Example: Supporting nested groups in IBM Directory Server

You can configure the product to support nested groups that are already defined on Directory Server.

The following example shows how to set the Directory Server configuration parameters and test the search filters for users, groups, and memberships so that static nested external (LDAP) groups are supported on Cloud Pak System Software.
As a prerequisite, nested groups should already be defined on Directory Server, for example:
Parent group:

   dn: cn=PureDevAllGroups,ou=Groups,o=IBM,c=US
   cn: PureDevAllGroups
   objectclass: top
   objectclass: container
   objectclass: ibm-nestedGroup
   ibm-memberGroup: cn=PureSecGroup,ou=Groups,o=ibm,c=US
   ...

Sub group:

   dn: cn=PureSecGroup,ou=Groups,o=IBM,c=US
   cn: PureSecGroup
   objectClass: top
   objectClass: GroupOfNames
   member: cn=secdev1,ou=WebSphere,o=ibm,c=us
   member: cn=secdev2,ou=webSphere,o=ibm,c=us
   ...

Member user:

   dn: cn=secdev1,ou=WebSphere,o=IBM,c=US
   objectclass: person
   objectclass: organizationalPerson
   objectclass: ePerson
   objectclass: inetOrgPerson
   objectclass: top
   cn: secdev1
   sn: secdev1
   uid: secdev1
   ...

The Cloud Pak System Software administrator does the following steps:
  1. Click System > System Security, and set the following LDAP configuration parameters. If you are on 2.3.3.3, go to Security and access > System Security.
    Note: For information about configuring the remaining LDAP parameters in this window, click Setting LDAP parameters for IBM Directory Server in the Related tasks section below.
    LDAP base DN (users)
    ou=WebSphere, o=IBM,c=US
    LDAP base DN (groups)
    ou=Groups, o=IBM,c=US
    Search filter (users)
    (&(uid={0})(|(objectClass=person)(objectClass=inetOrgPerson)))
    Search filter (groups)
    (&(cn={0})(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=ibm-nestedGroup)))
    LDAP membership search filter pattern
    (&(|(member={0})(uniquemember={0}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))
    LDAP user search attribute
    uid
    LDAP group search attribute
    cn
    LDAP server type
    IBM TDS
  2. Perform LDAP authentication tests for users, groups, and memberships. Check that the tests succeed for secdev1 both as the external (LDAP) user name and as the LDAP membership user name, and that they succeed for both PureDevAllGroups and PureSecGroup as external (LDAP) group names.

    For more information about performing authentication tests, click Testing LDAP authentication settings in the Related tasks section below.

  3. Create the PureDevAllGroups and PureSecGroup external (LDAP) groups on Cloud Pak System Software and assign them different permissions.
  4. Log in to Cloud Pak System Software as the external (LDAP) user secdev1 and confirm that the user inherited roles from both the PureDevAllGroups and the PureSecGroup external (LDAP) groups. For more information about user groups and user roles, see the related links.
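The following Python script is an added illustration; it is not part of this IBM documentation and not code from Cloud Pak System Software or Directory Server. It loads the three sample entries above into an in-memory directory, parses the search filters from step 1 (substituting {0} the way the product does), and resolves the effective groups of secdev1 by following ibm-memberGroup from PureSecGroup up to PureDevAllGroups. The parser is a minimal RFC 4515 subset (and, or, equality) written for this example; it rejects filters with unbalanced parentheses, which is a useful check before pasting a filter into the console. The upward walk over ibm-memberGroup is this example's own model of nesting and is an assumption, not a description of how the product implements nested-group resolution.

```python
import re

# Constructed in-memory directory: the page's three sample entries, abridged
# (lines the filters do not use are omitted; attribute spacing kept as shown).
DIRECTORY_LDIF = """
dn: cn=PureDevAllGroups,ou=Groups,o=IBM,c=US
cn: PureDevAllGroups
objectclass: container
objectclass: ibm-nestedGroup
ibm-memberGroup: cn=PureSecGroup, ou=Groups,o=ibm,c=US

dn: cn=PureSecGroup,ou=Groups,o=IBM,c=US
cn: PureSecGroup
objectClass: GroupOfNames
member: cn=secdev1, ou=WebSphere, o=ibm, c=us

dn: cn=secdev1,ou=WebSphere,o=IBM,c=US
objectclass: person
objectclass: inetOrgPerson
cn: secdev1
uid: secdev1
"""
# Console parameters from the page; {0} is the product's substitution slot.
USER_BASE = "ou=WebSphere, o=IBM,c=US"
GROUP_BASE = "ou=Groups, o=IBM,c=US"
USER_FILTER = "(&(uid={0}) (|(objectClass=person)(objectClass=inetOrgPerson)))"
GROUP_FILTER = ("(&(cn={0})(|(objectClass=groupOfNames)"
                "(objectClass=groupOfUniqueNames)(objectClass=ibm-nestedGroup)))")
MEMBERSHIP_FILTER = ("(&(|(member={0})(uniquemember={0}))"
                     "(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))")

def norm(value):  # comparison key: case-insensitive, no spaces after DN commas
    return re.sub(r",\s*", ",", value.strip()).lower()

def parse_ldif(text):  # LDIF-like text -> list of {lowercase attr: [values]}
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (l.partition(":") for l in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_filter(text):
    """Minimal RFC 4515 parser (&, | and equality items). Raises ValueError
    on unbalanced parentheses or a malformed item."""
    text = re.sub(r"\s*([()])\s*", r"\1", text)  # drop whitespace around parens

    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        if text[i + 1] in "&|":
            op, kids, i = text[i + 1], [], i + 2
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if text[i] != ")" or not kids:
                raise ValueError("malformed '%s' list at offset %d" % (op, i))
            return (op, kids), i + 1
        end = text.index(")", i)
        attr, eq, value = text[i + 1:end].partition("=")
        if not eq or not re.fullmatch(r"[A-Za-z][\w.-]*", attr):
            raise ValueError("malformed item %r" % text[i:end + 1])
        return ("=", attr.lower(), value), end + 1
    try:
        node, end = parse(0)
    except (IndexError, ValueError) as exc:
        raise ValueError("bad filter %r: %s" % (text, exc))
    if end != len(text):
        raise ValueError("bad filter %r: trailing text or unbalanced parentheses" % text)
    return node

def matches(node, entry):  # evaluate a parsed filter with caseIgnore matching
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(norm(v) == norm(value) for v in entry.get(attr, []))

def search(directory, base_dn, filter_template, arg):  # DNs under base matching
    node = parse_filter(filter_template.replace("{0}", arg))
    base = "," + norm(base_dn)
    return [e["dn"][0] for e in directory if norm(e["dn"][0]).endswith(base) and matches(node, e)]

def effective_groups(directory, user_dn):
    """Direct groups (membership filter) plus every ancestor reached through
    ibm-memberGroup (the example's model of nesting); 'seen' stops cycles."""
    seen, queue = {}, search(directory, GROUP_BASE, MEMBERSHIP_FILTER, user_dn)
    while queue:
        dn = queue.pop()
        if norm(dn) not in seen:
            seen[norm(dn)] = dn
            queue += search(directory, GROUP_BASE, "(ibm-memberGroup={0})", dn)
    return sorted(e["cn"][0] for e in directory if norm(e["dn"][0]) in seen)

DIRECTORY = parse_ldif(DIRECTORY_LDIF)

if __name__ == "__main__":
    print(search(DIRECTORY, USER_BASE, USER_FILTER, "secdev1"))
    print(effective_groups(DIRECTORY, "cn=secdev1,ou=WebSphere,o=IBM,c=US"))
```

Running the script shows the user search returning the secdev1 entry and the effective groups for secdev1 being both PureSecGroup (direct, via member) and PureDevAllGroups (nested, via ibm-memberGroup), which is what step 4 expects the user to inherit roles from. Note that the membership filter alone only returns groupOfNames and groupOfUniqueNames entries; the ibm-nestedGroup parent is reached only by the nested walk, so a user whose only link to a group is through nesting will not appear in a flat membership test.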