Configuring LDAP User Group Mode

The group mode and related settings are specified in the Configuration Information field of the Security Manager definition in the Enterprise Server Administration web interface:

[LDAP]
group type=MF|custom|AD|both
group class=group-class-name
group member attribute=member-attribute-name

group type

The group type configuration setting has four possible values:

MF
Is the default and enables Micro Focus group mode.
custom
Enables custom group mode.
AD
Enables Active Directory group mode.
both
Enables combined group mode.

The default group mode is MF. See Using Non-Micro Focus Group Objects with LDAP-based Security for more information on the group modes.

Note: For AD and combined modes it might be necessary to specify the base and container settings as well. See the Other configuration settings section below.

group class and group member attribute

In custom mode, use these to set the name of the LDAP object class containing group information, and the name of the LDAP attribute listing group members.

In combined mode, these attributes apply only to non-AD groups.

The default for group class is microfocus-MFDS-Group and for group member attribute is microfocus-MFDS-Group-Member.

Other configuration settings

When using a group type other than MF, the group container is often in a different part of the LDAP repository hierarchy than the other Enterprise Server LDAP data. This might require the base, user container, group container, and resource container to be configured appropriately.

In some cases, it might be necessary (or simplest) to set base to an empty value, and then set each of the container settings to the full Distinguished Name (DN) of the associated container object.

With the combined groups mode (group type=both), Active Directory groups and custom groups can be in different container objects. To enable the MLDAP ESM Module to find groups in both containers, set group container to the common ancestor of the two group containers, and enable subtree searching with search scope=tree.

Note: If the base is specified, do not include this component when setting the group container.
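The following Python helper is an added example, not part of the product or its documentation. It derives the group container for combined mode as the deepest common ancestor of the two group containers, so that the subtree search covers no more of the directory than it has to, and drops the base component when a base is set. The DNs are constructed, the function names are hypothetical, and writing an empty base as "base=" is an assumption about the syntax.

```python
# Added example: function names and DNs are constructed, not product code.

def split_dn(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas inside a value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(cur).strip())
            cur = []
            continue
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def _norm(rdn):
    """Case-insensitive comparison key (assumes case-insensitive naming attributes)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())

def common_ancestor(dn_a, dn_b):
    """Deepest container DN that both DNs sit under ('' if they share none)."""
    shared = []
    for x, y in zip(reversed(split_dn(dn_a)), reversed(split_dn(dn_b))):
        if _norm(x) != _norm(y):
            break
        shared.append(x)
    return ",".join(reversed(shared))

def relative_to_base(dn, base):
    """Drop the trailing base component from dn, as the note on base requires."""
    d, b = split_dn(dn), split_dn(base)
    if not b:
        return ",".join(d)
    if len(b) > len(d) or [_norm(r) for r in d[-len(b):]] != [_norm(r) for r in b]:
        raise ValueError(f"{dn!r} is not under base {base!r}")
    return ",".join(d[:len(d) - len(b)])

def combined_mode_section(ad_groups_dn, custom_groups_dn, base=""):
    """Build the [LDAP] lines for group type=both from the two group containers."""
    ancestor = common_ancestor(ad_groups_dn, custom_groups_dn)
    if not ancestor:
        raise ValueError("group containers share no ancestor; one subtree search cannot cover both")
    return "\n".join(["[LDAP]", "group type=both", f"base={base}",
                      f"group container={relative_to_base(ancestor, base)}",
                      "search scope=tree"])

if __name__ == "__main__":
    print(combined_mode_section("OU=AD Groups,OU=Security,DC=example,DC=com",  # constructed
                                "CN=ES Groups,OU=Security,DC=example,DC=com",  # constructed
                                base="DC=example,DC=com"))
```

If the common ancestor turns out to be the directory suffix itself, the subtree search will consider every group object beneath it, so review which groups become visible before using that value.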

If you are using more than one Security Manager, you might need to enable federation in the region's security configuration. See Security Federation for more information.