You can configure the memberAttributes and membershipAttribute
in virtual member manager to search for a group membership relationship
in an LDAP server.
There are two main ways to store a group and its members, for example,
PersonAccount entities:
- The PersonAccount entity has an attribute, for example, memberof,
which points to the groups to which this person belongs. The memberof
attribute in this example is called the group membership attribute.
- The Group entity has an attribute, for example, member, which
points to its members. The member attribute in this example is called
the group member attribute.
The following example shows a group membership in an LDAP server:
- Group
cn=grp1,dc=com with attribute 'member' value: uid=usr1,dc=com
- PersonAccount
uid=usr1,dc=com with attribute 'memberof' value: cn=grp1,dc=com
The corresponding member and membership configuration in the wimconfig.xml
file is shown here:
<config:groupConfiguration>
    <config:memberAttributes name="member" objectClass="group" scope="direct"/>
    <config:membershipAttribute name="memberof" scope="direct"/>
</config:groupConfiguration>
memberAttributes
    Use the memberAttributes configuration to specify the LDAP attribute
    that stores the members of a group entity in LDAP.
membershipAttribute
    Use the membershipAttribute configuration to specify the LDAP
    attribute that stores the groups of a PersonAccount entity in LDAP.
Performance tip: If there are several
groups in the LDAP server, configure membershipAttribute in virtual
member manager for better performance when searching for a group membership
relationship. If both memberAttributes and membershipAttribute are
configured at the same time, membershipAttribute takes precedence
when getting groups to which a user belongs, such as in a login scenario,
whereas memberAttributes take precedence when getting users of a group.
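The following Python model is an added example, not part of the original documentation or of virtual member manager itself. It mirrors the two lookup directions and the precedence rule above against a small constructed directory, counts how many LDAP entries each strategy has to read (the performance point), and includes a cross-check that reports user/group pairs on which the member view and the memberof view disagree, since a login-time lookup and a group listing then give different answers. The GroupConfiguration class, the DIRECTORY data and all function names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Constructed sample directory (not real data): DN -> attribute values.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=grp1,dc=com": {"objectClass": ["group"],
                       "member": ["uid=usr1,dc=com", "uid=usr2,dc=com"]},
    "cn=grp2,dc=com": {"objectClass": ["group"], "member": ["uid=usr1,dc=com"]},
    "cn=grp3,dc=com": {"objectClass": ["group"], "member": ["uid=usr2,dc=com"]},
    "uid=usr1,dc=com": {"objectClass": ["inetOrgPerson"],
                        "memberof": ["cn=grp1,dc=com", "cn=grp2,dc=com"]},
    # usr2's memberof is deliberately stale: grp3 lists usr2, memberof does not.
    "uid=usr2,dc=com": {"objectClass": ["inetOrgPerson"],
                        "memberof": ["cn=grp1,dc=com"]},
}

@dataclass
class GroupConfiguration:
    """Mirrors memberAttributes / membershipAttribute (scope="direct" only)."""
    member_attribute: Optional[str] = "member"         # None = not configured
    member_object_class: str = "group"
    membership_attribute: Optional[str] = "memberof"   # None = not configured

def groups_of_user(user_dn: str, cfg: GroupConfiguration,
                   directory=DIRECTORY) -> Tuple[List[str], int]:
    """Login-style lookup: (group DNs, entries read). membershipAttribute wins."""
    if cfg.membership_attribute:
        return sorted(directory[user_dn].get(cfg.membership_attribute, [])), 1
    # Fallback: every group entry must be read and its member attribute checked.
    groups = {dn: e for dn, e in directory.items()
              if cfg.member_object_class in e["objectClass"]}
    return sorted(dn for dn, e in groups.items()
                  if user_dn in e.get(cfg.member_attribute, [])), len(groups)

def users_of_group(group_dn: str, cfg: GroupConfiguration,
                   directory=DIRECTORY) -> Tuple[List[str], int]:
    """Group listing: (member DNs, entries read). memberAttributes wins."""
    if cfg.member_attribute:
        return sorted(directory[group_dn].get(cfg.member_attribute, [])), 1
    # Fallback: every non-group entry must be read and its memberof checked.
    people = {dn: e for dn, e in directory.items()
              if cfg.member_object_class not in e["objectClass"]}
    return sorted(dn for dn, e in people.items()
                  if group_dn in e.get(cfg.membership_attribute, [])), len(people)

def inconsistencies(directory=DIRECTORY) -> List[Tuple[str, str]]:
    """(user, group) pairs on which the member and memberof views disagree."""
    via_member = {(u, g) for g, e in directory.items() for u in e.get("member", [])}
    via_memberof = {(u, g) for u, e in directory.items() for g in e.get("memberof", [])}
    return sorted(via_member ^ via_memberof)
```

With both attributes configured, a user's groups cost one entry read; with only memberAttributes, every group entry is read, which is the reason for the performance tip.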