Topic
  • 4 replies
  • Latest Post - ‏2012-03-20T12:29:15Z by SystemAdmin
SystemAdmin
SystemAdmin
30895 Posts

Pinned topic what is the difference between group member and groupmembership?

‏2012-03-19T18:46:30Z |
Hi,

I need one clarification. I found this in the WebSphere Portal Info Center link
http://publib.boulder.ibm.com/infocenter/wpdoc/v6r1/index.jsp?topic=/com.ibm.wp.ent.doc_v6101/security/aix_groupconfig.html which goes like this:

"When you configure your LDAP user registry, a group membership is automatically created. You may need to adjust the group membership configuration if you notice high loads on the LDAP server and/or long response times on authentication requests."

Could someone explain what this particular parameter is for and how it will improve the login performance?

Kind regards
Selva
Updated on 2012-03-20T12:29:15Z at 2012-03-20T12:29:15Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    30895 Posts

    Re: what is the difference between group member and groupmembership?

    ‏2012-03-19T19:36:12Z  
    Enabling a membership attribute greatly improves performance because it keeps VMM from having to do a broad search for groups, then evaluate their member lists to determine if a specific user is a member. Rather, given an individual's DN, VMM simply requests the membership attribute. This is especially helpful if there are several groups in the LDAP server. Configuring membershipAttribute in VMM gives better performance when searching for a group membership relationship.

    For example, at login Portal first validates the user credentials, then it checks authorization to see which resources the user has access to and which level of access the user is given. As access permission can be granted via groups, Portal checks for both the user and all the groups the user is a member of.

    If the membership attribute is not enabled in the VMM configuration, Portal will need to query all groups in the LDAP, then list all members of each group and check the user ID against the groups' member lists. If there is a match, it determines that the user is a member of that group, and the process continues until it goes through all the groups.

    On the other hand, if membership is enabled in the VMM configuration, Portal will only need to check the group membership of the user record itself. This lists all the groups that the user is a member of, so this is all Portal needs to do, as far as determining the user/group membership relationship is concerned.

    You can find more details in the WAS Information Center.

    http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.wim.doc/MemberAndMembershipAttributeConfiguration.html

    Each LDAP vendor has its own group membership attribute and its own way of determining the user/group membership relationship. Below is an example for the Tivoli Directory Server:

    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.IBMDS.doc/admin_gd431.htm

    Hope you find the information helpful.



    The postings on this site are my own and do not necessarily represent the positions, strategies, or opinions of IBM.
  • SystemAdmin
    SystemAdmin
    30895 Posts

    Re: what is the difference between group member and groupmembership?

    ‏2012-03-19T22:54:52Z  
    Sorry to interfere with this post, but is this true for version 6.1.5.x as well? Hope so.

    Thanks,

    Joe
  • JMW98
    JMW98
    1097 Posts

    Re: what is the difference between group member and groupmembership?

    ‏2012-03-20T11:27:17Z  
    Yes, it is true for 6.1.x as well. In fact, 6.0's WMM even supported membership attributes.

    Another important thing to consider when configuring a membership attribute is its scope. Your LDAP administrator should be able to tell you which of direct, nested, and dynamic groups are resolved in the membership attribute. Set the scope in VMM accordingly. This may enable you to further reduce load on the LDAP by configuring group reuse and disabling nested group resolution.

    For general information on Portal & LDAP groups:
    http://www-10.lotus.com/ldd/portalwiki.nsf/dx/Web_security_concepts_and_considerations_for_IBM_WebSphere_Portal_administrators#Authorization+and+the+user+repository

    & on minimizing the calls Portal makes to LDAP:
    https://www.ibm.com/developerworks/mydeveloperworks/blogs/PortalL2Thoughts/entry/go_easy_on_your_ldap17
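
The two lookup strategies described in the replies above, and the effect of the membership attribute's scope, as an added example that is not part of the original posts and is not VMM code. The directory is a constructed in-memory model; the DNs, the function names and the `scope` values are assumptions made for illustration. It counts how many directory entries have to be read to resolve one user's groups.

```python
# Added example: constructed directory, hypothetical DNs and function names.
# Group entry DN -> values of its member attribute.
GROUPS = {
    "cn=editors,o=example": ["uid=selva,o=example", "uid=joe,o=example"],
    "cn=staff,o=example": ["cn=editors,o=example"],  # editors is nested in staff
    "cn=admins,o=example": ["uid=joe,o=example"],
}
# Filler groups so the cost of scanning every group is visible.
GROUPS.update({f"cn=team{i},o=example": [] for i in range(200)})


def direct_membership(groups):
    """Invert member lists into a direct-scope membership attribute per entry."""
    attr = {}
    for group_dn, members in groups.items():
        for member_dn in members:
            attr.setdefault(member_dn, set()).add(group_dn)
    return attr


def closure(dn, attr):
    """Follow the membership attribute upward; returns (groups, entries read)."""
    found, queue, reads = set(), [dn], 0
    while queue:
        reads += 1  # one entry fetched by DN
        for group_dn in attr.get(queue.pop(), ()):
            if group_dn not in found:
                found.add(group_dn)
                queue.append(group_dn)
    return found, reads


def via_member_scan(user_dn, groups):
    """No membership attribute: read every group entry, then match member lists."""
    # Nested groups are resolved in memory from the entries already read.
    return closure(user_dn, direct_membership(groups))[0], len(groups)


def via_membership(user_dn, groups, scope):
    """Membership attribute configured; scope = what the server resolves into it."""
    attr = direct_membership(groups)
    if scope == "nested":
        # The server already stores the full closure on the user entry: one read.
        return closure(user_dn, attr)[0], 1
    # Direct scope: the client reads the user, then each group it discovers.
    return closure(user_dn, attr)


if __name__ == "__main__":
    user = "uid=selva,o=example"
    print("member scan :", via_member_scan(user, GROUPS)[1], "entries read")
    print("direct scope:", via_membership(user, GROUPS, "direct")[1], "entries read")
    print("nested scope:", via_membership(user, GROUPS, "nested")[1], "entries read")
```

All three paths must return the same group set for the authorization decision to be the same; only the number of entries read differs.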
  • SystemAdmin
    SystemAdmin
    30895 Posts

    Re: what is the difference between group member and groupmembership?

    ‏2012-03-20T12:29:15Z  
    Thank you all. It was really helpful.

    Nowadays the IBM Infocenter is not clear enough to explain the facts. Anyhow, there is always a developerWorks forum to solve problems and doubts.

    Note: In my previous project, we were using OpenWAVE with WP. OpenWAVE was not supported by default with WP, but we had no choice at that time. When we faced huge login issues, we added an objectclass called memberOf to personAccount manually, with groups information, to the user profile itself.

    And we configured VMM to read that groupMembership. It worked like a charm :). It greatly improved the login performance.
    Cheers
    Selva