I need one clarification. I found this in the WebSphere Portal Info Center link
http://publib.boulder.ibm.com/infocenter/wpdoc/v6r1/index.jsp?topic=/com.ibm.wp.ent.doc_v6101/security/aix_groupconfig.html which goes like this:
"When you configure your LDAP user registry, a group membership is automatically created. You may need to adjust the group membership configuration if you notice high loads on the LDAP server and/or long response times on authentication requests."
Could someone explain what this particular parameter is for and how it will improve the login performance?
Topic: what is the difference between group member and groupmembership?
Re: what is the difference between group member and groupmembership? (2012-03-19T19:36:12Z, in response to SystemAdmin)
Enabling a membership attribute greatly improves performance because it keeps VMM from having to do a broad search for groups, then evaluate their members lists to determine if a specific user is a member. Rather, given an individual's DN, VMM simply requests the membership attribute. This is especially helpful if there are several groups in the LDAP server. Configuring membershipAttribute in VMM gives better performance when searching for a group membership relationship.
For example, at login Portal first validates the user credentials, then it checks authorization to see which resources the user has access to and which level of access the user is given. As access permission can be granted via groups, Portal checks for both the user and all the groups the user is a member of.
If membership attribute is not enabled in the VMM configuration, Portal will need to query all groups in the LDAP, then list all members of each group and check the user ID against the groups' member list. If there is a match, it determines that the user is a member of that group, and the process continues until it goes through all the groups.
On the other hand, if membership is enabled in the VMM configuration, Portal will only need to check the group membership of the user record itself. This lists all the groups that the user is a member of, so this is all Portal needs to do, as far as determining the user/group membership relationship is concerned.
You can find more details in the WAS Information Center.
Each LDAP vendor has its own group membership attribute and how to determine the user/group membership relationship. Below is an example for the Tivoli Directory Server:
Hope you find the information helpful.
The postings on this site are my own and do not necessarily represent the positions, strategies, or opinions of IBM.
JMW98 (ACCEPTED ANSWER)
Re: what is the difference between group member and groupmembership? (2012-03-20T11:27:17Z, in response to SystemAdmin)
Yes, it is true for 6.1.x as well. In fact, 6.0's WMM even supported membership attributes.
Another important thing to consider when configuring a membership attribute is its scope. Your LDAP administrator should be able to tell you which of direct, nested, and dynamic groups are resolved in the membership attribute. Set the scope in VMM accordingly. This may enable you to further reduce load on the LDAP by configuring group reuse and disabling nested group resolution.
For general information on Portal & LDAP groups:
& on minimizing the calls Portal makes to LDAP:
Re: what is the difference between group member and groupmembership? (2012-03-20T12:29:15Z, in response to JMW98)
Thank you all. It was really helpful.
Nowadays the IBM Info Center is not clear enough to explain the facts. Anyhow, there is always a developerWorks forum to solve problems and doubts.
Note: In my previous project, we were using OpenWAVE with WP. OpenWAVE was not supported by default with WP, but we had no choice at that time. When we faced huge login issues, we added an objectclass called memberOf to personAccount manually, with the groups information added to the user profile itself.
And we configured VMM to read that groupMembership. It worked like a charm :). It greatly improved the login performance.
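The two lookup strategies described in the first reply, and the scope point from JMW98's reply, as an added example that is not part of the thread and not IBM or VMM code: a Python simulation that counts how many directory entries each strategy reads. The directory contents, all DNs, the direct-only `memberOf` layout and both function names are assumptions constructed for illustration.

```python
"""Group lookup by member scan vs. membership attribute, on constructed data."""
BASE = "o=example"  # constructed suffix, not from the thread


def dn(rdn, ou):
    return f"{rdn},ou={ou},{BASE}"


ALICE = dn("uid=alice", "people")
OPS, ADMINS, EDITORS = (dn(f"cn={n}", "groups") for n in ("ops", "portal-admins", "editors"))

# Constructed directory: 'member' on groups, direct-only 'memberOf' on every entry.
DIRECTORY = {
    ALICE: {"memberOf": [OPS, EDITORS]},
    OPS: {"member": [ALICE], "memberOf": [ADMINS]},  # ops is nested in portal-admins
    ADMINS: {"member": [OPS], "memberOf": []},
    EDITORS: {"member": [ALICE], "memberOf": []},
}
for i in range(200):  # unrelated groups that a broad search still has to return
    DIRECTORY[dn(f"cn=team{i}", "groups")] = {"member": [dn(f"uid=user{i}", "people")], "memberOf": []}


def groups_by_member_scan(user_dn, nested=True):
    """No membership attribute: fetch every group, then test each member list."""
    groups = {g: e["member"] for g, e in DIRECTORY.items() if "member" in e}
    found, frontier = set(), {user_dn}
    while frontier:
        hits = {g for g, members in groups.items() if frontier & set(members)} - found
        found |= hits
        frontier = hits if nested else set()
    return found, len(groups)  # every group entry was read


def groups_by_membership_attr(user_dn, nested=True):
    """Membership attribute: read the user's entry; walk upward only if nested."""
    found, queue, entries_read = set(), [user_dn], 0
    while queue:
        entry = DIRECTORY[queue.pop()]
        entries_read += 1
        for group in entry.get("memberOf", []):
            if group not in found:
                found.add(group)
                if nested:
                    queue.append(group)
    return found, entries_read


if __name__ == "__main__":
    for fn in (groups_by_member_scan, groups_by_membership_attr):
        for nested in (True, False):
            found, reads = fn(ALICE, nested)
            print(f"{fn.__name__:26} nested={nested!s:5} reads={reads:3} groups={len(found)}")
```

With nested resolution off, `portal-admins` drops out of the result, so access granted only through that group would not be seen. This is why the scope configured in VMM has to match what the directory's membership attribute actually contains.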