Use this method to optimize group retrieval for
users and their group memberships between Lightweight Directory Access
Protocol (LDAP) and the IBM® BPM database.
Before you begin
- Your environment must be configured for federated repositories.
- The attached LDAP directory must expose the ibm-allGroups attribute
or a similar attribute. The ibm-allGroups attribute
determines the set of groups of which a user is a member within a
single LDAP query.
Important: You can use this method only if all required
group memberships of a user can be computed using the VMM property memberof.
This is the case only for LDAP directories that are appropriately
configured for VMM. For other repositories this may not hold true.
For example, groups defined in the VMM file registry are not reflected
with the memberof property.
About this task
Complete the following steps to optimize group membership
retrieval during user login:
Procedure
- Extend the VMM entity type PersonAccount to
include an additional property with the name memberof. Include the following lines in the wimxmlextension.xml file located
in the profile_root/config/cells/cell/wim/model directory:
  <sdo:datagraph xmlns:sdo="commonj.sdo"
                 xmlns:wim="http://www.ibm.com/websphere/wim">
    <wim:schema>
      <wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="STRING"
                          multiValued="true" propertyName="memberof">
        <wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames>
      </wim:propertySchema>
    </wim:schema>
  </sdo:datagraph>
where profile_root is
the root directory for either the stand-alone profile (IBM BPM
Express, or the Unit Test Environment (UTE) of IBM Integration Designer)
or the root directory for the deployment manager profile (IBM BPM
Standard or IBM BPM Advanced).
Note: If
you cannot find the file wimxmlextension.xml in
the profile_root/config/cells/cell/wim/model directory,
you can copy the file to this directory from the IBM
BPM template directory install_root/profileTemplates/BPM/BpmServer/databases.
- Define the mapping between the VMM property name memberof and
the available LDAP attribute, for example, ibm-allGroups. In the file install_root/profiles/profile/config/cells/cell/wim/config/wimconfig.xml,
include the following entry:
  <config:repositories xsi:type="config:LdapRepositoryType" ...>
    ...
    <config:attributeConfiguration>
      ...
      <config:attributes name="ibm-allGroups" propertyName="memberof">
        <config:entityTypes>PersonAccount</config:entityTypes>
      </config:attributes>
      ...
    </config:attributeConfiguration>
  </config:repositories>
In a cluster, perform this
action on the deployment manager for each server in the cluster.
- Tune your LDAP configuration in the wimconfig.xml file
so that all groups of a user can be retrieved in one VMM query. Consult the VMM tuning documents. In particular, select an appropriate
setting for the configurationProvider->maxSearchResults attribute.
- Enable the use of the memberof property
by BPM. Include the following lines in the 100Custom.xml file:
  <common merge="mergeChildren">
    <security>
      <vmm-options>
        <member-of-group-prop>memberof</member-of-group-prop>
      </vmm-options>
    </security>
  </common>
In a cluster, perform this action on the deployment
manager for each server in the cluster.
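The three files edited in this procedure must agree on the property name: the extension must declare it, wimconfig.xml must map an LDAP attribute to it, and 100Custom.xml must name it. The following script is an added example (not IBM code) that reads the three fragments and reports any mismatch; the sample documents are constructed from the fragments above, and the config and xsi namespace URIs used in them are assumptions.

```python
import xml.etree.ElementTree as ET
def _named(root, name):
    """Elements whose local name matches, ignoring the namespace prefix used in the file."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _has_text(elems, value):
    return any((e.text or "").strip() == value for e in elems)

def extension_declares(xml_text, prop="memberof", entity="PersonAccount"):
    """wimxmlextension.xml: is 'prop' a multi-valued property applicable to 'entity'?"""
    return any(ps.get("propertyName") == prop and ps.get("multiValued") == "true"
               and _has_text(_named(ps, "applicableEntityTypeNames"), entity)
               for ps in _named(ET.fromstring(xml_text), "propertySchema"))

def ldap_attribute_for(xml_text, prop="memberof", entity="PersonAccount"):
    """wimconfig.xml: LDAP attribute name mapped to 'prop' for 'entity', or None."""
    for a in _named(ET.fromstring(xml_text), "attributes"):
        if a.get("propertyName") == prop and _has_text(_named(a, "entityTypes"), entity):
            return a.get("name")
    return None

def bpm_member_of_prop(xml_text):
    """100Custom.xml: the <member-of-group-prop> value, or None if absent."""
    found = _named(ET.fromstring(xml_text), "member-of-group-prop")
    return (found[0].text or "").strip() or None if found else None

def check_config(extension_xml, wimconfig_xml, custom_xml):
    """Return a list of inconsistencies; an empty list means the three files agree."""
    prop = bpm_member_of_prop(custom_xml)
    if not prop:
        return ["100Custom.xml does not set member-of-group-prop"]
    problems = []
    if not extension_declares(extension_xml, prop):
        problems.append(f"wimxmlextension.xml: no multi-valued property '{prop}' on PersonAccount")
    if not ldap_attribute_for(wimconfig_xml, prop):
        problems.append(f"wimconfig.xml: no LDAP attribute mapped to '{prop}' for PersonAccount")
    return problems
# Constructed samples mirroring the fragments above (config/xsi namespace URIs are assumed).
EXTENSION_OK = """<sdo:datagraph xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">
<wim:schema><wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="STRING"
multiValued="true" propertyName="memberof"><wim:applicableEntityTypeNames>PersonAccount
</wim:applicableEntityTypeNames></wim:propertySchema></wim:schema></sdo:datagraph>"""
WIMCONFIG_OK = """<config:repositories xmlns:config="http://www.ibm.com/websphere/wim/config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="config:LdapRepositoryType">
<config:attributeConfiguration><config:attributes name="ibm-allGroups" propertyName="memberof">
<config:entityTypes>PersonAccount</config:entityTypes></config:attributes>
</config:attributeConfiguration></config:repositories>"""
CUSTOM_OK = """<common merge="mergeChildren"><security><vmm-options>
<member-of-group-prop>memberof</member-of-group-prop></vmm-options></security></common>"""
```

Run `check_config` against the real files read from profile_root and install_root on the deployment manager before restarting; a non-empty list means group membership will still fall back to the slower per-group lookup.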