Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Select a registry or repository > Configure LDAP user registries
Locate user group memberships in a LDAP registry
Overview
WAS can locate a user's static, nested, and dynamic group memberships either indirectly (by searching the group objects for the user) or directly (by reading a membership attribute on the user object).
Configurations for supported LDAP servers are pre-defined to use the optimal group membership mechanisms. They assume that the standard object types and schemas for that LDAP vendor are in use on the LDAP server.
Static group membership
Supported by all LDAP servers. The group object carries the list of its member users and groups; the user object itself says nothing about the groups it belongs to. To determine a user's membership, WAS must...
- Get the list of all groups
- Query each group in turn to check whether the user is listed as a member
This indirect method does not scale: the number of queries grows with the number of groups in the directory.
Several LDAP servers, including Active Directory and eDirectory, maintain on the user object an attribute that lists the groups to which the user belongs (memberOf in Active Directory), enabling a direct group search with a single query against the user entry. This is an efficient method.
Dynamic group memberships
Some LDAP servers, including IBM Directory Server and Sun ONE Directory Server, can compute group membership from user object attributes. For example, in IBM Directory Server you can return all group memberships, including static, dynamic, and nested, using the ibm-allGroups attribute. With the Sun ONE Directory Server you can use the nsRole attribute.
Generally the computation is performed entirely by the LDAP server and is invisible to WAS. This approach is not as efficient as direct groups, but it is more efficient than static group queries.
Where the LDAP server instead hands the dynamic group's membership query back to the client (for example, as a memberURL value) rather than evaluating it itself, WAS must compose and run that query against LDAP for each dynamic group. This client-side method does not scale.
Use direct group membership where possible. Next, use dynamic group membership where the LDAP server computes membership within a single query; it is relatively efficient. Use static group membership, or client-side dynamic group membership, only as a secondary alternative: these perform acceptably only when the number of groups in the LDAP server is small.
Evaluate the LDAP registry configuration
- Standalone LDAP registry
For LDAP servers outside of the list of pre-configured types, configure a value for Group Member ID map on the Advanced LDAP Settings panel using...
- For static group membership, specify objectclass:attribute pairs.
For example, if the objectclass for the group object is groupOfUniquePersons, and within that objectclass the members are listed in an attribute called persons, then the static group membership Group Member ID map is groupOfUniquePersons:persons.
- For direct group membership, use attribute:attribute pairs.
For example, if the objectclass for the user is user, and that objectclass contains an attribute called ingroup that holds each group membership, then the direct group membership Group Member ID map is ingroup:member.
- LDAP Registry within a Federated Repositories Registry
If you are configuring an LDAP server outside of the list of pre-configured types, configure the appropriate value in the Group attribute definition properties for the repository.
- If static group membership is used, specify the name of the group object class and the attribute that indicates membership in...
Group attribute definition | Member attributes
If the group objectclass is groupOfUniquePersons, and within that objectclass the members are listed in an attribute called persons, then the static group Member attributes property is set as follows:
- To specify a new external repository or select an external repository that is preconfigured.
Security | Global security | Available realm definitions | Federated repositories | Configure | Security Attributes | User Realm | Customize for this domain | Realm type | Federated repositories | Configure | Related | Manage repositories | Add
In a multiple security domain environment, click...
Security domains | domain_name | Security Attributes | User Realm | Customize for this domain | Realm type | Federated repositories | Configure | Related | Manage repositories | Add
- To specify a new member attribute.
Additional | Group attribute definition | Additional properties | Member attributes | New
Set the Name of member attribute field to persons
Set the Object class field to groupOfUniquePersons
When you finish adding or updating your federated repository, go to the Security > Global security panel and click Apply to validate the changes.
- If direct group membership is used, the user objectclass carries an attribute that lists the user's groups; specify that attribute.
For example, if the objectclass for the user is user, and it contains an attribute called ingroup that holds each group membership, then you specify the direct group membership in the Group attribute definition property for the repository. Perform the following steps:
- In the admin console, click...
Security | Global security | User account repository | Available realm definitions | Federated repositories | Configure | Related items | Manage repositories
- Click Add to specify a new external repository or select an external repository that is preconfigured.
- Under Additional properties, click Group attribute definition.
Set the Name of group membership attribute field to ingroup.
When you finish adding or updating your federated repository, go to the Security > Global security panel and click Apply to validate the changes.
- Nested Groups
Groups can contain other groups, which is known as a nested group. To have WAS discover all groups by following this nesting...
- Standalone LDAP Registry
The standalone LDAP registry performs only a single group membership query. If the groups returned can themselves be members of other groups, go to...
Security | Global security | User account repository | Available realm definitions | Standalone LDAP registry | Configure | Additional properties | Advanced LDAP user registry settings
...and enable the property...
Perform a nested group search
- LDAP Registry within a Federated Repositories Registry
Configure what you expect the query to return. Based on this information, the federated repository makes the appropriate calls to establish all group memberships. If the LDAP server returns all nested group information within a single direct group query, go to...
Security | Global security | User account repository | Available realm definitions | Federated repositories | Configure | Related items | Manage repositories | Add | Additional properties | Group attribute definition
...and set the property...
Scope of group membership
...to Nested.
- If the LDAP server returns only the direct membership, then the registry must then make subsequent queries to establish complete membership. To force the Federated Repository to issue subsequent queries, set the Scope of group membership attribute property in the Group attribute definition for the repository to Direct.
Results
While using the direct method, dynamic groups, recursive groups, and static groups can be returned as multiple values of a single attribute. For example, in IBM Directory Server all group memberships, including the static groups, dynamic groups, and nested groups, can be returned using the ibm-allGroups attribute. In Sun ONE, all roles, including managed roles, filtered roles, and nested roles, are calculated using the nsRole attribute. If an LDAP server can use the nsRole attribute, dynamic groups, nested groups, and static groups are all supported by WAS.
Some LDAP servers do not have recursive computing functionality. For example, although Microsoft Active Directory server has direct group search capability using the memberOf attribute, this attribute lists only the groups of which the object is a direct member; it does not contain the recursive list of parent groups further up the nesting. The Lotus Domino LDAP server only supports the indirect method to locate the group memberships for a user, so recursive group memberships cannot be obtained from a Domino server directly. For LDAP servers without recursive searching capability, WAS security provides a recursive function that is enabled by clicking...
Perform a Nested Group Search
...in the Advanced LDAP user registry settings. Select this option only if the LDAP server does not provide recursive searches and you want a recursive search.
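To make the differences between the indirect static search, the direct search, client-side dynamic groups and the nested-group walk concrete, here is an added example that models each strategy against a small in-memory stand-in for an LDAP server. It is not WebSphere or IBM code. The DNs, users, groups and attribute values are constructed sample data; the attribute names (member, memberOf, ibm-allGroups, memberURL) are the real ones discussed on this page. Each search sent to the fake server is counted, so the scaling argument made in the Overview and the effect of "Perform a nested group search" on an Active Directory style memberOf attribute are both visible in the numbers.

```python
"""Added example (not WebSphere or IBM code): LDAP group-membership lookup
strategies run against a tiny in-memory stand-in for an LDAP server so they
execute offline. DNs and values are constructed sample data; the attribute
names (member, memberOf, ibm-allGroups, memberURL) are real."""
from typing import Dict, List, Set, Tuple

PEOPLE_BASE = "ou=people,dc=example,dc=com"
GROUP_BASE = "ou=groups,dc=example,dc=com"
ALICE, BOB = f"uid=alice,{PEOPLE_BASE}", f"uid=bob,{PEOPLE_BASE}"
STAFF, ADMINS, OPS, DYN_NY = [f"cn={n},{GROUP_BASE}" for n in ("staff", "admins", "ops", "dyn-ny")]

# Constructed directory: alice is a direct member of staff; staff is nested in
# admins; admins and ops are nested in each other (a cycle, which directories
# permit); dyn-ny is a dynamic group of everyone located in NY.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ALICE: {"objectClass": ["inetOrgPerson"], "l": ["NY"],
            "memberOf": [STAFF],                             # direct parents only (AD style)
            "ibm-allGroups": [STAFF, ADMINS, OPS, DYN_NY]},  # server-computed: static, nested, dynamic
    BOB: {"objectClass": ["inetOrgPerson"], "l": ["LA"], "memberOf": [], "ibm-allGroups": []},
    STAFF: {"objectClass": ["groupOfNames"], "member": [ALICE], "memberOf": [ADMINS]},
    ADMINS: {"objectClass": ["groupOfNames"], "member": [STAFF, OPS], "memberOf": [OPS]},
    OPS: {"objectClass": ["groupOfNames"], "member": [ADMINS], "memberOf": [ADMINS]},
    DYN_NY: {"objectClass": ["groupOfURLs"], "memberURL": [f"ldap:///{PEOPLE_BASE}??sub?(l=NY)"]},
}


class FakeLdapServer:
    """Minimal LDAP stand-in: a subtree search with one equality filter (scope
    is ignored) and a base-scope read, each counted as one round trip."""

    def __init__(self, directory: Dict[str, Dict[str, List[str]]]):
        self.directory, self.searches = directory, 0

    def read(self, dn: str) -> Dict[str, List[str]]:
        self.searches += 1
        return self.directory[dn]

    def search(self, base: str, objectclass: str = None, attr: str = None, value: str = None) -> List[str]:
        self.searches += 1
        hits = []
        for dn, e in self.directory.items():
            if dn != base and not dn.endswith("," + base):
                continue
            if objectclass and objectclass not in e.get("objectClass", []):
                continue
            if attr and value not in e.get(attr, []):
                continue
            hits.append(dn)
        return hits


def static_indirect_groups(srv: FakeLdapServer, user_dn: str, group_base: str) -> Set[str]:
    """Indirect static lookup as the page describes it: list every group, then
    read each one and test whether the user is in its member attribute.
    Cost is 1 + (number of groups) round trips."""
    groups = srv.search(group_base, objectclass="groupOfNames")
    return {g for g in groups if user_dn in srv.read(g).get("member", [])}


def direct_groups(srv: FakeLdapServer, user_dn: str, attr: str) -> Set[str]:
    """Direct lookup: one read of the user entry. memberOf yields only direct
    parents; ibm-allGroups already includes nested and dynamic groups."""
    return set(srv.read(user_dn).get(attr, []))


def parse_ldap_url(url: str) -> Tuple[str, str, str, str]:
    """Parse ldap:///base?attrs?scope?filter; only a single equality filter is
    supported here (enough for the sample data, not a general LDAP parser)."""
    if not url.startswith("ldap:///"):
        raise ValueError(f"unsupported URL: {url}")
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?") + ["", "", ""])[:4]
    attr, value = flt.strip("()").split("=", 1)
    return base, scope or "base", attr, value


def dynamic_groups_client_side(srv: FakeLdapServer, user_dn: str, group_base: str) -> Set[str]:
    """Client-side dynamic groups: the server returns memberURL and the client
    must run each query itself, one extra search per dynamic group."""
    hits = set()
    for g in srv.search(group_base, objectclass="groupOfURLs"):
        for url in srv.read(g).get("memberURL", []):
            base, _scope, attr, value = parse_ldap_url(url)
            if user_dn in srv.search(base, attr=attr, value=value):
                hits.add(g)
    return hits


def nested_groups(srv: FakeLdapServer, start: Set[str]) -> Set[str]:
    """Client-side recursion, the work "Perform a nested group search" asks WAS
    to do: read each group's own memberOf until nothing new appears. The seen
    set stops the walk on circular nesting (admins <-> ops above)."""
    seen, todo = set(), list(start)
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        todo.extend(srv.read(g).get("memberOf", []))
    return seen


def compare_strategies(user_dn: str) -> Dict[str, Tuple[Set[str], int]]:
    """Run each strategy on a fresh server; return (groups found, round trips)."""
    out = {}
    for name, fn in (
        ("static_indirect", lambda s: static_indirect_groups(s, user_dn, GROUP_BASE)),
        ("direct_memberOf", lambda s: direct_groups(s, user_dn, "memberOf")),
        ("direct_ibm_allGroups", lambda s: direct_groups(s, user_dn, "ibm-allGroups")),
        ("dynamic_client_side", lambda s: dynamic_groups_client_side(s, user_dn, GROUP_BASE)),
        ("memberOf_plus_nested", lambda s: nested_groups(s, direct_groups(s, user_dn, "memberOf"))),
    ):
        srv = FakeLdapServer(DIRECTORY)
        out[name] = (fn(srv), srv.searches)
    return out


if __name__ == "__main__":
    for name, (groups, n) in compare_strategies(ALICE).items():
        print(f"{name:22s} {n} round trips -> {sorted(groups)}")
```

Running it for alice shows the trade-off the page describes: the indirect static search costs four round trips and finds only staff; memberOf costs one but also stops at staff; memberOf followed by the client-side nested walk finds staff, admins and ops in four round trips and terminates despite the admins/ops cycle; ibm-allGroups returns all four groups, dynamic group included, in a single read. The client-side dynamic path needs its own three round trips to discover dyn-ny, which is why the page rates it with the static search rather than with the direct one.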
Related
Configure dynamic and nested group support for SunONE or iPlanet Directory Server
Configure dynamic and nested group support for IBM Tivoli Directory Server
Standalone LDAP registries
Dynamic groups and nested group support for LDAP
Use specific directory servers as the LDAP server
Configure LDAP user registries