Synchronizing Tivoli dynamic LDAP groups with User Management | LiveCycle ES (8.x) and LiveCycle ES2 (9.0)Products affected
Background
While members of a static LDAP group are listed individually, a dynamic LDAP group uses a search query to define and list its members. Thus, the results of this search query determine the members of the dynamic LDAP group.
User Management in LiveCycle ES2 does not currently support dynamic LDAP groups. However, if a dynamic LDAP group contains an attribute which lists the Distinguished Names (DNs) of the members of a group, User Management in LiveCycle ES or LiveCycle ES2 can successfully synchronize that group.
Dynamic LDAP groups in Tivoli LDAP Server have the ibm-allMembers operational attribute that displays all members of a group. These LDAP groups can therefore be successfully synchronized with User Management in LiveCycle ES or LiveCycle ES2.
Solution
To synchronize dynamic LDAP groups with User Management in LiveCycle ES or LiveCycle ES2 using a Tivoli LDAP Server, configure the directory group settings for the enterprise domain such that the LDAP search filter fetches dynamic groups. While creating or editing an enterprise domain, follow these steps in LiveCycle Administration Console under Settings > User Management > Domain Management:
- Change the value of the Member DN attribute on the Group Settings page from member to ibm-allMembers.
- Change the Search Filter settings on the Group Settings page from (&(objectclass=groupOfNames)) to (&(objectclass=groupOfURLs)). For Tivoli, the objectClass for dynamic LDAP Groups is groupOfURLs.
Note: Dynamic LDAP groups are different from the dynamic groups created in LiveCycle ES2 through User Management.
Doc ID
(cpsid_84729)
Last updated
2011-01-25
OS
AIX
Linux
Windows (All)
Solaris
Products affected
