Default LDAP configuration mapping based on LDAP server type
The virtual member manager configuration CLIs and the WebSphere federated repository LDAP configuration GUI set default values in the wimconfig.xml file, based on the selected LDAP server type.
Default values are set for the following properties:
- External identifier: the name of the LDAP attribute that is used as the external ID, for example "ibm-entryUUID" or "objectGUID". The special name "distinguishedName" indicates that the DN of the entity is used as the external ID.
    <config:attributeConfiguration>
      <config:externalIdAttributes name="dominounid"/>
      ...
    </config:attributeConfiguration>
- Entity types: map each entity type to an objectClass.
    <config:ldapEntityTypes name="PersonAccount" searchFilter="">
      <config:objectClasses>dominoPerson</config:objectClasses>
    </config:ldapEntityTypes>
- RDN attribute types: if an entity has more than one RDN attribute, map each RDN attribute to its objectClass.
    <config:ldapEntityTypes name="OrgContainer">
      <config:rdnAttributes name="o" objectClass="organization"/>
      <config:rdnAttributes name="ou" objectClass="organizationalUnit"/>
      ...
    </config:ldapEntityTypes>
- Member attribute types: specify the member attribute of the group objects.
    <config:groupConfiguration>
      <config:memberAttributes dummyMember="uid=dummy" name="member" objectClass="groupOfNames" scope="direct"/>
    </config:groupConfiguration>
- Attribute types: map each virtual member manager property name to an LDAP attribute name, either globally or per entity type.
    <config:attributeConfiguration>
      <config:externalIdAttributes name="dominounid"/>
      <config:attributes name="userPassword" propertyName="password"/>
      <config:attributes name="cn" propertyName="displayName">
        <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
      <config:attributes name="cn" propertyName="cn">
        <config:entityTypes>Group</config:entityTypes>
      </config:attributes>
      <config:propertiesNotSupported name="businessAddress"/>
    </config:attributeConfiguration>
- Unsupported properties: list the properties that the LDAP server does not support.
    <config:attributeConfiguration>
      ...
      <config:propertiesNotSupported name="businessAddress"/>
    </config:attributeConfiguration>
- Context pool and cache:
    <config:contextPool enabled="true" initPoolSize="1" maxPoolSize="0" poolTimeOut="0" poolWaitTime="3000" prefPoolSize="3"/>
    <config:cacheConfiguration cachesDiskOffLoad="false">
      <config:attributesCache attributeSizeLimit="2000" cacheSize="4000" cacheTimeOut="1200" enabled="true" cacheDistPolicy="none"/>
      <config:searchResultsCache cacheSize="2000" cacheTimeOut="600" enabled="true" searchResultSizeLimit="1000" cacheDistPolicy="none"/>
    </config:cacheConfiguration>
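The following added example (not part of the IBM documentation) reads the elements described above out of a constructed wimconfig.xml fragment and summarizes the external ID, entity type, attribute and member mappings, then flags the case where the special name distinguishedName is the external ID. The namespace URI bound to the config: prefix is an assumption; check the root element of your own wimconfig.xml.

```python
import xml.etree.ElementTree as ET

# Namespace URI bound to the config: prefix (assumed; check the root of your wimconfig.xml).
NS = {"config": "http://www.ibm.com/websphere/wim/config"}

# Constructed fragment using the elements described above (not a real server's file).
SAMPLE = """<config:ldapRepository xmlns:config="http://www.ibm.com/websphere/wim/config">
  <config:attributeConfiguration>
    <config:externalIdAttributes name="distinguishedName"/>
    <config:attributes name="userPassword" propertyName="password"/>
    <config:attributes name="cn" propertyName="displayName">
      <config:entityTypes>PersonAccount</config:entityTypes>
    </config:attributes>
    <config:propertiesNotSupported name="businessAddress"/>
  </config:attributeConfiguration>
  <config:ldapEntityTypes name="PersonAccount" searchFilter="">
    <config:objectClasses>inetOrgPerson</config:objectClasses>
  </config:ldapEntityTypes>
  <config:groupConfiguration>
    <config:memberAttributes dummyMember="uid=dummy" name="member" objectClass="groupOfNames" scope="direct"/>
  </config:groupConfiguration>
</config:ldapRepository>"""

def summarize(xml_text):
    """Collect the mappings from an LDAP repository fragment of wimconfig.xml."""
    root = ET.fromstring(xml_text)
    ac = "config:attributeConfiguration/"
    summary = {
        "externalId": [e.get("name") for e in root.iterfind(ac + "config:externalIdAttributes", NS)],
        "unsupported": [e.get("name") for e in root.iterfind(ac + "config:propertiesNotSupported", NS)],
        "memberAttrs": [(m.get("name"), m.get("objectClass"), m.get("scope"))
                        for m in root.iterfind("config:groupConfiguration/config:memberAttributes", NS)],
        "entityTypes": {},
        "propertyMap": {},
    }
    for et in root.iterfind("config:ldapEntityTypes", NS):
        summary["entityTypes"][et.get("name")] = [oc.text for oc in et.iterfind("config:objectClasses", NS)]
    for a in root.iterfind(ac + "config:attributes", NS):
        # A mapping without an entityTypes child applies to every entity type ("*").
        scope = tuple(t.text for t in a.iterfind("config:entityTypes", NS)) or ("*",)
        summary["propertyMap"][(a.get("propertyName"), scope)] = a.get("name")
    return summary

def dn_as_external_id(summary):
    """True when the special name distinguishedName is the external ID: a DN changes
    when an entry is renamed or moved, so identities keyed on it are not stable."""
    return any(n.lower() == "distinguishedname" for n in summary["externalId"])
```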
Active Directory
- External identifier: objectguid
- Entity types
  - Group
    - objectClasses: group; searchFilter: (ObjectCategory=Group)
  - OrgContainer
    - objectClasses: organization, organizationalUnit, domain, container
  - PersonAccount
    - objectClasses: user; searchFilter: (ObjectCategory=User)
- RDN attribute types for OrgContainer
  - o
    - objectClass: organization
  - ou
    - objectClass: organizationalUnit
  - dc
    - objectClass: domain
  - cn
    - objectClass: container
- Member attribute types: the member attribute of the group objects, which is used when searching for the members of a group.
  - member
    - name: member; objectClass: group; scope: direct
- Membership attribute types: the membership attribute of the user objects, which is used when searching for the groups to which a user belongs.
  - membership
    - name: memberOf; scope: direct
- Attribute types
  - userAccountControl
    - defaultValue: 544; entityTypes: PersonAccount
  - samAccountName
    - defaultValue: uid; entityTypes: PersonAccount
  - samAccountName
    - defaultValue: cn; entityTypes: Group
  - groupType
    - defaultValue: 8; entityTypes: Group
  - unicodePwd
    - propertyName: password; syntax: unicodePwd
  Note: ADAM does not use samAccountName. The following are the mappings for ADAM:
  - uid
    - defaultValue: uid; entityTypes: PersonAccount
  - cn
    - defaultValue: cn; entityTypes: Group
- Unsupported properties
  - description
  - jpegPhoto
  - labeledURI
  - carLicense
  - pager
  - roomNumber
  - localityName
  - stateOrProvinceName
  - countryName
  - employeeNumber
  - employeeType
  - businessCategory
  - departmentNumber
  - homeAddress
  - businessAddress
IBM Directory Server and z/OS Directory Server
- External identifier: ibm-entryuuid
- Entity types
  - Group
    - objectClasses: groupOfNames
  - OrgContainer
    - objectClasses: organization, organizationalUnit, domain, container
  - PersonAccount
    - objectClasses: inetOrgPerson
- RDN attribute types
  - o
    - objectClass: organization
  - ou
    - objectClass: organizationalUnit
  - dc
    - objectClass: domain
  - cn
    - objectClass: container
- Member attribute type
  - member
    - objectClass: groupOfNames; dummyMember: uid=dummy; scope: direct
- Attribute type
  - userPassword
    - propertyName: password
- Unsupported properties
  - homeAddress
  - businessAddress
Domino Server
- External identifier: dominounid (not set by the CLI, because it is not defined by default in every Domino LDAP schema)
- Entity types
  - Group
    - objectClasses: groupOfNames
  - OrgContainer
    - objectClasses: organization, organizationalUnit, domain, container
  - PersonAccount
    - objectClasses: inetOrgPerson
- RDN attribute types
  - o
    - objectClass: organization
  - ou
    - objectClass: organizationalUnit
  - dc
    - objectClass: domain
  - cn
    - objectClass: container
- Member attribute type
  - member
    - objectClass: groupOfNames; dummyMember: uid=dummy; scope: direct
- Attribute type
  - userPassword
    - propertyName: password
- Unsupported properties
  - homeAddress
  - businessAddress
Novell Directory Services, Sun ONE and Sun Java System Directory Servers
- External identifier: guid (NDS), nsuniqueid (Sun)
- Entity types
  - Group
    - NDS: objectClass: groupOfNames
    - Sun: objectClass: groupOfUniqueNames
  - OrgContainer
    - objectClasses: organization, organizationalUnit, domain, container
  - PersonAccount
    - objectClasses: inetOrgPerson
- RDN attribute types
  - o
    - objectClass: organization
  - ou
    - objectClass: organizationalUnit
  - dc
    - objectClass: domain
  - cn
    - objectClass: container
- Member attribute type
  - member
    - NDS: name: member; objectClass: groupOfNames; scope: direct
    - Sun: name: uniquemember; objectClass: groupOfUniqueNames; scope: direct
- Attribute type
  - userPassword
    - propertyName: password
- Unsupported properties
  - homeAddress
  - businessAddress
Context pool and cache configuration for all directory servers
- Context pool
  - enabled: true
  - initPoolSize: 1
  - maxPoolSize: 0
  - prefPoolSize: 3
  - poolTimeOut: 0
  - poolWaitTime: 3000
- Attributes cache
  - enabled: true
  - cacheSize: 4000
  - cacheTimeOut: 1200
  - attributeSizeLimit: 2000
  - cacheDistPolicy: none
- Search results cache
  - enabled: true
  - cacheSize: 2000
  - cacheTimeOut: 600
  - searchResultSizeLimit: 1000
  - cacheDistPolicy: none
Default LDAP datetime format based on LDAP server type
- Active Directory
  - Format: yyyyMMddHHmmss.SZ
  - Example: 20100708135722.0Z
- Tivoli Directory Server
  - Format: yyyyMMddHHmmss[.fraction]Z (the fraction of a second is optional)
  - Example 1: 20090711150348.000000Z
  - Example 2: 20090711150348.000Z
  - Example 3: 20090711150348Z
- SunONE
  - Format: yyyyMMddHHmmssZ
  - Example: 20090721194630Z
- Domino
  - Format: yyyyMMddHHmmssZ
  - Example: 20090721194630Z
- Novell Directory Server
  - Format: yyyyMMddHHmmssZ
  - Example: 20090721194630Z
- Custom
  - The custom LDAP adapter supports the following formats:
    - Format: yyyyMMddHHmmss.SZ (for example, 20040708135722.0Z)
    - Format: yyyyMMddHHmmssZ (for example, 20060120153334Z)
  - If the time stamp format of the LDAP server differs from the supported formats, you need to use the ldapTimestampFormat custom property.
To set the ldapTimestampFormat custom property for a custom LDAP repository, you must use the setIdMgrCustomProperty command and run it from the wsadmin command line. After the property is set, restart the server to put the property into effect.
The following example shows the syntax to set the ldapTimestampFormat property:
    $AdminTask setIdMgrCustomProperty { -id <ldap repository id> -ldapTimestampFormat "yyyyMMddHHmmssZ" }
Note: The format yyyyMMddHHmmssZ shown here might differ according to the date format of your LDAP server.
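As an added example (not part of the IBM documentation), the parser below accepts the generalized-time variants listed above, normalizes any fraction length (.0, .000, .000000 or none) to microseconds, and reports which of the two built-in patterns a value matches so you can tell when the ldapTimestampFormat custom property is needed. It also accepts a numeric +hhmm/-hhmm offset, which goes beyond the defaults listed (those all end in Z); the sample values are the page's own examples plus one constructed offset value.

```python
import re
from datetime import datetime, timedelta, timezone

# Generalized time as the defaults above use it: 14 digits, an optional fractional
# second, then "Z". A numeric +hhmm/-hhmm offset is accepted as well (this goes
# beyond the listed defaults, which only show "Z").
GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.(\d{1,9}))?(Z|[+-]\d{4})$")

def parse_ldap_timestamp(value):
    """Return a timezone-aware datetime for an LDAP timestamp, or raise ValueError."""
    m = GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError("unsupported LDAP timestamp: %r" % value)
    base, fraction, zone = m.groups()
    dt = datetime.strptime(base, "%Y%m%d%H%M%S")  # rejects impossible dates such as month 13
    # Normalize any fraction length (.0, .000, .000000) to microseconds.
    micros = int(fraction[:6].ljust(6, "0")) if fraction else 0
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5])))
    return dt.replace(microsecond=micros, tzinfo=tz)

def default_format_for(value):
    """Name, in the pattern notation used above, of the built-in format that matches
    value, or None when the value needs the ldapTimestampFormat custom property."""
    m = GENERALIZED_TIME.match(value)
    if not m or m.group(3) != "Z":
        return None
    return "yyyyMMddHHmmss.SZ" if m.group(2) else "yyyyMMddHHmmssZ"

if __name__ == "__main__":
    # The page's example values plus one constructed value with a numeric offset.
    for v in ("20100708135722.0Z", "20090711150348.000000Z", "20090721194630Z", "20090721194630+0530"):
        print(v, "->", parse_ldap_timestamp(v).isoformat(), default_format_for(v))
```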