IBM Connections using Active Directory and Nested Groups

Posted by:

Case:
Customer wants to use nested groups in Access control for Communities, also it should be reflected in I'm a Member when user is looking for their communitys and so on. Connections was 4.5CRx

Google search Links that where tried, but did not work for me (for some reason unknown).
https://www.lbenitez.com/2015/11/how-to-enable-nested-ldap-groups-in-ibm.html
https://www-01.ibm.com/support/docview.wss?uid=swg21321308
https://www-10.lotus.com/ldd/lcforum.nsf/869c7412fe5d56b7852569fa007826e3/4aa9a40d4818785f85257b3b004e3240?OpenDocument
https://www.communardo.de/home/techblog/2014/06/04/nested-groups-ibm-connections/

Found something that worked for me (seems logical looking at the description).
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
coming from thread
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG

Description:
All groups specified user belongs to, including due to group nesting (Notes 10, 19)
eg. (member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
All members of specified group, including  due to group nesting (Note 10)
eg. (memberOf:1.2.840.113556.1.4.1941:=  cn=Test,ou=East,dc=Domain,dc=com) 
Note 10.
The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).

NOTE: 
All of this is of course done in the context of Deployment Manager.
After doing the changes a full resynch needs to be done with all nodes in the cluster (sometimes also take down node and use synchNode from the node) and restart the node.

Solution is to change my setting in Websphere to reflect this:
nestgroup1
nestgroup2
nestgroup3

Also changed for performance reasons the following (optional):
Reason:
https://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.wim.doc/disablingnestedgroupsearches.html
Solution is to change according to instructions

How does it look in the files before and after the change, here are snippets of this:

wimconfig.xml before the change:
      <config:groupConfiguration>
        <config:memberAttributes name="member" objectClass="group" scope="nested"/>
        <config:membershipAttribute name="memberof" scope="nested"/>
      </config:groupConfiguration>

wimconfig.xml after the change:
      <config:groupConfiguration>
        <config:memberAttributes name="member:1.2.840.113556.1.4.1941:" objectClass="group" scope="nested"/>
        <config:membershipAttribute name="memberOf:1.2.840.113556.1.4.1941:" scope="nested"/>
      </config:groupConfiguration>

security.xml before the change (you can not cut and paste any of these because some parameters are unique to your environment):
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/>

security.xml after the change (you can not cut and paste any of these because some parameters are unique to your environment):
  <userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry">
    <properties xmi:id="VMMURProperty_1" name="com.ibm.ws.wim.registry.grouplevel" value="1"/>
  </userRegistries>

 

Shortcut to this document: https:// https://https://stage.infoware.com/?p=7180
Thats all folks

0

Add a Comment