit.

ldapsetting - ldaprdn - rdnName

Specifies which LDAP attribute is the RDN attribute

ldapsetting - ldaprdn - keyAttrName

Specifies which WebSphere Commerce attribute maps to the RDN attribute.

ldapsetting - ldaprdn - keyObjName

Specifies the WebSphere Commerce access bean that contains the keyAttrName attribute.

ldapsetting - ldapocs - objClass

This option is no longer used. It has been moved to the wimconfig.xml file.

ldapsetting - ldapbase - defaultBase

This option is no longer used. It has been moved to the wimconfig.xml file.

ldapsetting - ldapbase - searchBase

This option is no longer used. It has been moved to the wimconfig.xml file.

map -objectAttribute - attrName

A WebSphere Commerce attribute name. See List of attributes that can be synchronized with LDAP for more information.

map -ldapAttribute - name

Name of the VMM attribute to be mapped to the WebSphere Commerce attribute specified in attrName. The VMM attribute name is commonly the same as the LDAP attribute name. In cases where it is different, the mapping is defined in the attributeConfiguration element of the wimconfig.xml file.

map -ldapAttribute - flow

Specifies how the attribute value is read from and written to LDAP. Valid values are:

ldapToWcs

The value flows from LDAP to WebSphere Commerce database only. This is used during authentication and get operations.

wcsToLdap

The value flows from WebSphere Commerce database to LDAP only. This setting applies when creating or updating a member in WebSphere Commerce.

bothDirections

The value flows both ways, between WebSphere Commerce database and LDAP.

If WebSphere Commerce is used to create or update a user or organization using the member commands, for example, UserRegistrationAddCmd or OrgEntityUpdateCmd, then the flow of data is WebSphere Commerce to LDAP. On a read or get request, for example at Logon time or when populating a databean, the flow of data is LDAP to WebSphere Commerce, because LDAP is considered the master of record. However, data is only transferred if the record in LDAP has been updated more recently than it has been last synchronized with WebSphere Commerce. This last synchronized time is stored in the WMMMAP table.

ldapOnly

The value exists only on LDAP, not the WebSphere Commerce database. These attributes will be accessible from the following APIs:

UserSyncBean.getProperty(String propertyName)
OrganizationSyncBean.getProperty(String propertyName)

That will in turn make it available to the following data beans:

UserRegistrationDataBean.getAttribute(String attributeName)
OrgEntityDataBean.getAttribute(String attributeName)

In turn, the GetPerson and GetOrganization services will populate the Person and Organization SDOs with these attributes when using the IBM_All access profile:

/Person/Attributes
/Organization/Attributes

map -ldapAttribute - operation

Specifies whether how the attribute value should be modified for LDAP. Valid values are replace or add. A value of replace updates the current user information with the new information provided (for example, replace a existing phone number with a new one). A value of add includes another entry for the user (for example, adding a new phone number to the current user information, making a list of phone numbers for the user).

map - objectSeparator - attrSeparator

Separator character used when storing or retrieving multiple WebSphere Commerce attributes to or from a single LDAP attribute. Replicating multivalued attributes is not supported.

Synchronization of multi-valued LDAP attributes to the MBRATTRVAL table

The MBRATTRVAL table is used for storing custom member attributes. The table can store multiple values (rows) for a single attribute and user. LDAP can handle multivalued attributes.

For example:


<map>
     <objectAttribute attrName="JobFunction_10001_r_n"/>
     <ldapAttribute name="telephoneNumber" operation="replace" flow="bothDirections"/>
</map>

Original mapping:


<!--
<map>
     <objectAttribute attrName="phone1"/>
     <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
</map>
-->

The telephoneNumber VMM attribute maps to the JobFunction_10001_r_n WebSphere Commerce attribute. This WebSphere Commerce attribute, based on the naming convention, is a custom member attribute, whose values are stored in the MBRATTRVAL table. Note that the member attribute name ends with _n to indicate that it is multivalued.

If there are multiple values in the MBRATTRVAL table, they are synchronized over to multiple values in LDAP. Conversely, if there are multiple values in LDAP, they are synchronized to multiple rows in the MBRATTRVAL table.

The following URL is an example of how to add or update two JobFunction values for the current user:

https://localhost/webapp/wcs/stores/servlet/UserRegistrationUpdate?storeId=10101&catalogId=10101&langId=-1
&editRegistration=Y&JobFunction_10101_r_1=manager&JobFunction_10101_r_2=clerk&URL=UserRegistrationForm

Note the two occurrences of JobFunction updates in the URL string. The first being JobFunction_10101_r_1 for manager and the second being JobFunction_10101_r_2 for clerk.