LDAP objectclass/attribute pairings for nested groups
The required Objectclass/Attribute pairings for nested groups are different for each LDAP directory type.
Consider whether you need nested groups
- Know the depth and breadth of nesting (how many nested groups exist and how many layers deep they go) in your LDAP directory, so you can estimate the load that queries expanding nested groups will place on the configured LDAP server.
- Verify that the LDAP directory was deployed with nested groups. Note: for some directories, such as IBM Security Directory Server, the LDAP administrator must have created the nested groups with the specific nested-group objectclasses listed in Table 1. Refer to the IBM Security Directory Server documentation for details.
- The attribute pairings in Table 1 are the standard defaults for each LDAP directory. Consult your LDAP documentation and LDAP administrator to confirm that your deployment uses those defaults before configuring WebSphere Application Server.
- Attributes differ between LDAP service providers.
- If nested groups are deployed in LDAP and enabled in WAS, the nested groups are enumerated along with direct memberships.
- Nested groups require an operational attribute so that Connections can use the efficient, server-side expansion of group membership that the LDAP provider offers, instead of resolving membership group by group.
An objectclass defines the set of attributes that an entry can carry.
The operational attribute used to expand nested groups has special meaning to a specific directory server: it is maintained by the server itself (not written by clients) and reflects information the server manages about an entry or that affects server operation.
Table 1 lists the required objectclass/attribute pairings by LDAP directory type:

LDAP | Group member attribute/objectclass pairing | Group member operational attribute |
---|---|---|
IBM® Security Directory Server 6.2 | attribute: uniquemember; objectclass: groupOfUniqueNames; nested attribute: ibm-membershipGroup; nested objectclass: ibm-nestedGroup | ibm-allGroups |
Active Directory 2008 | attribute: member; objectclass: group. Note: Active Directory does not expand nested groups automatically; WAS requires special configuration for group expansion. | memberOf |
IBM® Domino® 9.0.x | attribute: member; objectclass: dominoGroup | DominoAccessGroups |
Sun Directory Server 7 | attribute: uniquemember; objectclass: groupOfUniqueNames | isMemberOf |
Novell eDirectory 5.8.8 | attribute: member; objectclass: groupOfNames | groupMembership |
Recursive searching of group membership is enabled in WebSphere Application Server with the following JVM system property:

```
-Dcom.ibm.connections.recursively.search.membership=true
```
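As an added example (not code from the original page or from IBM/HCL Connections), the following Python script encodes the pairings from Table 1 and contrasts the two ways membership gets expanded: a single read of the operational attribute where the server already folds nested groups into it, versus a client-side recursive walk where it does not (the Active Directory case noted in the table). The directory contents, DNs and the `transitive` flags on each profile are constructed assumptions for this example; the group-search filter escapes the DN per RFC 4515 so a value containing filter metacharacters cannot alter the query.

```python
"""Nested-group expansion using the Table 1 pairings.

Added example, not code from the original page or from IBM/HCL Connections.
The directory contents below are constructed; a real deployment would issue
the same lookups as LDAP searches against the configured server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryProfile:
    member_attr: str        # forward link on the group entry (group -> members)
    group_objectclass: str  # objectclass that identifies a group entry
    membership_attr: str    # operational attribute on the member (member -> groups)
    transitive: bool        # server already includes nested groups in membership_attr
                            # (assumption for this example; AD is False per the table's note)


# Pairings taken from Table 1; the `transitive` flags are an assumption.
PROFILES = {
    "ids":        DirectoryProfile("uniquemember", "groupOfUniqueNames", "ibm-allGroups", True),
    "ad":         DirectoryProfile("member", "group", "memberOf", False),
    "domino":     DirectoryProfile("member", "dominoGroup", "DominoAccessGroups", True),
    "sun":        DirectoryProfile("uniquemember", "groupOfUniqueNames", "isMemberOf", True),
    "edirectory": DirectoryProfile("member", "groupOfNames", "groupMembership", True),
}


def escape_filter(value: str) -> str:
    """Escape an LDAP filter assertion value (RFC 4515) so a DN or name taken
    from user input cannot inject extra filter clauses."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def direct_groups_filter(profile: DirectoryProfile, member_dn: str) -> str:
    """Filter that finds the groups a DN is a *direct* member of, using the
    forward-link attribute/objectclass pairing for the directory type."""
    return (f"(&(objectClass={profile.group_objectclass})"
            f"({profile.member_attr}={escape_filter(member_dn)}))")


def expand_membership(profile: DirectoryProfile, directory: dict, dn: str):
    """Return (set of all group DNs for `dn`, number of directory reads).

    With a transitive operational attribute one read of the entry is enough.
    Otherwise walk the operational attribute group by group, tracking visited
    groups so a cyclic nesting (G3 nested in G1 nested in ... G3) cannot loop.
    The read count is the load the page warns about for deep/broad nesting.
    """
    reads = 0

    def read(entry_dn: str) -> dict:
        nonlocal reads
        reads += 1
        return directory.get(entry_dn, {})

    direct = read(dn).get(profile.membership_attr, [])
    if profile.transitive:
        return set(direct), reads
    seen, queue = set(), list(direct)
    while queue:
        group = queue.pop()
        if group in seen:          # already expanded: breaks cycles
            continue
        seen.add(group)
        queue.extend(read(group).get(profile.membership_attr, []))
    return seen, reads


# Constructed sample data: one user in three groups nested G1 -> G2 -> G3 -> G1 (cycle).
USER = "uid=jdoe,ou=people,dc=example,dc=com"
G1 = "cn=app-users,ou=groups,dc=example,dc=com"
G2 = "cn=all-staff,ou=groups,dc=example,dc=com"
G3 = "cn=everyone,ou=groups,dc=example,dc=com"

AD_DIRECTORY = {   # memberOf lists direct membership only
    USER: {"memberOf": [G1]},
    G1: {"objectClass": ["group"], "member": [USER], "memberOf": [G2]},
    G2: {"objectClass": ["group"], "member": [G1], "memberOf": [G3]},
    G3: {"objectClass": ["group"], "member": [G2], "memberOf": [G1]},
}
IDS_DIRECTORY = {  # ibm-allGroups already contains the nested groups
    USER: {"ibm-allGroups": [G1, G2, G3]},
    G1: {"objectClass": ["groupOfUniqueNames"], "uniquemember": [USER]},
}

if __name__ == "__main__":
    for name, data in (("ad", AD_DIRECTORY), ("ids", IDS_DIRECTORY)):
        groups, reads = expand_membership(PROFILES[name], data, USER)
        print(f"{name}: {len(groups)} groups resolved with {reads} directory read(s)")
        print("  direct-group filter:", direct_groups_filter(PROFILES[name], USER))
```

Against the constructed data the Active Directory walk needs four reads (the user plus each of the three groups) where the IBM Security Directory Server profile needs one, which is the difference the operational attribute makes once nesting is several layers deep. A production version should also normalize DNs (LDAP DNs compare case-insensitively) before using them as keys in the visited set.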