Map external IDs
Every profile repository used with Member Manager needs to have an attribute whose value is unique, static, and never reused for every member entry. In Member Manager, this attribute is called extId. If a Lookaside repository is also used with Member Manager, extId allows Member Manager to associate data for a member in the Lookaside repository to the data for the same member in the profile repository.
Starting with WebSphere 6.0, roles are no longer tied to the DN of the user but to the WMM ExtID.
WebSphere Portal provides three ways to map the external IDs:
- Unique ID attribute generated by the LDAP server
- Unique ID attribute that is generated by Member Manager (ibm-appUUID)
- Distinguished name of the member
Map external IDs to a unique ID attribute generated by the LDAP server
The Portal administrator can map the WMM ExtID to an attribute of their choice (for example objectGUID, DN, email address, ...).
By default, Portal uses the standard unique ID defined by the LDAP vendor. All supported LDAP vendors have such an attribute (for example objectGUID for Microsoft Active Directory). If a WMMDB setup is used, WMM generates the ExtID.
Some LDAP servers already have a unique ID attribute that will be automatically populated by the LDAP server for each entry that is created on the LDAP server. If you are using an LDAP server with Member Manager, it is likely that the LDAP server already has an attribute whose value is unique, static, and never reused. In this case, you should map that attribute to the extId attribute in Member Manager and set wmmGenerateExtId to false.
We can map extId to this unique ID attribute that is generated by the LDAP server in portal_server_root/wmm/wmmLDAPServerAttributes.xml and set wmmGenerateExtId to false.
The unique ID generated by the LDAP server has one of two data types: string or octet string.
To map external IDs to a unique ID attribute that is generated by the LDAP server:
- Open portal_server_root/shared/app/wmm/wmm.xml, search for wmmGenerateExtId, and set it to false.
- Open portal_server_root/wmm/wmmLDAPServerAttributes.xml. This file is different for each LDAP server type. Set the attribute for the system, as follows:
- IBM Directory Server
IBM Directory Server V5.1 has a unique ID attribute called ibm-entryUuid that has a string data type. Map extId to this attribute in portal_server_root/wmm/wmmLDAPServerAttributes.xml:
<attributeMap wmmAttributeName="extId" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" pluginAttributeName="ibm-entryUuid" dataType="String" multiValued="false" readOnly="true"/>
- Sun Java System Directory Server
Sun Java System Directory Server V5.1 (formerly iPlanet) has a unique ID attribute called nsuniqueid that has a string data type. Map extId to this attribute in portal_server_root/wmm/wmmLDAPServerAttributes.xml:
<attributeMap wmmAttributeName="extId" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" pluginAttributeName="nsuniqueid" dataType="String" multiValued="false" readOnly="true"/>
- Microsoft Active Directory
Microsoft Active Directory server has a unique ID attribute called objectGUID that has an octet string type. In portal_server_root/wmm/wmmLDAPAttributes_AD.xml, map extId to this attribute, and specify pluginDataType as OctetString:
<attributeMap wmmAttributeName="extId" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" pluginAttributeName="objectGUID" dataType="String" pluginDataType="OctetString" multiValued="false" readOnly="true"/>
- Novell eDirectory
Novell eDirectory Server has a unique ID attribute called GUID that has an octet string type. In portal_server_root/wmm/wmmLDAPServerAttributes.xml, map extId to this attribute, and specify pluginDataType as OctetString:
<attributeMap wmmAttributeName="extId" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" pluginAttributeName="GUID" dataType="String" pluginDataType="OctetString" multiValued="false" readOnly="true"/>
Map external IDs to a unique ID attribute that is generated by Member Manager (ibm-appUUID)
If the LDAP server does not have an attribute whose value is unique, static, and never reused, we can set wmmGenerateExtId to true. In this case, Member Manager attaches the LDAP auxiliary class ibm-appUUIDAux with an attribute ibm-appUUID to every LDAP entry that is accessed by Member Manager. The ibm-appUUID attribute is the unique, static, and never reused attribute that is added by Member Manager to the LDAP server entries.
To map external IDs to a unique ID attribute that is generated by Member Manager:
- Create the schema of the ibm-appUUIDAux auxiliary object class and the ibm-appUUID attribute on the LDAP server. To do this, refer to the documentation for configuring Directory Server for Member Manager.
- Open portal_server_root/shared/app/wmm/wmm.xml, search for wmmGenerateExtId, and set it to true.
- In wmm.xml, add the ibm-appUUIDAux object class to all member types:
<supportedLdapEntryTypes>
    <supportedLdapEntryType name="Person" rdnAttrTypes="uid" objectClassesForRead="inetOrgPerson" objectClassesForWrite="inetOrgPerson;ibm-appUUIDAux"/>
    <supportedLdapEntryType name="Group" rdnAttrTypes="cn" objectClassesForRead="groupOfNames" objectClassesForWrite="groupOfNames;ibm-appUUIDAux"/>
    <supportedLdapEntryType name="Organization" rdnAttrTypes="o" objectClassesForRead="organization" objectClassesForWrite="organization;ibm-appUUIDAux"/>
    <supportedLdapEntryType name="OrganizationalUnit" rdnAttrTypes="ou" objectClassesForRead="organizationalUnit" objectClassesForWrite="organizationalUnit;ibm-appUUIDAux"/>
</supportedLdapEntryTypes>
- Open portal_server_root/wmm/wmmLDAPServerAttributes.xml and map extId to ibm-appUUID:
<attributeMap wmmAttributeName="extId" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" pluginAttributeName="ibm-appUUID" dataType="String" multiValued="false" readOnly="true"/>
Map external IDs to the distinguished name of the member
If the LDAP server does not have an attribute whose value is unique, static, and never reused, and you do not want Member Manager to attach auxiliary classes to the LDAP entries, we can map the extId attribute to the LDAP distinguished name (DN). However, because the value of extId is meant to be unique, static, and never reused, by mapping the LDAP DN to extId, you assume that LDAP DN values are not only unique, but also static and never reused, which might not be true.
The attribute wmmGenerateExtId in wmm.xml determines whether or not the repository needs Member Manager to generate the external ID. If you map extId to a unique attribute that is automatically populated by the LDAP server, or to the DN, you need to set wmmGenerateExtId to false.
We can also use the distinguished name of the member as its external ID. To do this, map extId to DistinguishedName in portal_server_root/wmm/wmmLDAPServerAttributes.xml. It is not necessary to change the LDAP schema. However, because the DN is modifiable, it cannot always uniquely identify the LDAP entries.
<attributeMap wmmAttributeName="extId" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" pluginAttributeName="DistinguishedName" dataType="String" multiValued="false" readOnly="true"/>
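As an added example that is not part of the product documentation, the following Python check reads the extId attributeMap from wmmLDAPServerAttributes.xml and the wmmGenerateExtId setting from wmm.xml and verifies that they agree with the rules above for all three mapping methods (LDAP-generated attribute, ibm-appUUID, and DN). It assumes wmmGenerateExtId is an XML attribute on some element of wmm.xml (the page does not say which element carries it), and the sample fragments are constructed, not taken from a real installation.

```python
import xml.etree.ElementTree as ET

# Attributes this page describes as octet-string typed; they need pluginDataType="OctetString".
OCTET_STRING_ATTRS = {"objectGUID", "GUID"}
AUX_CLASS = "ibm-appUUIDAux"

def check_extid_config(wmm_xml, attrs_xml):
    """Cross-check the extId attributeMap against wmm.xml; returns a list of findings
    (an empty list means the two files are consistent). Assumes wmmGenerateExtId is an
    attribute of some element in wmm.xml, which this page does not state explicitly."""
    findings = []
    wmm_root = ET.fromstring(wmm_xml)
    maps = [m for m in ET.fromstring(attrs_xml).iter("attributeMap")
            if m.get("wmmAttributeName") == "extId"]
    if not maps:
        return ["no attributeMap for extId"]
    m = maps[0]
    plugin = m.get("pluginAttributeName", "")
    # extId must be single-valued and never written back by Member Manager.
    if m.get("readOnly") != "true":
        findings.append('extId mapping must be readOnly="true"')
    if m.get("multiValued") != "false":
        findings.append('extId mapping must be multiValued="false"')
    if plugin in OCTET_STRING_ATTRS and m.get("pluginDataType") != "OctetString":
        findings.append(f'{plugin} is octet-string typed; set pluginDataType="OctetString"')
    gen = next((e.get("wmmGenerateExtId") for e in wmm_root.iter()
                if e.get("wmmGenerateExtId") is not None), None)
    if plugin == "ibm-appUUID":
        # Member Manager generates the ID, so it must also write the auxiliary class.
        if gen != "true":
            findings.append("extId mapped to ibm-appUUID but wmmGenerateExtId is not true")
        for t in wmm_root.iter("supportedLdapEntryType"):
            if AUX_CLASS not in t.get("objectClassesForWrite", "").split(";"):
                findings.append(f"entry type {t.get('name')} lacks {AUX_CLASS} in objectClassesForWrite")
    elif gen != "false":
        findings.append(f"extId mapped to {plugin} but wmmGenerateExtId is not false")
    if plugin == "DistinguishedName":
        findings.append("extId mapped to DN: the DN is modifiable, so the ID may change or be reused")
    return findings

# Constructed sample (not from a real installation): the Active Directory mapping from this
# page together with the matching wmm.xml setting; check_extid_config returns [] for it.
WMM_AD = '<wmm><ldapRepository wmmGenerateExtId="false"/></wmm>'
ATTRS_AD = ('<attributeMaps><attributeMap wmmAttributeName="extId" pluginAttributeName="objectGUID" '
            'dataType="String" pluginDataType="OctetString" multiValued="false" readOnly="true"/></attributeMaps>')

if __name__ == "__main__":
    print(check_extid_config(WMM_AD, ATTRS_AD))
```

Run it against the two real files after editing them; any non-empty result names the setting that disagrees with the mapping method you chose.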