<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure dynamic and nested group support for the IBM Directory Server</title>
</head>
<BODY>
<h6><a name="secldapibm"></a>Configure dynamic and nested group support for the IBM Directory Server (Version 5.1.1 or later)</h6>
<p>WebSphere Application Server - Express Version 5.1 supports all LDAP dynamic and nested groups when using IBM Directory Server Version 4.1 (or a more current version). This function is enabled by default by taking advantage of a new feature in IBM Directory Server. IBM Directory Server Version 4.1 uses the <tt>ibm-allGroups</tt> forward reference group attribute, which automatically calculates all the group memberships (including dynamic and recursive memberships) for a user. Security locates a user's group memberships directly from the user object rather than indirectly searching all the groups to match group members. To use this function of IBM Directory Server, configure WebSphere Application Server - Express to perform a case-insensitive match, because all attribute values that <tt>ibm-allGroups</tt> returns are in upper case, whereas the values stored in the directory server are in lower case.</p>
<p>For more information about nested groups and IBM Directory Server, see <a href="secldapn.htm">Using nested groups in user registries</a>.</p>
<p>The IBM Directory Server product that runs on iSeries is called i5/OS Directory Services, and ships with OS/400 V5R2 or later. Note that fixes are required to provide full LDAP 4.1 support. For more information about i5/OS Directory Services and the necessary fixes, see <a href="http://www.ibm.com/servers/eserver/iseries/ldap/whatsnew41.htm" target="_blank">iSeries Directory Services (LDAP): New V5R2 Enhancements</a> (http://www.ibm.com/servers/eserver/iseries/ldap/whatsnew41.htm).</p>
<p>Previous versions of OS/400 Directory Services (V5R1 and earlier) should be configured in WebSphere Application Server - Express as the <strong>SecureWay</strong> directory type. Dynamic and nested groups are not supported.</p>
<p>When creating groups, ensure that nested and dynamic group memberships work correctly.</p>
<p>Perform the following steps in the WebSphere administrative console:</p>
<ol>
<li><p>Expand <strong>Security</strong> --> <strong>User Registries</strong>, and click <strong>LDAP</strong>.</p></li>
<li><p>Ensure that <strong>IBM_Directory_Server</strong> is selected in the <strong>Type</strong> field.</p></li>
<li><p>Ensure that the <strong>Ignore Case</strong> field is selected. Click <strong>OK</strong>.</p></li>
<li><p>Under <strong>Additional Properties</strong>, click <strong>Advanced LDAP Settings</strong>.</p></li>
<li><p>On the Advanced LDAP Settings panel change the value in the <strong>Group Filter</strong> field to the following value:</p>
<pre>(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))</pre></li>
<li><p>On the Advanced LDAP Settings panel change the value in the <strong>Group Member ID Map</strong> field to the following value:</p>
<pre>ibm-allGroups:member;ibm-allGroups:uniqueMember</pre></li>
<li><p>Click <strong>OK</strong>.</p></li>
</ol>
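<p>As an added illustration (not part of the original page or of the WebSphere product code), the following Python models two things the steps above configure: how the <strong>Group Filter</strong> template is instantiated for a group lookup, with RFC 4515 escaping of the value substituted for <tt>%v</tt>, and why the <strong>Ignore Case</strong> setting matters when <tt>ibm-allGroups</tt> returns upper-case values. The user attribute values and group DNs are constructed sample data.</p>

```python
# Group Filter template exactly as configured on the Advanced LDAP Settings panel.
GROUP_FILTER = ("(&(cn=%v)(|(objectclass=groupOfNames)"
                "(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))")

# Constructed sample data (not from a real directory): ibm-allGroups values
# come back upper case, while the DN a role is mapped to is stored lower case.
USER_ALL_GROUPS = [
    "CN=ADMINS,OU=GROUPS,DC=EXAMPLE,DC=COM",
    "CN=DEVELOPERS,OU=GROUPS,DC=EXAMPLE,DC=COM",
]
ROLE_GROUP_DN = "cn=admins,ou=groups,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape a value per RFC 4515 so it cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def build_group_filter(group_name: str) -> str:
    """Replace %v in the configured Group Filter with the escaped group name."""
    return GROUP_FILTER.replace("%v", escape_filter_value(group_name))


def is_member(user_groups, group_dn: str, ignore_case: bool = True) -> bool:
    """Check a user's ibm-allGroups values against a group DN.

    With ignore_case=False this reproduces the failure the page warns about:
    upper-case forward references never match lower-case stored DNs.
    """
    norm = (lambda s: s.casefold()) if ignore_case else (lambda s: s)
    return norm(group_dn) in {norm(g) for g in user_groups}


if __name__ == "__main__":
    print(build_group_filter("admins"))
    print("Ignore Case on :", is_member(USER_ALL_GROUPS, ROLE_GROUP_DN))
    print("Ignore Case off:", is_member(USER_ALL_GROUPS, ROLE_GROUP_DN, False))
```

<p>Running it shows the same membership lookup succeeding only when the comparison is case-insensitive, which is why step 3 requires <strong>Ignore Case</strong> to be selected.</p>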
</body>
</html>