Spaces are not listed for user when access is through a group.

Technote (FAQ)


Question

Why do spaces fail to list for users that have access to spaces through group membership?

Cause

Often the cause is the filter used to search groups for a particular user. Consider the following trace from a standalone LDAP configuration (Business Space only; Mashup Center must use a federated repository).

0000003b handler > com.ibm.mm.was.user.service.handler.StandardSecureNonWIMHandler findMembership -- userUniqueName ENTRY cn=testuser,cn=users,dc=ibm,dc=com
0000003b UserRegistryI > getGroupsForUser Entry
cn=testuser,cn=users,dc=ibm,dc=com
0000003b LdapRegistryI > getGroupsForUser Entry
cn=testuser,cn=users,dc=ibm,dc=com
0000003b LdapRegistryI 3 filter = (&(objectclass=memberof)(member=cn=testuser,cn=users,dc=ibm,dc=com))
0000003b LdapRegistryI 3 Using group base dn for the search: o=orcas
0000003b LdapRegistryI > search Entry
0000003b LdapRegistryI 3 DN: dc=ibm,dc=com
0000003b LdapRegistryI 3 Search scope: 2
0000003b LdapRegistryI 3 Filter: (&(objectclass=memberof)(member=cn=testuser,cn=users,dc=ibm,dc=com))
0000003b LdapRegistryI 3 Time limit: 0
0000003b LdapRegistryI 3 Attr[0]: 1.1
0000003b LdapRegistryI 3 Search 0 of 3
0000003b LdapRegistryI > getDirContext Entry
0000003b LdapRegistryI < getDirContext Exit
0000003b LdapRegistryI < getDirContext Exit
0000003b LdapRegistryI 3 enterJNDI:WebContainer : 6
0000003b LdapRegistryI 3 exitJNDI:WebContainer : 6
0000003b LdapRegistryI 3 Time elapsed: 17
0000003b LdapRegistryI < search Exit
0000003b LdapRegistryI 3 Number of groups returned = 0
0000003b LdapRegistryI < getGroupsForUser Exit
0000003b UserRegistryI < getGroupsForUser Exit
0
0000003b handler > com.ibm.mm.was.user.service.handler.StandardSecureNonWIMHandler findMembership -- groupList ENTRY []
0000003b handler < com.ibm.mm.was.user.service.handler.StandardSecureNonWIMHandler findMembership RETURN []

Note that the return value is an empty array, implying that this user is not a member of any group. The problem is the LDAP filter, which does not search the LDAP correctly: memberof is the wrong objectClass for this particular LDAP.

(&(objectclass=memberof)(member=cn=testuser,cn=users,dc=ibm,dc=com))


Answer

Depending on the LDAP, the groupMembership filter may require tuning. For example, the following are common LDAP settings.

  • ibm-allGroups:member for IBM Directory server
  • nsRole:nsRole for Sun ONE directory, if groups are created with role inside Sun ONE
  • memberOf:member in Microsoft Active Directory Server
  • groupMembership:member for eDirectory
  • dominoGroup:member for Lotus Domino

Consult the WebSphere Application Server administrator to adjust the groupMemberIdMap attribute found in security.xml to one of the above (or a custom) search pair.
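As an added example (not IBM's code), the following Python rebuilds the getGroupsForUser filter from a groupMemberIdMap pair and evaluates it against a small constructed directory whose groups use the groupOfNames objectclass (an assumption; the technote does not say which class the customer's groups use). It reproduces the "Number of groups returned = 0" result of the trace for memberof:member and the corrected result for a matching pair, and escapes the user DN per RFC 4515 so a DN containing filter metacharacters cannot alter the search.

```python
import re

# Constructed sample directory (not from the technote): groups here use the
# groupOfNames objectclass, so a filter on objectclass=memberof finds nothing.
USER_DN = "cn=testuser,cn=users,dc=ibm,dc=com"
SAMPLE_ENTRIES = [
    {"dn": "cn=spaceadmins,cn=groups,dc=ibm,dc=com",
     "objectclass": {"top", "groupofnames"},
     "member": {USER_DN}},
    {"dn": "cn=viewers,cn=groups,dc=ibm,dc=com",
     "objectclass": {"top", "groupofnames"},
     "member": {"cn=otheruser,cn=users,dc=ibm,dc=com"}},
]

def escape_filter_value(value):
    """RFC 4515 escaping: a DN containing ( ) * \\ or NUL cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value):
    """Reverse of escape_filter_value, used when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_group_filters(group_member_id_map, user_dn):
    """Expand 'objectclass:attribute' pairs (several may be joined with ';')
    into the (&(objectclass=X)(attr=userDN)) filters seen in the trace."""
    filters = []
    for pair in group_member_id_map.split(";"):
        objclass, attr = (p.strip() for p in pair.split(":", 1))
        filters.append("(&(objectclass=%s)(%s=%s))"
                       % (objclass, attr, escape_filter_value(user_dn)))
    return filters

FILTER_RE = re.compile(r"^\(&\(objectclass=([^)]+)\)\(([^=]+)=(.+)\)\)$")

def groups_for_user(entries, filters):
    """Evaluate the filters against the in-memory entries the way a directory
    would; returns the DNs of matching groups (the trace reported 0 of these)."""
    found = []
    for f in filters:
        m = FILTER_RE.match(f)
        objclass, attr = m.group(1).lower(), m.group(2).lower()
        wanted = unescape_filter_value(m.group(3)).lower()
        for e in entries:
            members = {v.lower() for v in e.get(attr, set())}
            if objclass in e["objectclass"] and wanted in members and e["dn"] not in found:
                found.append(e["dn"])
    return found

if __name__ == "__main__":
    for id_map in ("memberof:member", "groupOfNames:member"):
        print(id_map, "->", groups_for_user(SAMPLE_ENTRIES, build_group_filters(id_map, USER_DN)))
```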



Document information


More support for:

IBM Mashup Center
Lotus Mashups

Software version:

2.0, 3.0

Operating system(s):

AIX, Linux, Windows

Reference #:

1509029

Modified date:

2011-12-29
