IBM BS029ML Self Help Guide - Page 144
If you have trouble finding either users or groups, use an LDAP tool to verify that the settings in the WMM configuration are correct. When WMM issues a search request to the LDAP server, it builds the search filter from the parameters "wmmSecurityAttributeName", "objectClassForRead", and "SearchFilter" in wmm.xml. For example, assume that you search on "john*" on attribute "uid", and have the WMM configuration shown in Example 4-19.

Example 4-19 WMM LDAP entry configuration
......

The search filter sent to the LDAP server by WMM would look like

(&(uid=john*)(objectclass=inetorgperson))

with a search base of "ou=people,ou=dept,o=acme.com". Using an LDAP utility such as ldapsearch, we issue the following command to verify the same configuration:

ldapsearch -h corpldap.acme.com -p 389 -b "ou=people,ou=dept,o=acme.com" -D <bindDN> -w <password> "(&(uid=john*)(objectclass=inetorgperson))"

where <bindDN> is the bind user used in the WMM configuration, and <password> is the password for the bind user. The command should return the same entries WMM is expected to find; if it returns nothing, the search base, the attribute name, or the object class in the configuration is wrong. Note that -w puts the bind password on the command line, where it is visible in the process list and in shell history, and that a plain bind on port 389 sends it to the server in cleartext; OpenLDAP's ldapsearch can prompt for the password with -W instead.

If you are able to search for users or groups by attributes, but there is a problem finding their membership information, such as a failure to find the groups a user belongs to, or the users in a group, then the problem most likely lies in the configuration of group-to-member relationships. The first step is to check the user-to-group membership mapping. Without realm support, check the setting "Group member ID map" in the advanced LDAP configuration of WebSphere Application Server global security. There are two ways to specify the user-to-group relationship in this field:

Multiple "objectclass:property" pairs separated by semicolons. In an objectclass:property pair, the object class is the same object class that is defined in the group filter, and the property is the member attribute. Examples are "groupOfUniqueNames:uniqueMember" and "groupOfNames:member". Note that "uniqueMember" always goes with "groupOfUniqueNames", and "member" with "groupOfNames". Never mix them.
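The filter construction and the ldapsearch check above, as an added example that is not part of the original guide or of WMM's own code: a small Python script that assembles the filter from the three wmm.xml parameters, escapes the user-typed value per RFC 4515 so that a string such as john)(objectclass=* cannot close the uid clause and widen the search, and prints the ldapsearch command line with every argument shell-quoted. The function names, the bind DN cn=wmmbind,ou=svc,o=acme.com and the password are this example's own assumptions; the host, search base, attribute and object class are the page's.

```python
"""Added example (not WMM or WebSphere code): build the filter WMM is described
as sending and the ldapsearch command used to verify it.  Function names, the
bind DN and the password are assumptions of this example."""
import shlex


def escape_filter_value(value: str, keep_wildcard: bool = True) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    ( ) \\ NUL and, unless explicitly allowed, * are replaced by \\xx hex
    escapes so a string taken from a search box cannot terminate the
    (uid=...) clause and inject its own filter terms.
    """
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append(ch)  # the page's "john*" search relies on the wildcard
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_wmm_filter(attr: str, value: str, object_class: str,
                     extra_filter: str = "") -> str:
    """Assemble (&(<attr>=<value>)(objectclass=<object_class>)[<extra>]).

    attr plays the role of wmmSecurityAttributeName, object_class of
    objectClassForRead and extra_filter of SearchFilter.  Only value comes
    from the user, so only value is escaped; the rest is configuration.
    """
    clauses = [f"({attr}={escape_filter_value(value)})",
               f"(objectclass={object_class})"]
    if extra_filter:
        clauses.append(extra_filter if extra_filter.startswith("(")
                       else f"({extra_filter})")
    return "(&" + "".join(clauses) + ")"


def build_ldapsearch_command(host: str, port: int, base: str, bind_dn: str,
                             password: str, ldap_filter: str) -> str:
    """Return the page's ldapsearch line, each argument quoted for the shell."""
    argv = ["ldapsearch", "-h", host, "-p", str(port), "-b", base,
            "-D", bind_dn, "-w", password, ldap_filter]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    f = build_wmm_filter("uid", "john*", "inetorgperson")
    print(f)  # (&(uid=john*)(objectclass=inetorgperson))
    # A value typed as john)(objectclass=*  is neutralised instead of widening
    # the search to every entry under the base.
    print(build_wmm_filter("uid", "john)(objectclass=*", "inetorgperson"))
    print(build_ldapsearch_command("corpldap.acme.com", 389,
                                   "ou=people,ou=dept,o=acme.com",
                                   "cn=wmmbind,ou=svc,o=acme.com",  # assumed bind DN
                                   "secret", f))
```

Running the script prints the page's filter, the escaped form of the injection attempt, and the ldapsearch line. The password still lands on the command line exactly as in the guide, so run such a command from a session whose process list and shell history are not shared.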
Multiple "group attribute:member attribute" pairs separated by semicolons. For some LDAP servers, such as IBM Tivoli Directory Server and Microsoft Active Directory, a user entry is automatically assigned an implicit "group attribute" in which all groups the user belongs to are stored (for example, memberOf on Active Directory and ibm-allGroups on Tivoli Directory Server). Its purpose is to improve performance when you search for the groups of a user. Without such an attribute, the search has to exhaust all the groups within

130 IBM WebSphere Portal V6 Self Help Guide
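The two forms of the Group member ID map described above, as an added example that is not part of the original guide or of WebSphere's code: a Python script that parses a map value, flags the objectclass/attribute mix the page warns against, and resolves membership against a small in-memory directory both by scanning group entries (the objectclass:property form) and by reading a per-user group attribute (the group attribute:member attribute form). The directory entries and DNs are constructed for this example, memberof is used as the name of the server-maintained group attribute (Active Directory's name for it), and all function names are this example's own.

```python
"""Added example (not WebSphere code): check a "Group member ID map" value and
resolve membership both ways against a constructed directory."""

# Schema pairings the guide insists on; other group classes pass unchecked.
STANDARD_PAIRS = {"groupofuniquenames": "uniquemember", "groupofnames": "member"}


def parse_member_id_map(spec: str) -> list:
    """Split 'left:right;left:right' into lowercased (left, right) tuples."""
    pairs = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        if item.count(":") != 1:
            raise ValueError(f"malformed pair {item!r}: expected exactly one ':'")
        left, right = (part.strip().lower() for part in item.split(":"))
        if not left or not right:
            raise ValueError(f"malformed pair {item!r}: empty side")
        pairs.append((left, right))
    return pairs


def check_objectclass_pairs(pairs: list) -> list:
    """Report groupOfUniqueNames/groupOfNames entries paired with the wrong attribute."""
    problems = []
    for object_class, member_attr in pairs:
        expected = STANDARD_PAIRS.get(object_class)
        if expected is not None and member_attr != expected:
            problems.append(f"{object_class} must be paired with {expected}, not {member_attr}")
    return problems


def _values(entry: dict, attr: str) -> set:
    """Attribute values of an entry, lowercased for case-insensitive DN matching."""
    return {v.lower() for v in entry.get(attr, [])}


def groups_of_user(directory: dict, user_dn: str, pairs: list) -> list:
    """Forward lookup: visit every entry and keep groups of a mapped object class
    whose mapped member attribute lists the user.  This is the exhaustive scan
    the guide says a per-user group attribute exists to avoid."""
    user_dn = user_dn.lower()
    found = []
    for dn, entry in directory.items():
        classes = _values(entry, "objectclass")
        if any(oc in classes and user_dn in _values(entry, attr) for oc, attr in pairs):
            found.append(dn)
    return sorted(found)


def groups_of_user_via_attribute(directory: dict, user_dn: str, group_attr: str) -> list:
    """Reverse lookup: read the groups straight off the user entry's group attribute."""
    return sorted(directory[user_dn].get(group_attr, []))


def members_of_group(directory: dict, group_dn: str, pairs: list) -> list:
    """Collect the member DNs a group entry carries under its mapped attribute."""
    entry = directory[group_dn]
    classes = _values(entry, "objectclass")
    members = set()
    for oc, attr in pairs:
        if oc in classes:
            members.update(entry.get(attr, []))
    return sorted(members)


# Constructed sample directory (DN -> attributes).  "memberof" on the user
# entries stands in for the server-maintained group attribute.
JOHN = "uid=john,ou=people,ou=dept,o=acme.com"
MARY = "uid=mary,ou=people,ou=dept,o=acme.com"
ADMINS = "cn=admins,ou=groups,ou=dept,o=acme.com"
DEVS = "cn=devs,ou=groups,ou=dept,o=acme.com"
DIRECTORY = {
    JOHN: {"objectclass": ["inetOrgPerson"], "uid": ["john"], "memberof": [ADMINS, DEVS]},
    MARY: {"objectclass": ["inetOrgPerson"], "uid": ["mary"], "memberof": [ADMINS]},
    ADMINS: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [JOHN, MARY]},
    DEVS: {"objectclass": ["groupOfNames"], "member": [JOHN]},
}

if __name__ == "__main__":
    good = parse_member_id_map("groupOfUniqueNames:uniqueMember;groupOfNames:member")
    print(check_objectclass_pairs(good), groups_of_user(DIRECTORY, JOHN, good))
    mixed = parse_member_id_map("groupOfUniqueNames:member")  # the "never mix" mistake
    print(check_objectclass_pairs(mixed), groups_of_user(DIRECTORY, JOHN, mixed))
    print(groups_of_user_via_attribute(DIRECTORY, JOHN, "memberof"))
```

The mixed map reproduces the symptom the guide describes: the user and the groups are each found by attribute search, yet the user appears to belong to no group, because the scan looks for the "member" attribute on entries that only carry "uniqueMember".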