The Sun ONE or iPlanet Directory Server uses two grouping mechanisms:
Groups are entries that name other entries as a list of members or as a filter for members.
Roles are also entries that name other entries as a list of members or as a filter for members. Additional functionality is provided by generating the nsrole attribute on each role member.
The following types of roles are available:
Filtered roles
Entries are members if they match a specified LDAP filter. In this way, the role depends upon the attributes that are contained in each entry. This role is equivalent to a dynamic group.
Nested roles
Roles that contain other roles as members. This role is equivalent to a nested group.
Managed roles
Member entries are explicitly assigned to the role. This role is equivalent to a static group.
Roles and groups are defined and administered similarly, with the additional function that each member entry carries a generated attribute indicating its active roles. For example, an application can read the roles of an entry directly rather than select a group and browse its member list. This simplifies administration.
To configure dynamic or nested group support for Sun ONE or iPlanet Directory Server, perform the following steps in the WebSphere administrative console:
Expand Security --> User Registries, and click LDAP.
In the Type field, select Sun ONE for the LDAP server. Select the Ignore Case option. Click OK.
Under Additional Properties, click Advanced LDAP Settings.
On the Advanced LDAP Settings panel, change the value in the Group Filter field to the following value:
(&(cn=%v)(objectclass=ldapsubentry))
On the Advanced LDAP Settings panel, change the value in the Group Member ID Map field to the following value:
nsRole:nsRole
Click OK.
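The following added example (not IBM's, Sun's or iPlanet's code) models the two things the text above describes: how the directory generates the nsRole attribute for managed, filtered and nested roles, and how the Group Filter and the nsRole:nsRole member map from the steps above resolve a user's group membership from that attribute instead of browsing member lists. The directory tree, DNs and the RFC 4515 escaping of the %v substitution are constructed assumptions, not a description of WebSphere's internals.

```python
# Added example, not IBM's or Sun's code: models how the directory generates the
# virtual nsRole attribute and how the group filter / nsRole:nsRole member map
# from the steps above resolve membership. DNs and entries are constructed.
import re

DIT = {  # constructed sample tree, attribute names stored in lower case
    "uid=alice,ou=people,dc=example,dc=com": {"objectclass": ["person"],
        "ou": ["sales"], "nsroledn": ["cn=managers,ou=roles,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectclass": ["person"], "ou": ["support"]},
    "cn=managers,ou=roles,dc=example,dc=com": {"cn": ["managers"],
        "objectclass": ["ldapsubentry", "nsmanagedroledefinition"]},
    "cn=sales,ou=roles,dc=example,dc=com": {"cn": ["sales"], "nsrolefilter": ["(ou=sales)"],
        "objectclass": ["ldapsubentry", "nsfilteredroledefinition"]},
    "cn=staff,ou=roles,dc=example,dc=com": {"cn": ["staff"],
        "objectclass": ["ldapsubentry", "nsnestedroledefinition"],
        "nsroledn": ["cn=managers,ou=roles,dc=example,dc=com",
                     "cn=sales,ou=roles,dc=example,dc=com"]},
}

def matches(entry, flt):
    # Minimal LDAP filter evaluator: (attr=value) plus one level of (&...);
    # values compare case-insensitively, like the 'Ignore Case' option.
    if flt.startswith("(&"):
        return all(matches(entry, p) for p in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, val = flt[1:-1].split("=", 1)
    return val.lower() in (v.lower() for v in entry.get(attr.lower(), []))
def ns_role(user_dn):
    # Role DNs the server would return in the generated nsRole attribute.
    user, roles = DIT[user_dn], set()
    for dn, role in DIT.items():
        oc = role["objectclass"]
        if "nsmanagedroledefinition" in oc and dn in user.get("nsroledn", []):
            roles.add(dn)                    # explicit assignment (static group)
        elif "nsfilteredroledefinition" in oc and matches(user, role["nsrolefilter"][0]):
            roles.add(dn)                    # attribute match (dynamic group)
    for dn, role in DIT.items():             # nested roles, one level modeled
        if "nsnestedroledefinition" in role["objectclass"] and roles & set(role["nsroledn"]):
            roles.add(dn)
    return roles
def escape(value):
    # RFC 4515 escaping for the %v substitution (assumed here), so a name cannot alter the filter.
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)
GROUP_FILTER = "(&(cn=%v)(objectclass=ldapsubentry))"   # Group Filter value from the steps above
def find_groups(name):
    # Group entries matching the WebSphere group filter with %v substituted.
    return [dn for dn, e in DIT.items() if matches(e, GROUP_FILTER.replace("%v", escape(name)))]
def is_member(user_dn, group_name):
    # Member map nsRole:nsRole: check the user's nsRole values, no member browsing.
    return any(g in ns_role(user_dn) for g in find_groups(group_name))
```

Alice is in the managed role, matches the filtered role through ou=sales, and therefore inherits the nested role, so her nsRole holds all three DNs; Bob holds none.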