Optimizing group membership retrieval during user login

Use this method to optimize group retrieval for users and their group memberships between Lightweight Directory Access Protocol (LDAP) and the IBM® BPM database.

Before you begin

  • Your environment must be configured for federated repositories.
  • The attached LDAP directory must expose the ibm-allGroups attribute or a similar attribute. The ibm-allGroups attribute determines the set of groups of which a user is a member within a single LDAP query.
Important: You can use this method only if all required group memberships of a user can be computed using the VMM property memberof. This is the case only for LDAP directories that are appropriately configured for VMM. For other repositories this may not hold true. For example, groups defined in the VMM file registry are not reflected with the memberof property.

About this task

Complete the following steps to optimize group membership retrieval during user login:

Procedure

  1. Extend the VMM entity type PersonAccount to include an additional property with the name memberof. Add the following entry to the wimxmlextension.xml file located in the profile_root/config/cells/cell/wim/model directory:
    <sdo:datagraph xmlns:sdo="commonj.sdo"
        xmlns:wim="http://www.ibm.com/websphere/wim">
      <wim:schema>
        <wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="STRING"
            multiValued="true" propertyName="memberof">
          <wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames>
        </wim:propertySchema>
      </wim:schema>
    </sdo:datagraph>
    where profile_root is the root directory for either the stand-alone profile (IBM BPM Express, the Unit Test Environment (UTE) of IBM Integration Designer) or the root directory for the deployment manager profile (IBM BPM Standard or IBM BPM Advanced).
    Note: If you cannot find the file wimxmlextension.xml in the profile_root/config/cells/cell/wim/model directory, you can access the file and copy it to this directory from the IBM BPM template directory install_root/profileTemplates/BPM/BpmServer/databases.
  2. Define the mapping between the VMM property name memberof and the available LDAP attribute, for example, ibm-allGroups. In the file install_root/profiles/profile/config/cells/cell/wim/config/wimconfig.xml, include the following entry:
    <config:repositories xsi:type="config:LdapRepositoryType" ...>
      ...
      <config:attributeConfiguration>
        ...
        <config:attributes name="ibm-allGroups" propertyName="memberof">
          <config:entityTypes>PersonAccount</config:entityTypes>
        </config:attributes>
        ...
      </config:attributeConfiguration>
    </config:repositories>
    In a cluster, perform this action on the deployment manager for each server in the cluster.
  3. Tune your LDAP configuration in the wimconfig.xml file so that all groups of a user can be retrieved in one VMM query. Consult the VMM tuning documents. In particular, select an appropriate setting for the configurationProvider->maxSearchResults attribute, because a limit lower than the number of groups a user belongs to truncates the result.
  4. Enable the use of the memberof property by BPM. Include the following lines in the 100Custom.xml file:
    <common merge="mergeChildren">
      <security>
        <vmm-options>
          <member-of-group-prop>memberof</member-of-group-prop>
        </vmm-options>
      </security>
    </common>
    In a cluster, perform this action on the deployment manager for each server in the cluster.
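The property name set in 100Custom.xml must match the propertyName declared in wimxmlextension.xml and mapped in wimconfig.xml, and both must be scoped to PersonAccount; a mismatch silently falls back to the slow per-group lookup. The following Python check is an added example, not part of the IBM documentation: it parses constructed copies of the three fragments namespace-agnostically (the config namespace URI is a placeholder) and reports any disagreement.

```python
import xml.etree.ElementTree as ET

def _find_all(root, name):
    """Descendants (root included) whose tag, namespace stripped, equals `name`."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def extension_properties(xml_text):
    """Map propertyName -> applicable entity types from wimxmlextension.xml."""
    result = {}
    for ps in _find_all(ET.fromstring(xml_text), "propertySchema"):
        result[ps.get("propertyName")] = {t.text.strip() for t in _find_all(ps, "applicableEntityTypeNames")}
    return result

def ldap_attribute_mappings(xml_text):
    """Map propertyName -> (LDAP attribute, entity types) from wimconfig.xml."""
    result = {}
    for a in _find_all(ET.fromstring(xml_text), "attributes"):
        result[a.get("propertyName")] = (a.get("name"), {t.text.strip() for t in _find_all(a, "entityTypes")})
    return result

def bpm_member_of_property(xml_text):
    """The <member-of-group-prop> value from 100Custom.xml, or None if unset."""
    hits = _find_all(ET.fromstring(xml_text), "member-of-group-prop")
    return hits[0].text.strip() if hits and hits[0].text else None

def check_consistency(ext_xml, wimconfig_xml, custom_xml):
    """Return a list of problems; an empty list means the three fragments agree."""
    prop = bpm_member_of_property(custom_xml)
    if prop is None:
        return ["100Custom.xml does not set member-of-group-prop"]
    problems, ext, mapping = [], extension_properties(ext_xml), ldap_attribute_mappings(wimconfig_xml)
    if "PersonAccount" not in ext.get(prop, set()):
        problems.append(f"wimxmlextension.xml does not declare '{prop}' for PersonAccount")
    if "PersonAccount" not in mapping.get(prop, (None, set()))[1]:
        problems.append(f"wimconfig.xml maps no LDAP attribute to '{prop}' for PersonAccount")
    return problems

# Constructed sample fragments mirroring the procedure; the config namespace URI is a placeholder.
EXT_XML = """<sdo:datagraph xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">
<wim:schema><wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="STRING"
multiValued="true" propertyName="memberof">
<wim:applicableEntityTypeNames>PersonAccount</wim:applicableEntityTypeNames>
</wim:propertySchema></wim:schema></sdo:datagraph>"""
WIMCONFIG_XML = """<config:repositories xmlns:config="urn:placeholder:wim-config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="config:LdapRepositoryType">
<config:attributeConfiguration><config:attributes name="ibm-allGroups" propertyName="memberof">
<config:entityTypes>PersonAccount</config:entityTypes></config:attributes>
</config:attributeConfiguration></config:repositories>"""
CUSTOM_XML = """<common merge="mergeChildren"><security><vmm-options>
<member-of-group-prop>memberof</member-of-group-prop></vmm-options></security></common>"""
BAD_CUSTOM_XML = CUSTOM_XML.replace(">memberof<", ">memberOf<")  # constructed name mismatch

if __name__ == "__main__":
    print(check_consistency(EXT_XML, WIMCONFIG_XML, CUSTOM_XML))      # []
    print(check_consistency(EXT_XML, WIMCONFIG_XML, BAD_CUSTOM_XML))  # two problems reported
```

Point the three constants at the real files from the deployment manager profile to run the same check before restarting the servers.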