WebSphere Portal v6 - Map LDAP attributes
Member Manager maps the attribute names that are exposed on the Java objects representing users and groups to the attribute names of the underlying repository. The attributes and mappings are specified in XML files located in...
portal_server_root/shared/app/wmm/
The following files are needed to configure attributes and mappings:
wmm.xml
    Attribute and mappings specification.
wmmAttributes.xml, wmmAttributesDescription.xml
    Attributes used by Member Manager; wmmAttributesDescription.xml adds localized descriptions to the attributes. The first file must be referenced in the <wmm> tag of wmm.xml with the XML attribute...
    configurationFile="portal_server_root/wmm/wmmAttributes.xml"
wmmDBAttributes.xml, wmmDBAttributesDescription.xml
    Define the attribute mappings of a database user repository. Not applicable for mapping LDAP attributes.
wmmLAAttributes.xml
    Defines the attribute mappings of the Lookaside database. Consider carefully which attributes are to be stored in the Lookaside database before enabling security, because this file is not used at runtime; it serves only as the basis for creating the Member Manager database tables during the configuration procedure.
wmmLDAPAttributes.xml
    Defines the attribute mappings of the LDAP repository. This file must be referenced in the <ldapRepository> tag of wmm.xml with the XML attribute...
    configurationFile="portal_server_root/wmm/wmmLDAPAttributes.xml"
Some attributes in the LDAP directory have no corresponding Member Manager attribute and are not exposed on the Java objects by default, while other attributes on the Java objects can be stored in the Lookaside database instead of the LDAP directory. Attributes that should only be read from within the portal can be flagged as read-only by setting readOnly="true" in the attribute's tag in wmmAttributes.xml (the sample LDAP mapping later on this page uses the same flag on individual <attributeMap> elements). Attributes mapped to the Lookaside database must never be flagged as read-only. Keep in mind that Member Manager accesses the directory with the adminId bind configured in wmm.xml rather than as the logged-in user, so these mapping files, and not the directory's per-user ACLs, determine which attributes portal code can read or change on a user's behalf.
We can add or delete attributes as the configuration requires, either by exposing attributes of the underlying LDAP repository that are not currently exposed or by removing existing ones. To expose a new attribute, add it to wmmAttributes.xml and add the corresponding mapping to wmmLDAPAttributes.xml. To remove an attribute, delete it from both files.
Sample configurations
The directory...
portal_server_root/shared/app/wmm/
...contains a set of sample configuration files for the most common scenarios. If you base your configuration on one of the sample wmm_*.xml files, rename the customized file to...
portal_server_root/wmm/wmm.xml
...and make sure the file references inside it are correct.
Use the following sample as a guide for mapping LDAP attributes to Member Manager attributes (the XML attribute is spelled wmmAttributeName; a misspelling such as wmmAtributeName is accepted by the XML parser but leaves the mapping without a Member Manager attribute name):
<repositoryAttributes>
    <!-- ... -->
    <attributeMap wmmAttributeName="extId" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit"
        pluginAttributeName="ibm-appUUID" dataType="String" multiValued="false" readOnly="true" />

    <!-- Define which LDAP attribute is used for storing static group members -->
    <!-- By default, the member attribute is mandatory in IBM Directory Server, -->
    <!-- so define the default value "uid=dummy" -->
    <attributeMap wmmAttributeName="groupMember" pluginAttributeName="member" applicableMemberTypes="Group"
        dataType="String" valueLength="1024" multiValued="true" defaultValue="uid=dummy" />

    <!-- Define which LDAP attribute is used for storing dynamic group queries -->
    <attributeMap wmmAttributeName="groupMemberURL" pluginAttributeName="memberURL" applicableMemberTypes="Group"
        dataType="String" valueLength="1024" multiValued="true" />

    <!-- * * * * * Common schema attributes * * * * * * * * * * * * * * * * * -->
    <attributeMap wmmAttributeName="uid" pluginAttributeName="uid" applicableMemberTypes="Person"
        requiredMemberTypes="Person" dataType="String" valueLength="256" multiValued="false" />
    <attributeMap wmmAttributeName="sn" pluginAttributeName="sn" applicableMemberTypes="Person"
        requiredMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="initials" pluginAttributeName="initials" applicableMemberTypes="Person"
        dataType="String" valueLength="20" multiValued="true" />
    <attributeMap wmmAttributeName="ibm-primaryEmail" pluginAttributeName="mail" applicableMemberTypes="Person"
        dataType="String" valueLength="256" multiValued="false" />
    <attributeMap wmmAttributeName="displayName" pluginAttributeName="displayName" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="preferredLanguage" pluginAttributeName="preferredLanguage" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="false" />
    <attributeMap wmmAttributeName="o" pluginAttributeName="o" applicableMemberTypes="Organization"
        requiredMemberTypes="Organization" dataType="String" valueLength="128" multiValued="false" />
    <attributeMap wmmAttributeName="ou" pluginAttributeName="ou" applicableMemberTypes="OrganizationalUnit"
        requiredMemberTypes="OrganizationalUnit" dataType="String" valueLength="128" multiValued="false" />
    <attributeMap wmmAttributeName="cn" pluginAttributeName="cn" applicableMemberTypes="Person;Group"
        requiredMemberTypes="Group" dataType="String" valueLength="256" multiValued="false" />
    <attributeMap wmmAttributeName="description" pluginAttributeName="description"
        applicableMemberTypes="Person;Group;Organization;OrganizationalUnit"
        dataType="String" valueLength="1024" multiValued="true" />
    <attributeMap wmmAttributeName="userPassword" pluginAttributeName="userPassword" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="false" />

    <!-- Read only attribute -->
    <attributeMap wmmAttributeName="createTimestamp" pluginAttributeName="createTimestamp"
        applicableMemberTypes="Person;Group;Organization;OrganizationalUnit"
        dataType="Timestamp" multiValued="false" readOnly="true" />
    <!-- Read only attribute -->
    <attributeMap wmmAttributeName="modifyTimestamp" pluginAttributeName="modifyTimestamp"
        applicableMemberTypes="Person;Group;Organization;OrganizationalUnit"
        dataType="Timestamp" multiValued="false" readOnly="true" />

    <attributeMap wmmAttributeName="jpegPhoto" pluginAttributeName="jpegPhoto" applicableMemberTypes="Person"
        dataType="ByteArray" valueLength="250000" multiValued="true" />
    <attributeMap wmmAttributeName="labeledURI" pluginAttributeName="labeledURI" applicableMemberTypes="Person"
        dataType="Object" classname="java.lang.String" multiValued="true" />
    <attributeMap wmmAttributeName="carLicense" pluginAttributeName="carLicense" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="telephoneNumber" pluginAttributeName="telephoneNumber" applicableMemberTypes="Person"
        dataType="String" valueLength="32" multiValued="true" />
    <attributeMap wmmAttributeName="facsimileTelephoneNumber" pluginAttributeName="facsimileTelephoneNumber"
        applicableMemberTypes="Person" dataType="String" valueLength="32" multiValued="true" />
    <attributeMap wmmAttributeName="pager" pluginAttributeName="pager" applicableMemberTypes="Person"
        dataType="String" valueLength="32" multiValued="true" />
    <attributeMap wmmAttributeName="mobile" pluginAttributeName="mobile" applicableMemberTypes="Person"
        dataType="String" valueLength="32" multiValued="true" />
    <attributeMap wmmAttributeName="homePostalAddress" pluginAttributeName="homePostalAddress" applicableMemberTypes="Person"
        dataType="String" valueLength="500" multiValued="true" />
    <attributeMap wmmAttributeName="postalAddress" pluginAttributeName="postalAddress" applicableMemberTypes="Person"
        dataType="String" valueLength="500" multiValued="true" />
    <attributeMap wmmAttributeName="roomNumber" pluginAttributeName="roomNumber" applicableMemberTypes="Person"
        dataType="String" valueLength="256" multiValued="true" />
    <attributeMap wmmAttributeName="localityName" pluginAttributeName="localityName" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="stateOrProvinceName" pluginAttributeName="stateOrProvinceName" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="street" pluginAttributeName="street" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="postalCode" pluginAttributeName="postalCode" applicableMemberTypes="Person"
        dataType="String" valueLength="40" multiValued="true" />
    <attributeMap wmmAttributeName="employeeNumber" pluginAttributeName="employeeNumber" applicableMemberTypes="Person"
        dataType="String" valueLength="20" multiValued="false" />
    <attributeMap wmmAttributeName="employeeType" pluginAttributeName="employeeType" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="manager" pluginAttributeName="manager" applicableMemberTypes="Person"
        dataType="MemberIdentifier" multiValued="true" />
    <attributeMap wmmAttributeName="secretary" pluginAttributeName="secretary" applicableMemberTypes="Person"
        dataType="MemberIdentifier" multiValued="true" />
    <attributeMap wmmAttributeName="businessCategory" pluginAttributeName="businessCategory" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="departmentNumber" pluginAttributeName="departmentNumber" applicableMemberTypes="Person"
        dataType="String" valueLength="128" multiValued="true" />
    <attributeMap wmmAttributeName="seeAlso" pluginAttributeName="seeAlso" applicableMemberTypes="Person"
        dataType="MemberIdentifier" multiValued="true" />
</repositoryAttributes>
In an IBM Directory Server environment, Member Manager can create a dummy member entry in a group when the group is created. The dummy member entry is configured by setting defaultValue in the attributeMap element of the groupMember attribute in...
portal_server_root/wmm/wmmLDAPServerAttributes.xml
...as shown here:
<attributeMap wmmAttributeName="groupMember" pluginAttributeName="uniqueMember" applicableMemberTypes="Group"
    dataType="String" valueLength="1000" multiValued="true" defaultValue="uid=dummy" readOnly="false"/>
The placeholder value only has to satisfy the mandatory member attribute of the group object class; choose one that cannot match a real entry in the directory, so that the placeholder never becomes an actual group member.
Search criteria in portlets
By default, the search function in portlets offers all Member Manager attributes as search criteria, even if an attribute does not exist in the LDAP directory. When users search on an attribute that is not in the LDAP directory, the search returns no results. To prevent this, restrict searches to the Member Manager attributes that exist in the LDAP directory.
Do this by editing...
portal_server_root/wmm/wmmLDAPAttributes.xml
Add a description attribute with the content [wps:hide] to the attributeMap definition of each attribute that should not be offered as a search criterion, as in this example:
<attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName" applicableMemberTypes="Person"
    dataType="String" valueLength="128" description="[wps:hide]" multiValued="true" />
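The following script is an added example, not a file shipped with WebSphere Portal or written by IBM. It lints a file in the shape of wmmLDAPAttributes.xml against a list of the attribute types that the target LDAP server actually defines, which covers two of the points made on this page: an attributeMap whose wmmAttributeName attribute is misspelled (for example wmmAtributeName) is accepted by the XML parser but carries no Member Manager attribute name, and a mapping to an attribute the directory lacks is still offered as a search criterion unless it carries description="[wps:hide]". It also flags a writable userPassword mapping, since anything writable here can be changed through the Member Manager admin bind. The sample XML, the schema set and the severity labels are constructed for the example; a real run would read the schema from the server's subschema subentry.

```python
"""Lint a Member Manager LDAP attribute-map file before it goes live.

Added example, not IBM code.  Checks each <attributeMap> for:
  * a missing wmmAttributeName attribute (typically a misspelling such as
    wmmAtributeName, which the XML parser accepts without complaint);
  * a pluginAttributeName the LDAP schema does not define while the map is
    still offered as a search criterion (no description="[wps:hide]");
  * a writable userPassword mapping.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of wmmLDAPAttributes.xml.
SAMPLE_XML = """<repositoryAttributes>
  <attributeMap wmmAttributeName="uid" pluginAttributeName="uid"
      applicableMemberTypes="Person" requiredMemberTypes="Person"
      dataType="String" valueLength="256" multiValued="false"/>
  <attributeMap wmmAtributeName="sn" pluginAttributeName="sn"
      applicableMemberTypes="Person" dataType="String" valueLength="128"
      multiValued="true"/>
  <attributeMap wmmAttributeName="ibm-primaryEmail" pluginAttributeName="mail"
      applicableMemberTypes="Person" dataType="String" valueLength="256"
      multiValued="false"/>
  <attributeMap wmmAttributeName="carLicense" pluginAttributeName="carLicense"
      applicableMemberTypes="Person" dataType="String" valueLength="128"
      multiValued="true"/>
  <attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName"
      applicableMemberTypes="Person" dataType="String" valueLength="128"
      description="[wps:hide]" multiValued="true"/>
  <attributeMap wmmAttributeName="userPassword" pluginAttributeName="userPassword"
      applicableMemberTypes="Person" dataType="String" valueLength="128"
      multiValued="false"/>
</repositoryAttributes>
"""

# Constructed sample of the attribute types the LDAP server's schema defines
# (the server's subschema subentry is the real source for this set).
LDAP_SCHEMA_ATTRS = {"uid", "sn", "givenName", "mail", "userPassword", "cn"}

HIDE_MARKER = "[wps:hide]"


def lint_attribute_maps(xml_text, schema_attrs):
    """Return a list of (severity, message) findings, in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("attributeMap"):
        name = elem.get("wmmAttributeName")
        if name is None:
            # Report any attribute that looks like the intended one, so the
            # misspelling is visible in the finding.
            lookalikes = [k for k in elem.keys() if k.lower().startswith("wmma")]
            findings.append(("error",
                             f"attributeMap without wmmAttributeName (found {lookalikes})"))
            continue
        plugin = elem.get("pluginAttributeName", "")
        hidden = elem.get("description", "") == HIDE_MARKER
        if plugin not in schema_attrs and not hidden:
            findings.append(("warn",
                             f"{name} -> {plugin}: not in the LDAP schema but still a "
                             f"search criterion; add description=\"{HIDE_MARKER}\""))
        if name == "userPassword" and elem.get("readOnly", "false").lower() != "true":
            findings.append(("warn",
                             "userPassword is writable through the Member Manager admin bind"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_attribute_maps(SAMPLE_XML, LDAP_SCHEMA_ATTRS):
        print(f"{severity}: {message}")
```

Run against the constructed sample, the script reports the misspelled sn mapping as an error and the carLicense and userPassword mappings as warnings; givenName is not reported because it is both in the schema and hidden.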
Group caching in LDAP
Group caching is used to cache the names, membership relations, and supported attributes of all groups within the scope of Member Manager (that is, under the Member Manager nodes defined in...
portal_server_root/shared/app/wmm/wmm.xml
). Enabling group caching in LDAP can dramatically improve the performance of LDAP-related operations, for example the portal login process or the User and Group Access portlet.
If you continue to use the old wmm.xml file from Member Manager 5.0 or Member Manager 5.0.2, this feature is not enabled. You need to add several new parameters to wmm.xml in order to enable and configure the LDAP group cache.
To use the LDAP group cache, set the following attributes on the <ldapRepository> element in wmm.xml. In a clustered environment, set them in the wmm.xml file on every node. Note that the sample binds as the directory root account (cn=root) with a clear-text password; in a real deployment use a dedicated bind account with only the rights Member Manager needs, and restrict who can read wmm.xml.
<ldapRepository name="wmmLDAP"
    UUID="LDAP1"
    adapterClassName="com.ibm.ws.wmm.ldap.ibmdir.IBMDirectoryAdapterImpl"
    supportDynamicAttributes="false"
    configurationFile="wmm/xml/wmmLDAPAttributes_IDS_ENTRYUUID.xml"
    wmmGenerateExtId="false"
    supportGetPersonByAccountName="true"
    profileRepositoryForGroups="LDAP1"
    supportTransactions="false"
    adminId="cn=root"
    adminPassword="ibm"
    ldapHost="localhost"
    ldapPort="389"
    ldapTimeOut="6000"
    ldapAuthentication="SIMPLE"
    ldapType="0"
    cacheGroups="true"
    groupsCacheTimeOut="600"
    attributesCacheSize="2000"
    attributesCacheTimeOut="600"
    namesCacheSize="2000"
    namesCacheTimeOut="300"
    cachesDiskOffLoad="false"
    serverTTLAttribute="ttl" >
    <!-- child elements unchanged -->
</ldapRepository>
The attributes and their settings:
cacheGroups
    Specifies whether group membership and group attributes are cached. To enable the group cache, set this parameter to "true". If this parameter is not present, the default value is false.
groupsCacheTimeOut (Optional)
    Specifies how often the group cache is refreshed, in seconds. If this parameter is not specified, the default value is 600 seconds. Because membership is served from the cache between refreshes, a user removed from a group in LDAP, including an administrative group, keeps that membership in the portal for up to this many seconds; choose the value with that revocation delay in mind.
attributesCacheSize
    Specifies the size of the attributes cache. The attributes cache holds the results of LDAP getAttributes queries and improves the performance of the Member Manager getMember API, which in turn improves portal login performance. If this parameter is not present or is set to 0, the attributes cache is disabled.
attributesCacheTimeOut (Optional)
    Length of time, in seconds, that entries stay in the attributes cache before being invalidated. The default value is 600 seconds.
namesCacheSize
    Specifies the size of the names cache. The names cache holds the results of LDAP search queries and improves the performance of Member Manager APIs that involve search operations, for example Search. If this parameter is not present or is set to 0, the names cache is disabled.
namesCacheTimeOut (Optional)
    Length of time, in seconds, that search results stay in the names cache before being invalidated. The default value is 600 seconds.
cachesDiskOffLoad (Optional)
    Specifies whether off-loading the caches to disk is enabled. This parameter affects both the attributes cache and the names cache. By default, when the number of entries reaches the size of the attributes cache or the names cache, cache entries are evicted to make room for new ones. If cachesDiskOffLoad is enabled, the evicted entries are copied to disk for potential future access. The off-loaded entries contain directory data (attribute values and search results), so the location they are written to needs the same access protection as the directory itself.
serverTTLAttribute (Optional)
    Name of the ttl attribute supported by the LDAP server. By default, entries in the attributes cache time out after the number of seconds specified by attributesCacheTimeOut. If the LDAP server supports a ttl (TimeToLive) attribute, adding this parameter makes Member Manager use the value of that attribute as the attributes cache timeout, so that the timeout is set on the server side.
Related information
Use multiple realms and user registries
Parent Topic
Additional LDAP configuration
Related reference
Directory Search
Member Manager and People Finder
Troubleshoot Domino and Extended Products Portlets