Accessing LDAP attributes

When the IBM® WebSphere® Application Server Network Deployment user registry is configured as a federated repository, you can use the DirectoryAdmin tool to map attributes of that repository to IBM InfoSphere® Information Server attributes. Once mapped, the directory service can read the user and group attributes that are stored in the LDAP user registry: when you search for user and group attributes, the mapped attributes are retrieved as well, and InfoSphere Information Server user and group information includes the attribute values that come from the federated repositories.

Procedure

  1. Configure the user registry as a federated repository by using the WebSphere Application Server Virtual Member Manager (VMM) interface. Refer to the WebSphere Application Server Network Deployment documentation for the steps. The DirectoryAdmin tool can set and display LDAP attribute mappings only after this configuration is in place.
  2. Run the DirectoryAdmin tool with the -set_attribute_map parameter to map attribute names in the federated repository configuration to InfoSphere Information Server attribute names. The mapping settings are stored in the repository.
  3. Restart WebSphere Application Server. The new mappings do not take effect until the application server is restarted.
  4. After the restart, run the DirectoryAdmin tool with the -display_attribute_map parameter and confirm that the displayed mappings are the ones you intended to set.

After the mappings are set, searches on mapped attributes are performed through VMM, that is, against the external user registries that hold the mapped attributes. Searches on attributes that are not mapped continue to go to the internal user registry. The results of the external and internal user registry searches are merged into a single result set, so a search on a mapped attribute returns nothing unless the ldapAttr name matches an attribute that the VMM-configured registry actually exposes.

Syntax

Linux and UNIX:
DirectoryAdmin.sh
  [-{set_attribute_map|sam}
    -{user_map|um} user_mapping
    -{group_map|gm} group_mapping]
  [-{display_attribute_map|dam}]  
Windows:
DirectoryAdmin.bat
  [-{set_attribute_map|sam}
    -{user_map|um} user_mapping
    -{group_map|gm} group_mapping]
  [-{display_attribute_map|dam}]  

Parameters

The following options are available for the DirectoryAdmin command.
-{set_attribute_map|sam}
The command parameter that creates mappings between VMM attributes and IBM InfoSphere Information Server attributes. Use it together with the -user_map parameter, the -group_map parameter, or both.
-{user_map|um} user_mapping
The mapping that associates VMM user attributes with IBM InfoSphere Information Server user attributes. The user_mapping value is specified as ldapAttr=isfAttr[,ldapAttr=isfAttr]+, where ldapAttr is the name of the attribute as exposed by the VMM-configured registry, and isfAttr is the name of the corresponding attribute in the IBM InfoSphere Information Server internal user registry. For a reference of the available VMM attributes, see http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/topic/com.ibm.websphere.wim.doc/dataobjectperson.html. Additional VMM attributes can also be configured in WebSphere Application Server.
isfAttr        Description               Typical ldapAttr to use in the mapping (if any)
mail           email address             mail
firstName      first name                givenName
lastName       last name                 sn
title          title                     title
jobTitle       job title
homePhone      home phone
imName         instant messaging name
location       location
officePhone    office phone number       telephoneNumber
cellPhone      mobile phone number       mobile
pagerNumber    pager phone number        pager
faxNumber      FAX phone number          facsimileTelephoneNumber
businessAddr   business address          businessAddress
organization   organization name

If the -user_map argument is specified with no value, the stored user attribute mapping is cleared.

-{group_map|gm} group_mapping
The mapping that associates VMM group attributes with IBM InfoSphere Information Server group attributes. The group_mapping value is specified as ldapAttr=isfAttr[,ldapAttr=isfAttr]+, where ldapAttr is the name of the attribute as exposed by the VMM-configured registry, and isfAttr is the name of the corresponding attribute in the IBM InfoSphere Information Server internal user registry.
isfAttr        Description               Typical ldapAttr to use in the mapping (if any)
name           group name                cn
type           group type
webAddr        web address
location       location
mail           email address
organization   organization

If the -group_map argument is specified with no value, the stored group attribute mapping is cleared.

-{display_attribute_map|dam}
Displays the current attribute mapping information.

Example

After configuring the IBM WebSphere Application Server user registry as a federated repository, run the DirectoryAdmin tool to set the mapping.

DirectoryAdmin.bat -sam -um "mail=mail,sn=lastName,givenName=firstName" -gm "cn=name"

Display the mapping to verify its settings.

DirectoryAdmin.bat -dam

Example output:

User attribute mappings:
   mail = mail
   sn = lastName
   givenName = firstName
Group attribute mappings:
   cn = name

After WebSphere Application Server has been restarted, the mapped attributes are available through the user registry, for example when you search for and retrieve LDAP user and group attributes.

The following example illustrates how to delete the user attribute mapping:

DirectoryAdmin.bat -sam -um
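The mapping syntax in the Parameters section (ldapAttr=isfAttr[,ldapAttr=isfAttr]+) and the verification step with -display_attribute_map are easy to get wrong by hand: an unknown isfAttr, a pair with a missing "=", or an accidental empty -um value (which, as shown above, clears the mapping). The following script is an added example and is not part of the IBM documentation or the DirectoryAdmin tool. It checks a mapping string against the isfAttr names listed on this page before you pass it to -set_attribute_map, parses the output of -display_attribute_map into pairs, and compares it with the mapping you intended. The isfAttr lists are taken from the tables above; the sample -dam output is constructed from the Example section; the ASB_BIN location in the usage comment is an assumption about your installation.

```shell
#!/bin/sh
# Added example (not IBM's code): validate a DirectoryAdmin attribute-mapping
# string and verify -display_attribute_map output against it.
# Assumption: the isfAttr lists below are the ones from the Parameters section.

USER_ISF_ATTRS="mail firstName lastName title jobTitle homePhone imName location officePhone cellPhone pagerNumber faxNumber businessAddr organization"
GROUP_ISF_ATTRS="name type webAddr location mail organization"

# validate_mapping user|group "ldapAttr=isfAttr[,ldapAttr=isfAttr]..."
# Succeeds when every pair is well formed, every isfAttr is a known target for
# that object type, and no isfAttr is the target of two pairs. An empty string
# is rejected on purpose: passed to -um or -gm it clears the stored mapping.
validate_mapping() {
  local kind mapping allowed old_ifs pair ldap isf seen
  kind=$1; mapping=$2
  case $kind in
    user)  allowed=$USER_ISF_ATTRS ;;
    group) allowed=$GROUP_ISF_ATTRS ;;
    *) echo "unknown mapping kind: $kind" >&2; return 1 ;;
  esac
  if [ -z "$mapping" ]; then
    echo "empty $kind mapping: DirectoryAdmin would clear the current map" >&2
    return 1
  fi
  seen=" "
  old_ifs=$IFS; IFS=,
  for pair in $mapping; do
    IFS=$old_ifs
    case $pair in
      *=*) ;;
      *) echo "malformed pair, expected ldapAttr=isfAttr: '$pair'" >&2; return 1 ;;
    esac
    ldap=${pair%%=*}; isf=${pair#*=}
    if [ -z "$ldap" ] || [ -z "$isf" ]; then
      echo "empty attribute name in pair: '$pair'" >&2; return 1
    fi
    case " $allowed " in
      *" $isf "*) ;;
      *) echo "'$isf' is not a $kind isfAttr (in pair: $pair)" >&2; return 1 ;;
    esac
    case $seen in
      *" $isf "*) echo "isfAttr '$isf' mapped twice (second: $pair)" >&2; return 1 ;;
    esac
    seen="$seen$isf "
  done
  IFS=$old_ifs
  return 0
}

# dam_section user|group "<-display_attribute_map output>"
# Prints the pairs of one section as a comma-separated ldapAttr=isfAttr list,
# in display order ("   sn = lastName" becomes "sn=lastName").
dam_section() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^User attribute mappings:/  { sec = "user";  next }
    /^Group attribute mappings:/ { sec = "group"; next }
    sec == want && /=/ {
      gsub(/[ \t]/, "")
      out = (out == "" ? $0 : out "," $0)
    }
    END { print out }'
}

# Sort the pairs so that two mappings compare equal regardless of order.
normalize_mapping() {
  printf '%s\n' "$1" | tr ',' '\n' | sort | paste -s -d ',' -
}

# mapping_applied user|group "<intended mapping>" "<-dam output>"
# Succeeds only when the displayed section holds exactly the intended pairs.
mapping_applied() {
  [ "$(normalize_mapping "$2")" = "$(normalize_mapping "$(dam_section "$1" "$3")")" ]
}

# Constructed sample of -display_attribute_map output (shape taken from the
# Example section of this page), so the functions can be exercised offline.
SAMPLE_DAM='User attribute mappings:
   mail = mail
   sn = lastName
   givenName = firstName
Group attribute mappings:
   cn = name'

# Typical use around the real tool. ASB_BIN (directory that holds
# DirectoryAdmin.sh) is an assumption about your installation:
#   UM="mail=mail,sn=lastName,givenName=firstName"; GM="cn=name"
#   validate_mapping user "$UM" && validate_mapping group "$GM" &&
#     "$ASB_BIN/DirectoryAdmin.sh" -sam -um "$UM" -gm "$GM"
#   (restart WebSphere Application Server, then:)
#   mapping_applied user "$UM" "$("$ASB_BIN/DirectoryAdmin.sh" -dam)" ||
#     echo "user attribute mapping was not applied" >&2
```

The validation deliberately treats an empty mapping as an error rather than as a request to clear the map: if you really want to clear it, run DirectoryAdmin with a bare -um or -gm as in the last example above, not through a variable that happened to be unset. The comparison in mapping_applied is order-independent, because the tool prints the pairs in its own order, but it is exact in content, so a pair that silently failed to apply is reported.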