WebSphere Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

Mapping LDAP attributes

Member Manager maps attribute names that are exposed on Java objects representing users and groups to the underlying repository attribute names. The attributes and mappings are specified in xml files in the portal_server_root/wmm/ directory, which are referenced or implicitly defined in the portal_server_root/wmm/wmm.xml file.

See Configuration for information on all Member Manager configuration xml files.

The following files are needed to configure attributes and mappings:

Some attributes on the LDAP database do not have corresponding member attributes and are not exposed on the Java objects by default, while other attributes on the Java object can be stored in the Lookaside database instead of the LDAP database. Attributes that should only be read from within portal can be flagged as read-only by setting the read-only=true property in the attribute tag in file wmmAttributes.xml. Attributes mapped to the Lookaside database should never be specified as read-only.

You can add or delete attributes as required by your configuration by exposing additional attributes from the underlying LDAP repository that are not currently exposed or removing existing ones. You can expose new attributes by adding the attribute to the wmmAttributes.xml file and a new mapping to the wmmLDAPAttributes.xml file. Likewise, you can remove attributes from both files.

 

Sample configurations

The portal_server_root/wmm/ directory contains a set of sample configuration files for the most common scenarios. If you customize any of the wmm_*.xml files, rename the file to portal_server_root/wmm/wmm.xml and make sure the file references inside it are correct.

Use the following sample as a guide to map LDAP attributes to Member Manager:

<repositoryAttributes>
<attributeMap wmmAttributeName="extId"
   applicableMemberTypes="Person;Group;Organization;OrganizationalUnit"
   pluginAttributeName="ibm-appUUID" dataType="String" multiValued="false"
   readOnly="true" />
<!--  Define which LDAP attribute is used for storing static group members  -->
<!--  By default, the member attribute is mandatory in IBM Directory Server, so
      define the default value "uid=dummy"
-->
<attributeMap wmmAttributeName="groupMember" pluginAttributeName="member"
   applicableMemberTypes="Group" dataType="String" valueLength="1024"
   multiValued="true" defaultValue="uid=dummy" />
<!--  Define which LDAP attribute is used for storing dynamic group queries
-->
<attributeMap wmmAttributeName="groupMemberURL" pluginAttributeName="memberURL"
   applicableMemberTypes="Group" dataType="String" valueLength="1024"
   multiValued="true" />
<!--  * * * * *  Common schema attributes * * * * * * * * * * * * * * * * * -->
<attributeMap wmmAttributeName="uid" pluginAttributeName="uid"
   applicableMemberTypes="Person" requiredMemberTypes="Person" dataType="String"
   valueLength="256" multiValued="false" />
<attributeMap wmmAttributeName="sn" pluginAttributeName="sn"
   applicableMemberTypes="Person" requiredMemberTypes="Person" dataType="String"
   valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName"
   applicableMemberTypes="Person" dataType="String" valueLength="128"
   multiValued="true" />
<attributeMap wmmAttributeName="initials" pluginAttributeName="initials"
   applicableMemberTypes="Person" dataType="String" valueLength="20"
   multiValued="true" />
<attributeMap wmmAttributeName="ibm-primaryEmail" pluginAttributeName="mail"
   applicableMemberTypes="Person" dataType="String" valueLength="256"
   multiValued="false" />
<attributeMap wmmAttributeName="displayName" pluginAttributeName="displayName"
   applicableMemberTypes="Person" dataType="String" valueLength="128"
   multiValued="true" />
<attributeMap wmmAttributeName="preferredLanguage"
   pluginAttributeName="preferredLanguage" applicableMemberTypes="Person"
   dataType="String" valueLength="128" multiValued="false" />
<attributeMap wmmAttributeName="o" pluginAttributeName="o"
   applicableMemberTypes="Organization" requiredMemberTypes="Organization"
   dataType="String" valueLength="128" multiValued="false" />
<attributeMap wmmAttributeName="ou" pluginAttributeName="ou"
   applicableMemberTypes="OrganizationalUnit" requiredMemberTypes="OrganizationalUnit"
   dataType="String" valueLength="128" multiValued="false" />
<attributeMap wmmAttributeName="cn" pluginAttributeName="cn"
   applicableMemberTypes="Person;Group" requiredMemberTypes="Group" dataType="String"
   valueLength="256" multiValued="false" />
<attributeMap wmmAttributeName="description" pluginAttributeName="description"
   applicableMemberTypes="Person;Group;Organization;OrganizationalUnit"
   dataType="String" valueLength="1024" multiValued="true" />
<attributeMap wmmAttributeName="userPassword" pluginAttributeName="userPassword"
   applicableMemberTypes="Person" dataType="String" valueLength="128"
   multiValued="false" />
<!--  Read only attribute -->
<attributeMap wmmAttributeName="createTimestamp" pluginAttributeName="createTimestamp"
   applicableMemberTypes="Person;Group;Organization;OrganizationalUnit"
   dataType="Timestamp" multiValued="false" readOnly="true" />
<!--  Read only attribute -->
<attributeMap wmmAttributeName="modifyTimestamp" pluginAttributeName="modifyTimestamp"
   applicableMemberTypes="Person;Group;Organization;OrganizationalUnit"
   dataType="Timestamp" multiValued="false" readOnly="true" />
<attributeMap wmmAttributeName="jpegPhoto" pluginAttributeName="jpegPhoto"
   applicableMemberTypes="Person" dataType="ByteArray" valueLength="250000"
   multiValued="true" />
<attributeMap wmmAttributeName="labeledURI" pluginAttributeName="labeledURI"
   applicableMemberTypes="Person" dataType="Object" classname="java.lang.String"
   multiValued="true" />
<attributeMap wmmAttributeName="carLicense" pluginAttributeName="carLicense"
   applicableMemberTypes="Person" dataType="String" valueLength="128"
   multiValued="true" />
<attributeMap wmmAttributeName="telephoneNumber" pluginAttributeName="telephoneNumber"
   applicableMemberTypes="Person" dataType="String" valueLength="32" multiValued="true" />
<attributeMap wmmAttributeName="facsimileTelephoneNumber"
   pluginAttributeName="facsimileTelephoneNumber" applicableMemberTypes="Person"
   dataType="String" valueLength="32" multiValued="true" />
<attributeMap wmmAttributeName="pager" pluginAttributeName="pager"
   applicableMemberTypes="Person" dataType="String" valueLength="32" multiValued="true" />
<attributeMap wmmAttributeName="mobile" pluginAttributeName="mobile"
   applicableMemberTypes="Person" dataType="String" valueLength="32" multiValued="true" />
<attributeMap wmmAttributeName="homePostalAddress" pluginAttributeName="homePostalAddress"
   applicableMemberTypes="Person" dataType="String" valueLength="500" multiValued="true" />
<attributeMap wmmAttributeName="postalAddress" pluginAttributeName="postalAddress"
   applicableMemberTypes="Person" dataType="String" valueLength="500" multiValued="true" />
<attributeMap wmmAttributeName="roomNumber" pluginAttributeName="roomNumber"
   applicableMemberTypes="Person" dataType="String" valueLength="256" multiValued="true" />
<attributeMap wmmAttributeName="localityName" pluginAttributeName="localityName"
   applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="stateOrProvinceName" pluginAttributeName="stateOrProvinceName"
   applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="street" pluginAttributeName="street"
   applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="postalCode" pluginAttributeName="postalCode"
   applicableMemberTypes="Person" dataType="String" valueLength="40" multiValued="true" />
<attributeMap wmmAttributeName="employeeNumber" pluginAttributeName="employeeNumber"
   applicableMemberTypes="Person" dataType="String" valueLength="20" multiValued="false" />
<attributeMap wmmAttributeName="employeeType" pluginAttributeName="employeeType"
   applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="manager" pluginAttributeName="manager"
   applicableMemberTypes="Person" dataType="MemberIdentifier" multiValued="true" />
<attributeMap wmmAttributeName="secretary" pluginAttributeName="secretary"
   applicableMemberTypes="Person" dataType="MemberIdentifier" multiValued="true" />
<attributeMap wmmAttributeName="businessCategory" pluginAttributeName="businessCategory"
   applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="departmentNumber" pluginAttributeName="departmentNumber"
   applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="seeAlso" pluginAttributeName="seeAlso"
   applicableMemberTypes="Person" dataType="MemberIdentifier" multiValued="true" />
</repositoryAttributes>
In a Tivoli Directory Server environment, Member Manager can create a dummy member entry in a group when the group is created. The dummy member entry is configured by setting the defaultValue in the attributeMap element of the groupMember attribute in the portal_server_root/wmm/wmmLDAPServerAttributes.xml file, as shown here:

<attributeMap   wmmAttributeName="groupMember"
                pluginAttributeName="uniqueMember"
                applicableMemberTypes="Group"
                dataType="String"
                valueLength="1000" 
                multiValued="true"
                defaultValue="uid=dummy"
                readOnly="false"/> 

 

Search criteria in portlets

By default, the search function in portlets offers all Member Manager attributes as search criteria, even if an attribute does not exist in your LDAP directory. When users do a search based on an attribute that is not in the LDAP directory, the search results are null. To prevent this problem, restrict searches to Member Manager attributes that exist in the LDAP directory.

Do this by editing the portal_server_root/wmm/wmmLDAPAttributes.xml file: add a description attribute with the value [wps:hide] to the attributeMap definition of each attribute to hide, as in the following example.

        <attributeMap   wmmAttributeName="givenName"
                        pluginAttributeName="givenName"
                        applicableMemberTypes="Person"                  
                        dataType="String" 
                        valueLength="128" 
                        description="[wps:hide]"
                        multiValued="true" />
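The two sections above describe what the attributeMap entries control: which member types an attribute applies to, whether portal code may write it (readOnly), and whether the portlet search offers it ([wps:hide] in description). The following Python audit script is an added example, not IBM code; it parses a constructed wmmLDAPAttributes.xml-style excerpt and reports, per member type, the searchable and writable attributes, plus two consistency findings (a required member type that is not also applicable, and a String attribute without valueLength).

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the wmmLDAPAttributes.xml format (not a real portal file).
SAMPLE = """<repositoryAttributes>
<attributeMap wmmAttributeName="uid" pluginAttributeName="uid"
   applicableMemberTypes="Person" requiredMemberTypes="Person"
   dataType="String" valueLength="256" multiValued="false" />
<attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName"
   applicableMemberTypes="Person" dataType="String" valueLength="128"
   description="[wps:hide]" multiValued="true" />
<attributeMap wmmAttributeName="createTimestamp" pluginAttributeName="createTimestamp"
   applicableMemberTypes="Person;Group" dataType="Timestamp"
   multiValued="false" readOnly="true" />
<attributeMap wmmAttributeName="cn" pluginAttributeName="cn"
   applicableMemberTypes="Group" requiredMemberTypes="Person;Group"
   dataType="String" valueLength="256" multiValued="false" />
</repositoryAttributes>"""

HIDE_MARKER = "[wps:hide]"  # in description: portlet search does not offer the attribute
def split_types(value):
    return [t for t in (value or "").split(";") if t]

def load_maps(xml_text):
    return [dict(e.attrib) for e in ET.fromstring(xml_text).iter("attributeMap")]

def applicable(m, member_type):
    return member_type in split_types(m.get("applicableMemberTypes"))

def searchable_attributes(maps, member_type):
    # Every mapped attribute applicable to the type, minus those hidden with [wps:hide].
    return sorted(m["wmmAttributeName"] for m in maps if applicable(m, member_type)
                  and HIDE_MARKER not in m.get("description", ""))

def writable_attributes(maps, member_type):
    # Attributes portal code may modify: readOnly absent or not "true".
    return sorted(m["wmmAttributeName"] for m in maps if applicable(m, member_type)
                  and m.get("readOnly", "false").lower() != "true")

def lint(maps):
    # Consistency findings: a required member type must also be an applicable one,
    # and a String attribute needs a valueLength.
    findings = []
    for m in maps:
        name, app = m["wmmAttributeName"], set(split_types(m.get("applicableMemberTypes")))
        for t in split_types(m.get("requiredMemberTypes")):
            if t not in app:
                findings.append(f"{name}: required for {t} but not applicable")
        if m.get("dataType") == "String" and "valueLength" not in m:
            findings.append(f"{name}: String attribute without valueLength")
    return findings
```

Point load_maps at the real file's text to audit a portal's own mapping before exposing it to users.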

 

Group caching in LDAP

Group caching is used to cache the names, membership relations, and supported attributes of all groups under the scope of Member Manager (under the Member Manager nodes defined in portal_server_root/wmm/wmm.xml).

Enabling group caching in LDAP can dramatically improve the performance of LDAP-related operations, for example the portal login process or the User and Group Access Portlet.

If you continue to use the old wmm.xml file from Member Manager 5.0 or Member Manager 5.0.2, this feature is not enabled. You need to add several new parameters to the wmm.xml file in order to enable and configure the LDAP group cache.

To use LDAP group cache, set the following attributes in the wmm.xml file. In a clustered environment, you need to check the file out of the deployment manager before making changes and back in afterwards.

    <ldapRepository name="wmmLDAP"
           UUID="LDAP1"
           adapterClassName="com.ibm.ws.wmm.ldap.ibmdir.IBMDirectoryAdapterImpl"
           supportDynamicAttributes="false"
           configurationFile="wmm/wmmLDAPAttributes_IDS_ENTRYUUID.xml" 
           wmmGenerateExtId="false"
           supportGetPersonByAccountName="true"               
           profileRepositoryForGroups="LDAP1"
           supportTransactions="false"
           adminId="cn=root"
           adminPassword="ibm"
           ldapHost="localhost"
           ldapPort="389"
           ldapTimeOut="6000"
           ldapAuthentication="SIMPLE"
           ldapType="0"
           
           cacheGroups="true"
           groupsCacheTimeOut="600"

           attributesCacheSize="2000"
           attributesCacheTimeOut="600"

           namesCacheSize="2000"
           namesCacheTimeOut="300"

           cachesDiskOffLoad="false"
           serverTTLAttribute="ttl"
           >

Attributes and their settings:

cacheGroups
   Specifies whether group membership and attributes are cached. To enable the group cache, set this parameter to "true". If this parameter is not present, the default value is false.

groupsCacheTimeOut (Optional)
   Specifies how frequently the group cache is refreshed, in seconds. If this parameter is not specified, the default value is 600 seconds.

attributesCacheSize
   The size of the attributes cache, which caches the results of LDAP getAttributes queries. The attributes cache improves the performance of the Member Manager getMember API and therefore of portal login. If this parameter is not present or is set to 0, the attributes cache is disabled.

attributesCacheTimeOut (Optional)
   Length of time, in seconds, that entries stay in the attributes cache before being invalidated. The default value is 600 seconds.

namesCacheSize
   The size of the names cache, which caches the results of LDAP search queries. The names cache improves the performance of Member Manager APIs that involve search operations, for example Search. If this parameter is not present or is set to 0, the names cache is disabled.

namesCacheTimeOut (Optional)
   Length of time, in seconds, that search results stay in the names cache before being invalidated. The default value is 600 seconds.

cachesDiskOffLoad (Optional)
   Specifies whether evicted cache entries are off-loaded to disk. This parameter affects both the attributes cache and the names cache. By default, when the number of entries reaches the configured size of the attributes cache or the names cache, entries are evicted to make room for new ones. If cachesDiskOffLoad is enabled, the evicted entries are copied to disk for potential future access.

serverTTLAttribute (Optional)
   The name of the ttl (TimeToLive) attribute supported by the LDAP server. By default, entries in the attributes cache time out after the number of seconds specified by attributesCacheTimeOut. If the LDAP server supports a ttl attribute, adding this parameter makes Member Manager use the value of that attribute as the attributes cache timeout, so the server side controls the timeout value.
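Because several of these caches are silently disabled when a parameter is absent or 0, it helps to compute the effective settings rather than read the file by eye. The following Python helper is an added example, not IBM code: it parses a constructed ldapRepository element (the page's excerpt ends at the start tag, so the sample closes it), applies the documented defaults, and models the serverTTLAttribute override for attributes cache entries.

```python
import xml.etree.ElementTree as ET

# Documented defaults from the attribute list above; a missing or 0 cache size
# disables that cache.
CACHE_DEFAULTS = {
    "cacheGroups": "false",
    "groupsCacheTimeOut": "600",
    "attributesCacheSize": "0",
    "attributesCacheTimeOut": "600",
    "namesCacheSize": "0",
    "namesCacheTimeOut": "600",
    "cachesDiskOffLoad": "false",
}

# Constructed wmm.xml fragment (host name and values are illustrative); the element
# is closed so that it parses stand-alone.
SAMPLE_WMM = """<ldapRepository name="wmmLDAP" UUID="LDAP1"
    ldapHost="ldap.example.invalid" ldapPort="389"
    cacheGroups="true" groupsCacheTimeOut="600"
    namesCacheSize="2000" namesCacheTimeOut="300"
    serverTTLAttribute="ttl"></ldapRepository>"""

def effective_cache_settings(xml_text):
    """Merge the explicit ldapRepository attributes with the documented defaults."""
    repo = ET.fromstring(xml_text)
    if repo.tag != "ldapRepository":  # allow a whole wmm.xml document as input
        repo = repo.find(".//ldapRepository")
    cfg = {key: repo.get(key, default) for key, default in CACHE_DEFAULTS.items()}
    cfg["serverTTLAttribute"] = repo.get("serverTTLAttribute")  # None when absent
    cfg["groupCacheEnabled"] = cfg["cacheGroups"].lower() == "true"
    cfg["attributesCacheEnabled"] = int(cfg["attributesCacheSize"]) > 0
    cfg["namesCacheEnabled"] = int(cfg["namesCacheSize"]) > 0
    return cfg

def attribute_entry_timeout(cfg, entry_ttl=None):
    """Seconds an entry stays in the attributes cache: the server-supplied ttl
    value wins when serverTTLAttribute is configured and the entry carries it,
    otherwise attributesCacheTimeOut applies."""
    if cfg["serverTTLAttribute"] and entry_ttl is not None:
        return int(entry_ttl)
    return int(cfg["attributesCacheTimeOut"])
```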
