<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Locating a user's group memberships in Lightweight Directory Access Protocol</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="secldaploc"></a>Locating a user's group memberships in Lightweight Directory Access Protocol (Version 5.1.1 or later)</h6>
<p>WebSphere Application Server - Express security can be configured to search group memberships directly or indirectly. It can also be configured to search only a static group, or it can be configured to search static groups, recursive (or nested) groups, and dynamic groups for some Lightweight Directory Access Protocol (LDAP) servers.</p>
<ul>
<li><p><strong>Evaluate group memberships from user object directly</strong>
<br>Several popular LDAP servers (such as Microsoft Active Directory Server or eDirectory) enable user objects to contain information about the groups to which they belong. Alternatively, a user's group memberships can be exposed as a computed attribute of the user object (as in IBM Directory Server or the SunOne directory server). In some LDAP servers, this attribute includes a user's dynamic group memberships, nested group memberships, and static group memberships, so that all group memberships can be located from a single attribute.</p>
<p>For example, in IBM Directory Server all group memberships, including the static groups, dynamic groups, and nested groups, can be returned using the <tt>ibm-allGroups</tt> attribute. In Sun ONE, all roles, including managed roles, filtered roles, and nested roles, are calculated using the <tt>nsRole</tt> attribute. If an LDAP server has such an attribute in a user object to include dynamic groups, nested groups, and static groups, WebSphere Application Server - Express security can be configured to use this attribute to support dynamic groups, nested groups, and static groups.</p></li>
<li><p><strong>Evaluate group memberships from group object indirectly</strong>
<br>Some LDAP servers, such as the Lotus Domino LDAP server, enable only group objects to contain information about users; the user object does not contain information about groups. For this type of LDAP server, group membership searches are performed by locating the user on the member list of groups. This member list evaluation is the static group membership search used in all WebSphere Application Server product releases before Version 5.</p></li>
</ul>
<p>Use the direct method for searching group memberships if your LDAP server has such an attribute in the user object to include group information. To use the direct method or the indirect method, enter the appropriate value in the <strong>Group Member ID Map</strong> field on the Advanced LDAP Settings panel using:</p>
<ul>
<li><em>attribute</em>:<em>attribute</em> pairs for the direct method</li>
<li><em>objectclass</em>:<em>attribute</em> pairs for the indirect method</li>
</ul>
<p>Sample entries of <em>attribute</em>:<em>attribute</em> pairs in <strong>Group Member ID Map</strong> fields include:</p>
<ul>
<li><tt>ibm-allGroups:member</tt> for IBM Directory server</li>
<li><tt>nsRole:nsRole</tt> for SunONE directory if groups are created with Role inside SunONE</li>
<li><tt>memberOf:member</tt> in Microsoft Active Directory Server</li>
</ul>
<p>Sample entries of <em>objectclass</em>:<em>attribute</em> pairs in the <strong>Group Member ID Map</strong> field include:</p>
<ul>
<li><tt>dominoGroup:member</tt> for Domino</li>
<li><tt>groupOfNames:member</tt> for eDirectory</li>
</ul>
<p>When the direct method is used, dynamic groups, recursive groups, and static groups can be returned as multiple values of a single attribute. For example, in IBM Directory Server all group memberships, including the static groups, dynamic groups, and nested groups, can be returned using the <tt>ibm-allGroups</tt> attribute. In Sun ONE, all roles, including managed roles, filtered roles, and nested roles, are calculated using the <tt>nsRole</tt> attribute. If an LDAP server can use the <tt>nsRole</tt> attribute, dynamic groups, nested groups, and static groups are all supported by WebSphere Application Server - Express.</p>
<p>Some LDAP servers do not have recursive computing functionality. For example, although Microsoft Active Directory server has direct group search capability using the <tt>memberOf</tt> attribute, this attribute lists only the groups in which the object is directly nested and does not contain the recursive list of nested predecessors. Another example is the Lotus Domino LDAP server, which supports only the indirect method to locate the group memberships for a user (you cannot obtain recursive group memberships from a Domino server directly). For LDAP servers without recursive searching capability, WebSphere Application Server security provides a recursive function that is enabled by clicking <strong>Perform a Nested Group Search</strong> in the Advanced LDAP user registry settings. Select this option only if your LDAP server does not provide recursive searches (and only if a recursive search is desired).</p>
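<p>The following added example (not from this IBM page or the WebSphere product) models, over a constructed in-memory directory, the direct and indirect searches described above and the recursive nested-group expansion that the server-side option performs. The DNs, entries and the <tt>memberOf</tt>/<tt>groupOfNames</tt> layout are constructed assumptions, not a real server's schema.</p>

```python
# Added example, not part of the IBM page: in-memory model of the direct and
# indirect group-membership searches, plus nested-group expansion with the
# cycle protection a recursive search needs. All entries are constructed.
from typing import Callable, Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

# Constructed directory: users carry memberOf (direct method), groups carry
# member (indirect method). The dev <-> eng nesting is a deliberate cycle.
DIRECTORY: Dict[str, Entry] = {
    "cn=alice,ou=users,o=example": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=dev,ou=groups,o=example"]},
    "cn=dev,ou=groups,o=example": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=alice,ou=users,o=example"],
        "memberOf": ["cn=eng,ou=groups,o=example"]},
    "cn=eng,ou=groups,o=example": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=dev,ou=groups,o=example"],
        "memberOf": ["cn=dev,ou=groups,o=example"]},
}

def parse_member_id_map(value: str) -> Tuple[str, str]:
    """Split one Group Member ID Map entry such as 'memberOf:member'
    (direct) or 'groupOfNames:member' (indirect) into its two halves."""
    left, sep, right = value.partition(":")
    if not sep or not left or not right:
        raise ValueError(f"expected left:right, got {value!r}")
    return left, right

def direct_groups(dn: str, user_attr: str) -> List[str]:
    """Direct method: groups are read from an attribute of the entry itself."""
    return list(DIRECTORY.get(dn, {}).get(user_attr, []))

def indirect_groups(dn: str, object_class: str, member_attr: str) -> List[str]:
    """Indirect method: scan group objects whose member list names the entry."""
    return sorted(g for g, e in DIRECTORY.items()
                  if object_class in e.get("objectClass", [])
                  and dn in e.get(member_attr, []))

def nested_groups(dn: str, lookup: Callable[[str], List[str]]) -> Set[str]:
    """Recursive (nested) search over any one-level lookup; the found set
    makes group cycles terminate instead of looping forever."""
    found: Set[str] = set()
    pending = [dn]
    while pending:
        for g in lookup(pending.pop()):
            if g not in found:
                found.add(g)
                pending.append(g)
    return found
```

<p>Both strategies yield the same one-level result for the constructed user, and the nested expansion reaches the parent group through either strategy while the cycle between the two groups does not cause unbounded recursion.</p>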
</body>
</html>