Mapping LDAP attributes


Member Manager maps the attribute names that are exposed on the Java objects representing users and groups to the attribute names of the underlying repository. When the underlying repository is LDAP, Member Manager attributes are mapped to LDAP attributes by a mapping file; that mapping file is named by an attribute in one of the files listed here. These files are only examples for the respective configurations. During the WebSphere Portal configuration, the corresponding file is modified and copied to...

$WP_ROOT/shared/app/wmm/wmm.xml

LDAP-only configuration: wmm_LDAP.xml
LDAP + Lookaside configuration: wmm_LDAP_LA.xml

For example, if you use an LDAP-only configuration, and the LDAP repository is IBM Directory Server, the wmm.xml file has an entry for...

configurationFile=$WP_ROOT/wmm/wmmLDAPServerAttributes.xml

So, the mapping file is...

$WP_ROOT/wmm/wmmLDAPServerAttributes.xml

Some attributes on LDAP do not have corresponding member attributes and are not exposed on the Java objects by default, while other attributes on the Java object can be stored in the Lookaside database instead of LDAP. You can add or delete attributes as required by your configuration, either by exposing additional attributes from the underlying LDAP repository that are not currently exposed or by extending the attribute set to include new attributes. You can expose new LDAP attributes by adding new mappings in the wmmLDAPServerAttributes.xml file.

If you customize any of the wmm_*.xml or wmm_LDAP_*.xml files, copy the files to the following locations:

    Expanding the user profile to include new attributes is more involved: in the database-only configuration, the database tables that define the attribute set must be changed to include the new attribute definitions. In the LDAP and Lookaside configuration, the attributes are defined in Lookaside. If the new attribute is already defined on the LDAP server, there is no need to add the new attribute definitions to the database; simply add a new mapping for this attribute in the wmmLDAPServerAttributes_XXX.xml file.

    Use the following sample as a guide to mapping LDAP attributes to Member Manager:

      <repositoryAttributes>

      <!--  Read-only external identifier generated by the directory server -->

      <attributeMap wmmAttributeName="extId" 
                    applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" 
                    pluginAttributeName="ibm-appUUID" 
                    dataType="String" 
                    multiValued="false" 
                    readOnly="true" /> 
    
      <!--  Define which LDAP attribute is used for storing static group members --> 
    
      <!--  By default, member attribute is mandatory in IBM Directory Server, 
            so define default value "uid=dummy" --> 
    
      <attributeMap wmmAttributeName="groupMember" 
                   pluginAttributeName="member" 
                   applicableMemberTypes="Group" 
                   dataType="String" 
                   valueLength="1024" 
                   multiValued="true" 
                   defaultValue="uid=dummy" /> 
    
      <!--  Define which LDAP attribute is used for storing dynamic group queries --> 
    
      <attributeMap wmmAttributeName="groupMemberURL" 
                   pluginAttributeName="memberURL" 
                   applicableMemberTypes="Group" 
                   dataType="String" 
                   valueLength="1024" 
                   multiValued="true" />
    
      <!-- Common schema attributes -->
    
      <attributeMap wmmAttributeName="uid" 
                   pluginAttributeName="uid" 
                   applicableMemberTypes="Person" 
                   requiredMemberTypes="Person" 
                   dataType="String" 
                   valueLength="256" 
                   multiValued="false" /> 
    
      <attributeMap wmmAttributeName="sn" 
                   pluginAttributeName="sn" 
                   applicableMemberTypes="Person" 
                   requiredMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="givenName" 
                   pluginAttributeName="givenName" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="initials" 
                   pluginAttributeName="initials" 
                   applicableMemberTypes="Person" 
                   dataType="String" valueLength="20" multiValued="true" />
    
      <attributeMap wmmAttributeName="ibm-primaryEmail" 
                   pluginAttributeName="mail" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="256" 
                   multiValued="false" /> 
    
      <attributeMap wmmAttributeName="displayName" 
                   pluginAttributeName="displayName" 
                   applicableMemberTypes="Person" 
                   dataType="String" valueLength="128" multiValued="true" />
    
      <attributeMap wmmAttributeName="preferredLanguage" 
                   pluginAttributeName="preferredLanguage" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="false" /> 
    
      <attributeMap wmmAttributeName="o" 
                   pluginAttributeName="o" 
                   applicableMemberTypes="Organization" 
                   requiredMemberTypes="Organization" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="false" /> 
    
      <attributeMap wmmAttributeName="ou" 
                   pluginAttributeName="ou" 
                   applicableMemberTypes="OrganizationalUnit" 
                   requiredMemberTypes="OrganizationalUnit" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="false" /> 
    
      <attributeMap wmmAttributeName="cn" 
                   pluginAttributeName="cn" 
                   applicableMemberTypes="Person;Group" 
                   requiredMemberTypes="Group" 
                   dataType="String" 
                   valueLength="256" 
                   multiValued="false" />
    
      <attributeMap wmmAttributeName="description" 
                   pluginAttributeName="description" 
                   applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" 
                   dataType="String" 
                   valueLength="1024" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="userPassword" 
                   pluginAttributeName="userPassword" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="false" />
    
      <!--  Read only attribute -->
    
      <attributeMap wmmAttributeName="createTimestamp" 
                   pluginAttributeName="createTimestamp" 
                   applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" 
                   dataType="Timestamp" 
                   multiValued="false" 
                   readOnly="true" />
    
      <!--  Read only attribute -->
    
      <attributeMap wmmAttributeName="modifyTimestamp" 
                   pluginAttributeName="modifyTimestamp" 
                   applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" 
                   dataType="Timestamp" 
                   multiValued="false" 
                   readOnly="true" /> 
    
      <attributeMap wmmAttributeName="jpegPhoto" 
                   pluginAttributeName="jpegPhoto" 
                   applicableMemberTypes="Person" 
                   dataType="ByteArray" 
                   valueLength="250000" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="labeledURI" 
                   pluginAttributeName="labeledURI" 
                   applicableMemberTypes="Person" 
                   dataType="Object" 
                   classname="java.lang.String" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="carLicense" 
                   pluginAttributeName="carLicense" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="telephoneNumber" 
                   pluginAttributeName="telephoneNumber" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="32" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="facsimileTelephoneNumber" 
                   pluginAttributeName="facsimileTelephoneNumber" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="32" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="pager" 
                   pluginAttributeName="pager" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="32" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="mobile" 
                   pluginAttributeName="mobile" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="32" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="homePostalAddress" 
                   pluginAttributeName="homePostalAddress" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="500" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="postalAddress" 
                   pluginAttributeName="postalAddress" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="500" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="roomNumber" 
                   pluginAttributeName="roomNumber" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="256" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="localityName" 
                   pluginAttributeName="localityName" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="stateOrProvinceName" 
                   pluginAttributeName="stateOrProvinceName" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="street" 
                   pluginAttributeName="street" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="postalCode" 
                   pluginAttributeName="postalCode" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="40" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="employeeNumber" 
                   pluginAttributeName="employeeNumber" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="20" 
                   multiValued="false" /> 
    
      <attributeMap wmmAttributeName="employeeType" 
                   pluginAttributeName="employeeType" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="manager" 
                   pluginAttributeName="manager" 
                   applicableMemberTypes="Person" 
                   dataType="MemberIdentifier" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="secretary" 
                   pluginAttributeName="secretary" 
                   applicableMemberTypes="Person" 
                   dataType="MemberIdentifier" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="businessCategory" 
                   pluginAttributeName="businessCategory" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" /> 
    
      <attributeMap wmmAttributeName="departmentNumber" 
                   pluginAttributeName="departmentNumber" 
                   applicableMemberTypes="Person" 
                   dataType="String" 
                   valueLength="128" 
                   multiValued="true" />
    
      <attributeMap wmmAttributeName="seeAlso" 
                   pluginAttributeName="seeAlso" 
                   applicableMemberTypes="Person" 
                   dataType="MemberIdentifier" 
                   multiValued="true" />
    
      </repositoryAttributes>
           
    

    In an IBM Directory Server environment, Member Manager can create a dummy member entry in a group when the group is created. The dummy member entry is configurable by setting the "defaultValue" in the attributeMap element of the "groupMember" attribute in the PortalServer/wmm/wmmLDAPServerAttributes_XXX.xml file, as shown here:

    <attributeMap  wmmAttributeName="groupMember"
                      pluginAttributeName="uniqueMember"
                      applicableMemberTypes="Group"
                      dataType="String"
                      valueLength="1000" 
                      multiValued="true"
                      defaultValue="uid=dummy"
                      readOnly="false"/> 
    

     

    Search criteria in portlets

    By default, the search function in portlets offers all Member Manager attributes as search criteria, even if an attribute does not exist in your LDAP directory. When users search on an attribute that is not in the LDAP directory, the search returns no results. To prevent this problem, restrict searches to the Member Manager attributes that exist in the LDAP directory.

    Do this by editing the wp_root/wmm/wmmLDAPAttributes.xml file. Add a description attribute with the content [wps:hide] to the attributeMap definition of each attribute to hide, as shown here:

            <attributeMap   wmmAttributeName="givenName"
                            pluginAttributeName="givenName"
                            applicableMemberTypes="Person"                  
                            dataType="String" 
                            valueLength="128" 
                            description="[wps:hide]"
                            multiValued="true" />
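The two tasks above, checking that each attributeMap is complete and hiding from portlet search any mapping whose LDAP attribute the directory does not serve, can be scripted. The following is an added example, not part of the IBM documentation or of Member Manager; the mapping XML and the schema set are constructed for the example, and the cn mapping carries two deliberate mistakes so the lint has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the wmmLDAPServerAttributes.xml format shown above,
# cut down to four mappings; the cn mapping is deliberately wrong.
SAMPLE_XML = """<repositoryAttributes>
  <attributeMap wmmAttributeName="uid" pluginAttributeName="uid"
                applicableMemberTypes="Person" requiredMemberTypes="Person"
                dataType="String" valueLength="256" multiValued="false"/>
  <attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName"
                applicableMemberTypes="Person" dataType="String"
                valueLength="128" multiValued="true"/>
  <attributeMap wmmAttributeName="carLicense" pluginAttributeName="carLicense"
                applicableMemberTypes="Person" dataType="String"
                valueLength="128" multiValued="true"/>
  <attributeMap wmmAttributeName="cn" pluginAttributeName="cn"
                applicableMemberTypes="Person;Group"
                requiredMemberTypes="Group;Organization"
                dataType="String" multiValued="false"/>
</repositoryAttributes>
"""

# Constructed: attribute types the directory actually serves (in practice
# taken from the server's schema).
LDAP_SCHEMA = {"uid", "givenName", "sn", "cn", "mail", "member"}

REQUIRED_ATTRS = ("wmmAttributeName", "pluginAttributeName",
                  "applicableMemberTypes", "dataType")

def _types(value):
    """Split a 'Person;Group' list into a set, ignoring empty items."""
    return {t for t in value.split(";") if t}

def lint_attribute_maps(root):
    """Return problems that would make a mapping incomplete or inconsistent."""
    problems = []
    for amap in root.iter("attributeMap"):
        name = amap.get("wmmAttributeName", "<unnamed>")
        for attr in REQUIRED_ATTRS:
            if amap.get(attr) is None:
                problems.append(f"{name}: missing {attr}")
        if amap.get("dataType") == "String" and amap.get("valueLength") is None:
            problems.append(f"{name}: String mapping without valueLength")
        applicable = _types(amap.get("applicableMemberTypes", ""))
        extra = _types(amap.get("requiredMemberTypes", "")) - applicable
        if extra:
            problems.append(f"{name}: required but not applicable: {sorted(extra)}")
    return problems

def hide_unmapped(root, schema):
    """Set description="[wps:hide]" on mappings whose LDAP attribute the directory lacks."""
    hidden = []
    for amap in root.iter("attributeMap"):
        if amap.get("pluginAttributeName") not in schema:
            amap.set("description", "[wps:hide]")
            hidden.append(amap.get("wmmAttributeName"))
    return hidden

def audit(xml_text, schema):
    """Lint the mapping file, hide unsearchable attributes, return the rewritten XML."""
    root = ET.fromstring(xml_text)
    return lint_attribute_maps(root), hide_unmapped(root, schema), ET.tostring(root, encoding="unicode")
```

Run `audit` on the real file contents and the attribute types read from your directory schema; the returned XML is what to write back after reviewing the reported problems.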
    

     

    Group caching in LDAP

    The Group Cache caches the names, membership relations, and supported attributes of all groups within the scope of Member Manager (that is, under the Member Manager nodes defined in <wps_root>/shared/app/wmm/wmm.xml).

    Enabling group caching for LDAP can dramatically improve the performance of LDAP-related operations, for example the portal login process or the User and Group Access portlet.

    If you continue to use an old wmm.xml file from Member Manager 5.0 or Member Manager 5.0.2, this feature is not enabled. You need to add several new parameters to the wmm.xml file to enable and configure the LDAP group cache.

    To use the LDAP group cache, set the following attributes in the wmm.xml file. If you are operating in a clustered environment, set these attributes on every machine.

        <ldapRepository name="wmmLDAP"
               UUID="LDAP1"
               adapterClassName="com.ibm.ws.wmm.ldap.ibmdir.IBMDirectoryAdapterImpl"
               supportDynamicAttributes="false"
               configurationFile="wmm/xml/wmmLDAPAttributes_IDS_ENTRYUUID.xml" 
               wmmGenerateExtId="false"
               supportGetPersonByAccountName="true"               
               profileRepositoryForGroups="LDAP1"
               supportTransactions="false"
               adminId="cn=root"
               adminPassword="ibm"
               ldapHost="localhost"
               ldapPort="389"
               ldapTimeOut="6000"
               ldapAuthentication="SIMPLE"
               ldapType="0"
               
               cacheGroups="true"
               groupCacheRefreshInterval="600"
    
               attributesCacheSize="2000"
               attributesCacheTimeOut="600"
    
               namesCacheSize="2000"
               namesCacheTimeOut="300"
    
               cachesDiskOffLoad="false"
               serverTTLAttribute="ttl"
               >
    

    Attribute settings

    cacheGroups
        Specifies whether group membership and attributes are cached. To enable the Group Cache, set this parameter to "true". If this parameter is not present, the default value is false.

    groupCacheRefreshInterval (optional)
        Specifies how frequently the Group Cache is refreshed, in seconds. If this parameter is not specified, the default value is 600 seconds.

    attributesCacheSize
        Specifies the size of the Attributes Cache, which caches the results of LDAP getAttributes queries. The Attributes Cache improves the performance of the Member Manager getMember API, and therefore of portal login. If this parameter is not present or is set to 0, the Attributes Cache is disabled.

    attributesCacheTimeOut (optional)
        Length of time, in seconds, that entries stay in the Attributes Cache before being invalidated. The default value is 600 seconds.

    namesCacheSize
        Specifies the size of the Names Cache, which caches the results of LDAP search queries. The Names Cache improves the performance of Member Manager APIs that involve search operations, for example Search. If this parameter is not present or is set to 0, the Names Cache is disabled.

    namesCacheTimeOut (optional)
        Length of time, in seconds, that search results stay in the Names Cache before being invalidated. The default value is 600 seconds.

    cachesDiskOffLoad (optional)
        Specifies whether off-loading the caches to disk is enabled. This parameter affects both the Attributes Cache and the Names Cache. By default, when the number of entries reaches the configured size of a cache, entries are evicted to make room for new ones. If cachesDiskOffLoad is enabled, the evicted entries are copied to disk for potential future access.

    serverTTLAttribute (optional)
        Specifies the name of the ttl (time-to-live) attribute supported by the LDAP server. By default, entries in the Attributes Cache time out after the number of seconds specified by attributesCacheTimeOut. If the LDAP server supports a ttl attribute, adding this parameter makes Member Manager use the value of that attribute as the Attributes Cache timeout, so the timeout is controlled on the server side.
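Because several of these parameters silently disable a cache when absent or 0, it helps to compute the effective cache configuration from the <ldapRepository> element before rolling wmm.xml out to every node. The following is an added example, not IBM code; the wmm.xml fragment is constructed from the sample above with the directory credentials replaced by placeholders, and the defaults are the ones listed in the table.

```python
import xml.etree.ElementTree as ET

# Constructed wmm.xml fragment: the ldapRepository element shown above, cut
# down and with credentials replaced by placeholders. namesCacheSize is set
# to 0 and groupCacheRefreshInterval is omitted on purpose.
WMM_XML = """<ldapRepository name="wmmLDAP" UUID="LDAP1"
    adminId="cn=PLACEHOLDER" adminPassword="PLACEHOLDER"
    ldapHost="localhost" ldapPort="389"
    cacheGroups="true"
    attributesCacheSize="2000"
    attributesCacheTimeOut="600"
    namesCacheSize="0"
    serverTTLAttribute="ttl"/>
"""

def _int(attrs, key, default):
    """Read an integer attribute, falling back to the documented default."""
    return int(attrs[key]) if key in attrs else default

def _flag(attrs, key):
    """Boolean attributes default to false when absent."""
    return attrs.get(key, "false").strip().lower() == "true"

def effective_cache_settings(ldap_repo):
    """Return (settings, warnings) for the cache parameters of an <ldapRepository>."""
    a = ldap_repo.attrib
    s = {
        "group_cache": _flag(a, "cacheGroups"),
        "group_refresh_s": _int(a, "groupCacheRefreshInterval", 600),
        "attributes_cache_size": _int(a, "attributesCacheSize", 0),
        "attributes_timeout_s": _int(a, "attributesCacheTimeOut", 600),
        "names_cache_size": _int(a, "namesCacheSize", 0),
        "names_timeout_s": _int(a, "namesCacheTimeOut", 600),
        "disk_offload": _flag(a, "cachesDiskOffLoad"),
        "server_ttl_attribute": a.get("serverTTLAttribute"),
    }
    warnings = []
    if not s["group_cache"]:
        warnings.append("cacheGroups is not true: Group Cache disabled")
    if s["attributes_cache_size"] == 0:
        warnings.append("attributesCacheSize missing or 0: Attributes Cache disabled")
    if s["names_cache_size"] == 0:
        warnings.append("namesCacheSize missing or 0: Names Cache disabled")
    if s["server_ttl_attribute"] and s["attributes_cache_size"] > 0:
        warnings.append("serverTTLAttribute set: server ttl overrides attributesCacheTimeOut")
    return s, warnings

def audit_wmm(xml_text):
    """Parse a wmm.xml ldapRepository element and report its effective cache settings."""
    return effective_cache_settings(ET.fromstring(xml_text))
```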

     


    WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

     

    IBM is a trademark of the IBM Corporation in the United States, other countries, or both.