Locating group membership within the Microsoft® Active Directory forest is necessary for authenticating users. There are several ways to approach finding group membership within the Microsoft Active Directory forest.
The following figure depicts an example of group membership within the Microsoft Active Directory forest. This figure is used to explain ways to find group membership.
Group Membership | Map Java EE Roles To | Bind to Which LDAP | Enable | Supported in WebSphere Application Server Version | Comments |
---|---|---|---|---|---|
Global Groups | Collection of global groups | Top domain controller using port 389/636 | Referrals | | |
Universal groups | Universal groups | Any Global catalog, using port 3268 | All | | |
Global groups in universal groups | Universal groups | Top domain controller using port 389/636 | referrals, nesting | | Cannot use Windows mixed domain functional level |
<supportedLDAPEntryType name="user" searchFilter="(objectCategory=user)"...>
<supportedLDAPEntryType name="Group" searchFilter="(objectCategory=Group)"...>
User Filter: (&(sAMAccountName=%v)(objectCategory=user))
Group Filter: (&(cn=%v)(objectCategory=group))
(objectCategory=user)
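A filter with misplaced parentheses either fails to parse or matches the wrong entries, so it is worth checking the user and group filter templates before they go into the configuration. The following is an added example, not code from the original page or from WebSphere Application Server: it checks that a template is one well-formed parenthesised filter and substitutes `%v` with RFC 4515 escaping. All function names and the malformed sample are assumptions made for illustration.

```python
# Added example: the names below are illustrative, not WebSphere APIs.
USER_FILTER = "(&(sAMAccountName=%v)(objectCategory=user))"
GROUP_FILTER = "(&(cn=%v)(objectCategory=group))"
# Constructed malformed template: '&' is not followed by a parenthesised sub-filter.
BROKEN_FILTER = "(&cn=%v)(objectCategory=group)"

# RFC 4515 escapes for characters that would otherwise change the filter structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_value(value):
    """Escape a user or group name before it replaces %v in a template."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _parse(s, i):
    """Consume one '(' ... ')' filter starting at s[i]; return the index after it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        i += 1
        start = i
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
        if i == start:
            raise ValueError("operator without a sub-filter")
    elif i < len(s) and s[i] == "!":
        i = _parse(s, i + 1)
    else:
        end = s.find(")", i)
        item = s[i:end] if end != -1 else ""
        if "(" in item or item.find("=") < 1:
            raise ValueError("bad attribute=value item at offset %d" % i)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def is_well_formed(flt):
    """True when the whole string is exactly one balanced LDAP filter."""
    try:
        return _parse(flt, 0) == len(flt)
    except ValueError:
        return False


def build_filter(template, value):
    """Reject malformed templates, then substitute the escaped value for %v."""
    if not is_well_formed(template):
        raise ValueError("malformed filter template: " + template)
    return template.replace("%v", escape_value(value))
```
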