Locate a user's group memberships in LDAP
Evaluate group memberships from User object directly
Several LDAP servers, including Microsoft Active Directory and eDirectory, enable User objects to contain information about the groups to which they belong. Other LDAP servers, such as IBM Directory Server and Sun ONE directory server, have User objects with attributes that can be used to compute user group membership.
For example, in IBM Directory Server, dynamic, nested, and static group memberships can all be returned by reading the ibm-allGroups attribute of the User object.
In Sun ONE, all roles, including managed, filtered, and nested roles, are calculated by the server and returned in the nsRole attribute of the User object.
Evaluate group memberships from a Group object indirectly
Some LDAP servers, such as the Lotus Domino LDAP server, store membership only on Group objects; the User object carries no information about the groups to which it belongs. For this type of LDAP server, group membership searches are performed by locating the user's DN on the member list of each group. This member list evaluation is not currently used in the static group membership search for WAS.
Use the direct method for searching group memberships
Use the direct method if the User object has an attribute that lists the groups to which the user belongs; otherwise use the indirect method.
To use the direct method or the indirect method, enter the appropriate value in the Group Member ID map field on the Advanced LDAP Settings panel using the following methods.
- objectclass:attribute pairs for the indirect method
- attribute:attribute pairs for the direct method
Sample entries of attribute:attribute pairs for the Group member ID map field (direct method):
- ibm-allGroups:member for IBM Directory Server
- nsRole:nsRole for Sun ONE directory, if groups are created as roles inside Sun ONE
- memberOf:member for Microsoft Active Directory Server
- groupMembership:member for eDirectory
Note that the groupMembership attribute lists all the static groups of which a user is a member. This attribute is NOT updated when an object starts or stops matching a dynamic group's filter. Refer to the Novell eDirectory documentation for more information about the groupMembership attribute.
Sample entries of objectClass:attribute pairs for the Group member ID map field (indirect method):
- dominoGroup:member for Lotus Domino
- groupOfNames:member for Novell eDirectory
Results
With the direct method, dynamic groups, nested groups, and static groups can be returned as multiple values of a single attribute. For example, in IBM Directory Server all group memberships, including static, dynamic, and nested groups, are returned in the ibm-allGroups attribute. In Sun ONE, all roles, including managed, filtered, and nested roles, are calculated in the nsRole attribute. If an LDAP server supports the nsRole attribute, dynamic groups, nested groups, and static groups are all supported by WAS.
Some LDAP servers do not compute nested membership recursively. For example, although Microsoft Active Directory supports the direct method through the memberOf attribute, that attribute lists only the groups of which the user is a direct member; it does not include the parent groups in which those groups are in turn nested. The Lotus Domino LDAP server supports only the indirect method for locating a user's group memberships, so recursive group memberships cannot be obtained from a Domino server directly. For LDAP servers without recursive search capability, WAS security provides a recursive function that is enabled by selecting Perform a Nested Group Search in the Advanced LDAP user registry settings. Select this option only if the LDAP server does not provide recursive searches and you want a recursive search; enabling it on a server that already returns nested groups (such as ibm-allGroups or nsRole) adds redundant searches.
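The following is an added example, not WAS code and not taken from any of the directory servers named above. It shows the two lookups described by the Group member ID map entries (the direct method reading an attribute such as memberOf from the User object, and the indirect method searching Group objects whose member attribute contains the user's DN) and then the recursive expansion that the Perform a Nested Group Search option provides for servers whose attribute lists only direct groups. The directory is a constructed in-memory dictionary standing in for an LDAP server so the example runs offline; the DNs, group names and the cycle between groups are all made up for illustration. One point the page does not spell out is also shown: the user DN must be escaped before it is placed in the `(member=...)` filter, otherwise a DN containing `*`, `(` or `)` changes the meaning of the search.

```python
"""Added example (not WAS code): resolve a user's LDAP group memberships
with the direct method (read an attribute such as memberOf from the user
entry) and the indirect method (search Group objects whose member list
contains the user), then expand nested groups for servers whose attribute
is not recursive. DIRECTORY is a constructed in-memory stand-in for an
LDAP server; a real client would send the same filter/attribute requests."""

from typing import Dict, List

# Constructed sample data: DN -> attributes. Nesting is
# alice -> dev -> eng -> staff, and staff also lists itself (a cycle).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        # Active Directory style: memberOf holds only DIRECT groups
        "memberOf": ["cn=dev,ou=groups,dc=example,dc=com"],
    },
    "cn=dev,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=eng,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=dev,ou=groups,dc=example,dc=com"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=eng,ou=groups,dc=example,dc=com",
                   "cn=staff,ou=groups,dc=example,dc=com"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Without it a DN containing '*', '(' or ')' rewrites the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def indirect_filter(object_class: str, member_attr: str, member_dn: str) -> str:
    """Search filter for the indirect method (objectclass:attribute entry)."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, member_attr, escape_filter_value(member_dn))


def direct_groups(user_dn: str, attr: str) -> List[str]:
    """Direct method (attribute:attribute entry): read the group list
    stored on the user entry, e.g. memberOf, ibm-allGroups or nsRole."""
    return list(DIRECTORY.get(user_dn, {}).get(attr, []))


def indirect_groups(member_dn: str, object_class: str, member_attr: str) -> List[str]:
    """Indirect method: Group objects whose member_attr lists member_dn.
    Emulates the server evaluating indirect_filter(); DN comparison is
    simplified to an exact string match."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if object_class in attrs.get("objectClass", [])
        and member_dn in attrs.get(member_attr, []))


def nested_groups(direct: List[str], object_class: str, member_attr: str) -> List[str]:
    """Expand parent groups recursively (what a nested group search does)
    for servers whose attribute lists only direct groups. The visited set
    stops infinite loops when groups form a cycle."""
    seen, queue = set(), list(direct)
    while queue:
        group = queue.pop()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(indirect_groups(group, object_class, member_attr))
    return sorted(seen)


def all_groups(user_dn: str) -> List[str]:
    """Full membership: direct groups from memberOf, then nested expansion
    over groupOfNames/member (the memberOf:member and groupOfNames:member
    map entries from the page)."""
    return nested_groups(direct_groups(user_dn, "memberOf"), "groupOfNames", "member")


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print("direct:  ", direct_groups(alice, "memberOf"))
    print("indirect:", indirect_groups(alice, "groupOfNames", "member"))
    print("nested:  ", all_groups(alice))
    print("filter:  ", indirect_filter("groupOfNames", "member", "cn=a)(cn=*"))
```

Running the block prints only the direct group for alice from memberOf, the same group again via the indirect search, and all three groups once the nested expansion has walked up through eng and staff without looping on the self-referencing staff group. Map the lookup to the real server by replacing the dictionary access with an LDAP search using the filter string from `indirect_filter`.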
 
Related
Set dynamic and nested group support for the SunONE or iPlanet Directory Server
Set dynamic and nested group support for the IBM Tivoli Directory Server
Standalone LDAP registries
Dynamic groups and nested group support
Use specific directory servers as the LDAP server
Set LDAP user registries