WAS v8.5 > Secure applications > Authenticate users > Select a registry or repository > Manage the realm in a federated repository configurationConfigure dynamic member attributes in a federated repository configuration
Follow this task to configure dynamic member attributes in a federated repository configuration.
Because dynamic member attributes apply only to a LDAP repository, first configure an LDAP repository. For more information, see Manage repositories in a federated repository configuration. A dynamic group defines its members differently than a static group. Instead of listing the members individually, the dynamic group defines its members using an LDAP search. The filter for the search is defined in a dynamic member attribute. For example, the dynamic group uses the structural objectclass groupOfURLs, or auxiliary objectclass ibm-dynamicGroup, and the attribute memberURL, to define the search using a simplified LDAP URL syntax:
ldap:///<base DN of search> ? ? <scope of search> ? <searchfilter>
The following is an example of the LDAP URL that defines all entries that are under o=Acme with the objectclass=person:
ldap:///o=Acme,c=US??sub?objectclass=person
If both member and dynamic member attributes are specified for the same group type, this group type is a hybrid group with both static and dynamic members.
- In the dmgr console, click...
Security > Global security > User account repository > Federated repositories > Available realm definitions > Configure
To configure for a specific domain in a multiple security domain environment, click...
Security domains > domain_name > Security Attributes > User Realm > Customize for this domain
- Select the Realm type as Federated repositories and then click...
Configure > Related items > Manage repositories > [Add | repository}
If you click Add to specify a new external repository, first complete the required fields and click Apply before proceeding to the next step.
- Under Additional Properties click...
LDAP entity types > Group entity type
- In the Object Classes field, add the entry for the object class, for example, groupOfUrls. Delimit multiple entries with a semicolon (;).
- Click OK.
- Under Additional properties, click...
Group attribute definition > Additional properties > Dynamic member attributes
- Click New to specify a new dynamic member attribute or Delete to remove a preconfigured dynamic member attribute.
- Specify the name of the dynamic member attribute in the Name of dynamic member attribute field.
The name of the dynamic member attribute defines the filter for dynamic group members in LDAP, for example, memberURL is the name of a commonly used dynamic member attribute.
- Specify the object class of the group containing the dynamic member attribute in the Dynamic object class field, for example, groupOfURLs.
If this property is not defined, the dynamic member attribute applies to all group object classes.
- Save your configuration changes in the administration console: Click...
System administration > Save changes to master repository > Save
- This next step involves using a wsadmin command and cannot be done through the dmgr console. Start the wsadmin scripting tool and connect to a server, using the following command:
wsadmin -username username -password password
- Use the addIdMgrPropertyToEntityTypes command to add the dynamic member attribute specified in step 12 to the federated repositories schema.
The dynamic member attribute needs to be added to the entity type Group in the federated repositories schema otherwise an error occurs while creating a group in an LDAP repository configured under federated repositories using the create() API and specifying the memberURL attribute and its value. The correctness of the value of the memberURL attribute is not validated because LDAP does not validate this. In the following example, the memberURL property is added to the entity type Group:
$AdminTask addIdMgrPropertyToEntityTypes {-name memberURL -dataType String -entityTypeNames Group -repositoryIds repository_ID}
- Save your configuration changes.
$AdminConfig save
Results
After completing these steps, dynamic member attributes are configured for the LDAP repository.
- After configuring the federated repositories, click Security > Global security to return to the Global security panel.
Verify that Federated repositories is identified in the Current realm definition field. If Federated repositories is not identified, select Federated repositories from the Available realm definitions field and click Set as current. To verify the federated repositories configuration, click Apply on the Global security panel. If Federated repositories is not identified in the Current realm definition field, your federated repositories configuration is not used by WebSphere Application Server.
- See Enable security for the realm.
- Save, stop, and restart all the product servers (deployment managers, nodes, and appservers) for changes in this panel to take effect. If the server comes up without any problems, the setup is correct.
Subtopics