LDAP Group Support

You can set permissions in the User Registry for a group the same way as you would for a user. You can distinguish between users and groups through the listed properties.

To ease administration, IBM® Security Verify Directory Integrator allows permissions to be configured for groups the same way as they are configured for users. You can set permissions in the User Registry using exactly the same syntax as you would for a user. The fact is that the User Registry does not care whether a security entity is a group or a user. The distinction between users and groups is drawn during the authentication process.

Group membership is configured in the LDAP directory, against which IBM® Security Verify Directory Integrator authenticates users. If a user is a member of some LDAP group, all permissions for that group are automatically inherited by the user when the user is authenticated. Group support is disabled by default, so you must turn it on.

The system properties that are related to LDAP group support are:

api.custom.authentication.ldap.groupsupport
This is an optional property - a boolean flag. If this property is missing, the default value "false" is used. Specifies whether group membership is resolved when authenticating users. If the group membership is resolved, it is taken into account during authorization.

api.custom.authentication.ldap.usermembershipattribute
This property is required only if api.custom.authentication.ldap.groupsupport is set to true. Specifies the name of the attribute of a user in LDAP that contains a list of the groups of which the user is a member.

api.custom.authentication.ldap.usermembershipattributecontent
This property is required only if api.custom.authentication.ldap.groupsupport is set to true. Specifies how groups are named in the membership attribute of a user. For example, if the user's membership attribute contains values that correspond to the "objectSID" attributes of groups, set this property to "objectSID". If the user's membership attribute contains distinguished names of groups, then set this property to "dn".

api.custom.authentication.ldap.groupnameattribute
This property is required only if api.custom.authentication.ldap.groupsupport is set to true. Specifies the name of a group's attribute in LDAP which corresponds to the way the group is named in the IBM® Security Verify Directory Integrator User Registry. For example, if LDAP groups are addressed in the IBM® Security Verify Directory Integrator registry by their common name, then set this property to "cn". If the User Registry contains the distinguished names of the groups, then set this property to "dn".

api.custom.authentication.ldap.groupsearchbase
This property is required only if api.custom.authentication.ldap.groupsupport is set to true. Represents the LDAP directory context, where groups are searched.

api.custom.authentication.ldap.binaryattributes
This is an optional property - it represents a list of space-separated attribute names. Specifies attributes which have non-string syntax.

Active Directory example

This example shows how to configure group support to work with an Active Directory server:

api.custom.authentication.ldap.groupsupport=true
api.custom.authentication.ldap.usermembershipattribute=tokenGroups
api.custom.authentication.ldap.usermembershipattributecontent=objectSID
api.custom.authentication.ldap.groupnameattribute=sAMAccountName
api.custom.authentication.ldap.groupsearchbase=DC=mytestadserver,DC=com
api.custom.authentication.ldap.binaryattributes=objectSID tokenGroups

The 'tokenGroups' attribute is a calculated attribute that exists for all users in Active Directory.

It contains a collection of the Security Identifiers (SIDs) for all security groups that the user is a member of.

This collection contains only security groups (distribution groups, used for email, are not included) and it contains all security groups including nested and primary groups.

The Security Identifiers are binary attributes so they must be set in the api.custom.authentication.ldap.binaryattributes property.

In the above example, groups are named by their "sAMAccountName" LDAP attribute in the IBM® Security Verify Directory Integrator User Registry.

IBM Security Directory Server example

This example shows how to configure group support to work with IBM Security Directory Server:

api.custom.authentication.ldap.groupsupport=true
api.custom.authentication.ldap.usermembershipattribute=ibm-allGroups
api.custom.authentication.ldap.usermembershipattributecontent=dn
api.custom.authentication.ldap.groupnameattribute=dn
api.custom.authentication.ldap.groupsearchbase=ou=mytestou,c=mytestcountry

For a given user entry, the "ibm-allGroups" operational attribute enumerates all static, dynamic and nested groups, to which that user has membership.
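The following is an added example, not IBM code: it models the resolution steps the properties describe for both the Active Directory and the IBM Security Directory Server configurations above, run against a constructed in-memory directory (the DNs, the group SID and the group names are made up). It also shows the one detail the binary case hides: a value such as an objectSID has to be hex-escaped byte by byte (RFC 4515) before it can be used in the equality filter that finds the group entry.

```python
import re

# Constructed sample directory (DN -> attributes); binary values are bytes.
# GROUP_SID is a made-up value laid out like an on-the-wire SID.
GROUP_SID = bytes.fromhex("0105000000000005" "15000000a1b2c3d4e5f60718190a0b0c5d040000")
DIRECTORY = {
    "CN=alice,CN=Users,DC=mytestadserver,DC=com": {"tokenGroups": [GROUP_SID]},
    "CN=TDI Admins,CN=Users,DC=mytestadserver,DC=com": {
        "objectSID": [GROUP_SID], "sAMAccountName": ["TDI Admins"]},
    "uid=bob,ou=mytestou,c=mytestcountry": {
        "ibm-allGroups": ["cn=operators,ou=mytestou,c=mytestcountry"]},
    "cn=operators,ou=mytestou,c=mytestcountry": {"cn": ["operators"]},
}

def filter_escape(value):
    """RFC 4515 escaping for an equality-filter value. A binary value (such as an
    objectSID) must be hex-escaped byte by byte, otherwise the search cannot match."""
    if isinstance(value, bytes):
        return "".join("\\%02x" % b for b in value)
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def in_base(dn, base):
    return dn.lower().endswith(base.lower())

def resolve_groups(props, user_dn, directory=DIRECTORY):
    """Read the user's membership attribute, locate each group entry below
    groupsearchbase, and name it the way the User Registry names groups.
    Returns (group_names, search_filters_used)."""
    if props.get("api.custom.authentication.ldap.groupsupport", "false") != "true":
        return [], []          # default: group membership is not resolved at all
    p = lambda key: props["api.custom.authentication.ldap." + key]
    content, name_attr = p("usermembershipattributecontent"), p("groupnameattribute")
    base = p("groupsearchbase")
    names, filters = [], []
    for value in directory.get(user_dn, {}).get(p("usermembershipattribute"), []):
        if content == "dn":    # the value already is the group's DN: no search needed
            hits = [value] if value in directory and in_base(value, base) else []
        else:                  # search the group base for (content=<escaped value>)
            filters.append("(%s=%s)" % (content, filter_escape(value)))
            hits = [dn for dn, attrs in directory.items()
                    if in_base(dn, base) and value in attrs.get(content, [])]
        for dn in hits:
            names.append(dn if name_attr == "dn" else directory[dn][name_attr][0])
    return names, filters
```

The names returned are what the User Registry entries for those groups must be spelled as; a group whose entry lies outside groupsearchbase is never resolved, which is why that base should cover every group you expect to grant permissions to.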

Note:

  1. IBM® Security Verify Directory Integrator determines group membership by directly examining the LDAP user entry (as opposed to indirectly determining membership by scanning through all groups). For this approach to work correctly, the user entry must have an attribute that enumerates the groups of which the user is a member. Group support works only with LDAP servers that provide such a membership attribute on each user entry.
  2. If you modify the group membership of a user, this does not affect existing Server API sessions. It is, however, reflected in sessions established after the modification.
  3. Group support is currently provided only for LDAP authentication. There is no group support for JAAS authentication or authentication with custom JavaScript.
  4. When SSL client authentication is enabled in the Server API, clients that do not specify a username are to be authenticated and authorized based on the owner of the SSL client certificate. If LDAP authentication with group support is also enabled (along with the SSL client authentication), group membership is resolved for the owner of the SSL client certificate.