iPlanet LDAP Server implements dynamic LDAP groups through the groupOfURLs object class. An entry of class groupOfURLs can carry multiple memberURL attributes, each holding an LDAP URL that selects a set of entries in the directory; the group's members are the union of those sets.
In the example below, the TestDynamic group has a single memberURL attribute:
memberURL ldap:///dc=oracle,dc=com??sub?(&(objectclass=person)(description=dynUser))
Every user whose description attribute is dynUser belongs to this group.
In this article we will configure WebLogic Server with an iPlanet Authenticator that uses dynamic LDAP groups.
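To make the membership rule concrete, here is an added example (not from the original post or from WebLogic/iPlanet) that models how an authenticator resolves a groupOfURLs entry: it parses each memberURL into base DN, scope and filter, then returns the union of the directory entries each URL selects. The DIRECTORY dictionary and the extra users alice and bob are constructed sample data; the filter parser handles only &, |, equality and presence.

```python
# Added example (not from the original post): models how an authenticator resolves
# groupOfURLs membership as the union of entries each memberURL selects. DIRECTORY is constructed data.
DIRECTORY = {
    "uid=faisal,ou=People,dc=oracle,dc=com": {"objectclass": ["top", "person"], "description": ["dynUser"]},
    "uid=alice,ou=People,dc=oracle,dc=com": {"objectclass": ["top", "person"]},
    "uid=bob,ou=Staff,dc=oracle,dc=com": {"objectclass": ["top", "person"], "description": ["dynUser"]},
    "cn=TestDynamic,ou=Groups,dc=oracle,dc=com": {"objectclass": ["top", "groupOfURLs"], "memberurl": [
        "ldap:///dc=oracle,dc=com??sub?(&(objectclass=person)(description=dynUser))"]},
}

def parse_ldap_url(url):
    """Split an RFC 4516 URL into (base DN, scope, filter); the host part is ignored."""
    fields = url.split("/", 3)[3].split("?", 3) + [""] * 4   # dn ? attrs ? scope ? filter
    base, _attrs, scope, flt = fields[:4]
    return base, scope or "base", flt or "(objectclass=*)"

def parse_filter(s, i=0):
    """Parse a simple RFC 4515 filter (&, |, attr=value, attr=*) into a tree."""
    i += 1                                   # skip '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1             # skip ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])
    _, attr, value = node
    values = attrs.get(attr, [])             # "*" is a presence test; equality is case-insensitive
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def in_scope(dn, base, scope):
    dn_rdns = [r.strip().lower() for r in dn.split(",")]
    base_rdns = [r.strip().lower() for r in base.split(",")]
    depth = len(dn_rdns) - len(base_rdns)
    return dn_rdns[-len(base_rdns):] == base_rdns and {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def dynamic_members(group_dn, directory=DIRECTORY):
    """Union of the entries selected by every memberURL on the group."""
    members = set()
    for url in directory[group_dn].get("memberurl", []):
        base, scope, flt = parse_ldap_url(url)
        tree, _ = parse_filter(flt)
        members |= {dn for dn, attrs in directory.items() if in_scope(dn, base, scope) and matches(tree, attrs)}
    return members
```

Note that bob is a member even though he sits under ou=Staff, because the URL's scope is sub over dc=oracle,dc=com; since the filter alone decides membership, the attribute it keys on (here description) should be writable only by administrators.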
Create a user in the iPlanet Server:
uid=faisal,ou=People,dc=oracle,dc=com
Go to the Advanced Properties of the user.
Click Add Attribute and select description.
Enter dynUser as the description and click OK.
Create a group:
cn=TestDynamic,ou=Groups,dc=oracle,dc=com
Select Members, then Dynamic Members, and click Add.
Enter the following LDAP URL:
ldap:///dc=oracle,dc=com??sub?(&(objectclass=person)(description=dynUser))
Click Test.
Create an iPlanetAuthenticator in WebLogic Server.
Under Provider Specific, set:
Principal: uid=faisal,ou=People,dc=oracle,dc=com
Host: localhost
Port: 500 (the port on which your LDAP server is listening)
User Base DN: ou=People,dc=oracle,dc=com
Group Base DN: ou=Groups,dc=oracle,dc=com
Credential: password
Leave the other settings at their defaults.
The iPlanet Authenticator's default settings already determine dynamic group membership.
Restart the server, go to the Security Realm and open the Users tab.
Check the groups that faisal belongs to.
WebLogic Server has successfully determined the dynamic membership.