
Locating user group memberships in an LDAP registry

WebSphere Application Server can search group memberships in static, recursive (nested), and dynamic groups.


Evaluate group memberships

Use the efficient direct group membership where possible.

Use the relatively efficient dynamic group membership where the LDAP computes membership within a single query.

Use static group membership, or client-side dynamic group membership, as a secondary alternative. This option performs well only on systems where the number of groups in the LDAP server is "small", because every group entry must be searched for the user.

The configurations for the supported, listed LDAP servers are pre-defined to use the optimal group membership mechanisms. They assume that the standard object types and schemas for that LDAP vendor are in use on the LDAP server.


Evaluate the LDAP registry configuration

Standalone LDAP registry

For an LDAP server outside of the list of pre-configured types, configure the appropriate value in the Group Member ID map field on the Advanced LDAP Settings panel, using one of the membership methods described above.


LDAP Registry within a Federated Repositories Registry

For an LDAP server outside of the list of pre-configured types, configure the appropriate value in the Group attribute definition properties for the repository.

If static group membership is used, specify the name of the object class and the attribute used to indicate membership in Group attribute definition -> Member attributes. If the group objectclass is groupOfUniquePersons, and within that objectclass members are listed in the persons attribute, then the static group Member attributes property is set as follows:

  1. To specify a new external repository or select a preconfigured external repository:

    In a multiple security domain environment, click...

      Security domains > domain_name > Security Attributes > User Realm > Customize for this domain > Realm type > Federated repositories > Configure > Related items > Manage repositories > Add

    To specify a new member attribute:

    Set the Name of member attribute field to persons.

    Set the Object class field to groupOfUniquePersons.

    When we finish adding or updating the federated repository configuration, go to the Security > Global security panel and click Apply to validate the changes.

  2. If direct group membership is used, then the user's objectclass contains an attribute that lists the user's groups, and that attribute is used. For example, if the objectclass for the user is user, and it contains an attribute called ingroup whose values are each group membership, then we specify the direct group membership in the Group attribute definition property for the repository. Perform the following steps:

  3. To specify a new external repository or select a preconfigured external repository:

      Security > Global security > User account repository > Available realm definitions > Federated repositories > Configure > Related items > Manage repositories > Add > Additional properties > Group attribute definition

    Set the Name of group membership attribute field to ingroup.

    When we finish adding or updating the federated repository configuration, go to the Security > Global security panel and click Apply to validate the changes.


Evaluate Nested Groups

While using the direct method, dynamic groups, recursive groups, and static groups can be returned as multiple values of a single attribute. For example, in IBM Directory Server all group memberships, including the static groups, dynamic groups, and nested groups, can be returned using the ibm-allGroups attribute. In Sun ONE, all roles, including managed roles, filtered roles, and nested roles, are calculated using the nsRole attribute. If an LDAP server can use the nsRole attribute, dynamic groups, nested groups, and static groups are all supported by WAS.

Some LDAP servers do not have recursive computing functionality. For example, although Microsoft Active Directory server has direct group search capability using the memberOf attribute, this attribute lists only the groups of which the entry is a direct member and does not contain the recursive list of the groups in which those groups are in turn nested. The Lotus Domino LDAP server only supports the indirect method to locate the group memberships for a user. We cannot obtain recursive group memberships from a Domino server directly. For LDAP servers without recursive searching capability, WAS security provides a recursive function enabled by clicking Perform a Nested Group Search in the Advanced LDAP user registry settings. Select this option only if the LDAP server does not provide recursive searches and we want a recursive search.
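The following is an added example, not IBM's or WebSphere's code: it walks through the three lookups this page describes (the direct method on the user's ingroup attribute from the federated repository steps, the static search over groupOfUniquePersons entries' persons attribute, and the client-side nested search that Perform a Nested Group Search adds for servers without recursive capability) over a small constructed in-memory directory. The entry DNs and the membership cycle in the test are constructed; the objectclass and attribute names are the page's own examples.

```python
# Constructed in-memory directory: {dn: {attribute: [values]}}. The DNs are
# placeholders; objectclass/attribute names follow the page's examples.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["user"],
        "ingroup": ["cn=dev,ou=groups,dc=example,dc=com"],   # direct membership
    },
    "cn=dev,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniquePersons"],
        "persons": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=eng,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniquePersons"],
        "persons": ["cn=dev,ou=groups,dc=example,dc=com"],   # dev is nested in eng
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniquePersons"],
        "persons": ["cn=eng,ou=groups,dc=example,dc=com",
                    "cn=dev,ou=groups,dc=example,dc=com"],
    },
}


def direct_groups(user_dn, attr="ingroup"):
    """Direct method: a single read of the user's group-membership attribute."""
    return set(DIRECTORY.get(user_dn, {}).get(attr, []))


def static_groups(member_dn, objectclass="groupOfUniquePersons", member_attr="persons"):
    """Static method: scan every entry of the group objectclass for one whose
    member attribute names member_dn. Cost grows with the number of groups,
    which is why the page calls this the secondary alternative."""
    return {dn for dn, entry in DIRECTORY.items()
            if objectclass in entry.get("objectclass", [])
            and member_dn in entry.get(member_attr, [])}


def nested_groups(user_dn, **kw):
    """Client-side recursive search, the work Perform a Nested Group Search
    does for a server that only returns direct membership: repeat the static
    lookup for each group found, with a visited set so a membership cycle
    (A in B and B in A) cannot loop forever."""
    found, pending = set(), [user_dn]
    while pending:
        dn = pending.pop()
        for group in static_groups(dn, **kw):
            if group not in found:      # skip groups already expanded
                found.add(group)
                pending.append(group)
    return found
```

The direct and static lookups both return only cn=dev for alice; the nested search adds cn=eng and cn=staff, which a server's memberOf-style attribute alone would not report.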



Related:

  • Standalone LDAP registries
  • Dynamic groups and nested group support for LDAP
  • Configure LDAP user registries
  • Use specific directory servers as the LDAP server