Configuring IBM BPM to handle white space and letter case variations in the LDAP server

You can configure IBM® BPM to enable or disable the actions of detecting and removing white spaces and normalizing capitalization in distinguished names in a Virtual Member Manager (VMM) LDAP repository.

This feature requires the latest service level and fixes for your version of IBM BPM.

When you synchronize group membership between your user repository (for example, LDAP) and the IBM Business Process Manager database by using one of the administrative scripts (syncGroupMembershipForGroups or syncGroupMembershipForAllGroups), the run time can be very long. When you run one of the scripts, IBM BPM matches the distinguished names (DNs) of the group members in the user repository to the DNs stored for users in the IBM BPM database. This matching relies on removing unexpected white space from the DNs and normalizing their capitalization, both of which you can enable by configuring IBM BPM.

About this task

For white space detection and capitalization normalization actions, configure the following properties in the 100Custom.xml file in your topology:
  • normalize-whitespaces-for-distinguished-names-prop with a true or false value
    • Set this property to false if you have a well-maintained VMM LDAP repository that avoids variations in white space usage.
    • Set this property to true if the DNs stored in a VMM LDAP repository show varying usage of white spaces in DNs referring to the same user or group, for example
      • DN for user entry: uid=user1, ou=mycomp
      • DN for group member reference: uid =user1, ou =mycomp
    • By default, the property is not set and IBM BPM behaves as if it were set to true.
  • normalize-case-for-distinguished-names-prop with an INSQL or INJAVA value
    • You do not need to set this property if you have a well-maintained VMM LDAP repository that avoids variations in capitalization.
    • Set this property if the DNs stored in a VMM LDAP repository show varying usage of capitalization in DNs referring to the same user or group, for example
      • DN for user entry: uid=user1, ou=mycomp
      • DN for group member reference: uiD=UsEr1, ou=MyComp
    • By default, the property is not set and IBM BPM behaves as if it were set to INSQL. This default has no performance implications for a well-maintained VMM LDAP repository.
    INSQL
    During group membership synchronization for a group, IBM BPM performs the following actions:
    • Queries the group entry for the group members in the user repository
    • Resolves the user record in the IBM BPM database for each group member by using the retrieved group member DN
    • Updates the group membership in the IBM BPM database table by using the retrieved user ID for each group member

    Some user repositories return inconsistent capitalization when they are queried for group members versus user names. With the default setting of INSQL, an IBM BPM database with case-insensitive-security-cache set to true (which is the default for all database systems other than Microsoft SQL Server) first performs a case-sensitive search for users using the DNs returned by the group member queries. For group members that are not found by this case-sensitive search, a second, case-insensitive query is required. Case insensitivity is achieved by applying the SQL function UPPER to the user name, which can have a significant performance impact.

    As a result, the default setting of INSQL is appropriate for the following environments:
    • Environments that receive consistent data from the user registry (and, therefore, never require the second, case-insensitive query)
    • Environments that receive inconsistent data from the user registry only occasionally (and, therefore, fall back to the second query only in exceptional cases)
    • Environments that have the case-insensitive-security-cache flag set to false (which is the default for MS SQL Server), because the second query (which would return the same result) is unnecessary and is omitted anyway
    INJAVA
    If your environment receives frequent inconsistent responses from the user registry, set the value to INJAVA. This setting achieves case insensitivity by storing each user's distinguished name in a normalized form: the DN is converted to lower case during user synchronization, which is performed by one of the available user synchronization scripts or, implicitly, when the user logs in.

    When you synchronize group memberships, group members in the IBM BPM database are looked up by transforming each group member name to the same normalized form, that is, by converting it to lowercase in Java. This configuration avoids the second database query during group membership synchronization at the cost of more processing during user synchronization.

    Note: The normalization procedure requires normalized values to be available for user DNs in the user records in the IBM BPM database. As a consequence, you must recompute the user DNs in the user records whenever the setting is switched from INSQL to INJAVA by running the syncExistingUsers administrative script. Conversely, whenever you switch the setting from INJAVA to INSQL, recompute the user DNs in the user records to restore non-normalized DNs. The same action applies when the value for white space-related normalization is changed; the syncExistingUsers script must be run as well.
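The following example is added here to illustrate the behavior described above; it is not IBM BPM code and does not reproduce how IBM BPM canonicalizes a DN, which this page does not document. It is written in Python, the language of the wsadmin (Jython) scripts that this page refers to. The normalizer (strip white space around the "=" and "," of each RDN, optionally lower-case the whole DN) is an assumption chosen to make the page's sample DNs match; the UserTable class stands in for the user records in the IBM BPM database and counts the queries each lookup issues, so that the single INJAVA lookup can be compared with the INSQL case-sensitive query plus its UPPER fallback. The user DNs and group member references are constructed sample data.

```python
# Added example, not IBM BPM code. Models the white-space and case
# normalization options described on this page and counts the database
# queries each option needs to resolve group members. The normalizer and
# UserTable are assumptions; USERS and MEMBERS are constructed sample data.


def split_rdns(dn):
    """Split a DN into its RDNs on commas that are not escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape pairs such as '\,' intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_dn(dn, normalize_whitespace=True, normalize_case=False):
    """Canonical form of a DN (assumed normalization, not IBM BPM's).

    normalize_whitespace: strip white space around '=' in each RDN and around
        the ',' separators; spaces inside a value ('cn=John Smith') are kept.
    normalize_case: lower-case the result, as the INJAVA option stores user DNs.
    """
    if normalize_whitespace:
        rdns = []
        for rdn in split_rdns(dn):
            attr, sep, value = rdn.partition("=")
            rdns.append(attr.strip() + sep + value.strip() if sep else rdn.strip())
        dn = ",".join(rdns)
    if normalize_case:
        dn = dn.lower()
    return dn


class UserTable:
    """Stand-in for the IBM BPM user records; counts the queries a lookup issues."""

    def __init__(self, user_dns, case_mode="INSQL", normalize_whitespace=True,
                 case_insensitive_cache=True):
        self.case_mode = case_mode
        self.normalize_whitespace = normalize_whitespace
        self.case_insensitive_cache = case_insensitive_cache
        self.queries = 0
        # The syncExistingUsers step in this model: store each user DN in the
        # form the configured mode expects (lower-cased only for INJAVA).
        self.rows = {uid: normalize_dn(dn, normalize_whitespace, case_mode == "INJAVA")
                     for uid, dn in user_dns.items()}

    def _query(self, predicate):
        self.queries += 1
        for uid, stored in self.rows.items():
            if predicate(stored):
                return uid
        return None

    def find_user(self, member_dn):
        """Resolve a group-member DN to a user id the way each option would."""
        if self.case_mode == "INJAVA":
            # One exact query against the pre-normalized (lower-cased) column.
            key = normalize_dn(member_dn, self.normalize_whitespace, True)
            return self._query(lambda stored: stored == key)
        key = normalize_dn(member_dn, self.normalize_whitespace, False)
        uid = self._query(lambda stored: stored == key)  # case-sensitive first
        if uid is None and self.case_insensitive_cache:
            # Fallback comparable to UPPER(dn) = UPPER(?): the costly second query.
            uid = self._query(lambda stored: stored.upper() == key.upper())
        return uid


def sync_group(table, member_dns):
    """Resolve every member DN of one group; returns (member -> uid, queries issued)."""
    before = table.queries
    resolved = {dn: table.find_user(dn) for dn in member_dns}
    return resolved, table.queries - before


# Constructed sample data using the page's variations (extra spaces, mixed case).
USERS = {"user1": "uid=user1, ou=mycomp", "user2": "uid=user2, ou=mycomp"}
MEMBERS = ["uid =user1, ou =mycomp", "uiD=UsEr1, ou=MyComp", "uid=user2,ou=mycomp"]


def compare_modes():
    """Query count and unresolved members per configuration, as {name: (queries, missed)}."""
    out = {}
    for name, table in [
        ("INSQL", UserTable(USERS, "INSQL")),
        ("INJAVA", UserTable(USERS, "INJAVA")),
        ("INSQL/no-cache", UserTable(USERS, "INSQL", case_insensitive_cache=False)),
        ("INSQL/no-whitespace", UserTable(USERS, "INSQL", normalize_whitespace=False)),
    ]:
        resolved, queries = sync_group(table, MEMBERS)
        out[name] = (queries, [dn for dn, uid in resolved.items() if uid is None])
    return out


if __name__ == "__main__":
    for mode, (queries, missed) in compare_modes().items():
        print("%-20s queries=%d unresolved=%s" % (mode, queries, missed))
```

Running the script shows the trade-off in numbers: for the three sample members, INSQL issues four queries (the mixed-case member needs the UPPER fallback), INJAVA issues three, and INSQL with case-insensitive-security-cache set to false issues three but leaves the mixed-case member unresolved. Disabling white space normalization leaves two members unresolved, which is why the property defaults to true. Note that the model only strips white space around separators, so values that legitimately contain spaces or escaped commas survive normalization.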

Procedure

  1. To normalize white spaces and capitalization, complete the following steps:
    • For white space normalization, include the following setting in your 100Custom.xml file in your topology:
      <common merge="mergeChildren">
        <security>
          <vmm-options>
            <normalize-whitespaces-for-distinguished-names-prop>true</normalize-whitespaces-for-distinguished-names-prop>
          </vmm-options>
        </security>
      </common>
    • If you know of or suspect variations in capitalization that need normalization, include the following setting in your 100Custom.xml file in your topology:
      <common merge="mergeChildren">
        <security>
          <vmm-options>
            <normalize-case-for-distinguished-names-prop>INJAVA</normalize-case-for-distinguished-names-prop>
          </vmm-options>
        </security>
      </common>
  2. Restart the servers and run the syncExistingUsers script to refresh the user entries in the IBM BPM database.
  3. Run one of the group membership synchronization scripts (syncGroupMembershipForGroups or syncGroupMembershipForAllGroups).