IBM BS029ML - WebSphere Portal Server Self Help Manual page 58

[Figure 2-5 LDAP Basic DIT Design: base dc=uk,dc=acme,dc=com; container ou=people holding uid=user1, uid=user2, uid=user3, uid=user4, ...]
LDAP schema design
By default, the WebSphere Portal Server configuration assumes that the underlying LDAP
directory schema uses the object class applicable to the selected LDAP directory type and
version, for example inetOrgPerson when using IBM Tivoli Directory Server (TDS) V6.0. This is
sufficient for most organizations, because inetOrgPerson was defined to meet the requirements
of typical internet and intranet directory service deployments. In some cases, however, it is
not sufficient. For example, it may be necessary to store an employee's Account Number,
Insurance Number and Employment Band, and these attributes do not exist in the standard
inetOrgPerson object class.
Modifying a default object class to add or change an attribute is not recommended. If the
definition of one of the default attributes, for example givenName, needs to change, we
recommend creating a new attribute instead, and such an attribute should only ever be added
to a new custom object class. Object classes can be derived from other object classes; this is
known as subclassing. An object class AbcPerson could be defined as a subclass of the
inetOrgPerson object class. AbcPerson would then have all the attributes of inetOrgPerson and
could add further attributes such as Account Number, Insurance Number and Employment Band
(each new attribute and object class needs its own OID, taken from a namespace registered to
your organization). Keeping custom definitions in a subclass prevents conflicts when a new
version of the directory server is installed and the default schema is refreshed.
One special object class, top, has no superior. top includes the mandatory objectClass
attribute, so the attributes of top appear in every directory entry.
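To make the subclassing rule concrete, the following Python is an added example and is not part of this guide or of any IBM product. It parses object class definitions written in the standard RFC 4512 description syntax, resolves inherited MUST and MAY attributes up the SUP chain to top, and checks constructed entries the way a directory with schema checking enabled does on add. The standard classes carry their real OIDs with abbreviated MAY lists; abcPerson, its three attributes, the placeholder OID 1.3.6.1.4.1.99999.1.1.1 and the two sample entries are assumptions made for the example.

```python
"""Object class inheritance and entry validation for an LDAP schema.
Added example; abcPerson and the sample entries are constructed."""
import re

# Object class definitions in RFC 4512 description syntax. The standard
# classes use their real OIDs (MAY lists abbreviated). abcPerson is the
# custom subclass from the text; its OID 1.3.6.1.4.1.99999.1.1.1 is a
# placeholder and must come from your own registered arc in practice.
SCHEMA_TEXT = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l ) )
( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( uid $ mail $ givenName $ employeeNumber ) )
( 1.3.6.1.4.1.99999.1.1.1 NAME 'abcPerson' SUP inetOrgPerson STRUCTURAL MAY ( accountNumber $ insuranceNumber $ employmentBand ) )
"""

# One object class description per match: OID, NAME, optional SUP, kind,
# optional MUST and MAY (either a single name or a '$'-separated list).
OC_RE = re.compile(
    r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>\w+)'"
    r"(?:\s+SUP\s+(?P<sup>\w+))?"
    r"(?:\s+(?P<kind>ABSTRACT|STRUCTURAL|AUXILIARY))?"
    r"(?:\s+MUST\s+(?P<must>\([^)]*\)|\w+))?"
    r"(?:\s+MAY\s+(?P<may>\([^)]*\)|\w+))?"
    r"\s*\)"
)


def _attrs(group):
    """Turn 'objectClass' or '( sn $ cn )' into a set of attribute names."""
    if not group:
        return set()
    return {a.strip() for a in group.strip("() ").split("$") if a.strip()}


def parse_schema(text):
    """Map lowercase object class name -> {'sup', 'must', 'may'}."""
    schema = {}
    for m in OC_RE.finditer(text):
        schema[m["name"].lower()] = {
            "sup": (m["sup"] or "").lower() or None,
            "must": _attrs(m["must"]),
            "may": _attrs(m["may"]),
        }
    return schema


def effective_attrs(schema, oc):
    """Walk the SUP chain up to top, accumulating inherited MUST and MAY.
    Because every chain ends at top, objectClass is always in MUST."""
    must, may = set(), set()
    while oc:
        cls = schema[oc]
        must |= cls["must"]
        may |= cls["may"]
        oc = cls["sup"]
    return must, may


def validate(schema, entry):
    """Return schema violations for an entry (dict of lowercase attr -> values),
    the checks a server with schema checking enabled performs on add."""
    problems, must, may = [], set(), set()
    for oc in entry.get("objectclass", []):
        if oc.lower() not in schema:
            problems.append(f"unknown object class {oc}")
            continue
        m, a = effective_attrs(schema, oc.lower())
        must |= m
        may |= a
    required = {x.lower() for x in must}
    allowed = required | {x.lower() for x in may}
    problems += [f"missing required attribute {x}" for x in sorted(required - set(entry))]
    problems += [f"attribute {x} not allowed by the entry's object classes"
                 for x in sorted(set(entry) - allowed)]
    return problems


SCHEMA = parse_schema(SCHEMA_TEXT)

# Constructed entries (attribute names lowercased; LDAP attribute names are
# case-insensitive). Both try to store the custom accountNumber attribute.
STOCK_ENTRY = {
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "cn": ["User One"], "sn": ["One"], "uid": ["user1"], "accountnumber": ["A-1001"],
}
CUSTOM_ENTRY = dict(STOCK_ENTRY,
                    objectclass=STOCK_ENTRY["objectclass"] + ["abcPerson"],
                    insurancenumber=["NI-0042"])

if __name__ == "__main__":
    print("inetOrgPerson only:", validate(SCHEMA, STOCK_ENTRY))
    print("with abcPerson    :", validate(SCHEMA, CUSTOM_ENTRY))
    print("abcPerson MUST    :", sorted(effective_attrs(SCHEMA, "abcperson")[0]))
```

The plain inetOrgPerson entry is rejected for carrying accountNumber, which is the violation a schema-checking directory returns when a custom attribute is pushed into a standard class without a subclass; the same data under abcPerson passes, and objectClass, sn and cn are required in both cases because abcPerson inherits them through inetOrgPerson, organizationalPerson, person and top.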
LDAP directory server selection
Make no mistake: not all LDAP directory servers are created equal. Tivoli Directory Server
(TDS) was designed from inception as a standards-compliant enterprise directory server. One
of the main strengths of TDS over other directories is that its data is held in an underlying
DB2 database. The DB2 database engine provides scalability to tens of millions of entries and
to groups with hundreds of thousands of members. Compared with directories that keep their
data in file-system based stores, this alone gives a distinct performance and integrity
advantage.
The Lotus Domino LDAP implementation supports only the indirect method of locating a user's
group memberships. It is therefore not possible to determine the group membership of a given
user by reading a membership attribute from the user entry itself. Instead, group membership is
achieved by
[Figure 2-5, remaining labels: domain components dc=com > dc=acme > dc=uk, dc=de, dc=hk; under dc=uk the containers ou=people (uid=user1, uid=user2, uid=user3, uid=user4, ...) and ou=groups (cn=groupA, cn=groupB, cn=groupC, cn=groupD, ...)]
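The direct and indirect membership lookups contrasted above for Domino, as an added Python example that is not from this guide or from any IBM or Domino code. It builds a constructed in-memory copy of the Figure 2-5 DIT in which the user entries carry no membership attribute, so the direct lookup (reading an assumed memberOf attribute from the user entry) returns nothing, while the indirect lookup performs the equivalent of an LDAP search of the ou=groups subtree with the filter (member=<userDN>), normalising DNs before comparison and optionally repeating the search for nested groups. The entries, the DN spellings and the nested group are assumptions made for the example.

```python
"""Group membership lookup two ways: direct (attribute on the user entry) and
indirect (search the group entries for the user's DN). Added example; the
DIT below is constructed after Figure 2-5 and is not from a real directory."""

BASE = "dc=uk,dc=acme,dc=com"

# Constructed sample entries. The users carry no memberOf-style attribute,
# which is the situation described for a directory that only supports the
# indirect method. DN spelling and spacing in the member values is varied on
# purpose, because a naive string comparison would miss those memberships.
DIT = {
    f"uid=user1,ou=people,{BASE}": {"objectclass": ["inetOrgPerson"], "uid": ["user1"]},
    f"uid=user2,ou=people,{BASE}": {"objectclass": ["inetOrgPerson"], "uid": ["user2"]},
    f"cn=groupA,ou=groups,{BASE}": {
        "objectclass": ["groupOfNames"],
        "member": [f"uid=user1,ou=people,{BASE}", f"uid=user2,ou=people,{BASE}"]},
    f"cn=groupB,ou=groups,{BASE}": {
        "objectclass": ["groupOfNames"],
        "member": [f"UID=User1, OU=People, {BASE}"]},
    f"cn=groupC,ou=groups,{BASE}": {
        "objectclass": ["groupOfNames"],
        "member": [f"cn=groupB,ou=groups,{BASE}"]},  # nested: groupB is a member of groupC
}

# The same user in a directory that does maintain a membership attribute on
# the user entry (assumed name memberOf), to show the direct method succeeding.
DIT_WITH_MEMBEROF = {
    f"uid=user1,ou=people,{BASE}": {
        "uid": ["user1"], "memberof": [f"cn=groupA,ou=groups,{BASE}"]},
}


def norm_dn(dn):
    """Canonical form for DN comparison: lowercase, no blanks around '=' or ','.
    Escaped commas inside attribute values are not handled (simplification)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns).lower()


def groups_direct(dit, user_dn, attr="memberof"):
    """Direct method: read the membership attribute on the user entry.
    Returns None when the entry does not carry such an attribute."""
    entry = dit.get(user_dn)
    if entry is None or attr not in entry:
        return None
    return sorted(norm_dn(g) for g in entry[attr])


def groups_indirect(dit, user_dn, group_base=f"ou=groups,{BASE}", nested=True):
    """Indirect method: search the groups subtree for entries whose member
    attribute contains the user's DN, i.e. the LDAP search
    base=ou=groups scope=sub filter=(member=<userDN>). With nested=True the
    search is repeated for every group found so that groups containing those
    groups are picked up too. Returns (sorted group DNs, entries examined)."""
    group_base = norm_dn(group_base)
    pending = {norm_dn(user_dn)}
    found, examined = set(), 0
    while pending:
        target = pending.pop()
        for dn, entry in dit.items():
            ndn = norm_dn(dn)
            if not (ndn == group_base or ndn.endswith("," + group_base)):
                continue  # outside the search base
            examined += 1
            members = {norm_dn(m) for m in entry.get("member", [])}
            if target in members and ndn not in found:
                found.add(ndn)
                if nested:
                    pending.add(ndn)
    return sorted(found), examined


if __name__ == "__main__":
    user1 = f"uid=user1,ou=people,{BASE}"
    print("direct   :", groups_direct(DIT, user1))
    print("indirect :", groups_indirect(DIT, user1))
    print("direct with memberOf:", groups_direct(DIT_WITH_MEMBEROF, user1))
```

The examined count returned by groups_indirect makes the cost visible: one pass over every group entry per lookup, and one more pass per group found when nesting is resolved, which is why a directory that offers only this method needs a well-indexed member attribute and a narrow search base.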
