ldapentry.xml
To configure which attributes are synchronized between the LDAP server and the IBM WebSphere Commerce database, edit:
WC_EAR/xml/ldap/ldapentry.xml
This file applies to a Commerce instance that is configured to use an LDAP server as the master profile repository for users and organizations. Commerce interacts with the LDAP server through WebSphere Application Server's federated repository, which is implemented by Virtual Member Manager (VMM).
The ldapentry.xml file provides the mapping between Commerce attributes and VMM attributes, used to synchronize data between the Commerce database and LDAP. The file ships with a default mapping for the most commonly used attributes; the mapped attributes can be customized.
Check wc-server.xml to verify which ldapentry file is being used:
- Microsoft Active Directory: typically uses ldapentry_ad.xml
- LDAP servers: typically uses ldapentry.xml
Additional information can be found at the following resources:
- Default LDAP configuration mapping based on LDAP server type
- Property types supported by virtual member manager
- A commerce User corresponds to PersonAccount in VMM,
- A commerce Organizational Entity corresponds to OrgContainer in VMM.
- Create a new property in VMM
Sample data in the ldapentry.xml file:
<?xml version="1.0"?>
<!DOCTYPE ldapentry SYSTEM "ldapentry.dtd">
<ldapentry>
  <entry entryName="User">
    <ldapsetting>
      <ldaprdn rdnName="uid" keyAttrName="logonId" keyObjName="UserRegistry"/>
    </ldapsetting>
    <ldapmap>
      <map>
        <objectAttribute attrName="logonPassword"/>
        <ldapAttribute name="password" operation="replace" flow="wcsToLdap"/>
      </map>
      <map>
        <objectAttribute attrName="lastName"/>
        <objectAttribute attrName="firstName"/>
        <objectSeparator attrSeparator="/"/>
        <ldapAttribute name="cn" operation="replace" flow="wcsToLdap"/>
      </map>
      <map>
        <objectAttribute attrName="lastName"/>
        <ldapAttribute name="sn" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="firstName"/>
        <ldapAttribute name="givenName" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="phone1"/>
        <ldapAttribute name="homePhone" operation="add" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="email1"/>
        <ldapAttribute name="mail" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="zipCode"/>
        <ldapAttribute name="postalCode" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="address1" size="50"/>
        <objectAttribute attrName="address2" size="50"/>
        <objectAttribute attrName="address3" size="50"/>
        <objectSeparator attrSeparator="/"/>
        <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
      </map>
    </ldapmap>
  </entry>
  <entry entryName="Organization">
    <ldapsetting>
      <ldaprdn rdnName="o" keyAttrName="orgEntityName" keyObjName="Organization"/>
    </ldapsetting>
    <ldapmap>
      <map>
        <objectAttribute attrName="businessCategory"/>
        <ldapAttribute name="businessCategory" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="description"/>
        <ldapAttribute name="description" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="address1" size="50"/>
        <objectAttribute attrName="address2" size="50"/>
        <objectAttribute attrName="address3" size="50"/>
        <objectSeparator attrSeparator="/"/>
        <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="phone1"/>
        <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
      </map>
    </ldapmap>
  </entry>
  <entry entryName="OrganizationalUnit">
    <ldapsetting>
      <ldaprdn rdnName="ou" keyAttrName="orgEntityName" keyObjName="Organization"/>
    </ldapsetting>
    <ldapmap>
      <map>
        <objectAttribute attrName="businessCategory"/>
        <ldapAttribute name="businessCategory" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="description"/>
        <ldapAttribute name="description" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="address1" size="50"/>
        <objectAttribute attrName="address2" size="50"/>
        <objectAttribute attrName="address3" size="50"/>
        <objectSeparator attrSeparator="/"/>
        <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="phone1"/>
        <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
      </map>
    </ldapmap>
  </entry>
</ldapentry>
The format of the ldapentry.xml file is as follows:
- entry: Type of member the mappings are for. Values: User, Organization, or OrganizationalUnit.
- ldapsetting - ldaprdn - rdnName: Specify which LDAP attribute is the RDN attribute.
- ldapsetting - ldaprdn - keyAttrName: Specify which commerce attribute maps to the RDN attribute.
- ldapsetting - ldaprdn - keyObjName: Specify the commerce access bean that contains the keyAttrName attribute.
- ldapsetting - ldapocs - objClass: This option is no longer used. It has been moved to the wimconfig.xml file.
- ldapsetting - ldapbase - defaultBase: This option is no longer used. It has been moved to the wimconfig.xml file.
- ldapsetting - ldapbase - searchBase: This option is no longer used. It has been moved to the wimconfig.xml file.
- map - objectAttribute - attrName: A commerce attribute name. See List of attributes that can be synchronized with LDAP for more information.
- map - ldapAttribute - name: Name of the VMM attribute to be mapped to the commerce attribute specified in attrName. The VMM attribute name is commonly the same as the LDAP attribute name. In cases where it is different, the mapping is defined in the attributeConfiguration element of the wimconfig.xml file.
- map - ldapAttribute - flow: Specify how the attribute value is read from and written to LDAP. Valid values are:
  - ldapToWcs: The value flows from LDAP to the commerce database only. This is used during authentication and get operations.
  - wcsToLdap: The value flows from the commerce database to LDAP only. This setting applies when creating or updating a member in WebSphere Commerce.
  - bothDirections: The value flows both ways, between the commerce database and LDAP. If commerce is used to create or update a user or organization using the member commands, for example, UserRegistrationAddCmd or OrgEntityUpdateCmd, then the flow of data is commerce to LDAP. On a read or get request, for example at logon time or when populating a databean, the flow of data is LDAP to commerce, because LDAP is considered the master of record. However, data is only transferred if the record in LDAP has been updated more recently than it was last synchronized with commerce. This last synchronized time is stored in the WMMMAP table.
  - ldapOnly: The value exists only in LDAP, not in the commerce database. These attributes are accessible from the following APIs:
- UserSyncBean.getProperty(String propertyName)
- OrganizationSyncBean.getProperty(String propertyName)
That will in turn make it available to the following data beans:
- UserRegistrationDataBean.getAttribute(String attributeName)
- OrgEntityDataBean.getAttribute(String attributeName)
In turn, the GetPerson and GetOrganization services will populate the Person and Organization SDOs with these attributes when using the IBM_All access profile:
- /Person/Attributes
- /Organization/Attributes
- map - ldapAttribute - operation: Specify how the attribute value should be modified in LDAP. Valid values are replace or add. A value of replace updates the current user information with the new information provided (for example, replacing an existing phone number with a new one). A value of add includes another entry for the user (for example, adding a new phone number to the current user information, making a list of phone numbers for the user).
- map - objectSeparator - attrSeparator: Separator character used when storing or retrieving multiple Commerce attributes to or from a single LDAP attribute. Replicating multivalued attributes is not supported.
Synchronization of multi-valued LDAP attributes to the MBRATTRVAL table
The MBRATTRVAL table is used for storing custom member attributes. The table can store multiple values (rows) for a single attribute and user. LDAP can handle multivalued attributes.
For example:
<map>
  <objectAttribute attrName="JobFunction_10001_r_n"/>
  <ldapAttribute name="telephoneNumber" operation="replace" flow="bothDirections"/>
</map>
Original mapping:
<!--
<map>
  <objectAttribute attrName="phone1"/>
  <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
</map>
-->
The telephoneNumber VMM attribute maps to the JobFunction_10001_r_n commerce attribute. This commerce attribute, based on the naming convention, is a custom member attribute, whose values are stored in the MBRATTRVAL table. Note that the member attribute name ends with _n to indicate that it is multivalued.
If there are multiple values in the MBRATTRVAL table, they are synchronized over to multiple values in LDAP. Conversely, if there are multiple values in LDAP, they are synchronized to multiple rows in the MBRATTRVAL table.
The following URL is an example of how to add or update two JobFunction values for the current user:
https://localhost/webapp/wcs/stores/servlet/UserRegistrationUpdate?storeId=10101&catalogId=10101&langId=-1&editRegistration=Y&JobFunction_10101_r_1=manager&JobFunction_10101_r_2=clerk&URL=UserRegistrationForm
Note the two occurrences of JobFunction updates in the URL string: the first is JobFunction_10101_r_1 for manager and the second is JobFunction_10101_r_2 for clerk.
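As an added example (not code from this page or from the Commerce product), the following Python reads an ldapentry.xml mapping, applies the objectSeparator join/split and the flow rules described in the format section above, covers the _n multi-valued case from this section, and lints the file for mappings a reviewer would want to look at before deploying it. The sample XML is a constructed, trimmed copy of the page's mapping; the timestamp check stands in for the WMMMAP "LDAP updated more recently than last synchronized" rule with assumed epoch-second values; the lint rules are my own, not product behaviour. The real synchronization runs inside Commerce and VMM, not in this script.

```python
"""Parse a WebSphere Commerce ldapentry.xml mapping and simulate the attribute
flows it declares. Example added for illustration; not IBM/HCL product code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

MULTI_SUFFIX = "_n"   # page convention: custom member attribute ending in _n is multi-valued
VALID_FLOWS = {"ldapToWcs", "wcsToLdap", "bothDirections", "ldapOnly"}
VALID_OPS = {"replace", "add"}

# Constructed sample: a trimmed copy of the mapping format shown on this page.
SAMPLE_LDAPENTRY = """<ldapentry>
 <entry entryName="User">
  <ldapsetting><ldaprdn rdnName="uid" keyAttrName="logonId" keyObjName="UserRegistry"/></ldapsetting>
  <ldapmap>
   <map><objectAttribute attrName="logonPassword"/>
        <ldapAttribute name="password" operation="replace" flow="wcsToLdap"/></map>
   <map><objectAttribute attrName="address1" size="50"/>
        <objectAttribute attrName="address2" size="50"/>
        <objectAttribute attrName="address3" size="50"/>
        <objectSeparator attrSeparator="/"/>
        <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/></map>
   <map><objectAttribute attrName="JobFunction_10001_r_n"/>
        <ldapAttribute name="telephoneNumber" operation="replace" flow="bothDirections"/></map>
  </ldapmap>
 </entry>
</ldapentry>"""

@dataclass
class Mapping:
    entry: str
    attrs: List[str]            # commerce attribute names, in declared order
    sizes: Dict[str, int]       # attrName -> size limit (0 = none)
    separator: Optional[str]    # objectSeparator/@attrSeparator, if present
    ldap_name: str
    operation: str
    flow: str

def parse_ldapentry(xml_text: str) -> List[Mapping]:
    """Read every <map> under each <entry> into a Mapping record."""
    maps = []
    for entry in ET.fromstring(xml_text).findall("entry"):
        for m in entry.findall("ldapmap/map"):
            attrs = m.findall("objectAttribute")
            sep = m.find("objectSeparator")
            la = m.find("ldapAttribute")
            maps.append(Mapping(
                entry=entry.get("entryName"),
                attrs=[a.get("attrName") for a in attrs],
                sizes={a.get("attrName"): int(a.get("size", "0")) for a in attrs},
                separator=sep.get("attrSeparator") if sep is not None else None,
                ldap_name=la.get("name"), operation=la.get("operation"), flow=la.get("flow")))
    return maps

def _clip(mapping: Mapping, name: str, value: str) -> str:
    limit = mapping.sizes.get(name, 0)      # honour size="50" on objectAttribute
    return value[:limit] if limit else value

def to_ldap(mapping: Mapping, member: dict):
    """Value written to LDAP on a commerce-side create/update (wcsToLdap or bothDirections)."""
    if mapping.flow not in ("wcsToLdap", "bothDirections"):
        return None
    if mapping.separator is None:
        name = mapping.attrs[0]
        if name.endswith(MULTI_SUFFIX):     # each MBRATTRVAL row becomes one LDAP value
            return [_clip(mapping, name, v) for v in member.get(name, [])]
        return _clip(mapping, name, member.get(name) or "")
    # several commerce attributes packed into one LDAP attribute, e.g. address1/address2/address3
    return mapping.separator.join(_clip(mapping, n, member.get(n) or "") for n in mapping.attrs)

def from_ldap(mapping: Mapping, ldap_value, ldap_modified: int, last_synced: int) -> dict:
    """Commerce updates produced by a read (logon, databean population). For bothDirections
    the WMMMAP rule applies: LDAP wins only if it changed after the last synchronization.
    ldap_modified/last_synced are assumed to be epoch seconds (constructed for this example)."""
    if mapping.flow not in ("ldapToWcs", "bothDirections"):
        return {}
    if mapping.flow == "bothDirections" and ldap_modified <= last_synced:
        return {}
    if mapping.separator is None:
        name = mapping.attrs[0]
        if name.endswith(MULTI_SUFFIX):     # one MBRATTRVAL row per LDAP value
            return {name: list(ldap_value)}
        return {name: ldap_value}
    parts = str(ldap_value).split(mapping.separator)
    parts += [""] * (len(mapping.attrs) - len(parts))   # pad missing trailing fields
    return dict(zip(mapping.attrs, parts))

def lint(maps: List[Mapping]) -> List[str]:
    """Flag mapping lines a reviewer should look at before deploying the file (my own rules)."""
    findings = []
    for m in maps:
        where = f"{m.entry}/{m.ldap_name}"
        if m.flow not in VALID_FLOWS or m.operation not in VALID_OPS:
            findings.append(f"{where}: unknown flow/operation {m.flow!r}/{m.operation!r}")
        if "logonPassword" in m.attrs and m.flow != "wcsToLdap":
            findings.append(f"{where}: logonPassword flow is {m.flow}; shipped default is wcsToLdap")
        if m.separator and any(a.endswith(MULTI_SUFFIX) for a in m.attrs):
            findings.append(f"{where}: objectSeparator with a multivalued attribute is not supported")
    return findings
```

Running `lint(parse_ldapentry(open("ldapentry.xml").read()))` against a customized file gives a quick review list; `to_ldap` and `from_ldap` show why the `size` limits and the separator padding matter when three address fields share one postalAddress value.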