<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure dynamic and nested group support for the Sun ONE or iPlanet Directory Server</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="secldapsun"></a>Configure dynamic and nested group support for the Sun ONE or iPlanet Directory Server</h6>
<p>The Sun ONE or iPlanet Directory Server uses two grouping mechanisms:</p>
<ul>
<li><p><em>Groups</em> are entries that name other entries as a list of members or as a filter for members.</p></li>
<li><p><em>Roles</em> are also entries that name other entries as a list of members or as a filter for members. Roles provide additional functionality by generating the nsRole attribute on each role member.</p>
<p>The following types of roles are available:</p>
<ul>
<li><p><strong>Filtered roles</strong>
<br>Entries are members if they match a specified LDAP filter. In this way, the role depends upon the attributes that are contained in each entry. This role is equivalent to a dynamic group.</p></li>
<li><p><strong>Nested roles</strong>
<br>Roles that contain other roles. This role is equivalent to a nested group.</p></li>
<li><p><strong>Managed roles</strong>
<br>A role is explicitly assigned to member entries. This role is equivalent to a static group.</p></li>
</ul></li>
</ul>
<p>Roles are defined and administered in much the same way as groups, with one addition: each member entry can have a generated attribute that indicates its active roles. For example, an application can read the roles of an entry rather than select a group and browse its members list, which simplifies administration.</p>
<p>To configure dynamic or nested group support for Sun ONE or iPlanet Directory Server, perform the following steps in the WebSphere administrative console:</p>
<ol>
<li><p>Expand <strong>Security</strong> --&gt; <strong>User Registries</strong>, and click <strong>LDAP</strong>.</p></li>
<li><p>In the <strong>Type</strong> field, select <strong>Sun ONE</strong> for the LDAP server. Select the <strong>Ignore Case</strong> option. Click <strong>OK</strong>.</p></li>
<li><p>Under <strong>Additional Properties</strong>, click <strong>Advanced LDAP Settings</strong>.</p></li>
<li><p>On the Advanced LDAP Settings panel, change the value in the <strong>Group Filter</strong> field to the following value:</p>
<pre>(&amp;(cn=%v)(objectclass=ldapsubentry))</pre></li>
<li><p>On the Advanced LDAP Settings panel, change the value in the <strong>Group Member ID Map</strong> field to the following value:</p>
<pre>nsRole:nsRole</pre></li>
<li><p>Click <strong>OK</strong>.</p></li>
</ol>
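<p>The following Python sketch is an added example, not part of the IBM documentation and not WebSphere code. It checks that the Group Filter is a balanced LDAP filter, escapes the value substituted for %v (RFC 4515), and tests role membership by reading nsRole from a user entry with case-insensitive DN matching. The helper names, the sample entry, and the reading of Ignore Case as case-folded DN comparison are assumptions.</p>

```python
# Added illustration; not IBM or WebSphere code. Sample data is constructed.
GROUP_FILTER = "(&(cn=%v)(objectclass=ldapsubentry))"  # Group Filter, balanced form
GROUP_MEMBER_ID_MAP = "nsRole:nsRole"                   # Group Member ID Map

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def is_balanced(filter_text):
    """True if the text is one parenthesized filter with every '(' closed."""
    depth = 0
    for pos, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        if depth == 0 and pos < len(filter_text) - 1:
            return False  # outermost filter closed (or never opened) too early
    return depth == 0 and filter_text.startswith("(")

def build_group_filter(group_name, template=GROUP_FILTER):
    """Substitute an escaped group name for %v after checking the template."""
    if not is_balanced(template):
        raise ValueError("unbalanced group filter: %r" % template)
    return template.replace("%v", escape_filter_value(group_name))

def normalize_dn(dn):
    """Simplified DN comparison key: trims RDN spacing and folds case.
    Does not handle escaped commas inside attribute values."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def has_role(entry, role_dn, id_map=GROUP_MEMBER_ID_MAP):
    """Assumption: membership = role DN appears in the mapped user attribute."""
    attr = id_map.split(":", 1)[1].lower()
    values = [v for name, vals in entry.items() if name.lower() == attr for v in vals]
    return normalize_dn(role_dn) in {normalize_dn(v) for v in values}

# Constructed user entry as a directory search might return it.
USER = {"uid": ["jdoe"], "nsrole": ["cn=auditors,ou=people,dc=example,dc=com"]}

if __name__ == "__main__":
    print(build_group_filter("Ops (EU)*"))
    print(has_role(USER, "cn=Auditors,ou=People,dc=example,dc=com"))
```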
</body>
</html>