Example: Supporting nested groups in IBM Directory Server
You can configure the product to support nested groups that are already defined on Directory Server.
The following example shows how to set configuration parameters for Directory Server, test search filters for users,
groups, and memberships to support static nested external (LDAP) groups on Cloud Pak System Software.
As a prerequisite, nested groups should already be defined on Directory Server, for example:
parent group:
dn: cn=PureDevAllGroups,ou=Groups, o=IBM, c=US
cn: PureDevAllGroups
objectclass: top
objectclass: container
objectclass: ibm-nestedGroup
ibm-memberGroup: cn=PureSecGroup, ou=Groups,o=ibm,c=US
...
sub group:
dn: cn=PureSecGroup, ou=Groups, o=IBM, c=US
cn: PureSecGroup
objectClass: top
objectClass: GroupOfNames
member: cn=secdev1, ou=WebSphere, o=ibm, c=us
member: cn=secdev2, ou=webSphere, o=ibm, c=us
...
member user:
dn: cn=secdev1,ou=WebSphere,o=IBM,c=US
objectclass: person
objectclass: organizationalPerson
objectclass: ePerson
objectclass: inetOrgPerson
objectclass: top
cn: secdev1
sn: secdev1
uid: secdev1
...
The Cloud Pak System Software administrator does the following steps:
- Open the LDAP configuration window and set the following LDAP configuration parameters. If you are on version 2.3.3.3, the window is reached from a different location.
  - LDAP base DN (users): ou=WebSphere,o=IBM,c=US
  - LDAP base DN (groups): ou=Groups,o=IBM,c=US
  - Search filter (users): (&(uid={0})(|(objectClass=person)(objectClass=inetOrgPerson)))
  - Search filter (groups): (&(cn={0})(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=ibm-nestedGroup)))
  - LDAP membership search filter pattern: (&(|(member={0})(uniquemember={0}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))
  - LDAP user search attribute: uid
  - LDAP group search attribute: cn
  - LDAP server type: IBM TDS
  Note: For information about configuring the remaining LDAP parameters in this window, click Setting LDAP parameters for IBM Directory Server in the Related tasks section below.
- Perform LDAP authentication tests for users, groups, and memberships. Check that results are successful for secdev1 as both external (LDAP) user name and LDAP membership (user name). Also check that results are successful for both PureDevAllGroups and PureSecGroup as external (LDAP) group names. For more information about performing authentication tests, click Testing LDAP authentication settings in the Related tasks section below.
- Create PureDevAllGroups and PureSecGroup external (LDAP) groups on Cloud Pak System Software and assign different permissions to each of them.
- Log in to Cloud Pak System Software as external (LDAP) user secdev1 and confirm that this same user successfully inherited roles from both PureDevAllGroups and PureSecGroup external (LDAP) groups. For more information about user groups and user roles, see the related links.
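As an added example that is not part of the IBM documentation or of the product's own code, the following Python models the three directory entries above in memory, evaluates the user, group and membership search filters from the configuration with {0} substituted (after RFC 4515 escaping, so a submitted user name cannot change the shape of the filter), and resolves nested membership by following ibm-memberGroup links the way a server with nested groups enabled would. It assumes a simplified directory: equality matches only, no whitespace between filter components, and DN comparison reduced to case folding and trimming blanks after commas. The function names (parse_ldif, parse_filter, search, effective_groups, escape_filter_value) and the constants are this example's own. It reproduces what the authentication tests in the steps should show: secdev1 resolves to PureSecGroup as a direct member and to PureDevAllGroups through nesting.

```python
# Added example, not IBM's code: an in-memory model of the page's entries, an
# evaluator for its (&...)/(|...)/(attr=value) filters, and a nested-group
# resolver following ibm-memberGroup links. The LDIF below is constructed from
# the page's entries, with the attributes the page elides omitted.
LDIF = """\
dn: cn=PureDevAllGroups,ou=Groups,o=IBM,c=US
cn: PureDevAllGroups
objectclass: top
objectclass: container
objectclass: ibm-nestedGroup
ibm-memberGroup: cn=PureSecGroup, ou=Groups,o=ibm,c=US

dn: cn=PureSecGroup,ou=Groups,o=IBM,c=US
cn: PureSecGroup
objectClass: GroupOfNames
member: cn=secdev1, ou=WebSphere, o=ibm, c=us
member: cn=secdev2, ou=webSphere, o=ibm, c=us

dn: cn=secdev1,ou=WebSphere,o=IBM,c=US
objectclass: person
objectclass: inetOrgPerson
cn: secdev1
uid: secdev1
"""
USER_BASE, GROUP_BASE = "ou=WebSphere,o=IBM,c=US", "ou=Groups,o=IBM,c=US"
USER_FILTER = "(&(uid={0})(|(objectClass=person)(objectClass=inetOrgPerson)))"
GROUP_FILTER = ("(&(cn={0})(|(objectClass=groupOfNames)"
                "(objectClass=groupOfUniqueNames)(objectClass=ibm-nestedGroup)))")
MEMBERSHIP_FILTER = ("(&(|(member={0})(uniquemember={0}))"
                     "(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))")
DN_ATTRS = {"member", "uniquemember", "ibm-membergroup"}  # DN-valued attributes

def norm_dn(dn):
    # Case-insensitive, blanks after RDN separators ignored: the entries above
    # mix 'o=IBM' with 'o=ibm' and ', ou=' with ',ou=', which must still match.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    entries = {}  # {normalised dn: {lowercase attribute: [values]}}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def escape_filter_value(value):
    # RFC 4515 escaping, so whatever replaces {0} stays one assertion value.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(text):
    # Tuple tree: ('&'|'|', [children]) or ('=', attr, value). Expects no
    # whitespace between components; unbalanced or operator-less groups raise.
    def node(pos):
        pos += 1  # skip the '('
        if text[pos:pos + 1] in ("&", "|"):
            op, pos, kids = text[pos], pos + 1, []
            while text[pos:pos + 1] == "(":
                kid, pos = node(pos)
                kids.append(kid)
            if text[pos:pos + 1] != ")":
                raise ValueError("unbalanced filter: %r" % text)
            return (op, kids), pos + 1
        end = text.find(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if end < 0 or not sep or "(" in attr:
            raise ValueError("bad assertion in %r" % text)
        return ("=", attr.lower(), value), end + 1
    tree, pos = node(0)
    if text[:1] != "(" or pos != len(text):
        raise ValueError("malformed filter: %r" % text)
    return tree

def matches(entry, tree):
    if tree[0] in ("&", "|"):
        combine = all if tree[0] == "&" else any
        return combine(matches(entry, kid) for kid in tree[1])
    _, attr, value = tree
    canon = norm_dn if attr in DN_ATTRS else str.lower
    return any(canon(v) == canon(value) for v in entry.get(attr, []))

def search(entries, base, pattern, arg):
    # Subtree search under base; arg is escaped before it replaces {0}.
    tree = parse_filter(pattern.replace("{0}", escape_filter_value(arg)))
    base = norm_dn(base)
    return [dn for dn, e in entries.items()
            if (dn == base or dn.endswith("," + base)) and matches(e, tree)]

def effective_groups(entries, uid):
    # Direct groups via the membership filter, then every group that transitively
    # names one of them in ibm-memberGroup, which is what server-side nesting adds.
    users = search(entries, USER_BASE, USER_FILTER, uid)
    if len(users) != 1:
        raise LookupError("expected one user for uid %r, got %r" % (uid, users))
    queue = search(entries, GROUP_BASE, MEMBERSHIP_FILTER, users[0])
    found = set(queue)
    while queue:
        child = queue.pop()
        for dn, e in entries.items():
            if dn not in found and child in map(norm_dn, e.get("ibm-membergroup", [])):
                found.add(dn)
                queue.append(dn)
    return sorted(entries[dn]["cn"][0] for dn in found)
```

Calling effective_groups(parse_ldif(LDIF), "secdev1") returns ['PureDevAllGroups', 'PureSecGroup']. Because the membership filter pattern only admits groupOfNames and groupOfUniqueNames, the direct search finds PureSecGroup alone; PureDevAllGroups is reached only through the ibm-memberGroup walk, which is why the group search filter must also admit objectClass=ibm-nestedGroup so that the parent group can be created and tested as an external (LDAP) group.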