Troubleshooting
Problem
When you use the Process Admin Console of IBM Business Process Manager to manage nested groups, some of the users are not shown when Tivoli Directory Server is the LDAP repository.
Symptom
The parent of a nested group includes the direct members and the child nested group with additional members. In the Process Admin Console, only the direct members are shown. Users of the child group are not shown even though they should be listed.
Resolving The Problem
There are three main areas that need to be checked in the context of Tivoli Directory Server.
Note: For other LDAP server products, similar problems can arise. However, as the implementation of nested groups is specific to the LDAP server product, and in some cases not even possible, they are not covered in this document.
- The nested group definition
To utilize nested groups, the parent group needs to be defined in a Tivoli Directory Server-specific format including the ibm-nestedGroup auxiliary object class as given in the following example:
dn: cn=nestedGroupParent,ou=cdl,o=ibm
objectclass: groupOfNames
objectclass: ibm-nestedGroup
objectclass: top
cn: nestedGroupParent
description: Group composed of static, and nested members.
member: uid=one,ou=cdl,o=ibm
ibm-memberGroup: cn=nestedGroupChild,ou=cdl,o=ibm
- The LDAP server side
It is important to check the ibm-allGroups and ibm-allMembers attributes. These attributes provide a significant performance optimization for determining a group membership without doing a full directory scan.
In some earlier Tivoli Directory Server product releases, known defects (tracked as APARs) can cause the ibm-allGroups and ibm-allMembers attributes to return incorrect results. You can use the following ldapsearch commands to verify that the attributes are computed correctly. You might need to modify the samples depending on the product configuration and version.
To query the ibm-allGroups attribute, see the following example:
ldapsearch -h 127.0.0.1 -p 389 -b "ou=cdl,o=ibm" -D "cn=root" -W "(objectclass=*)" ibm-allGroups
To query the ibm-allMembers attribute, see the following example:
ldapsearch -h 127.0.0.1 -p 389 -b "ou=cdl,o=ibm" -D "cn=root" -W "(objectclass=*)" ibm-allMembers
The output of the two ldapsearch commands must be consistent. You might notice that, for example, the ibm-allMembers attribute query does not show all of the users in the parent group. If users are missing, you must apply maintenance to Tivoli Directory Server.
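The consistency check described above, as an added example that is not part of the original technote: the script parses the (constructed) output of the two ldapsearch commands and reports every membership that appears in one direction but not the other. It assumes single-line LDIF values, as printed by ldapsearch for short DNs.

```python
from collections import defaultdict

# Constructed sample output of the two ldapsearch commands (not real server data).
# The child group's user uid=two is missing from the parent's ibm-allMembers, which
# is exactly the symptom the technote describes.
ALL_MEMBERS_LDIF = """\
dn: cn=nestedGroupParent,ou=cdl,o=ibm
ibm-allMembers: uid=one,ou=cdl,o=ibm

dn: cn=nestedGroupChild,ou=cdl,o=ibm
ibm-allMembers: uid=two,ou=cdl,o=ibm
"""

ALL_GROUPS_LDIF = """\
dn: uid=one,ou=cdl,o=ibm
ibm-allGroups: cn=nestedGroupParent,ou=cdl,o=ibm

dn: uid=two,ou=cdl,o=ibm
ibm-allGroups: cn=nestedGroupChild,ou=cdl,o=ibm
ibm-allGroups: cn=nestedGroupParent,ou=cdl,o=ibm
"""

def parse_ldif(text, attr):
    """Return {dn: set(values of attr)} from single-line LDIF entries (DNs lower-cased)."""
    entries, dn = defaultdict(set), None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip().lower()
            entries[dn]  # register the entry even if it carries no values of attr
        elif dn and line.lower().startswith(attr.lower() + ": "):
            entries[dn].add(line.split(": ", 1)[1].strip().lower())
    return dict(entries)

def find_inconsistencies(all_members_ldif, all_groups_ldif):
    """List every (user, group) link that one operational attribute shows and the other omits."""
    members_of = parse_ldif(all_members_ldif, "ibm-allMembers")
    groups_of = parse_ldif(all_groups_ldif, "ibm-allGroups")
    problems = []
    for group, members in members_of.items():
        for m in members:
            if group not in groups_of.get(m, set()):
                problems.append(f"{m} is in ibm-allMembers of {group} but lacks it in ibm-allGroups")
    for user, groups in groups_of.items():
        for g in groups:
            if user not in members_of.get(g, set()):
                problems.append(f"{user} lists {g} in ibm-allGroups but is missing from its ibm-allMembers")
    return sorted(problems)

if __name__ == "__main__":
    for p in find_inconsistencies(ALL_MEMBERS_LDIF, ALL_GROUPS_LDIF):
        print(p)
```

An empty result means the two attributes agree; any reported line points at a group whose membership Virtual Member Manager will resolve incompletely, which is the case where Tivoli Directory Server maintenance is needed.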
- The Virtual Member Manager (VMM) security configuration for IBM Business Process Manager
The wimconfig.xml file needs to show the following or similar entries to use the ibm-allGroups and ibm-allMembers attributes. You can configure the corresponding settings from the Integrated Solutions Console.
<config:groupConfiguration>
<config:memberAttributes name="ibm-allMembers" objectClass="groupOfNames" scope="nested"/>
<config:membershipAttribute name="ibm-allGroups" scope="nested"/>
</config:groupConfiguration>
Complete the following steps to configure the Virtual Member Manager configuration for IBM Business Process Manager using the Integrated Solutions Console, which is also called the Admin Console:
- Log in to the Integrated Solutions Console as an administrative user.
- Click Security > Global security.
- Under User account security, select Federated repositories from the list of Available realm definitions.
- Click Configure.
- Under Related items, click Manage repositories.
- Click the repository identifier for your LDAP repository. The LDAP server configuration page is displayed. Because Tivoli Directory Server is already configured, you see the Group Attribute Definition selection at the bottom of the page.
- Click Group Attribute Definition. The page contains the Name of group membership attribute field.
- In the Name of group membership attribute field, enter ibm-allGroups. For a nested group, the scope of group membership attribute needs to be set to nested.
- Click the member attribute.
- Delete the default entry of "member" and add a new entry with the following data:
Name: ibm-allMembers
Scope: nested
Object Class: groupOfNames
- Save the changes and restart the system.
Ensure that you test the nested group behavior.
Product Synonym
BPM
Document Information
Modified date:
15 June 2018
UID
swg21646097