Problem(Abstract)
We will officially support dynamic groups for iPlanet in
IBM® WebSphere® Application Server V5.1.1 if the dynamic group is created as a
filtered role.
We will support dynamic groups for any LDAP server if the user's dynamic group
membership can be computed from the user object directly; in other
words, if the user's group membership is an attribute of the user object.
Creating a dynamic group with filtered roles is very straightforward.
1. Dynamic groups are supported in the application through the
"direct group" method; in other words, the application finds the user's dynamic
group memberships through the user's own object.
In iPlanet, if the dynamic group is created as a filtered role, the user's dynamic
groups can be computed directly from the user object by enumerating the nsRole
attribute.
However, if the dynamic group is created with groupOfURLs, iPlanet has no way
to compute the user's dynamic group memberships from the user object directly.
2. The filter that defines a dynamic group in LDAP can be changed on the fly,
at will, as long as the group name does not change.
Dynamic groups and nested groups are NOT currently officially supported
in WebSphere versions preceding V5.1.1. Below I document how they can be
enabled for customer testing in V5.0.2. Please understand that this is not an
officially supported function, and use it "as is" in V5.0.2.
SunONE or iPlanet Directory Server provides two grouping
mechanisms: groups and roles.
- Groups are entries that name other entries, either as a list of
members or as a filter for members.
- Roles provide the same functionality as groups, and more, through a
mechanism that generates the nsRole attribute on each member of a
role.
WebSphere Security supports both groups and roles as grouping mechanisms.
However, if the role-based grouping mechanism is used as the only grouping
mechanism, WebSphere Security can be configured to support nested groups
(nested roles), dynamic groups (filtered roles) and static groups
(managed roles).
According to Sun's documentation, roles are a new grouping mechanism
designed to be more efficient and easier to use for applications.
Roles are defined and administered like groups, but in addition, member
entries also have a generated attribute that indicates the roles in which
they participate.
For example, an application can simply read the roles of an entry
rather than select a group and browse its member list. Like traditional
grouping, there are three types of roles:
- "Managed roles" explicitly assign a role to member entries. This is
equivalent to a static group.
- "Filtered roles": entries are members if they match a specific LDAP
filter, so the role depends on the attributes contained in each entry.
This is equivalent to a dynamic group.
- "Nested roles" allow you to create roles that contain other roles.
This is equivalent to a nested group.
To have dynamic and nested groups working in WebSphere Security you have to
run WebSphere release V5.0.2 or later.
- First, select iPlanet in V5.0.2 (or SunONE in V5.1) as the
LDAP type on the LDAP registry panel, and check the "ignore case" box.
- Then edit the advanced LDAP settings: set the Group
Filter to (&(cn=%v)(objectclass=ldapsubentry)), and set the Group Member
ID Map to nsRole:nsRole.
- Finally, keep in mind that mixing roles and traditional groups is
not supported; you can only choose one or the other.
- To have dynamic grouping support in WebSphere, groups
can only be generated by roles: managed roles, nested roles, or filtered
roles.
- If you intend to use traditional groups (groupOfNames, etc.)
in WebSphere, you cannot configure WebSphere to use roles, so dynamic
groups do not work.
Here are some additional documentation links from Sun covering the
DynamicGroup API used for dynamic group management, dynamic group, role
and filter setup information and examples, and a comparison of static and
dynamic groups. This information should help to increase understanding of
the fundamentals and mechanics behind dynamic groups and filtered roles.
http://docs.sun.com/source/816-6698-10/rolesCoS.html
(roles and filters, plus examples)
http://docs.sun.com/source/816-6902-10/com/sun/identity/um/DynamicGroup.html
(Java API to manage dynamic groups)
http://docs.sun.com/source/816-6902-10/com/iplanet/am/sdk/AMDynamicGroup.html
(Java API to manage dynamic groups - super interface)