Member and membership attribute configuration
We can configure the memberAttributes and membershipAttribute in virtual member manager to search for a group membership relationship in an LDAP server.
There are two main ways to store a group and its members, for example, PersonAccount entities:
- The PersonAccount entity has an attribute, for example, memberof, which points to the groups that this person belongs to. The memberof attribute in this example is called the group membership attribute.
- The Group entity has an attribute, for example, member, which points to its members. The member attribute in this example is called the group member attribute.
The following example shows a group membership in an LDAP server:

Group
    cn=grp1,dc=com with attribute 'member' value: uid=usr1,dc=com

PersonAccount
    uid=usr1,dc=com with attribute 'memberof' value: cn=grp1,dc=com

The corresponding member and membership configuration in the wimconfig.xml file is shown here:

<config:groupConfiguration>
    <config:memberAttributes name="member" objectClass="group" scope="direct"/>
    <config:membershipAttribute name="memberof" scope="direct"/>
</config:groupConfiguration>
memberAttributes
Use the memberAttributes configuration to specify the LDAP attribute that stores the members of a group entity in LDAP.

membershipAttribute
Use the membershipAttribute configuration to specify the LDAP attribute that stores the groups of a PersonAccount entity in LDAP.

Performance tip: If there are several groups in the LDAP server, configure membershipAttribute in virtual member manager for better performance when searching for a group membership relationship. Reading one attribute of the user entry avoids searching the member attribute of every group.

If both memberAttributes and membershipAttribute are configured at the same time, membershipAttribute takes precedence when getting the groups to which a user belongs, such as in a login scenario, whereas memberAttributes takes precedence when getting the users of a group.
- Set the scope parameter
Set the scope parameter of memberAttributes or membershipAttribute to direct or nested according to what the LDAP server actually stores in that attribute: direct when the attribute lists only the immediate members (or immediate groups) and virtual member manager must resolve nested groups itself, nested when the LDAP server already returns the nested closure in that attribute.
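The following worked example, added here and not part of virtual member manager or the WebSphere documentation, shows how the memberAttributes and membershipAttribute settings drive the two lookup directions described above: membershipAttribute for "which groups does this user belong to" (the login scenario) and memberAttributes for "who is in this group", and how scope="direct" forces the resolver to walk nested groups itself while scope="nested" trusts the attribute as complete. The wimconfig.xml fragment, its namespace URI, and the small in-memory directory (grp1 nested inside grp2) are all constructed for the example; the parse and resolver functions are assumptions, not the product's API.

```python
"""Resolve group membership from a wimconfig.xml-style groupConfiguration.

Added illustration; the resolver, directory content and namespace URI are
constructed for this example and are not virtual member manager code.
"""
import xml.etree.ElementTree as ET

# Constructed fragment matching the page's example. The namespace URI is a
# placeholder; the real wimconfig.xml declares its own.
WIMCONFIG_FRAGMENT = """\
<config:groupConfiguration xmlns:config="urn:example:wimconfig">
  <config:memberAttributes name="member" objectClass="group" scope="direct"/>
  <config:membershipAttribute name="memberof" scope="direct"/>
</config:groupConfiguration>
"""
NS = {"config": "urn:example:wimconfig"}

# Constructed LDAP entries (DN -> attributes). Every entry stores only its
# DIRECT relationships, as an LDAP server with scope="direct" attributes would.
DIRECTORY = {
    "cn=grp1,dc=com": {"objectClass": ["group"],
                       "member": ["uid=usr1,dc=com"],
                       "memberof": ["cn=grp2,dc=com"]},
    "cn=grp2,dc=com": {"objectClass": ["group"],
                       "member": ["cn=grp1,dc=com", "uid=usr2,dc=com"]},
    "uid=usr1,dc=com": {"objectClass": ["PersonAccount"],
                        "memberof": ["cn=grp1,dc=com"]},
    "uid=usr2,dc=com": {"objectClass": ["PersonAccount"],
                        "memberof": ["cn=grp2,dc=com"]},
}


def parse_group_config(xml_text):
    """Return {'memberAttributes': (name, scope), 'membershipAttribute': (name, scope)}
    for whichever elements the fragment defines."""
    root = ET.fromstring(xml_text)
    cfg = {}
    for key in ("memberAttributes", "membershipAttribute"):
        elem = root.find("config:" + key, NS)
        if elem is not None:
            cfg[key] = (elem.get("name"), elem.get("scope"))
    if not cfg:
        raise ValueError("groupConfiguration defines neither attribute")
    return cfg


def is_group(directory, dn):
    return "group" in directory.get(dn, {}).get("objectClass", [])


def _closure(directory, start_dn, attr, scope):
    """Follow `attr` from start_dn. With scope="direct" the attribute holds one
    hop only, so group targets are expanded recursively; with scope="nested"
    a single read is taken as the complete closure."""
    found, todo = [], [start_dn]
    while todo:
        dn = todo.pop()
        for target in directory.get(dn, {}).get(attr, []):
            if target not in found:
                found.append(target)
                if scope == "direct" and is_group(directory, target):
                    todo.append(target)
    return sorted(found)


def groups_of_user(directory, user_dn, cfg):
    """Login scenario: membershipAttribute takes precedence (one entry read);
    otherwise every group's member attribute must be scanned."""
    if "membershipAttribute" in cfg:
        return _closure(directory, user_dn, *cfg["membershipAttribute"])
    attr, scope = cfg["memberAttributes"]
    return sorted(g for g in directory if is_group(directory, g)
                  and user_dn in _closure(directory, g, attr, scope))


def members_of_group(directory, group_dn, cfg):
    """Group listing: memberAttributes takes precedence; otherwise every
    entry's membership attribute is checked."""
    if "memberAttributes" in cfg:
        return _closure(directory, group_dn, *cfg["memberAttributes"])
    attr, scope = cfg["membershipAttribute"]
    return sorted(e for e in directory
                  if group_dn in _closure(directory, e, attr, scope))


if __name__ == "__main__":
    cfg = parse_group_config(WIMCONFIG_FRAGMENT)
    print("groups of usr1:", groups_of_user(DIRECTORY, "uid=usr1,dc=com", cfg))
    print("members of grp2:", members_of_group(DIRECTORY, "cn=grp2,dc=com", cfg))
    # Misconfiguration: declaring scope="nested" for an attribute that the
    # server only fills with direct groups silently drops grp2 for usr1.
    wrong = {"membershipAttribute": ("memberof", "nested")}
    print("usr1 with wrong scope:", groups_of_user(DIRECTORY, "uid=usr1,dc=com", wrong))
```

The last lines show the check a practitioner should run after changing scope: with the directory holding only direct relationships, configuring membershipAttribute as nested makes usr1 appear to be in grp1 only, so any security role mapped to grp2 would no longer apply to that user at login. Comparing the two lookup directions against the same user is a quick way to confirm that the configured scope matches what the LDAP server really stores.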