Specify the global ID attribute for users and groups
Determine which attribute to use as the unique identifier of each person and group in the organization. This identifier must be unique across the organization.
By default, WAS reserves the following attributes as unique identifiers for the following LDAP directory servers:
- IBM Tivoli Directory Server:
ibm-entryUUID
- Microsoft Active Directory:
objectGUID
For Active Directory, remember that the samAccountName attribute has a 20-character limit; other IDs used by IBM Connections have a 256-character limit.
- IBM Domino Enterprise Server:
dominoUNID
If the bind ID for the Domino LDAP does not have sufficient manager access to the Domino directory, the Virtual Member Manager (VMM) does not return the correct attribute type for the Domino schema query; DN is returned as the VMM ID. To override VMM's default ID setting, add the following line to the <config:attributeConfiguration> section of the wimconfig.xml file:
<config:externalIdAttributes name="dominoUNID"/>
- Sun Java System Directory Server:
nsuniqueid
- Novell Directory Server:
GUID
- Custom ID:
If the organization already uses a unique identifier for each user and group, you can configure IBM Connections to use that identifier.
The wimconfig.xml file is stored in the following directory:
- AIX:
/usr/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/wim/config
- Linux:
/opt/IBM/WebSphere/AppServer/profiles/profile_name/config/cells/cell_name/wim/config
- Windows:
drive:\IBM\WebSphere\AppServer\profiles\profile_name\config\cells\cell_name\wim\config
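A read-only check for the externalIdAttributes override described above, as an added example that is not part of the original page or IBM's own code: it parses a wimconfig.xml and lists, per repository, which external ID attributes are declared. The sample XML is constructed, and the namespace URI, the config:repositories wrapper and its id values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real wimconfig.xml. The namespace URI, the
# config:repositories wrapper and its id values are assumptions.
SAMPLE_WIMCONFIG = """\
<config:configurationProvider xmlns:config="urn:example:wim-config">
  <config:repositories id="DominoLDAP">
    <config:attributeConfiguration>
      <config:externalIdAttributes name="dominoUNID"/>
    </config:attributeConfiguration>
  </config:repositories>
  <config:repositories id="OtherLDAP">
    <config:attributeConfiguration/>
  </config:repositories>
</config:configurationProvider>
"""


def local_name(tag):
    """Strip the '{namespace}' part ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def external_id_attributes(xml_text):
    """Map each repository id to the externalIdAttributes names it declares."""
    root = ET.fromstring(xml_text)
    found = {}
    for repo in root.iter():
        if local_name(repo.tag) != "repositories":
            continue
        names = []
        for section in repo:
            if local_name(section.tag) != "attributeConfiguration":
                continue
            names += [child.get("name") for child in section
                      if local_name(child.tag) == "externalIdAttributes"]
        found[repo.get("id", "<no id>")] = names
    return found


def repositories_missing(xml_text, expected):
    """Repository ids whose attributeConfiguration does not name `expected`."""
    found = external_id_attributes(xml_text)
    return sorted(repo for repo, names in found.items() if expected not in names)


if __name__ == "__main__":
    for repo, names in external_id_attributes(SAMPLE_WIMCONFIG).items():
        print(repo, "->", names or "VMM default ID (no override)")
```

Matching on local element names keeps the check independent of the namespace URI bound to the config prefix in a given file.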
IBM recommends that you do not allow the GUID of a user to change. If you change the GUID, the user will not have access to their data unless you re-synchronize the LDAP and Profiles database with the new GUID. When you change the GUID and run the sync_all_dns batch file, the user's GUID is first changed in the Profiles database and then propagated to the other components using the user life cycle commands. When you run sync_all_dns, make sure that an unchanged field is used as the hash. For more information, see the topics Synchronizing source changes such as LDAP with Profiles and Managing user data using Profiles administrative commands.