Mapping LDAP attributes
Member Manager maps from attribute names that are exposed on Java objects representing users and groups to the underlying repository attribute names. When the underlying repository is LDAP, Member Manager attributes are mapped to LDAP attributes through a file that is specified through an attribute that is contained in one of the files listed here. These files are only examples for the respective configurations. During the WebSphere Portal configuration, the corresponding file is modified and copied to the <wp_root>/shared/app/wmm/wmm.xml directory.
- LDAP-only configuration: wmm_LDAP.xml
- LDAP + Lookaside configuration: wmm_LDAP_LA.xml
For example, if you use an LDAP-only configuration, and the LDAP repository is IBM Directory Server, the wmm.xml file has an entry for configurationFile="<wp_root>/wmm/wmmLDAPServerAttributes.xml". So, the mapping file is <wp_root>/wmm/wmmLDAPServerAttributes.xml. Some attributes on LDAP do not have corresponding member attributes and are not exposed on the Java objects by default, while other attributes on the Java object can be stored in the Lookaside database instead of LDAP. You can add or delete attributes as required by the configuration, either by exposing additional attributes from the underlying LDAP repository that are not currently exposed or by extending the attribute set to include new attributes. You can expose new LDAP attributes by adding new mappings in the wmmLDAPServerAttributes.xml file.
If you custom configure any of the wmm_*.xml or wmm_LDAP_*.xml files, copy the files to the following locations:
- <wp_root>/shared/app/wmm/wmm.xml
- <wp_root>/wmm/wmmLDAPServerAttributes.xml
Expanding the user profile to include new attributes is more involved: in the DB2-only configuration, the database tables that define the attribute set must be changed to include the new attribute definitions. In the LDAP and Lookaside configuration, the attributes are defined in Lookaside. If the new attribute is defined on the LDAP server, there is no need to add the new attribute definitions to the database. You can simply add a new mapping for this attribute in the wmmLDAPServerAttributes_XXX.xml file.
Use the following sample as a guide to mapping LDAP attributes to Member Manager:
<attributeMap wmmAttributeName="extId" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" pluginAttributeName="ibm-appUUID" dataType="String" multiValued="false" readOnly="true" />
<!-- Define which LDAP attribute is used for storing static group members -->
<!-- By default, member attribute is mandatory in IBM Directory Server, so define default value "uid=dummy" -->
<attributeMap wmmAttributeName="groupMember" pluginAttributeName="member" applicableMemberTypes="Group" dataType="String" valueLength="1024" multiValued="true" defaultValue="uid=dummy" />
<!-- Define which LDAP attribute is used for storing dynamic group queries -->
<attributeMap wmmAttributeName="groupMemberURL" pluginAttributeName="memberURL" applicableMemberTypes="Group" dataType="String" valueLength="1024" multiValued="true" />
<!-- * * * * * Common schema attributes * * * * * -->
<attributeMap wmmAttributeName="uid" pluginAttributeName="uid" applicableMemberTypes="Person" requiredMemberTypes="Person" dataType="String" valueLength="256" multiValued="false" />
<attributeMap wmmAttributeName="sn" pluginAttributeName="sn" applicableMemberTypes="Person" requiredMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="initials" pluginAttributeName="initials" applicableMemberTypes="Person" dataType="String" valueLength="20" multiValued="true" />
<attributeMap wmmAttributeName="ibm-primaryEmail" pluginAttributeName="mail" applicableMemberTypes="Person" dataType="String" valueLength="256" multiValued="false" />
<attributeMap wmmAttributeName="displayName" pluginAttributeName="displayName" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="preferredLanguage" pluginAttributeName="preferredLanguage" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="false" />
<attributeMap wmmAttributeName="o" pluginAttributeName="o" applicableMemberTypes="Organization" requiredMemberTypes="Organization" dataType="String" valueLength="128" multiValued="false" />
<attributeMap wmmAttributeName="ou" pluginAttributeName="ou" applicableMemberTypes="OrganizationalUnit" requiredMemberTypes="OrganizationalUnit" dataType="String" valueLength="128" multiValued="false" />
<attributeMap wmmAttributeName="cn" pluginAttributeName="cn" applicableMemberTypes="Person;Group" requiredMemberTypes="Group" dataType="String" valueLength="256" multiValued="false" />
<attributeMap wmmAttributeName="description" pluginAttributeName="description" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" dataType="String" valueLength="1024" multiValued="true" />
<attributeMap wmmAttributeName="userPassword" pluginAttributeName="userPassword" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="false" />
<!-- Read only attribute -->
<attributeMap wmmAttributeName="createTimestamp" pluginAttributeName="createTimestamp" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" dataType="Timestamp" multiValued="false" readOnly="true" />
<!-- Read only attribute -->
<attributeMap wmmAttributeName="modifyTimestamp" pluginAttributeName="modifyTimestamp" applicableMemberTypes="Person;Group;Organization;OrganizationalUnit" dataType="Timestamp" multiValued="false" readOnly="true" />
<attributeMap wmmAttributeName="jpegPhoto" pluginAttributeName="jpegPhoto" applicableMemberTypes="Person" dataType="ByteArray" valueLength="250000" multiValued="true" />
<attributeMap wmmAttributeName="labeledURI" pluginAttributeName="labeledURI" applicableMemberTypes="Person" dataType="Object" classname="java.lang.String" multiValued="true" />
<attributeMap wmmAttributeName="carLicense" pluginAttributeName="carLicense" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="telephoneNumber" pluginAttributeName="telephoneNumber" applicableMemberTypes="Person" dataType="String" valueLength="32" multiValued="true" />
<attributeMap wmmAttributeName="facsimileTelephoneNumber" pluginAttributeName="facsimileTelephoneNumber" applicableMemberTypes="Person" dataType="String" valueLength="32" multiValued="true" />
<attributeMap wmmAttributeName="pager" pluginAttributeName="pager" applicableMemberTypes="Person" dataType="String" valueLength="32" multiValued="true" />
<attributeMap wmmAttributeName="mobile" pluginAttributeName="mobile" applicableMemberTypes="Person" dataType="String" valueLength="32" multiValued="true" />
<attributeMap wmmAttributeName="homePostalAddress" pluginAttributeName="homePostalAddress" applicableMemberTypes="Person" dataType="String" valueLength="500" multiValued="true" />
<attributeMap wmmAttributeName="postalAddress" pluginAttributeName="postalAddress" applicableMemberTypes="Person" dataType="String" valueLength="500" multiValued="true" />
<attributeMap wmmAttributeName="roomNumber" pluginAttributeName="roomNumber" applicableMemberTypes="Person" dataType="String" valueLength="256" multiValued="true" />
<attributeMap wmmAttributeName="localityName" pluginAttributeName="localityName" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="stateOrProvinceName" pluginAttributeName="stateOrProvinceName" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="street" pluginAttributeName="street" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="postalCode" pluginAttributeName="postalCode" applicableMemberTypes="Person" dataType="String" valueLength="40" multiValued="true" />
<attributeMap wmmAttributeName="employeeNumber" pluginAttributeName="employeeNumber" applicableMemberTypes="Person" dataType="String" valueLength="20" multiValued="false" />
<attributeMap wmmAttributeName="employeeType" pluginAttributeName="employeeType" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="manager" pluginAttributeName="manager" applicableMemberTypes="Person" dataType="MemberIdentifier" multiValued="true" />
<attributeMap wmmAttributeName="secretary" pluginAttributeName="secretary" applicableMemberTypes="Person" dataType="MemberIdentifier" multiValued="true" />
<attributeMap wmmAttributeName="businessCategory" pluginAttributeName="businessCategory" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="departmentNumber" pluginAttributeName="departmentNumber" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
<attributeMap wmmAttributeName="seeAlso" pluginAttributeName="seeAlso" applicableMemberTypes="Person" dataType="MemberIdentifier" multiValued="true" />
</repositoryAttributes>

In an IBM Directory Server environment, Member Manager can create a dummy member entry in a group when the group is created. The dummy member entry is configurable by setting the "defaultValue" in the attributeMap element of the "groupMember" attribute in PortalServer/wmm/wmmLDAPServerAttributes_XXX.xml file as shown here:
<attributeMap wmmAttributeName="groupMember" pluginAttributeName="uniqueMember" applicableMemberTypes="Group" dataType="String" valueLength="1000" multiValued="true" defaultValue="uid=dummy" readOnly="false"/>
Search criteria in portlets
By default, the search function in portlets offers all Member Manager attributes as search criteria, even if an attribute does not exist in the LDAP directory. When users do a search based on an attribute that is not in the LDAP directory, the search results are null. To prevent this problem, restrict searches to Member Manager attributes that exist in the LDAP directory.
Do this by editing the wp_root/wmm/wmmLDAPAttributes.xml file. Add a description attribute to the attributeMap definition with the content [wps:hide] as shown here:
<attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName" applicableMemberTypes="Person" dataType="String" valueLength="128" description="[wps:hide]" multiValued="true" />
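The following Python check is an added example, not part of the IBM documentation: it compares a mapping file against the attribute types the directory actually defines and adds description="[wps:hide]" to every mapping with no backing LDAP attribute. The function name, the sample mapping and the list of directory attributes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HIDE = "[wps:hide]"

# Constructed sample: four mappings taken from the sample above (pager already
# hidden), wrapped in the <repositoryAttributes> element that sample closes.
SAMPLE_MAPPING = """<repositoryAttributes>
  <!-- Common schema attributes -->
  <attributeMap wmmAttributeName="givenName" pluginAttributeName="givenName" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
  <attributeMap wmmAttributeName="ibm-primaryEmail" pluginAttributeName="mail" applicableMemberTypes="Person" dataType="String" valueLength="256" multiValued="false" />
  <attributeMap wmmAttributeName="carLicense" pluginAttributeName="carLicense" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="true" />
  <attributeMap wmmAttributeName="pager" pluginAttributeName="pager" applicableMemberTypes="Person" dataType="String" valueLength="32" description="[wps:hide]" multiValued="true" />
</repositoryAttributes>"""

# Constructed sample: attribute types defined in the directory schema.
SAMPLE_LDAP_ATTRS = ["GivenName", "mail", "sn", "cn", "uid"]


def hide_unbacked(mapping_xml, ldap_attrs):
    """Hide mappings whose pluginAttributeName is absent from the directory.

    Returns (newly_hidden, needs_review, updated_xml), where the first two
    are lists of wmmAttributeName values.
    """
    known = {a.lower() for a in ldap_attrs}  # LDAP attribute names are case-insensitive
    # Keep the file's XML comments when the tree is serialized again (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(mapping_xml, parser=parser)
    hidden, review = [], []
    for m in root.iter("attributeMap"):
        if m.get("pluginAttributeName", "").lower() in known:
            continue  # backed by a real LDAP attribute: stays searchable
        desc = m.get("description")
        if desc is None:
            m.set("description", HIDE)
            hidden.append(m.get("wmmAttributeName"))
        elif HIDE not in desc:
            # Assumption: other description text may matter, so report it
            # instead of overwriting it.
            review.append(m.get("wmmAttributeName"))
    return hidden, review, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    newly_hidden, needs_review, updated = hide_unbacked(SAMPLE_MAPPING, SAMPLE_LDAP_ATTRS)
    print("newly hidden:", newly_hidden)
    print("needs review:", needs_review)
    print(updated)
```

Review the returned XML against the original before copying it into place; the function changes nothing on disk.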