+

Search Tips   |   Advanced Search

Dynamic groups and nested group support for LDAP

Dynamic and nested groups simplify WAS security management and increase its effectiveness and flexibility.

Dynamic groups contain a group name and membership criteria:

Nested groups enable the creation of hierarchical relationships used to define inherited group membership. A nested group is defined as a child group entry whose distinguished name (DN) is referenced by a parent group entry attribute.

You only need to assign a larger parent group if all nested groups share the same privilege. Assigning a role to a single parent group simplifies the run-time authorization table.


Dynamic groups and nested group support for the IBM Tivoli Directory Server

WebSphere Application Server supports all LDAP dynamic and nested groups when using IBM Security Directory Server. This function is enabled by default by taking advantage of a new feature in IBM Security Directory Server. IBM Tivoli Directory Server uses the ibm-allGroups forward-reference group attribute that automatically calculates all the group memberships including dynamic and recursive memberships for a user. Security directly locates a user group membership from a user object rather than indirectly search all the groups to match group members.

See Configure dynamic and nested group support for the IBM Security Directory Server.

(iseries) When creating groups, ensure that nested and dynamic group memberships work correctly.


Dynamic and nested group support for the SunONE or iPlanet Directory Server

The SunONE or iPlanet Directory Server uses two grouping mechanisms:

Groups

Entries that name other entries as a list of members or as a filter for members.

Roles

Entries that name other entries as a list of members or as a filter for members. Additional functionality is provided by generating the nsrole attribute on each role member.

Three types of roles are available:

Filtered roles

Depends upon the attributes contained in each entry. Entries are members, if they match a specified Lightweight Directory Access Protocol (LDAP) filter. This role is equivalent to a dynamic group.

Nested roles

Creates roles containing other roles. This role is equivalent to a nested group.

Managed roles

Explicitly assigns a role to member entries. This role is equivalent to a static group.

Refer to Configure dynamic and nested group support for the SunONE or iPlanet Directory Server for more information.


Related tasks


Configure dynamic and nested group support for the IBM Security Directory Server
Configure dynamic and nested group support for the SunONE or iPlanet Directory Server
Locating user group memberships in a LDAP registry
Use specific directory servers as the LDAP server