Deploying nested LDAP groups in WAS for IBM Directory Security Server
If WebSphere Application Server (WAS) has been configured with the IBM Directory Security Server LDAP repository and WAS has been enabled for nested groups, you must configure the Membership and Member attributes in a special way to take advantage of nested groups.
Before you begin
Note: If WAS has been configured to use the IBM Tivoli Directory Security Server with nested groups, IBM Connections resolves membership through the server's group membership operational attribute, which is the most efficient way to evaluate nested groups. This requires specific configuration in both WAS and the IBM Directory Security Server LDAP directory: a specific set of attribute and object class pairings (ibm-memberGroup on the ibm-nestedGroup auxiliary class, shown below) must be deployed in the LDAP directory. Most other LDAP directories do not require special deployment for membership.
Note: The Connections/WAS administrator might not be the same person as the LDAP administrator.
Note: If an administrator wants to use nested groups, verify that the LDAP administrator has actually deployed the groups using the LDAP operational attributes, because this is not the default. Connections relies on the operational attributes so that it does not overload the LDAP server and cause performance problems when nested groups are deployed: without them, nesting would have to be resolved by repeated searches from the application side.
About this task
The following example shows a three-level nested group hierarchy deployed in the LDAP directory. Each group that contains subgroups carries the ibm-nestedGroup auxiliary class and lists every subgroup DN both as a uniquemember (for ordinary group lookups) and as an ibm-memberGroup (for the operational attributes that Connections uses). Note that the subgroup DNs in ibm-memberGroup must be the full entry DNs, including cn=Groups:
cn=NorthAmericanSales Membership,cn=Groups,o=ibm,dc=com
objectClass=top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
ibm-memberGroup=cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
ibm-memberGroup=cn=UnitedStatesSales Membership,cn=Groups,o=ibm,dc=com
cn=NorthAmericanSales Membership
description=Top level of a 3-level hierarchy
uniquemember=cn=Jane Smith45,cn=Users,o=ibm,dc=com
uniquemember=cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=UnitedStatesSales Membership,cn=Groups,o=ibm,dc=com
cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
objectClass=top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
ibm-memberGroup=cn=AlbertaSales Membership,cn=Groups,o=ibm,dc=com
ibm-memberGroup=cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
ibm-memberGroup=cn=OntarioSales Membership,cn=Groups,o=ibm,dc=com
cn=CanadianSales Membership
description=Second level in North America
uniquemember=cn=Jane Smith55,cn=Users,o=ibm,dc=com
uniquemember=cn=AlbertaSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=OntarioSales Membership,cn=Groups,o=ibm,dc=com
cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
objectClass=top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
cn=QuebecSales Membership
description=Third level in North America
uniquemember=cn=Frank Ouelette,cn=Users,o=ibm,dc=com
Where:
- ibm-nestedGroup is an auxiliary class that allows the optional ibm-memberGroup attribute. It is added to a structural group class such as groupOfNames or groupOfUniqueNames to enable subgroups to be nested within the parent group.
- ibm-memberGroup is an attribute provided by the auxiliary class ibm-nestedGroup that identifies the subgroups of a parent group entry. Members of such subgroups are regarded as members of the parent group when the server processes ACLs or the ibm-allMembers and ibm-allGroups operational attributes. A subgroup listed only as a uniquemember, without a matching ibm-memberGroup value, is not expanded by these operational attributes.
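Before enabling nested groups in WAS, confirm that the LDAP administrator deployed the groups with this pairing (the note above warns that it is not the default). The authoritative check is a base-scope search against a top-level group requesting the operational attribute, for example ldapsearch -b "cn=NorthAmericanSales Membership,cn=Groups,o=ibm,dc=com" -s base "(objectclass=*)" ibm-allMembers, which the server expands only through ibm-memberGroup. As an added offline example, not part of the IBM Connections documentation or of the product, the Python below performs the equivalent consistency check on an LDIF export: it flags any group that lists a subgroup as uniquemember without the ibm-nestedGroup class and a matching ibm-memberGroup value, and it flattens membership the way ibm-allMembers does so the result can be compared with the live query. The LDIF, the cn=Groups and cn=Users DNs and the deliberately broken BrokenSales group are constructed sample data.

```python
"""Offline check that nested groups carry the ibm-nestedGroup / ibm-memberGroup
pairing. Added example, not IBM code; every DN below is constructed sample data."""
from collections import defaultdict

# Constructed LDIF export: the page's hierarchy plus one deliberately broken group.
SAMPLE_LDIF = """\
dn: cn=NorthAmericanSales Membership,cn=Groups,o=ibm,dc=com
objectClass: groupOfUniqueNames
objectClass: ibm-nestedGroup
ibm-memberGroup: cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
uniqueMember: cn=Jane Smith45,cn=Users,o=ibm,dc=com
uniqueMember: cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com

dn: cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
objectClass: groupOfUniqueNames
objectClass: ibm-nestedGroup
ibm-memberGroup: cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
uniqueMember: cn=Jane Smith55,cn=Users,o=ibm,dc=com
uniqueMember: cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com

dn: cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=Frank Ouelette,cn=Users,o=ibm,dc=com

dn: cn=BrokenSales Membership,cn=Groups,o=ibm,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
"""

GROUP_CLASSES = {"groupofuniquenames": "uniquemember", "groupofnames": "member"}

def norm_dn(dn):
    """Case-fold and strip spaces around commas; full RFC 4514 normalisation
    is not attempted (assumption: the export is consistently written)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF reader: {normalised dn: {attr_lower: [values]}}. Plain
    'attr: value' lines only (no base64, folding or change records)."""
    entries, current = {}, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[norm_dn(current["dn"][0])] = current
                current = None
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "dn":
            current = defaultdict(list)
        if current is None:
            raise ValueError("attribute line before dn: %r" % line)
        current[name].append(value.strip())
    return entries

def member_attr(entry):
    """Member attribute of a group entry (uniqueMember/member), else None."""
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    return next((a for oc, a in GROUP_CLASSES.items() if oc in classes), None)

def check_nested_groups(entries):
    """(group, subgroup, reason) for every subgroup referenced only through
    uniqueMember/member: the operational attributes will not expand it."""
    findings = []
    for dn, entry in entries.items():
        attr = member_attr(entry)
        if attr is None:
            continue
        nested = "ibm-nestedgroup" in {oc.lower() for oc in entry["objectclass"]}
        declared = {norm_dn(v) for v in entry.get("ibm-membergroup", [])}
        for sub in (norm_dn(m) for m in entry.get(attr, [])):
            if sub in entries and member_attr(entries[sub]) is not None:
                if not nested:
                    findings.append((dn, sub, "missing objectClass ibm-nestedGroup"))
                elif sub not in declared:
                    findings.append((dn, sub, "subgroup not listed in ibm-memberGroup"))
    return findings

def all_members(entries, group_dn):
    """Leaf (non-group) members reachable by following ibm-memberGroup, which
    is how ibm-allMembers resolves nesting; a visited set breaks cycles."""
    result, visited, stack = set(), set(), [norm_dn(group_dn)]
    while stack:
        dn = stack.pop()
        if dn in visited or dn not in entries or member_attr(entries[dn]) is None:
            continue
        visited.add(dn)
        entry = entries[dn]
        for m in (norm_dn(v) for v in entry.get(member_attr(entry), [])):
            if not (m in entries and member_attr(entries[m]) is not None):
                result.add(m)
        stack.extend(norm_dn(s) for s in entry.get("ibm-membergroup", []))
    return result

if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for group, sub, reason in check_nested_groups(ents):
        print("WARN %s -> %s: %s" % (group, sub, reason))
    print(sorted(all_members(ents, "cn=NorthAmericanSales Membership,cn=Groups,o=ibm,dc=com")))
```

If the check reports a finding, fix the directory (add the auxiliary class and the ibm-memberGroup values) rather than working around it in WAS: as the BrokenSales entry shows, a group that nests only through uniquemember yields no nested members through the operational attributes, so Connections would treat Frank Ouelette as not being a member of it.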
Perform the following steps using the Integrated Solutions console: