Enable application groups

Application groups are a concept that allows us to define user groups in the database user registry whose members (users or groups) are contained in the LDAP user registry you configured. The benefit of application groups is that we can create groups that are used only in IBM WebSphere Portal.

We can use application groups in the following scenarios:

Read-only LDAP

If you have a read-only LDAP, we cannot change the group membership of users and groups. If we need to define access rights for certain users that are in different groups, we can create an Application group for these users with the required access rights.

Special group setup for WebSphere Portal

In this scenario we need to setup a special group hierarchy that is only used by WebSphere Portal and not by other applications that access the LDAP. This can help you apply special access control rules just for WebSphere Portal as the roles apply to all members of the group as well.

Application groups apply only to WebSphere Portal; they do not apply to external security managers.

The following prerequisites are required to enable application groups:

  1. Ensure that the LDAP software is installed and any setup required for WebSphere Portal has been performed.

  2. Ensure that you configured the database you want to work with.

  3. Enable security for the LDAP.

    We can configure the LDAP with or without realm support, and with a lookaside database if required.

Use the following steps to enable application groups:

  1. Edit...

    portal_server_root/wmm/wmm.xml

    ...and make the following changes...

    1. Set...

      horizontalPartitioning="true"

      ...and copy the following lines to the...

      <repositories>...</repositories>

      ...section...

          <federationRepository 
              name="wmmDBFederation"
              UUID="DB1"
              supportTransactions="true"
              adapterClassName="com.ibm.ws.wmm.db.DataBaseFederationAdapter"
              dataSourceName="jdbc/wpsdbDS"
              databaseType="DB2"
              dataAccessManagerClassName="com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao"/>
      

      Use the following table to make adjustments depending on the type of database we are using:

      databaseType   dataAccessManagerClassName
      db2            com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao
      oracle         com.ibm.ws.wmm.db.dao.oracle.WMMOracleDao
      cloudscape     com.ibm.ws.wmm.db.dao.cloudscape.WMMCloudscapeDao
      sqlserver      com.ibm.ws.wmm.db.dao.sqlserver.WMMSQLServerDao

    2. Copy the following lines to the <repositories>...</repositories> section:

          
          <databaseRepository 
              name="wmmDB"
              UUID="DB2"
              supportTransactions="true"
              wmmGenerateExtId="true"
              adapterClassName="com.ibm.ws.wmm.db.DatabaseRepository"
              supportDynamicAttributes="true"
              supportGetPersonByAccountName="false"
              profileRepositoryForGroups="DB2"
              dataSourceName="jdbc/wpsdbDS"
              databaseType="cloudscape"
              dataAccessManagerClassName="com.ibm.ws.wmm.db.dao.cloudscape.WMMCloudscapeDao"
              saltLength="12"
              dbEncryptionKey="rZ15ws0ely9yHk3zCs3sTMv/ho8fY17s">
          
              <readMemberType>
                  <memberType name="Person" /> 
                  <memberType name="Group" /> 
                  <memberType name="Organization" /> 
                  <memberType name="OrganizationalUnit" />
              </readMemberType>
      
              <createMemberType>
                  <memberType name="Person" /> 
                  <memberType name="Group" /> 
                  <memberType name="Organization" /> 
                  <memberType name="OrganizationalUnit" />
              </createMemberType>
      
              <updateMemberType>
                  <memberType name="Person" /> 
                  <memberType name="Group" /> 
                  <memberType name="Organization" /> 
                  <memberType name="OrganizationalUnit" />
              </updateMemberType>
      
              <deleteMemberType>
                  <memberType name="Person" /> 
                  <memberType name="Group" /> 
                  <memberType name="Organization" /> 
                  <memberType name="OrganizationalUnit" />
              </deleteMemberType>
      
              <renameMemberType>
                  <memberType name="Person" /> 
                  <memberType name="Group" /> 
                  <memberType name="Organization" /> 
                  <memberType name="OrganizationalUnit" />
              </renameMemberType>
      
              <moveMemberType>
                  <memberType name="Person" /> 
                  <memberType name="Group" /> 
                  <memberType name="Organization" /> 
                  <memberType name="OrganizationalUnit" />
              </moveMemberType>
      
              <nodeMaps>
                  <nodeMap node="o=Default Organization" 
                           pluginNode="o=Default Organization" />
              </nodeMaps>
      
          </databaseRepository>
      

      Use the following table to make adjustments depending on the type of database you are using:

      databaseType   dataAccessManagerClassName
      db2            com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao
      oracle         com.ibm.ws.wmm.db.dao.oracle.WMMOracleDao
      cloudscape     com.ibm.ws.wmm.db.dao.cloudscape.WMMCloudscapeDao
      sqlserver      com.ibm.ws.wmm.db.dao.sqlserver.WMMSQLServerDao

    3. Search for the tag...

      <supportedMemberType name="Group"

      ...and ensure the tag looks as follows:

          
      <supportedMemberType name="Group"
                           rdnAttrTypes="cn"
                           defaultParentMember="o=Default Organization"
                           defaultProfileRepository="DB2"/>
      

    4. Search for the tag...

      <ldapRepository

      ...and add ;DB2 to the profileRepositoryForGroups parameter...

          
      <ldapRepository name="wmmLDAP"
                      UUID="LDAP1"
                      adapterClassName="com.ibm.ws.wmm.ldap.ibmdir.IBMDirectoryAdapterImpl"
                      supportDynamicAttributes="false"
                      configurationFile="wmmLDAPServerAttributes.xml"
                      wmmGenerateExtId="false"
                      supportGetPersonByAccountName="true"
                      profileRepositoryForGroups="LDAP1;DB2"
                      ...
      

  2. Perform the following step if using the multiple realms (WMMUR) configuration...

    Edit...

    portal_server_root/wmm/wmmur.xml

    ...and make the following changes...

    For all realms where the created groups should be stored in the WMMDB, set the following:

    <node wmmnode="o=Default Organization" defaultParent="Group" />

    Also add the following additional wmmNode to the realms that will contain the application groups:

    <node wmmnode="o=Default Organization" />

  3. Restart PortalServer.
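Because the wmm.xml edits above are spread over four places in the file, it is easy to end up with a mismatched DAO class or a group repository that is never consulted. The following checker is an added example, not part of the IBM documentation or the WMM product; it verifies the four step-1 edits against a constructed, trimmed sample document (it assumes horizontalPartitioning appears as an attribute on some element and that the databaseType/DAO pairing is the table above).

```python
import xml.etree.ElementTree as ET

# databaseType -> dataAccessManagerClassName, taken from the table above.
DAO_BY_DBTYPE = {
    "db2": "com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao",
    "oracle": "com.ibm.ws.wmm.db.dao.oracle.WMMOracleDao",
    "cloudscape": "com.ibm.ws.wmm.db.dao.cloudscape.WMMCloudscapeDao",
    "sqlserver": "com.ibm.ws.wmm.db.dao.sqlserver.WMMSQLServerDao",
}

def check_wmm(xml_text):
    """Return problems found in a wmm.xml document; an empty list means the edits are in place."""
    root = ET.fromstring(xml_text)
    problems = []
    # Step 1.1: horizontalPartitioning="true" (assumed to be an attribute
    # somewhere in the document, so any element is accepted here).
    if not any(e.get("horizontalPartitioning") == "true" for e in root.iter()):
        problems.append('horizontalPartitioning is not "true"')
    # Steps 1.1/1.2: DAO class must match databaseType (catches package typos).
    for tag in ("federationRepository", "databaseRepository"):
        for repo in root.iter(tag):
            expected = DAO_BY_DBTYPE.get((repo.get("databaseType") or "").lower())
            if repo.get("dataAccessManagerClassName") != expected:
                problems.append("%s %s: dataAccessManagerClassName should be %s"
                                % (tag, repo.get("name"), expected))
    db_uuids = [r.get("UUID") for r in root.iter("databaseRepository")]
    if not db_uuids:
        return problems + ["no databaseRepository defined"]
    db_uuid = db_uuids[0]
    # Step 1.3: new groups default to the database repository.
    groups = [m for m in root.iter("supportedMemberType") if m.get("name") == "Group"]
    if not groups or groups[0].get("defaultProfileRepository") != db_uuid:
        problems.append('supportedMemberType Group needs defaultProfileRepository="%s"' % db_uuid)
    # Step 1.4: every ldapRepository must list the database repository for groups.
    for ldap in root.iter("ldapRepository"):
        if db_uuid not in (ldap.get("profileRepositoryForGroups") or "").split(";"):
            problems.append("ldapRepository %s: add ;%s to profileRepositoryForGroups"
                            % (ldap.get("name"), db_uuid))
    return problems

# Constructed, trimmed sample that reflects the finished configuration.
SAMPLE_OK = """<wmm horizontalPartitioning="true"><repositories>
<federationRepository name="wmmDBFederation" UUID="DB1" databaseType="DB2"
  dataAccessManagerClassName="com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao"/>
<databaseRepository name="wmmDB" UUID="DB2" databaseType="cloudscape"
  dataAccessManagerClassName="com.ibm.ws.wmm.db.dao.cloudscape.WMMCloudscapeDao"/>
<ldapRepository name="wmmLDAP" UUID="LDAP1" profileRepositoryForGroups="LDAP1;DB2"/>
</repositories>
<supportedMemberType name="Group" defaultProfileRepository="DB2"/>
</wmm>"""
```

Run check_wmm() on the real file's contents before restarting PortalServer; any returned string names the step whose edit is still missing or inconsistent.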
