friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6290434003
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/secldapn.htm

89 lines
4.6 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Using nested groups in user registries</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h6><a name="secldapn"></a>Using nested groups in user registries</h6>
<p>Using groups can vastly reduce the cost of administering authorization. However, for WebSphere Application Server - Express security, it is not possible to use nested groups (that is, groups that contain other groups) with the LocalOS user registry, and nested groups are not supported for LDAP user registries prior to WebSphere Application Server - Express Version 5.0.1.</p>
<p>The following reasons prohibit the use of nested groups:</p>
<ul>
<li><p>It is not possible for an i5/OS group profile to be a member of another group profile.</p></li>
<li><p>Prior to Version 5.0.1, the mechanism that WebSphere Application Server - Express uses for determining user membership in a group does not recognize nested groups. The mechanism only searches all groups for a user's member attributes. It cannot determine if a group is itself a member of another group.</p></li>
</ul>
<p>For LDAP servers without recursive searching capability, WebSphere Application Server - Express security provides a recursive function that is enabled by selecting the <strong>Perform a Nested Group Search</strong> option in the Advanced LDAP user registry settings. See <a href="secldaploc.htm">Locating a user's group memberships in LDAP</a> for more information.</p>
<p>WebSphere Application Server - Express Version 5.0.1 (and later) and Version 5.1 uses the nested group feature that is new in LDAP 4.1. These versions of WebSphere Application Server - Express support the nested group feature in any IBM Directory Server product that supports LDAP 4.1. The IBM Directory Server product that runs on iSeries is called i5/OS Directory Services, and ships with OS/400 V5R2 or later. Note that fixes are required to provide full LDAP 4.1 support. For more information about i5/OS Directory Services and the necessary fixes, see <a href="http://www.ibm.com/servers/eserver/iseries/ldap/whatsnew41.htm" target="_blank">iSeries Directory Services (LDAP): New V5R2 Enhancements</a>. <img src="www.gif" width="18" height="15" alt="Link outside of Information Center"> (http://www.ibm.com/servers/eserver/iseries/ldap/whatsnew41.htm)</p>
<p>When WebSphere security is configured to use <strong>IBM_Directory_Server</strong> as the LDAP server type and the IBM Directory Server LDAP directory server supports LDAP 4.1, group membership is determined with the <tt>ibm-allGroups</tt> attribute.</p>
<p>For example, suppose <tt>group92</tt> is bound to the Administrator role of the WebSphere administrative console. The <tt>group2</tt> group is a member of <tt>group92</tt>. Because <tt>group2</tt> contains <tt>user2</tt> and <tt>user4</tt>, these users are authorized to log into and use the administrative console.</p>
<p>In this example, the LDAP directory contains the following entries:</p>
<pre> dn: c=US
objectclass: top
objectclass: country
c: US
description=United States
dn: o=IBM, c=US
objectclass: top
objectclass: organization
o: IBM
description=International Business Machines
dn: cn=user2, o=IBM, c=US
objectclass: person
objectclass: inetOrgPerson
objectclass: top
objectclass: organizationalPerson
objectclass: ePerson
cn: user2
sn: Sec Two
uid: user2
userpassword: security
dn: cn=user4, o=IBM, c=US
objectclass: person
objectclass: inetOrgPerson
objectclass: top
objectclass: organizationalPerson
objectclass: ePerson
cn: user4
sn: Sec Four
uid: user4
userpassword: security
dn: cn=group2, o=IBM, c=US
objectclass: top
objectclass: groupOfNames
cn: group2
member: cn=user2, o=IBM, c=US
member: cn=user4, o=IBM, c=US
description: WSA Group Two
dn: cn=group92,o=IBM,c=US
objectclass: top
objectclass: groupOfNames
objectclass: ibm-nestedGroup
cn: group92
description: WSA Group Ninety Two
ibm-memberGroup: cn=<strong>group2</strong>, o=IBM, c=US</pre>
<p>Note that, in the last entry, <tt>group2</tt> is a member of <tt>group92</tt>. Its membership is specified in the <tt>ibm-memberGroup</tt> attribute for <tt>group92</tt>.</p>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink