Member and membership attribute configuration
You can configure the memberAttributes and membershipAttribute in virtual member manager to search for a group membership relationship in an LDAP server.
There are two main ways to store a group and its members (for example, PersonAccount entities):
- The PersonAccount entity has an attribute, for example, memberof, that points to the groups this person belongs to. In this example, memberof is the group membership attribute.
- The Group entity has an attribute, for example, member, that points to its members. In this example, member is the group member attribute.
The following example shows a group membership in an LDAP server:
- Group
cn=grp1,dc=com with attribute 'member' value: uid=usr1,dc=com
- PersonAccount
uid=usr1,dc=com with attribute 'memberof' value: cn=grp1,dc=com
The corresponding member and membership configuration in the wimconfig.xml file is shown here:
<config:groupConfiguration>
<config:memberAttributes name="member" objectClass="group" scope="direct"/>
<config:membershipAttribute name="memberof" scope="direct"/>
</config:groupConfiguration>
- memberAttributes
- Use the memberAttributes configuration to specify the LDAP attribute that stores the members of a group entity in LDAP. The objectClass value restricts the search to entries of that object class, and scope controls whether only direct members are resolved.
- membershipAttribute
- Use the membershipAttribute configuration to specify the LDAP attribute that stores the groups of a PersonAccount entity in LDAP. This requires the LDAP server to actually maintain that attribute on the person entry; if the server does not populate it, lookups through membershipAttribute return no groups.
Performance tip: If there are many groups in the LDAP server, configure membershipAttribute in virtual member manager for better performance when searching for a group membership relationship: the groups of a user can then be read from the user's own entry instead of searching every group entry for a matching member value. If both memberAttributes and membershipAttribute are configured at the same time, membershipAttribute takes precedence when getting the groups to which a user belongs (for example, in a login scenario), whereas memberAttributes takes precedence when getting the users of a group. Note that both attributes in the example above use scope="direct", so only direct memberships are resolved; membership inherited through nested groups is not returned unless the scope is widened, which matters when group membership drives authorization decisions.
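The following script is an added illustration, not virtual member manager code. It models a small LDAP directory constructed inline (DNs and attribute names mirror the wimconfig.xml example: member, memberof, objectClass group) and resolves group membership both ways: the memberAttributes path scans every group entry for a matching member value, while the membershipAttribute path reads the person's own memberof values. It also goes beyond the direct scope shown on the page by resolving nested groups, and it includes a consistency check that flags users whose memberof values do not agree with the groups' member values, which is the situation in which a login-time lookup through membershipAttribute silently returns fewer groups than the directory really contains. The entry-count returned alongside each result is a constructed measure of lookup cost, not anything virtual member manager reports.

```python
"""Added example (not virtual member manager code): resolve LDAP group
membership via a group 'member' attribute (memberAttributes) versus a
person 'memberof' attribute (membershipAttribute), for direct and
nested scope, over a constructed in-memory directory."""

from collections import deque

MEMBER_ATTR = "member"          # memberAttributes name="member"
GROUP_OBJECTCLASS = "group"     # memberAttributes objectClass="group"
MEMBERSHIP_ATTR = "memberof"    # membershipAttribute name="memberof"

# Constructed sample directory: DN -> attributes (values are lists, as in
# LDAP). grp2 is nested inside grp1; usr3 is listed in grp3 but its
# memberof value is missing, i.e. a stale membership attribute.
DIRECTORY = {
    "cn=grp1,dc=com": {"objectclass": ["group"],
                       "member": ["uid=usr1,dc=com", "cn=grp2,dc=com"]},
    "cn=grp2,dc=com": {"objectclass": ["group"],
                       "member": ["uid=usr2,dc=com"],
                       "memberof": ["cn=grp1,dc=com"]},
    "cn=grp3,dc=com": {"objectclass": ["group"],
                       "member": ["uid=usr3,dc=com"]},
    "uid=usr1,dc=com": {"objectclass": ["inetorgperson"],
                        "memberof": ["cn=grp1,dc=com"]},
    "uid=usr2,dc=com": {"objectclass": ["inetorgperson"],
                        "memberof": ["cn=grp2,dc=com"]},
    "uid=usr3,dc=com": {"objectclass": ["inetorgperson"]},
}


def _entry(directory, dn):
    """Case-insensitive DN lookup (LDAP DNs compare case-insensitively)."""
    for key, attrs in directory.items():
        if key.lower() == dn.lower():
            return attrs
    return None


def _values(attrs, name):
    return [v.lower() for v in (attrs or {}).get(name, [])]


def _direct_via_member(directory, dn):
    """memberAttributes path: scan every entry of the group objectClass and
    test whether MEMBER_ATTR contains dn. Returns (groups, entries read)."""
    found, examined = [], 0
    for key, attrs in directory.items():
        if GROUP_OBJECTCLASS not in _values(attrs, "objectclass"):
            continue
        examined += 1
        if dn.lower() in _values(attrs, MEMBER_ATTR):
            found.append(key)
    return found, examined


def _direct_via_memberof(directory, dn):
    """membershipAttribute path: one read of the entry's own MEMBERSHIP_ATTR."""
    return list((_entry(directory, dn) or {}).get(MEMBERSHIP_ATTR, [])), 1


def _nested(directory, dn, direct):
    """Transitive closure of a direct lookup: groups that contain the groups
    found so far, until no new group appears (cycle-safe via 'seen')."""
    found, examined = direct(directory, dn)
    queue, seen = deque(found), {g.lower() for g in found}
    while queue:
        parents, n = direct(directory, queue.popleft())
        examined += n
        for p in parents:
            if p.lower() not in seen:
                seen.add(p.lower())
                found.append(p)
                queue.append(p)
    return found, examined


def groups_via_member_attribute(directory, dn, scope="direct"):
    if scope == "nested":
        return _nested(directory, dn, _direct_via_member)
    return _direct_via_member(directory, dn)


def groups_via_membership_attribute(directory, dn, scope="direct"):
    if scope == "nested":
        return _nested(directory, dn, _direct_via_memberof)
    return _direct_via_memberof(directory, dn)


def members_via_member_attribute(directory, group_dn):
    """Users-of-group direction, where memberAttributes takes precedence:
    a single read of the group entry."""
    return list((_entry(directory, group_dn) or {}).get(MEMBER_ATTR, []))


def users_with_stale_membership(directory, person_objectclass="inetorgperson"):
    """Flag persons whose memberof values disagree with the groups' member
    values. Such a user would get fewer (or no) groups at login when
    membershipAttribute takes precedence."""
    stale = []
    for dn, attrs in directory.items():
        if person_objectclass not in _values(attrs, "objectclass"):
            continue
        via_groups, _ = groups_via_member_attribute(directory, dn)
        via_self, _ = groups_via_membership_attribute(directory, dn)
        if {g.lower() for g in via_groups} != {g.lower() for g in via_self}:
            stale.append(dn)
    return stale


if __name__ == "__main__":
    for user in ("uid=usr1,dc=com", "uid=usr2,dc=com"):
        print(user, "via member:", groups_via_member_attribute(DIRECTORY, user, "nested"))
        print(user, "via memberof:", groups_via_membership_attribute(DIRECTORY, user, "nested"))
    print("members of grp1:", members_via_member_attribute(DIRECTORY, "cn=grp1,dc=com"))
    print("stale memberof:", users_with_stale_membership(DIRECTORY))
```

Resolving the groups of uid=usr2 through memberof touches 3 entries, while the same nested resolution through the groups' member attribute touches every group entry once per hop (9 reads in this tiny directory), which is the cost difference the performance tip refers to. The stale-membership check is the kind of verification worth running against a real directory before relying on membershipAttribute for login-time group resolution.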