Locating user group memberships in a LDAP registry
WebSphere Application Server can search group memberships in static, recursive (nested), and dynamic groups.
Evaluate group memberships
- Static group membership:
User group membership defined in a static list. For IBM Directory Server, user objects will contain information about the groups to which they belong.
- Dynamic group membership:
With IBM Directory Server, a single attribute, ibm-allGroups, can be used by the LDAP directory server to compute a user's dynamic, nested, and static (direct) group memberships. With Sun ONE Directory Server, the nsRole attribute can be used to calculate all managed, filtered, and nested roles. While this approach is not as efficient as direct groups, server-side dynamic queries are more efficient than determining group membership using static group queries. WebSphere Application Server composes the appropriate dynamic query against LDAP for each group.
- Use the efficient direct group membership where possible.
- Use the relatively efficient dynamic group membership where the LDAP server computes membership within a single query.
- Use static group membership, or client-side dynamic group membership, as a secondary alternative. This option only performs well on systems where the number of groups within the LDAP server is "small".
The configurations for the supported, listed LDAP servers are pre-defined to use the optimal group membership mechanisms. They assume that the standard object types and schemas for that LDAP vendor are in use on the LDAP server.
Evaluate the LDAP registry configuration
Standalone LDAP registry
For an LDAP server outside of the list of pre-configured types, configure the appropriate value in the Group Member ID map field on the Advanced LDAP Settings panel using the following methods.
- If we use static group membership, specify objectclass:attribute pairs. If the objectclass for the group object is groupOfUniquePersons, and within that objectclass members are listed in the persons attribute, then the static group membership Group Member ID map is groupOfUniquePersons:persons.
- If direct group membership is used, the membership attributes exist in the objectclass of the user, and we must use attribute:attribute pairs. For example, if the objectclass for the user is user and the objectclass contains an attribute called ingroup, which contains each group membership, then the direct group membership Group Member ID map is ingroup:member.
LDAP Registry within a Federated Repositories Registry
For an LDAP server outside of the list of pre-configured types, configure the appropriate value in the Group attribute definition properties for the repository.
If static group membership is used, specify the name of the object class and the attribute used for indicating membership in Group attribute definition -> Member attributes. If the group objectclass is groupOfUniquePersons, and within that objectclass members are listed in the persons attribute, then the static group Member attributes property is set as follows:
- To specify a new external repository or select an external repository that is preconfigured.
Security > Global security > Available realm definitions > Federated repositories > Configure
In a multiple security domain environment, click...
Security domains > domain_name > Security Attributes > User Realm > Customize for this domain > Realm type > Federated repositories > Configure > Related items > Manage repositories > Add
To specify a new member attribute.
Additional properties > Group attribute definition > Additional properties > Member attributes > New
Set the Name of member attribute field to persons
Set the Object class field to groupOfUniquePersons
When we finish adding or updating your federated repository configuration, go to the Security > Global security panel and click Apply to validate the changes.
- If direct group membership is used, the membership attribute exists in the objectclass for the user, and that attribute is used. For example, if the objectclass for the user is user, and it contains an attribute called ingroup that contains each group membership, then we specify the direct group membership in the Group attribute definition property for the repository. Perform the following steps:
- To specify a new external repository or select an external repository that is preconfigured...
Security > Global security > User account repository > Available realm definitions > Federated repositories > Configure > Related items > Manage repositories > Add > Additional properties > Group attribute definition
Set the Name of group membership attribute field to ingroup.
When we finish adding or updating your federated repository configuration, go to the Security > Global security panel and click Apply to validate the changes.
Evaluate Nested Groups
- Nested Groups
Depending on the LDAP server implementation, groups can contain only users, or can contain other groups, which are known as nested groups. We configure WAS to properly discover all groups by following this nesting as it applies to either a stand-alone LDAP registry or an LDAP Registry within a Federated Repositories Registry.
- Standalone LDAP Registry
The stand-alone LDAP registry default setting performs only a single group membership query. If the groups returned are in fact subgroups of other groups, enable the Perform a nested group search property on the Advanced LDAP Settings panel of the LDAP registry as follows:
- Click...
Security > Global security > User account repository Available realm definitions > Standalone LDAP registry > Configure > Additional properties > Advanced LDAP user registry settings
Put a check mark in the Perform a nested group search check box.
- LDAP Registry within a Federated Repositories Registry
Within Federated repositories, configure what you expect the results of the query to return. Based on this information, the Federated repository makes the appropriate calls to establish all group membership. If the LDAP server returns all nested group information within a single direct group query, then we set the Scope of group membership attribute property in the group attribute definition to Nested, as follows:
- To specify a new external repository or select an external repository that is preconfigured.
Security > Global security > User account repository > Available realm definitions > Federated repositories > Configure > Related items > Manage repositories > Add > Additional properties > Group attribute definition.
Set the Scope of group membership attribute property in the group attribute definition to Nested.
- If the LDAP server returns only the direct membership, then the registry must make subsequent queries to establish complete membership. To force the Federated Repository to issue subsequent queries, set the Scope of group membership attribute property in the Group attribute definition for the repository to Direct.
While using the direct method, dynamic groups, recursive groups, and static groups can be returned as multiple values of a single attribute. For example, in IBM Directory Server all group memberships, including the static groups, dynamic groups, and nested groups, can be returned using the ibm-allGroups attribute. In Sun ONE, all roles, including managed roles, filtered roles, and nested roles, are calculated using the nsRole attribute. If an LDAP server can use the nsRole attribute, dynamic groups, nested groups, and static groups are all supported by WAS.
Some LDAP servers do not have recursive computing functionality. For example, although Microsoft Active Directory server has direct group search capability using the memberOf attribute, this attribute lists only the groups in which the entry is directly a member and does not contain the recursive list of parent groups further up the nesting. The Lotus Domino LDAP server only supports the indirect method to locate the group memberships for a user. We cannot obtain recursive group memberships from a Domino server directly. For LDAP servers without recursive searching capability, WAS security provides a recursive function enabled by clicking Perform a Nested Group Search in the Advanced LDAP user registry settings. Select this option only if the LDAP server does not provide recursive searches and we want a recursive search.
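The following Python script is an added example, not WAS code, that shows what the two mechanisms above actually cost in queries: it builds the static-group search filter from an objectclass:attribute Group Member ID map (as in the stand-alone registry section) and then resolves a user's groups either with a single server-computed attribute (the Nested scope, modelled on ibm-allGroups) or by issuing subsequent queries from direct membership upward (the Direct scope, which is what Perform a nested group search does on the client side). The in-memory directory, DNs and group names are constructed for illustration; the objectclass groupOfUniquePersons and attribute persons come from the page, and the attribute lookup mimics, but does not call, a real LDAP server.

```python
"""Added example (not WAS code): compare server-computed nested membership
with client-side recursive expansion over a constructed in-memory directory."""
import re

# Constructed sample entries; all DNs are assumptions for illustration.
SAMPLE_USER = "uid=alice,ou=people,dc=example,dc=com"
G_DEVS = "cn=devs,ou=groups,dc=example,dc=com"
G_ENG = "cn=engineering,ou=groups,dc=example,dc=com"
G_STAFF = "cn=staff,ou=groups,dc=example,dc=com"

# devs is nested in engineering, engineering in staff, and staff back in
# engineering: the cycle checks that client-side recursion terminates.
DIRECTORY = {
    SAMPLE_USER: {
        "objectclass": ["user"],
        # Server-computed full membership, as ibm-allGroups provides (page).
        "ibm-allgroups": [G_DEVS, G_ENG, G_STAFF],
    },
    G_DEVS: {"objectclass": ["groupOfUniquePersons"], "persons": [SAMPLE_USER]},
    G_ENG: {"objectclass": ["groupOfUniquePersons"], "persons": [G_DEVS, G_STAFF]},
    G_STAFF: {"objectclass": ["groupOfUniquePersons"], "persons": [G_ENG]},
}


def parse_member_id_map(member_id_map):
    """Split an 'objectclass:attribute' pair as typed into Group Member ID map."""
    objectclass, sep, attribute = member_id_map.partition(":")
    if not sep or not objectclass or not attribute:
        raise ValueError("expected objectclass:attribute, got %r" % member_id_map)
    return objectclass, attribute


def escape_filter_value(value):
    """RFC 4515 escaping so a DN used as a filter value cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def static_group_filter(member_id_map, member_dn):
    """The static group query WAS composes: groups of the objectclass that list member_dn."""
    objectclass, attribute = parse_member_id_map(member_id_map)
    return "(&(objectclass=%s)(%s=%s))" % (
        objectclass, attribute, escape_filter_value(member_dn))


def search_groups_containing(directory, member_id_map, member_dn, stats):
    """Simulate one static group query against the in-memory directory."""
    objectclass, attribute = parse_member_id_map(member_id_map)
    stats["queries"] += 1
    return [dn for dn, entry in directory.items()
            if objectclass.lower() in (oc.lower() for oc in entry.get("objectclass", []))
            and member_dn.lower() in (v.lower() for v in entry.get(attribute, []))]


def resolve_groups(directory, user_dn, member_id_map, scope, stats=None):
    """Return (sorted group DNs, stats) for scope 'nested' or 'direct'."""
    stats = stats if stats is not None else {"queries": 0}
    if scope == "nested":
        # Server returns everything in one query (ibm-allGroups style); trust it.
        stats["queries"] += 1
        return sorted(directory[user_dn].get("ibm-allgroups", [])), stats
    if scope != "direct":
        raise ValueError("scope must be 'direct' or 'nested'")
    # Client-side recursion: query parents of every group found so far.
    found, pending = set(), [user_dn]
    while pending:
        dn = pending.pop()
        for group in search_groups_containing(directory, member_id_map, dn, stats):
            if group not in found:  # cycle guard: never re-expand a known group
                found.add(group)
                pending.append(group)
    return sorted(found), stats


if __name__ == "__main__":
    id_map = "groupOfUniquePersons:persons"
    print(static_group_filter(id_map, SAMPLE_USER))
    for scope in ("nested", "direct"):
        groups, stats = resolve_groups(DIRECTORY, SAMPLE_USER, id_map, scope)
        print(scope, stats["queries"], "query/queries ->", groups)
```

Both scopes return the same three groups, but the Direct scope needs one query per group discovered (four here, including the one that detects the cycle), which is why the page recommends the server-computed attribute wherever the directory offers one and reserves client-side nested search for servers such as Active Directory or Domino that cannot compute it.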
Subtopics
- Configure dynamic and nested group support for the SunONE or iPlanet Directory Server
- Configure dynamic and nested group support for the IBM Security Directory Server
Related:
- Standalone LDAP registries
- Dynamic groups and nested group support for LDAP
- Configure LDAP user registries
- Use specific directory servers as the LDAP server