Enabling WebSphere Portal to support dynamic LDAP groups

Technote (troubleshooting)


Problem

How do you configure IBM WebSphere® Portal to recognize dynamic groups?

Resolving the problem

To configure WebSphere Portal to recognize dynamic groups, perform the following steps:
1. Add the ObjectClass of the dynamic group to the "objectClassesForRead" parameter in the wmm.xml file.

    a) Save a copy of the original wmm.xml file (default location is <wps_home>/shared/app/wmm in 5.0.x, and <wps_home>/wmm in 5.1.x and 6.0.x) and edit the file.

    b) Add the ObjectClass of the dynamic group (for example, groupOfURLs) to the "objectClassesForRead" parameter of the Group member type. If in doubt about the correct class, your LDAP administrator should be able to assist you.
    Example:
      <supportedLdapEntryType name="Group"
        rdnAttrTypes="cn"
        objectClassesForRead="groupOfNames;groupOfURLs"
        objectClassesForWrite="groupOfNames"/>


2. Set the objectClassesNotForUpdate attribute.
    The objectClassesNotForUpdate attribute (set in wmm.xml) lists ObjectClasses that Member Manager must not add to existing members that do not already have them.

    The ObjectClasses specified in the "objectClassesForRead" attribute are used to determine whether an LDAP entry belongs to this member type. In the example above, if an LDAP entry's ObjectClass attribute contains either "groupOfNames" or "groupOfURLs", the entry is treated as a Group member type in WMM.

    If objectClassesNotForUpdate is not specified and a returned member does not contain all of the ObjectClasses listed in objectClassesForRead, the Member Manager updates the ObjectClass attribute of that member to include the rest. For example, for a group whose ObjectClass is "groupOfURLs", the Member Manager will add "groupOfNames" to the ObjectClass of this group. Sometimes this addition is not desired. To prevent it, add "groupOfNames" to the objectClassesNotForUpdate attribute:
      <repositories>
        <ldapRepository name="wmmLDAP"
          UUID="LDAP1"
          adapterClassName="com.ibm.ws.wmm.ldap.ibmdir.IBMDirectoryAdapterImpl"
          supportDynamicAttributes="false"
          configurationFile="wmm/xml/wmmLDAPAttributes_IDS.xml"
          wmmGenerateExtId="true"
          supportGetPersonByAccountName="true"
          profileRepositoryForGroups="LDAP1"
          supportTransactions="false"
          adminId="cn=root"
          adminPassword="XXXXXX"
          ldapHost="localhost"
          ldapPort="636"
          ldapTimeOut="6000"
          ldapAuthentication="SIMPLE"
          ldapType="0"
          java.naming.security.protocol="ssl"
          memberOfAttributeName="ibm-allGroups"
          groupCacheRefreshInterval="-1"
          objectClassesNotForUpdate="groupOfNames">

    Note that memberOfAttributeName was replaced by groupMembershipAttributeMap in WMM 5.1. This is documented in the WebSphere Portal Information Center.

3. Add or specify groupMemberURL mapping.
    In the Member Manager LDAP attribute mapping wmmLDAPServerAttributes.xml file (default location is <wp_root>/shared/app/wmm for 5.0.x, and <wp_root>/wmm for 5.1.x and 6.0), add a mapping for the groupMemberURL attribute (commented out in 5.1 and 6.0 by default).

    For example, if you use memberURL as the attribute to store the dynamic group query, add the following mapping to wmmLDAPServerAttributes.xml.
      <attributeMap wmmAttributeName="groupMemberURL"
        pluginAttributeName="memberURL"
        applicableMemberTypes="Group"
        dataType="String"
        valueLength="1024"
        multiValued="true" />

4. For WebSphere Portal 5.1 and 6.0 only.
    In WMM 5.1 and later, a new parameter was introduced in the wmm.xml file named groupDynamicMemberAttributeMap. It gives multiple pairs of dynamic group mappings, such as "groupOfURLs:memberURL". Note that this configuration in wmm.xml will overwrite the settings in Step 3.
    Using the same example as above:
      <repositories>
        <ldapRepository name="wmmLDAP"
          UUID="LDAP1"
          adapterClassName="com.ibm.ws.wmm.ldap.ibmdir.IBMDirectoryAdapterImpl"
          supportDynamicAttributes="false"
          configurationFile="wmm/xml/wmmLDAPAttributes_IDS.xml"
          wmmGenerateExtId="true"
          supportGetPersonByAccountName="true"
          profileRepositoryForGroups="LDAP1"
          supportTransactions="false"
          adminId="cn=root"
          adminPassword="XXXXXX"
          ldapHost="localhost"
          ldapPort="636"
          ldapTimeOut="6000"
          ldapAuthentication="SIMPLE"
          ldapType="0"
          java.naming.security.protocol="ssl"
          groupMemberAttributeMap="groupOfNames:member;groupOfUniqueNames:uniqueMember"
          groupMembershipAttributeMap="ibm-allGroups:all"
          groupDynamicMemberAttributeMap="groupOfURLs:memberURL"
          groupCacheRefreshInterval="-1"
          objectClassesNotForUpdate="groupOfNames">

5. Restart the Portal server after the changes are made.
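
The following check is an added example, not part of the technote and not IBM code: it models the ObjectClass update described in step 2 and confirms that every class mapped in step 4 is also readable as a Group per step 1. The sample XML is constructed; the <wmm> wrapper, the element nesting, and ";" as the pair separator in groupDynamicMemberAttributeMap (taken from the groupMemberAttributeMap example) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: attribute values come from the technote's examples; the
# <wmm> wrapper and the element nesting are assumptions made so it parses.
SAMPLE_WMM_XML = """
<wmm><repositories>
  <ldapRepository name="wmmLDAP" UUID="LDAP1"
      groupDynamicMemberAttributeMap="groupOfURLs:memberURL"
      objectClassesNotForUpdate="groupOfNames">
    <supportedLdapEntryType name="Group" rdnAttrTypes="cn"
        objectClassesForRead="groupOfNames;groupOfURLs"
        objectClassesForWrite="groupOfNames"/>
  </ldapRepository>
</repositories></wmm>
"""

def split_list(value):
    return [v.strip() for v in (value or "").split(";") if v.strip()]

def load_group_settings(xml_text):
    """Pull the Group-related settings of steps 1, 2 and 4 out of wmm.xml."""
    root = ET.fromstring(xml_text)
    repo = next(root.iter("ldapRepository"))
    group = next(e for e in root.iter("supportedLdapEntryType")
                 if e.get("name") == "Group")
    pairs = split_list(repo.get("groupDynamicMemberAttributeMap"))
    return {
        "for_read": split_list(group.get("objectClassesForRead")),
        "not_for_update": split_list(repo.get("objectClassesNotForUpdate")),
        "dynamic_map": dict(p.split(":", 1) for p in pairs),
    }

def classes_added_on_read(entry_classes, for_read, not_for_update):
    """objectClasses Member Manager would add to an entry, per step 2."""
    have = {c.lower() for c in entry_classes}  # LDAP names ignore case
    if not have & {c.lower() for c in for_read}:
        return []  # not a Group member type, so nothing is updated
    skip = {c.lower() for c in not_for_update}
    return [c for c in for_read if c.lower() not in have | skip]

def unreadable_dynamic_classes(settings):
    """Classes mapped in step 4 that step 1 never made readable as Group."""
    readable = {c.lower() for c in settings["for_read"]}
    return [c for c in settings["dynamic_map"] if c.lower() not in readable]

if __name__ == "__main__":
    s = load_group_settings(SAMPLE_WMM_XML)
    print(unreadable_dynamic_classes(s))
    print(classes_added_on_read(["groupOfURLs"], s["for_read"], s["not_for_update"]))
```

Both calls return an empty list for the sample; a non-empty result from either one names the ObjectClass that still needs attention before the restart in step 5.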

NOTE: Be aware of the conditions specified in the link below regarding the WebSphere Portal Development LDAP Statement of Support.

Related information

WebSphere Portal LDAP Statement of Support

Cross reference information
    Segment: Organizational Productivity- Portals & Collaboration
    Product: WebSphere Portal End of Support Products
    Component: Installation & Configuration
    Platform: AIX, HP-UX, i5/OS, Linux, Solaris, Windows
    Version: 5.0.2.3, 5.0.2.2, 5.0.2.1, 5.0.2
    Edition: Enable, Experience, Extend


Document information


More support for:

WebSphere Portal End of Support Products
WebSphere Portal

Software version:

6.0

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, i5/OS

Software edition:

Enable, Express, Extend, Server

Reference #:

1198344

Modified date:

2013-08-03
