Deploying nested LDAP groups in WAS for IBM Directory Security Server
If WebSphere Application Server (WAS) has been configured with the IBM Directory Security Server LDAP repository and WAS has been enabled for nested groups, you must configure the Membership and Member attributes in a special way to take advantage of nested groups.
Before you begin
Note: If WAS has been configured to use the IBM Tivoli Directory Security Server with nested groups, IBM Connections uses the most efficient group membership operational attribute. Specific configuration must be in place in both WAS and the IBM Directory Security Server LDAP directory, and it requires a specific set of attribute/objectclass pairings to be deployed in the LDAP directory. Most other LDAP directories do not require special deployment for membership.
Note: The Connections/WAS administrator might not be the same person as the LDAP administrator.
Note: If you want to use nested groups, verify that your LDAP administrator has in fact deployed groups using the LDAP operational attributes (this is not the default). Connections relies on the LDAP operational attributes so that it does not overload the LDAP server and cause performance problems when nested groups are deployed.
About this task
The following example shows a three-level nested group hierarchy deployed with both the groupOfUniqueNames/uniquemember pairing and the ibm-nestedGroup/ibm-memberGroup pairing. Each subgroup is listed both as a uniquemember of its parent and as an ibm-memberGroup of its parent:

cn=NorthAmericanSales Membership,cn=Groups,o=ibm,dc=com
objectClass=Top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
ibm-memberGroup=cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
ibm-memberGroup=cn=UnitedStatesSales Membership,cn=Groups,o=ibm,dc=com
cn=NorthAmericanSales Membership
description=Top Level 3 Levels
uniquemember=cn=Jane Smith45,cn=Users,o=ibm,dc=com
uniquemember=cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=UnitedStatesSales Membership,cn=Groups,o=ibm,dc=com

cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
objectClass=Top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
ibm-memberGroup=cn=AlbertaSales Membership,cn=Groups,o=ibm,dc=com
ibm-memberGroup=cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
ibm-memberGroup=cn=OntarioSales Membership,cn=Groups,o=ibm,dc=com
cn=CanadianSales Membership
description=second level in North America
uniquemember=cn=Jane Smith55,cn=Users,o=ibm,dc=com
uniquemember=cn=AlbertaSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=OntarioSales Membership,cn=Groups,o=ibm,dc=com

cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
objectClass=Top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
cn=QuebecSales Membership
description=3rd level in North America
uniquemember=cn=Frank Ouelette,cn=Users,o=ibm,dc=com
Where:
- ibm-nestedGroup is an auxiliary class that allows the optional ibm-memberGroup attribute. It can be combined with a structural class such as groupOfNames or groupOfUniqueNames to enable subgroups to be nested within the parent group.
- ibm-memberGroup is an attribute of the auxiliary class ibm-nestedGroup that identifies subgroups of a parent group entry. Members of such subgroups are regarded as members of the parent group when processing ACLs or the ibm-allMembers and ibm-allGroups operational attributes.
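The following is an added example, not IBM's code and not part of the original documentation. It shows what the two pairings do when combined: it parses standard LDIF for group entries, computes the transitive member set that the ibm-allMembers operational attribute would expose by walking ibm-memberGroup references, and reports the deployment mistakes an administrator would want to catch before enabling nested groups in WAS (an ibm-memberGroup that resolves to no entry, a subgroup not also listed as a uniquemember, or ibm-memberGroup used without the ibm-nestedGroup objectClass). The LDIF is constructed sample data modelled on the groups above, with one deliberately dangling OntarioSales reference so the check has something to report; the DN normalisation is a crude assumption (case-folding and trimming around commas), not the server's matching rules.

```python
"""Resolve and sanity-check nested LDAP group deployment from LDIF (added example)."""
from collections import defaultdict

# Constructed sample data: three nesting levels; OntarioSales is referenced
# but has no entry, which the check below is expected to flag.
SAMPLE_LDIF = """\
dn: cn=NorthAmericanSales Membership,cn=Groups,o=ibm,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: ibm-nestedGroup
ibm-memberGroup: cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
uniquemember: cn=Jane Smith45,cn=Users,o=ibm,dc=com
uniquemember: cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com

dn: cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: ibm-nestedGroup
ibm-memberGroup: cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
ibm-memberGroup: cn=OntarioSales Membership,cn=Groups,o=ibm,dc=com
uniquemember: cn=Jane Smith55,cn=Users,o=ibm,dc=com
uniquemember: cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com

dn: cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: ibm-nestedGroup
uniquemember: cn=Frank Ouelette,cn=Users,o=ibm,dc=com
"""


def norm_dn(dn):
    # Assumed, simplified DN normalisation: case-fold and trim around RDN separators.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {dn: {attribute_lowercase: [values]}} from simple single-line LDIF
    (no base64 '::' values and no folded continuation lines are handled)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:            # blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def all_members(entries, group_dn):
    """Transitive user membership, i.e. what ibm-allMembers reports: direct
    uniquemember users plus users of every ibm-memberGroup subgroup. A visited
    set keeps a cyclic nesting from recursing forever."""
    groups = {norm_dn(dn): attrs for dn, attrs in entries.items()}
    members, visited = set(), set()

    def walk(dn):
        key = norm_dn(dn)
        if key in visited:
            return
        visited.add(key)
        attrs = groups.get(key)
        if attrs is None:       # dangling reference: nothing to expand
            return
        for m in attrs.get("uniquemember", []):
            if norm_dn(m) not in groups:    # a user, not a nested group
                members.add(m)
        for sub in attrs.get("ibm-membergroup", []):
            walk(sub)

    walk(group_dn)
    return members


def check_nesting(entries):
    """Return human-readable problems with the nested-group deployment."""
    groups = {norm_dn(dn) for dn in entries}
    problems = []
    for dn, attrs in entries.items():
        classes = {oc.lower() for oc in attrs.get("objectclass", [])}
        if "ibm-nestedgroup" not in classes:
            if attrs.get("ibm-membergroup"):
                problems.append(f"{dn}: ibm-memberGroup used without ibm-nestedGroup objectClass")
            continue
        direct = {norm_dn(m) for m in attrs.get("uniquemember", [])}
        for sub in attrs.get("ibm-membergroup", []):
            if norm_dn(sub) not in groups:
                problems.append(f"{dn}: ibm-memberGroup {sub} does not resolve to a group entry")
            elif norm_dn(sub) not in direct:
                problems.append(f"{dn}: subgroup {sub} is not also listed as uniquemember")
    return problems


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    top = "cn=NorthAmericanSales Membership,cn=Groups,o=ibm,dc=com"
    print("ibm-allMembers view of", top)
    for member in sorted(all_members(groups, top)):
        print("  ", member)
    for problem in check_nesting(groups):
        print("PROBLEM:", problem)
```

Run against an LDIF export of the group subtree, the script gives a quick offline answer to the two questions the notes above raise: whether subgroups are actually wired through ibm-memberGroup (so the server can answer ibm-allGroups/ibm-allMembers cheaply) and whether the uniquemember lists that WAS's Member attribute configuration reads agree with that nesting.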
Perform the following steps using the Integrated Solutions console:
Procedure
- Specify the Membership attribute as follows:
- Navigate to .
- Under General Properties, select ibm-allGroups in the Name of group membership attribute field.
- For best performance when using IBM Directory Server, select All for the Scope of group membership attribute field.
- Click Apply and then OK.
- Specify the Member attribute as follows:
Note: The IBM Directory Security Server LDAP directory should also have groups deployed using the standard supported default attribute/objectclass pairing, uniquemember/groupOfUniqueNames, as described in LDAP objectclass/attribute pairings for nested groups.
- Navigate to .
- Under General Properties, add uniquemember in the Name of members attribute field.
- Add groupOfUniqueNames for the Object class field.
- Select Direct for the Scope field.
Note: Selecting Direct is appropriate in most cases. Refer to Default LDAP configuration mapping based on LDAP server type in the WebSphere Application Server Knowledge Center to understand all scope options for your LDAP directory service provider.
- Click Apply and then OK.