Accessing LDAP attributes
When the IBM® WebSphere® Application Server Network Deployment user registry is configured as a federated repository, you can use the DirectoryAdmin tool to map the attributes. When this is done, the directory service is able to access the user and group attributes stored in the LDAP user registry. For example, when you search for user and group attributes, the mapped attributes are also retrieved. The IBM InfoSphere® Information Server user and group information includes the mapped attribute values from the federated repositories.
Procedure
- To use the DirectoryAdmin tool to set and display LDAP attribute mappings, refer to the WebSphere Application Server Network Deployment documentation to first configure the user registry as a federated repository, using the WebSphere Application Server Virtual Member Manager (VMM) interface.
- Once configured, use the DirectoryAdmin tool with the -set_attribute_map parameter to map attribute names in the federated repository configuration to the InfoSphere Information Server attribute names. The mapping configuration settings are stored in the repository.
- Restart WebSphere Application Server.
- After the mappings are set and the application server is restarted, you can use the DirectoryAdmin tool with the -display_attribute_map parameter to display them for verification.
After the mappings are made, searches on the mapped attribute values are done in the VMM, that is, on the external user registries for the mapped attributes. Attributes that are not mapped will continue to be used to search the internal user registry. The results of the external and internal user registry searches are merged into a single result set.
Syntax


DirectoryAdmin.sh
[-{set_attribute_map|sam}
-{user_map|um} user_mapping
-{group_map|gm} group_mapping]
[-{display_attribute_map|dam}]

DirectoryAdmin.bat
[-{set_attribute_map|sam}
-{user_map|um} user_mapping
-{group_map|gm} group_mapping]
[-{display_attribute_map|dam}]
Parameters
The following options are available for the DirectoryAdmin command.
- -{set_attribute_map|sam}
- The command parameter used to create mappings between VMM attributes and IBM InfoSphere Information Server attributes. Use this parameter in conjunction with the -user_map parameter, the -group_map parameter, or both.
- -{user_map|um} user_mapping
- The mapping to use to associate VMM user attributes with IBM InfoSphere Information Server user attributes. The user_mapping value is specified as ldapAttr=isfAttr[,ldapAttr=isfAttr]+, where ldapAttr is the name of the attribute in the VMM-configured registry, and isfAttr is the corresponding attribute in the IBM InfoSphere Information Server internal user registry. For a reference, see available VMM attributes. In WebSphere Application Server, it is also possible to configure different VMM attributes.
  isfAttr: Description (and a typical ldapAttr to use in the mapping, if any)
  - mail: email address (mail)
  - firstName: first name (givenName)
  - lastName: last name (sn)
  - title: title (title)
  - jobTitle: job title
  - homePhone: home phone
  - imName: instant messaging name
  - location: location
  - officePhone: office phone number (telephoneNumber)
  - cellPhone: mobile phone number (mobile)
  - pagerNumber: pager phone number (pager)
  - faxNumber: FAX phone number (facsimileTelephoneNumber)
  - businessAddr: business address (businessAddress)
  - organization: organization name
  If the -user_map argument is specified with no data, then the configuration setting will be cleared.
- -{group_map|gm} group_mapping
- The LDAP group mapping to map to the LDAP user. The group_mapping value is specified as ldapAttr=isfAttr[,ldapAttr=isfAttr]+, where ldapAttr is the name of the attribute in the VMM-configured registry, and isfAttr is the corresponding attribute in the IBM InfoSphere Information Server internal user registry.
  isfAttr: Description (and a typical ldapAttr to use in the mapping, if any)
  - name: group name (cn)
  - type: group type
  - webAddr: web address
  - location: location
  - mail: email address
  - organization: organization
  If the -group_map argument is specified with no data, then the configuration setting will be cleared.
- -{display_attribute_map|dam}
- Displays the current attribute mapping information.
Example
After configuring the IBM WebSphere Application Server user registry as a federated repository, run the DirectoryAdmin tool to set the mapping.
DirectoryAdmin.bat -sam -um "mail=mail,sn=lastName,givenName=firstName" -gm "cn=name"
Display the mapping to verify its settings.
DirectoryAdmin.bat -dam
Example output:
User attribute mappings:
mail = mail
sn = lastName
givenName = firstName
Group attribute mappings:
cn = name
Now, you can access the mapping in the user registry, for example to search for and retrieve LDAP user and group attributes.
The following example illustrates how to delete the user attribute mapping:
DirectoryAdmin.bat -sam -um
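Because a mistyped isfAttr name or an accidentally empty value changes what -set_attribute_map stores, a mapping string can be checked before it reaches the tool. The shell function below is an added example, not part of the IBM documentation or of DirectoryAdmin: it validates a user_mapping or group_mapping value against the ldapAttr=isfAttr syntax and the isfAttr names listed above. The function name check_attribute_map, its return codes, the rejection of duplicate isfAttr targets, and the treatment of the isfAttr tables as exhaustive are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight check for a -um / -gm mapping string.
# Allowed isfAttr names are those in the tables on this page; treating the
# tables as exhaustive is an assumption of this check.
USER_ATTRS="mail firstName lastName title jobTitle homePhone imName location officePhone cellPhone pagerNumber faxNumber businessAddr organization"
GROUP_ATTRS="name type webAddr location mail organization"

# check_attribute_map <user|group> <mapping>   (hypothetical helper name)
# Returns 0 = well formed, 1 = malformed, 2 = empty (would clear the setting).
check_attribute_map() {
    kind=$1
    rest=$2
    case $kind in
        user)  allowed=$USER_ATTRS ;;
        group) allowed=$GROUP_ATTRS ;;
        *)     echo "unknown map kind: $kind" >&2; return 1 ;;
    esac
    if [ -z "$rest" ]; then
        echo "empty $kind mapping: -sam would clear the stored setting" >&2
        return 2
    fi
    case $rest in
        ,*|*,|*,,*) echo "empty pair in: $rest" >&2; return 1 ;;
    esac
    seen=" "
    while [ -n "$rest" ]; do
        pair=${rest%%,*}                  # first ldapAttr=isfAttr pair
        case $rest in
            *,*) rest=${rest#*,} ;;       # drop that pair and its comma
            *)   rest= ;;
        esac
        case $pair in
            *[[:space:]]*|*=*=*|=*|*=) echo "bad pair: $pair" >&2; return 1 ;;
            *=*) ;;
            *)   echo "missing '=' in pair: $pair" >&2; return 1 ;;
        esac
        isf=${pair#*=}
        case " $allowed " in
            *" $isf "*) ;;
            *) echo "unknown $kind isfAttr: $isf" >&2; return 1 ;;
        esac
        # Policy of this example, not documented tool behaviour:
        # reject two ldapAttr names mapped to the same isfAttr.
        case $seen in
            *" $isf "*) echo "isfAttr mapped twice: $isf" >&2; return 1 ;;
        esac
        seen="$seen$isf "
    done
    return 0
}
```

Run the tool only when the function returns 0, and treat return code 2 as a request for explicit confirmation, since an empty -um or -gm value clears the stored mapping.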