Advanced group membership configurations
Overview
We can use ConfigEngine tasks to set up advanced Virtual Member Manager group configurations. A group membership attribute is an LDAP directory feature that allows an LDAP client to ask the LDAP directory for a list of groups the user is a member of. It is as if the list is an attribute of the user object. If the LDAP directory supports a group membership attribute, and your use cases include group nesting, or the use of dynamic groups, configure VMM to use the group membership attribute.
Configure VMM to use the group membership attribute
To configure VMM to use the group membership attribute, two things must be specified:
- The name of the group membership attribute in the LDAP directory implementation, set in wkplc.properties using...
federated.ldap.gc.name=attribute
...where attribute can be...
  - Active Directory: memberOf
  - Sun/Oracle: nsroles or isMemberOf
  - IBM Directory Server: ibm-allGroups
- The scope of the attribute, set using property...
federated.ldap.gc.scope=scope
With three possible values...
- direct: The value returned holds only the list of static groups of which the user is a direct member. It does not attempt to account for group nesting or dynamic group memberships. It is functionally equivalent to a query of the form (&(objectClass=groupOfNames)(member=<user_dn>)).
When the group membership attribute scope is direct, or when we use the traditional query method, VMM must do extra work if it needs to resolve nested groups or dynamic groups.
- VMM tries to resolve dynamic groups if the dynamic group configuration information is set up within the VMM configuration files.
- VMM tries to resolve nested groups if the client application, which is WebSphere Portal, requests them. By default, WebSphere Portal requests that nested groups are used. If the access control models do not use group nesting to inherit permissions, turn off the nested group function within portal. Read the documentation for the enableNestedGroups custom property within the WP AccessControlDataManagementService Resource Environment Provider.
To avoid conflicts between how WebSphere Portal and WebSphere Application Server handle nested groups, globally turn off nested groups. Set...
- nested: The response from the LDAP server to a request for the group membership attribute already includes any nested group relationships, but not any dynamic group memberships. If the user is a member of group "A2" and "A2" is a member of group "A1", then the list of group memberships includes both A1 and A2. This information tells VMM that even if a client requests nested group information, the response already provides it. No further work needs to be done by VMM to satisfy the request.
- all: The response from the LDAP server to a request for the group membership attribute already includes both nested groups and dynamic groups, if any.
It is important to set the scope value to accurately reflect how the LDAP directory works to get correct and efficient operation. It is beyond the scope of this documentation to describe the unique characteristics of every directory. In some cases, the directory might require specific setup to fully support the advanced group features. For example, the IBM Directory Server must be set up with specific auxiliary object classes and special membership records to fully support nested groups and dynamic groups with the ibm-allGroups attribute.
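The following is an added example, not code from the WebSphere Portal documentation or from VMM itself. It models a constructed in-memory directory (the DNs, the user entry, and a memberFilter pair standing in for a dynamic group's memberURL are all assumptions made for illustration) and shows what the group membership attribute would return under each federated.ldap.gc.scope value, together with the resolution work VMM still has to do itself for that scope.

```python
"""Worked model of the three federated.ldap.gc.scope values.

Added example, not code from the WebSphere Portal documentation or from VMM.
The directory entries are constructed so the script runs offline; the DNs, the
'memberFilter' stand-in for a dynamic group's memberURL, and the helper names
are assumptions made for illustration.
"""
from typing import Dict, List

# Constructed sample directory. Static groups carry a 'member' list; the
# dynamic group matches users by an attribute/value pair instead.
USER = "uid=alice,ou=people,dc=example,dc=com"
GROUP_A2 = "cn=A2,ou=groups,dc=example,dc=com"
GROUP_A1 = "cn=A1,ou=groups,dc=example,dc=com"
GROUP_DYN = "cn=SalesDyn,ou=groups,dc=example,dc=com"

ENTRIES: Dict[str, dict] = {
    USER: {"objectClass": ["inetOrgPerson"], "departmentNumber": "sales"},
    # alice is a direct member of A2
    GROUP_A2: {"objectClass": ["groupOfNames"], "member": [USER]},
    # A2 is nested inside A1, as in the page's example
    GROUP_A1: {"objectClass": ["groupOfNames"], "member": [GROUP_A2]},
    # dynamic group: every entry with departmentNumber=sales
    GROUP_DYN: {"objectClass": ["groupOfURLs"],
                "memberFilter": ("departmentNumber", "sales")},
}


def direct_groups(dn: str) -> List[str]:
    """Scope 'direct': the equivalent of (&(objectClass=groupOfNames)(member=<dn>))."""
    return sorted(
        g for g, e in ENTRIES.items()
        if "groupOfNames" in e["objectClass"] and dn in e.get("member", [])
    )


def nested_groups(dn: str) -> List[str]:
    """Scope 'nested': walk static membership transitively (A2 in A1 => A1 too)."""
    seen = set()
    frontier = [dn]
    while frontier:
        current = frontier.pop()
        for group in direct_groups(current):
            if group not in seen:  # guard against membership cycles
                seen.add(group)
                frontier.append(group)
    return sorted(seen)


def dynamic_groups(dn: str) -> List[str]:
    """Dynamic groups whose filter matches the entry's own attributes."""
    entry = ENTRIES[dn]
    matches = []
    for g, e in ENTRIES.items():
        if "groupOfURLs" not in e["objectClass"]:
            continue
        attr, value = e["memberFilter"]
        if entry.get(attr) == value:
            matches.append(g)
    return sorted(matches)


def group_membership(dn: str, scope: str) -> List[str]:
    """What the directory's group membership attribute returns under each scope."""
    if scope == "direct":
        return direct_groups(dn)
    if scope == "nested":
        return nested_groups(dn)
    if scope == "all":
        return sorted(set(nested_groups(dn)) | set(dynamic_groups(dn)))
    raise ValueError(f"unknown federated.ldap.gc.scope value: {scope!r}")


def vmm_extra_work(scope: str, portal_requests_nested: bool = True,
                   dynamic_groups_configured: bool = False) -> List[str]:
    """Resolution steps VMM still performs itself for a given scope.

    Mirrors the text: with 'direct', VMM resolves nesting when Portal asks for
    it (the default) and dynamic groups when they are configured; 'nested'
    leaves only dynamic groups to VMM; 'all' leaves nothing.
    """
    if scope not in ("direct", "nested", "all"):
        raise ValueError(f"unknown federated.ldap.gc.scope value: {scope!r}")
    work = []
    if scope == "direct" and portal_requests_nested:
        work.append("resolve nested groups")
    if scope in ("direct", "nested") and dynamic_groups_configured:
        work.append("resolve dynamic groups")
    return work


if __name__ == "__main__":
    for scope in ("direct", "nested", "all"):
        print(f"{scope:7s} -> {group_membership(USER, scope)}")
        print(f"        VMM still does: "
              f"{vmm_extra_work(scope, dynamic_groups_configured=True)}")
```

Running the script prints, for each scope, the membership list the directory would hand back and the work left for VMM; the mismatch that the text warns about is visible when the configured scope claims more than the directory actually delivers, because VMM then skips resolution it would have needed to do.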
ConfigEngine tasks for advanced group configuration
Set the federated.ldap.gc.name and federated.ldap.gc.scope properties before running one of the following tasks:
- wp-create-ldap
- wp-create-ldap-groupconfig