Deploying nested LDAP groups in WAS for IBM Security Directory Integrator server
If WebSphere Application Server has been configured with the IBM Security Directory Integrator server LDAP repository and WebSphere has been enabled for nested groups, you must configure the Membership and Member attributes in a special way to take advantage of nested groups.
Before you begin
Note: If WAS has been configured to use the Security Directory Integrator with nested groups, HCL Connections uses the most effective group membership operational attribute. Specific configuration in both WAS and the Security Directory Integrator LDAP directory must be in place, which requires a specific set of attribute/objectclass pairings to be deployed in the LDAP directory. Most other LDAP directories do not require special deployment for membership.
Note: The Connections/WAS administrator might not be the same person as the LDAP administrator.
Note: If an administrator wants to use nested groups, verify that the LDAP administrator has indeed deployed groups using the LDAP operational attributes (this is not the default). Connections relies on the LDAP operational attributes to ensure that it does not overload the LDAP server and cause performance issues when nested groups are deployed.
About this task
The following example shows a three-level nested group hierarchy as deployed in the LDAP directory:

cn=NorthAmericanSalesMembership,cn=Groups,o=ibm,dc=com
objectClass=Top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
ibm-memberGroup=cn=CanadianSales Membership,o=ibm,dc=com
ibm-memberGroup=cn=UnitedStatesSales Membership,o=ibm,dc=com
cn=NorthAmericanSales Membership
description=Top Level 3 Levels
uniquemember=cn=Jane Smith45,cn=Users,o=ibm,dc=com
uniquemember=cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=UnitedStatesSales Membership,cn=Groups,o=ibm,dc=com

cn=CanadianSales Membership,cn=Groups,o=ibm,dc=com
objectClass=Top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
ibm-memberGroup=cn=AlbertaSales Membership,o=ibm,dc=com
ibm-memberGroup=cn=QuebecSales Membership,o=ibm,dc=com
ibm-memberGroup=cn=OntarioSales Membership,o=ibm,dc=com
cn=CanadianSales Membership
description=second level in North America
uniquemember=cn=Jane Smith55,cn=Users,o=ibm,dc=com
uniquemember=cn=AlbertaSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
uniquemember=cn=OntarioSales Membership,cn=Groups,o=ibm,dc=com

cn=QuebecSales Membership,cn=Groups,o=ibm,dc=com
objectClass=Top
objectClass=groupOfUniqueNames
objectClass=ibm-nestedGroup
cn=QuebecSales Membership
description=3rd level in North America
uniquemember=cn=Frank Ouelette,cn=Users,o=ibm,dc=com
Where:
- ibm-nestedGroup is an auxiliary class that allows the optional ibm-memberGroup attribute. It can be used with a structural class such as groupOfNames to enable subgroups to be nested within the parent group.
- ibm-memberGroup is an attribute taken by the auxiliary class ibm-nestedGroup that identifies subgroups of a parent group entry. Members of such subgroups are regarded as members of the parent group when processing ACLs or the ibm-allMembers and ibm-allGroups operational attributes.
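As an added example (not from the HCL documentation), the following Python script parses group entries in the attribute=value layout shown above, flags entries that use ibm-memberGroup without the ibm-nestedGroup auxiliary class or whose ibm-memberGroup subgroups are missing from uniquemember, and emulates what ibm-allGroups resolves for a user. The sample export, the o=example suffix and the group names are constructed; the script runs offline against that text.

```python
# Constructed sample export (not the page's data), in the attribute=value layout shown above.
SAMPLE_EXPORT = """\
cn=NorthAmericanSales,cn=Groups,o=example,dc=com
objectClass=ibm-nestedGroup
ibm-memberGroup=cn=CanadianSales,cn=Groups,o=example,dc=com
uniquemember=cn=CanadianSales,cn=Groups,o=example,dc=com

cn=CanadianSales,cn=Groups,o=example,dc=com
objectClass=ibm-nestedGroup
uniquemember=cn=Frank Ouelette,cn=Users,o=example,dc=com

cn=LegacySales,cn=Groups,o=example,dc=com
ibm-memberGroup=cn=CanadianSales,cn=Groups,o=example,dc=com
"""

def parse_export(text):
    """Return {dn: {attribute_lowercase: [values]}}; each block's first line is the entry DN."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, *lines = block.strip().splitlines()
        attrs = entries[dn] = {}
        for line in lines:
            name, _, value = line.partition("=")
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def is_nested(attrs):
    return "ibm-nestedgroup" in {c.lower() for c in attrs.get("objectclass", [])}

def check_nested_pairings(entries):
    """Flag ibm-memberGroup without the ibm-nestedGroup class, and subgroups absent from uniquemember."""
    problems = []
    for dn, a in entries.items():
        subs = a.get("ibm-membergroup", [])
        if subs and not is_nested(a):
            problems.append((dn, "ibm-memberGroup present without objectClass ibm-nestedGroup"))
        for sub in subs:
            if sub not in a.get("uniquemember", []):
                problems.append((dn, f"subgroup {sub} in ibm-memberGroup but not in uniquemember"))
    return problems

def all_groups(entries, user_dn):
    """Emulate ibm-allGroups: direct groups plus ancestors via ibm-memberGroup on ibm-nestedGroup entries."""
    found = {dn for dn, a in entries.items() if user_dn in a.get("uniquemember", [])}
    while True:  # found only grows, so the loop terminates even if groups nest in a cycle
        parents = {dn for dn, a in entries.items()
                   if is_nested(a) and not found.isdisjoint(a.get("ibm-membergroup", []))}
        if parents <= found:
            return found
        found |= parents
```

Run against a real export, the problems list is what to hand back to the LDAP administrator before enabling nested groups in WAS; note that LegacySales is deliberately skipped by all_groups because its ibm-memberGroup is not backed by the ibm-nestedGroup class.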
Perform the following steps using the Integrated Solutions console:
Procedure
- Specify the Membership attribute as follows:
- Navigate to .
- Under General Properties, select ibm-allGroups in the Name of group membership attribute field.
- For best performance when using Security Directory Integrator, select All for the Scope of group membership attribute field.
- Click Apply and then OK.
- Specify the Member attribute as follows:
Note: The Security Directory Integrator LDAP directory should also have groups deployed using the standard supported default attribute/objectclass pairing, uniquemember/groupOfUniqueNames, as described in LDAP objectclass/attribute pairings for nested groups.
- Navigate to .
- Under General Properties, add uniquemember in the Name of members attribute field.
- Add groupOfUniqueNames for the Object class field.
- Select Direct for the Scope field.
Note: Selecting Direct is appropriate in most cases. Refer to Default LDAP configuration mapping based on LDAP server type in the WebSphere Application Server documentation to understand all scope options for your LDAP directory service provider.
- Click Apply and then OK.