Configure dynamic and nested group support for the IBM Directory Server (Version 5.1.1 or later)

WebSphere Application Server - Express Version 5.1 supports all LDAP dynamic and nested groups when using IBM Directory Server Version 4.1 (or a more current version). This function is enabled by default and takes advantage of a new feature in IBM Directory Server: Version 4.1 provides the ibm-allGroups forward reference group attribute, which automatically calculates all of the group memberships of a user, including dynamic and recursive (nested) memberships. Security therefore locates a user's group memberships directly from the user object rather than indirectly searching all groups to match their members. To use this function of IBM Directory Server, configure WebSphere Application Server - Express to perform a case-insensitive match, because all attribute values that ibm-allGroups returns are in upper case, while the values stored in the directory server are in lower case.

For more information about nested groups and IBM Directory Server, see Using nested groups in user registries.

The IBM Directory Server product that runs on iSeries is called i5/OS Directory Services and ships with OS/400 V5R2 or later. Note that fixes are required to provide full LDAP 4.1 support. For more information about i5/OS Directory Services and the necessary fixes, see iSeries Directory Services (LDAP): New V5R2 Enhancements (http://www.ibm.com/servers/eserver/iseries/ldap/whatsnew41.htm).

Previous versions of OS/400 Directory Services (V5R1 and earlier) should be configured in WebSphere Application Server - Express as the SecureWay directory type. Dynamic and nested groups are not supported.

To ensure that nested and dynamic group memberships work correctly when you create groups, perform the following steps in the WebSphere administrative console:

  1. Expand Security --> User Registries, and click LDAP.

  2. Ensure that IBM_Directory_Server is selected in the Type field.

  3. Ensure that the Ignore Case field is selected. Click OK.

  4. Under Additional Properties, click Advanced LDAP Settings.

  5. On the Advanced LDAP Settings panel change the value in the Group Filter field to the following value:

    (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))

  6. On the Advanced LDAP Settings panel, change the value in the Group Member ID Map field to the following value:

    ibm-allGroups:member;ibm-allGroups:uniqueMember

  7. Click OK.
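As an added example (not from the IBM documentation), the following Python simulates the lookup that this configuration produces: the step 5 group filter with %v substituted, and membership resolved from a user's ibm-allGroups values with and without the Ignore Case setting. The user entry and group DNs are constructed sample data, and the RFC 4515 filter escaping is an added precaution that the page does not describe.

```python
# Added example, not part of the IBM documentation: a small simulation of the
# membership lookup that the configuration above enables. The user entry and
# group DNs are constructed sample data; a real deployment queries the directory
# over LDAP instead of reading a dictionary.

# Group Filter from step 5 of this page (%v is replaced with the group name).
GROUP_FILTER = ("(&(cn=%v)(|(objectclass=groupOfNames)"
                "(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))")

# Constructed user entry. Assumption (from the page): the directory stores DNs in
# lower case, while ibm-allGroups returns them in upper case.
SAMPLE_USER = {
    "dn": "uid=jdoe,ou=people,o=example",
    "ibm-allGroups": [
        "CN=DEVELOPERS,OU=GROUPS,O=EXAMPLE",    # static membership (groupOfNames)
        "CN=ALLSTAFF,OU=GROUPS,O=EXAMPLE",      # dynamic membership (groupOfURLs)
        "CN=ENGINEERING,OU=GROUPS,O=EXAMPLE",   # nested: DEVELOPERS is a member of it
    ],
}

# RFC 4515 escaping (added hardening, not described on the page) so that a group
# name substituted for %v cannot change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_group_filter(group_name):
    """Return the search filter WebSphere would send for one group name."""
    return GROUP_FILTER.replace("%v", escape_filter_value(group_name))

def user_in_group(user_entry, group_dn, ignore_case):
    """Resolve membership from the user's ibm-allGroups forward references, as the
    Group Member ID Map 'ibm-allGroups:member;ibm-allGroups:uniqueMember' directs,
    instead of searching every group's member/uniqueMember attribute."""
    values = user_entry.get("ibm-allGroups", [])
    if ignore_case:                       # the 'Ignore Case' setting from step 3
        return group_dn.lower() in {v.lower() for v in values}
    return group_dn in values             # exact match: fails on the case difference

if __name__ == "__main__":
    dn = "cn=engineering,ou=groups,o=example"   # stored (lower-case) form
    print(build_group_filter("engineering"))
    print("Ignore Case on :", user_in_group(SAMPLE_USER, dn, ignore_case=True))   # True
    print("Ignore Case off:", user_in_group(SAMPLE_USER, dn, ignore_case=False))  # False
```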