Options for finding group membership within a Microsoft Active Directory forest

Locating group membership within the Microsoft® Active Directory forest is a necessary part of authenticating users, because Java EE roles are mapped to the groups that a user belongs to. There are several ways to find group membership within the Microsoft Active Directory forest, and each way determines which LDAP server you bind to and which options you must enable.

The following figure depicts an example of group membership within the Microsoft Active Directory forest. This figure is used to explain the ways to find group membership.

Figure 1. Finding group membership. An illustration of ways to find group membership within the forest.

Summary

The following table summarizes how to find group membership within a Microsoft Active Directory forest.
Table 1. Finding group membership. The following table identifies the group membership levels supported in a Microsoft Active Directory forest. For each level it lists what Java EE roles are mapped to, which LDAP server to bind to, which options must be enabled, the WebSphere Application Server configurations that support it, and any comments.

Global groups
  • Map Java EE roles to: a collection of global groups
  • Bind to which LDAP: the top domain controller, using port 389/636
  • Enable: referrals
  • Supported in WebSphere Application Server version: federated repositories in WebSphere Application Server
  • Comments: none

Universal groups
  • Map Java EE roles to: universal groups
  • Bind to which LDAP: any global catalog, using port 3268
  • Enable: nothing additional
  • Supported in WebSphere Application Server version: all
  • Comments: none

Global groups in universal groups
  • Map Java EE roles to: universal groups
  • Bind to which LDAP: the top domain controller, using port 389/636
  • Enable: referrals and nesting
  • Supported in WebSphere Application Server version: federated repositories in WebSphere Application Server
  • Comments: cannot be used with the Windows mixed domain functional level, which does not support universal security groups or group nesting

Configuring the search filters to use the objectCategory attribute

A federated repository uses the objectCategory attribute by default for Active Directory user search filters. In Active Directory, objectCategory is single-valued and indexed, so a filter on it is more efficient than one on the multi-valued objectClass attribute, and (objectCategory=user) does not match computer accounts, which (objectClass=user) would match because computer is a subclass of user. Verify that the federated repository is configured to use the objectCategory attribute: in the federated repositories configuration file, wimconfig.xml, the entry types should look like the following example:
<supportedLDAPEntryType name="user" searchFilter="(objectCategory=user)"...>
<supportedLDAPEntryType name="Group" searchFilter="(objectCategory=Group)"...>
Configure the user filter and group filter (advanced properties) like the following example, where %v is replaced by the value being searched for:
User Filter: (&(sAMAccountName=%v)(objectCategory=user))
Group Filter: (&(cn=%v)(objectCategory=group))
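The following Python script is an added example; it is not code from this page or from WebSphere Application Server, and the directory snapshot, distinguished names and domain names in it are constructed for illustration. It shows two things the filters above leave implicit: the %v placeholder must be substituted with an RFC 4515-escaped value, otherwise a login name such as *)(objectCategory=* rewrites the filter, and "nesting" means walking memberOf transitively, with a visited set so that a group reached through two parents is counted once. The universal_only() function applies the rule the table relies on: a global catalog on port 3268 holds the membership of universal groups only, so global-group membership has to be read from a domain controller on port 389/636. The function and constant names are this example's own.

```python
from typing import Dict, List, Set

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value before it replaces %v in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(account: str) -> str:
    """The page's user filter with %v substituted safely."""
    return "(&(sAMAccountName=%s)(objectCategory=user))" % escape_filter_value(account)


def build_group_filter(cn: str) -> str:
    """The page's group filter with %v substituted safely."""
    return "(&(cn=%s)(objectCategory=group))" % escape_filter_value(cn)


# groupType flag bits (ADS_GROUP_TYPE_* in the Windows SDK).
GLOBAL_GROUP = 0x00000002
UNIVERSAL_GROUP = 0x00000008
SECURITY_ENABLED = 0x80000000

# Constructed snapshot (hypothetical data) of what a domain controller returns on
# port 389/636: DN -> attributes.  Two domains of one forest; 'engineering' is a
# universal group that contains the global groups 'dev' and 'qa' (the table's
# "global groups in universal groups" row).
SNAPSHOT: Dict[str, dict] = {
    "CN=alice,OU=Users,DC=sales,DC=example": {
        "objectCategory": "user",
        "memberOf": ["CN=dev,OU=Groups,DC=sales,DC=example",
                     "CN=qa,OU=Groups,DC=sales,DC=example"],
    },
    "CN=dev,OU=Groups,DC=sales,DC=example": {
        "objectCategory": "group",
        "groupType": SECURITY_ENABLED | GLOBAL_GROUP,
        "memberOf": ["CN=engineering,OU=Groups,DC=example,DC=example"],
    },
    "CN=qa,OU=Groups,DC=sales,DC=example": {
        "objectCategory": "group",
        "groupType": SECURITY_ENABLED | GLOBAL_GROUP,
        "memberOf": ["CN=engineering,OU=Groups,DC=example,DC=example"],
    },
    "CN=engineering,OU=Groups,DC=example,DC=example": {
        "objectCategory": "group",
        "groupType": SECURITY_ENABLED | UNIVERSAL_GROUP,
        "memberOf": [],
    },
}


def resolve_groups(snapshot: Dict[str, dict], dn: str, nested: bool = True) -> Set[str]:
    """Walk memberOf starting at dn.

    With nested=False only the direct groups come back, which is what a lookup
    without nesting enabled sees.  The visited set stops the walk from counting a
    group twice when it is reachable through two parents (dev and qa both lead to
    engineering) and from looping if the data ever contained a cycle.
    """
    found: Set[str] = set()
    todo: List[str] = list(snapshot.get(dn, {}).get("memberOf", []))
    while todo:
        group = todo.pop()
        if group in found:
            continue
        found.add(group)
        if nested:
            todo.extend(snapshot.get(group, {}).get("memberOf", []))
    return found


def universal_only(snapshot: Dict[str, dict], groups: Set[str]) -> Set[str]:
    """The subset a global catalog on port 3268 can answer for: universal groups."""
    return {g for g in groups
            if snapshot.get(g, {}).get("groupType", 0) & UNIVERSAL_GROUP}


if __name__ == "__main__":
    print(build_user_filter("alice"))
    print(build_user_filter("*)(objectCategory=*"))  # the injection attempt is neutralised
    alice = "CN=alice,OU=Users,DC=sales,DC=example"
    print(sorted(resolve_groups(SNAPSHOT, alice, nested=False)))
    print(sorted(resolve_groups(SNAPSHOT, alice)))
    print(sorted(universal_only(SNAPSHOT, resolve_groups(SNAPSHOT, alice))))
```

Run it directly to see the escaped filter and the difference between the direct, nested and global-catalog views of alice's membership; the nested walk is what you depend on when Java EE roles are mapped to a universal group that only contains global groups.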
Complete the following steps in the administrative console to set the search filter with the objectCategory attribute.
  1. Click Security.
  2. Select Global security.
  3. Under Available realm definitions, use the drop-down list to select Federated repositories.
  4. Click Configure.
  5. Under Related items, click Manage repositories.
  6. Select Forest > LDAP entity types > PersonAccount. Under General Properties, find the Search filter box.
  7. Fill in the search filter.
    (objectCategory=user)
Avoid trouble: When you select any of these scenarios, consult the appropriate Microsoft Active Directory information to completely understand any implications the scenario might have on your configuration planning.



Related concepts
Authentication using Microsoft Active Directory
Groups spanning domains with Microsoft Active Directory
Options for finding group membership within a Microsoft Active Directory forest
Related tasks
Locating user group memberships in a Lightweight Directory Access Protocol registry
Authenticating users with LDAP registries in a Microsoft Active Directory forest
Using Microsoft Active Directory for authentication


Last updated: Sep 19, 2011 6:15:55 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-express-dist&topic=csec_was_ad_group_mem
File name: csec_was_ad_group_mem.html