Dynamic Groups and Filtered Roles for iPlanet and SunONE in WebSphere Application Server V5.0.2 and V5.1.1
 Technote (troubleshooting)
 
Problem(Abstract)
We will officially support dynamic groups for iPlanet in IBM® WebSphere® Application Server V5.1.1 if the dynamic group is created by Filtered Roles.

We will support dynamic groups for any LDAP if the user's dynamic group membership can be calculated directly from the user object; in other words, if the user's group membership is an attribute of the user object.

Creating a dynamic group with filtered roles is very straightforward.

1. The direction for supporting dynamic groups in the application is the "direct group" method; in other words, the application can find a user's dynamic group memberships through the user's object.

In iPlanet, if a dynamic group is created with a filtered role, the user's dynamic groups can be calculated directly from the user object by enumerating the nsRole attribute.

However, if a dynamic group is created with GroupOfURL, iPlanet does not have the capability to calculate the user's dynamic group memberships from the user object directly.

2. The filter used to create a dynamic group in LDAP can be changed on the fly at will, as long as the group name does not change.

Dynamic groups and nested groups are NOT currently officially supported in WebSphere versions prior to V5.1.1. Below I document how this can be enabled for customer testing in V5.0.2. Please understand that it is not an officially supported function, and use it "as-is" in V5.0.2.
 
Cause
Mixing Roles and Traditional Groups Creates Problems
 
Resolving the problem
SunONE or iPlanet Directory Server provides two grouping mechanisms: groups and roles.
  1. Groups are entries that name other entries, either as a list of members or as a filter for members.
  2. Roles provide the same functionality as groups, and more, through a mechanism that generates the nsRole attribute on each member of a role.

WebSphere Security supports both groups and roles as grouping mechanisms.

However, only if the role-based grouping mechanism is used as the sole grouping mechanism can WebSphere security be configured to support nested groups (nested roles), dynamic groups (filtered roles) and static groups (managed roles).

According to Sun's documentation, roles are a new grouping mechanism designed to be more efficient and easier for applications to use. Roles are defined and administered like groups, but in addition, member entries have a generated attribute that indicates the roles in which they participate.

For example, an application can simply read the roles of an entry, rather than selecting a group and browsing its member list. Like traditional grouping, there are three types of roles:

  • Managed roles - Explicitly assign a role to member entries. This is equivalent to a static group.
  • Filtered roles - Entries are members if they match a specific LDAP filter. In this way, the role depends upon the attributes contained in each entry. This is equivalent to a dynamic group.
  • Nested roles - Allow you to create roles that contain other roles. This is equivalent to a nested group.

To have dynamic and nested groups working in WebSphere security you have to run WebSphere release V5.0.2 or later.
  • First, select iPlanet in V5.0.2 (or SunONE in V5.1) as the LDAP type on the LDAP registry panel, and check the "ignore case" box.
  • Then edit the advanced LDAP settings: set the Group Filter to (&(cn=%v)(objectclass=ldapsubentry)), and set the Group Member ID Map to nsRole:nsRole.
  • Finally, keep in mind that we do not support mixing the use of roles and traditional groups; you can only choose one or the other.
  • To have dynamic grouping support in WebSphere, groups can only be generated by roles: managed roles, nested roles, or filtered roles.
  • If you intend to use traditional groups (groupOfNames, etc.) in WebSphere, you cannot configure WebSphere to use roles, and thus dynamic groups do not work.
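As an added illustration (not from the technote, IBM or Sun), the Python below simulates the two lookups the configuration above relies on: the directory generating nsRole on a user entry for a filtered role (the "direct group" method described earlier), and WebSphere applying the Group Filter (&(cn=%v)(objectclass=ldapsubentry)) with the nsRole:nsRole member map. The sample entries, DNs and the minimal filter evaluator are constructed assumptions; it also shows why a GroupOfURL group is never found or attributed to a user under this configuration.

```python
# Added example: a minimal LDAP filter evaluator plus the two lookups the
# technote's configuration relies on. All entries are constructed sample data.
DIRECTORY = {
    "cn=admins,ou=people,o=example": {          # filtered role = dynamic group
        "objectclass": ["top", "ldapsubentry", "nsroledefinition",
                        "nscomplexroledefinition", "nsfilteredroledefinition"],
        "cn": ["admins"], "nsrolefilter": ["(&(ou=it)(title=admin))"]},
    "cn=staff,ou=groups,o=example": {           # groupOfURLs dynamic group
        "objectclass": ["top", "groupofurls"], "cn": ["staff"],
        "memberurl": ["ldap:///ou=people,o=example??sub?(ou=it)"]},
    "uid=alice,ou=people,o=example": {"objectclass": ["top", "inetorgperson"],
                                      "ou": ["it"], "title": ["admin"]},
    "uid=bob,ou=people,o=example": {"objectclass": ["top", "inetorgperson"],
                                    "ou": ["it"], "title": ["operator"]},
}

def _eval(entry, f, i):
    """Evaluate filter f from f[i]; returns (matched, index after the ')').
    Handles equality/presence assertions under &, | and !, comparing values
    case-insensitively to mirror the 'ignore case' registry setting."""
    if f[i + 1] in "&|!":
        op, i, results = f[i + 1], i + 2, []
        while f[i] != ")":
            r, i = _eval(entry, f, i)
            results.append(r)
        ok = all(results) if op == "&" else any(results) if op == "|" else not results[0]
        return ok, i + 1
    j = f.index(")", i)
    attr, _, val = f[i + 1:j].partition("=")
    have = [v.lower() for v in entry.get(attr.lower(), [])]
    return (bool(have) if val == "*" else val.lower() in have), j + 1

def matches(entry, flt):
    return _eval(entry, flt, 0)[0]

def nsrole_of(directory, user_dn):
    """The 'direct group' method: nsRole on the user entry lists every filtered
    role whose nsRoleFilter the entry satisfies. Nothing from cn=staff's
    memberURL can appear here, which is why GroupOfURL is not supported."""
    user = directory[user_dn]
    return sorted(dn for dn, e in directory.items()
                  if "nsfilteredroledefinition" in e["objectclass"]
                  and matches(user, e["nsrolefilter"][0]))

WAS_GROUP_FILTER = "(&(cn=%v)(objectclass=ldapsubentry))"   # from the technote
def lookup_group(directory, name):
    """Group Filter with %v substituted: only role entries (ldapsubentry) are
    found, so the groupOfURLs group cn=staff is invisible to WebSphere."""
    return [dn for dn, e in directory.items()
            if matches(e, WAS_GROUP_FILTER.replace("%v", name))]
```

Changing the nsRoleFilter of cn=admins changes who nsrole_of returns without touching the group name, which is the "change the filter on the fly" property noted in point 2 above.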

    Here are some additional documentation links from Sun covering the DynamicGroup API for dynamic group management, dynamic group, role and filter setup information and examples, and an overview contrasting static and dynamic groups. This information should help increase understanding of the fundamentals and mechanics behind dynamic groups and filtered roles.

    http://docs.sun.com/source/816-6698-10/rolesCoS.html
    (ROLES and FILTERS plus examples)

    http://docs.sun.com/source/816-6902-10/com/sun/identity/um/DynamicGroup.html
    (Java API Manage Dynamic Groups)

    http://docs.sun.com/source/816-6902-10/com/iplanet/am/sdk/AMDynamicGroup.html
    (Java API Manage Dynamic Groups - super interface)
 
 
Cross Reference information
Segment: Application Servers
Product: WebSphere Application Server for z/OS
Component: Security
Platform: OS/390, z/OS
Version: 5.1
Edition: All Editions
 
Document Information

Current web document: swg21177945.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Enterprise Edition (EE)
Operating system(s): Windows
Software version: 5.1
Software edition:
Reference #: 1177945
IBM Group: Software Group
Modified date: Aug 31, 2004