Use of LookAside=true in Portal v6
| I've recently externalised security for Portal v6 to Tivoli Directory Server as my LDAP repository running on DB2.
It all works perfectly fine.
When I add users to Portal, however, or to LDAP, it appears in both resources. Is this what is meant by LookAside ? I was expecting that when I added users to LDAP or Portal, these users would only appear in LDAP.
My goal with the architecture is to have all permissions over content resource assigned to groups, with user participation in groups being defined within LDAP as my organisation changes.
Can anyone give me some clarity around how it should be working, whether my config might not be right (LookAside=true at present) or whether I need to perform additional steps.
Thx
| |
| Dinesh Subramanian 2007-03-02, 1:17 pm |
| Hi,
When portal is installed, by default it would configure the wmm database as the user registry. When you externalize it with TDS (with LookAside=true), TDS becomes your primary LDAP server for your portal. Any addition and deletion of users or groups will be reflected in TDS. However, portal maintains a pointer to the wmm user registry. This can be optionally used for configuring your content management applications. Refer to <PORTAL_HOME>/wmm/wmm_LDAP_LA_IDS.xml to know the runtime LDAP referral structure.
Hope it helps.
Dinesh S
| |
|
| Thanks for that.
Does Portal have to maintain that pointer ?
If my goal is to maintain content access at the group level, and have group privileges allow / disallow different levels of user access, which is maintained in LDAP, is there a way I can only represent Groups in WMM and not users, and allow group/user memberships to be defined purely in LDAP ?
Also, can you extend the attributes of a user profile beyond what Portal allows in its user membership ? E.g. If I want to store Business Unit, Position, etc - if I define that in LDAP, will portal recognise it and if so, how ?
| |
|
| Sorry, I should have mentioned that my other goal is to prevent portal administrators from assigning privileges to individual users, only to groups. With user info appearing in the Portal WMM, this becomes a risk.
| |
| Wayne Jones 2007-03-05, 1:33 am |
| The lookaside database is used to store user attributes which you do not want to or cannot store in ldap. You didn't mention this as one of your reasons for setting lookaside=true. If you do not have this requirement, I would not recommend using the lookaside database. It would add complexity to the architecture without adding value.
It is not possible to limit a portal administrator from assigning permissions to groups except by policy. This is definitely the policy which should be followed but there isn't a way to enforce it. If the admin can assign permissions to groups then they can assign to users as well.
You can export the page/portlet permissions to xml and manually verify user permissions are not configured. You can also turn on auditing in the portal to record the changes that are made and review the audit logs.
| |
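The check suggested in the reply above (export the page/portlet permissions to XML and verify that no user permissions are configured) can be scripted. The following is an added example, not part of the original thread and not IBM code: the `access-control`, `role` and `mapping` element names and the `subjecttype="user_group"` value are assumptions modeled on an XMLAccess-style export and must be adjusted to the real export file, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: role mappings carry subjecttype="user_group" for groups, as in
# XMLAccess-style exports; adjust to match your own export file.
GROUP_TYPE = "user_group"

# Constructed sample export (not taken from a real portal).
SAMPLE_EXPORT = """\
<request type="update">
 <portal action="locate">
  <content-node action="update" uniquename="hr.home">
   <access-control>
    <role actionset="User" update="set">
     <mapping subjectid="cn=hr-staff,cn=groups,dc=example,dc=com" subjecttype="user_group" update="set"/>
    </role>
    <role actionset="Editor" update="set">
     <mapping subjectid="uid=jsmith,cn=users,dc=example,dc=com" subjecttype="user" update="set"/>
    </role>
   </access-control>
  </content-node>
  <portlet action="update" uniquename="hr.payslip">
   <access-control>
    <role actionset="User" update="set">
     <mapping subjectid="cn=hr-staff,cn=groups,dc=example,dc=com" subjecttype="user_group" update="set"/>
    </role>
   </access-control>
  </portlet>
 </portal>
</request>
"""

def find_non_group_mappings(xml_text):
    """Return (resource tag, resource name, role, subject, subject type) for
    every role mapping whose subject is not explicitly a group."""
    findings = []
    for resource in ET.fromstring(xml_text).iter():
        for acl in resource.findall("access-control"):
            for role in acl.findall("role"):
                for mapping in role.findall("mapping"):
                    # Fail closed: a missing or unknown subject type is reported too.
                    if mapping.get("subjecttype") != GROUP_TYPE:
                        findings.append((resource.tag, resource.get("uniquename", "?"),
                                         role.get("actionset"), mapping.get("subjectid"),
                                         mapping.get("subjecttype")))
    return findings

if __name__ == "__main__":
    for finding in find_non_group_mappings(SAMPLE_EXPORT):
        print("direct (non-group) assignment:", *finding)
```

Running this against each periodic export and diffing the findings complements the audit-log review mentioned in the same reply.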
|
| Actually, I didn't want to intentionally set LookAside=true.
What I wanted to do was store and maintain all users and groups inside LDAP, including additional user attributes I might want to define.
The only information I want to store in portal regarding permissions is to associate resource permissions against groups we define, groups which are also stored in LDAP and against which our users are members.
So does this mean I should turn off LookAside ?
| |
| Wayne Jones 2007-03-05, 7:24 pm |
| Yes,
You will want to disable security by running "WPSConfig.sh disable-security" and then re-enable security as before but without the lookaside database.
If you did not manually set the lookaside value to true you may be using a component which requires lookaside. In which case you should not try to disable it. You may have enabled security with realm support which requires a lookaside database. If you do not have a specific need for realm support I would recommend enabling security without it (after first disabling it).
| |
|
| Ok, understand. Ours was set by default.
What exactly is the premise of 'realm support' when it comes to WebSphere Portal and is it useful?
| |
| Wayne Jones 2007-03-06, 1:24 pm |
| Realm support allows for multiple user registries. If you are planning to use virtual portals it can be helpful.
| |
| Harisankar Gopalan 2007-05-26, 7:22 am |
| Hi Warren,
I need to have some attribute in the Lookaside DB.
How can I get the same in the user object?
When I try to set a value for a custom attribute (DefaultPage, which is available in the lookaside db), it gives an error like:
com.ibm.portal.puma.AttributeNotDefinedException: EJPSG0007E: One of the attribute specified is not defined for this member type.DefaultPage.
DefaultPage is a custom attribute available in the lookaside db.
How can we get user details which are available in LDAP and Lookaside?
I am using the PUMA SPI for getting user details.
Could you please give me your suggestions?
Thanks.