LDAP configuration file (ldapentry.xml)

The WCServer_enterprise_archive/xml/ldap/ldapentry.xml file is used when HCL Commerce is configured to use an LDAP server as the master profile repository for users and organizations. HCL Commerce interacts with the LDAP server using WebSphere Application Server's federated repository. The federated repository is implemented using Virtual Member Manager (VMM).

The ldapentry.xml file provides the mapping between HCL Commerce attributes and VMM attributes, which is used to synchronize data between the HCL Commerce database and LDAP. The file ships with a default mapping for the most commonly used attributes, and the mapping can be customized. See List of attributes that can be synchronized with LDAP for more information.
Note: Ensure that you check the wc-server.xml file to verify which ldapentry file is used:
  • Microsoft Active Directory: typically uses ldapentry_ad.xml
  • Other LDAP servers: typically uses ldapentry.xml

Sample data in the ldapentry.xml file


<?xml version="1.0"?>
<!DOCTYPE ldapentry SYSTEM "ldapentry.dtd">
<ldapentry>
   <entry entryName="User">
      <ldapsetting>
         <ldaprdn rdnName="uid" keyAttrName="logonId" keyObjName="UserRegistry"/>
      </ldapsetting>
      <ldapmap>
         <map>
            <objectAttribute attrName="logonPassword"/>
            <ldapAttribute name="password" operation="replace" flow="wcsToLdap"/>
         </map>
         <map>
            <objectAttribute attrName="lastName"/>
            <objectAttribute attrName="firstName"/>
            <objectSeparator attrSeparator="/"/>
            <ldapAttribute name="cn" operation="replace" flow="wcsToLdap"/>
         </map>
         <map>
            <objectAttribute attrName="lastName"/>
            <ldapAttribute name="sn" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="firstName"/>
            <ldapAttribute name="givenName" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="phone1"/>
            <ldapAttribute name="homePhone" operation="add" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="email1"/>
            <ldapAttribute name="mail" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="zipCode"/>
            <ldapAttribute name="postalCode" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="address1" size="50"/>
            <objectAttribute attrName="address2" size="50"/>
            <objectAttribute attrName="address3" size="50"/>
            <objectSeparator attrSeparator="/"/>
            <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
         </map>
      </ldapmap>
   </entry>
   <entry entryName="Organization">
      <ldapsetting>
         <ldaprdn rdnName="o" keyAttrName="orgEntityName" keyObjName="Organization"/>
      </ldapsetting>
      <ldapmap>
         <map>
            <objectAttribute attrName="businessCategory"/>
            <ldapAttribute name="businessCategory" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="description"/>
            <ldapAttribute name="description" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="address1" size="50"/>
            <objectAttribute attrName="address2" size="50"/>
            <objectAttribute attrName="address3" size="50"/>
            <objectSeparator attrSeparator="/"/>
            <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="phone1"/>
            <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
         </map>
      </ldapmap>
   </entry>
   <entry entryName="OrganizationalUnit">
      <ldapsetting>
         <ldaprdn rdnName="ou" keyAttrName="orgEntityName" keyObjName="Organization"/>
      </ldapsetting>
      <ldapmap>
         <map>
            <objectAttribute attrName="businessCategory"/>
            <ldapAttribute name="businessCategory" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="description"/>
            <ldapAttribute name="description" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="address1" size="50"/>
            <objectAttribute attrName="address2" size="50"/>
            <objectAttribute attrName="address3" size="50"/>
            <objectSeparator attrSeparator="/"/>
            <ldapAttribute name="postalAddress" operation="replace" flow="bothDirections"/>
         </map>
         <map>
            <objectAttribute attrName="phone1"/>
            <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
         </map>
      </ldapmap>
   </entry>
</ldapentry>

The format of the ldapentry.xml file is as follows:
entry
The entry element identifies which type of member the mappings are for. Valid values are User, Organization, or OrganizationalUnit.
ldapsetting - ldaprdn - rdnName
Specifies which LDAP attribute is the RDN attribute.
ldapsetting - ldaprdn - keyAttrName
Specifies which HCL Commerce attribute maps to the RDN attribute.
ldapsetting - ldaprdn - keyObjName
Specifies the HCL Commerce access bean that contains the keyAttrName attribute.
ldapsetting - ldapocs - objClass
This option is no longer used. It has been moved to the wimconfig.xml file.
ldapsetting - ldapbase - defaultBase
This option is no longer used. It has been moved to the wimconfig.xml file.
ldapsetting - ldapbase - searchBase
This option is no longer used. It has been moved to the wimconfig.xml file.
map - objectAttribute - attrName
An HCL Commerce attribute name. See List of attributes that can be synchronized with LDAP for more information.
map - ldapAttribute - name
Name of the VMM attribute to be mapped to the HCL Commerce attribute specified in attrName. The VMM attribute name is commonly the same as the LDAP attribute name. In cases where it is different, the mapping is defined in the attributeConfiguration element of the wimconfig.xml file.
map - ldapAttribute - flow
Specifies how the attribute value is read from and written to LDAP. Valid values are:
ldapToWcs
The value flows from LDAP to the HCL Commerce database only. This is used during authentication and get operations.
wcsToLdap
The value flows from the HCL Commerce database to LDAP only. This setting applies when creating or updating a member in HCL Commerce. The sample file maps logonPassword this way, so a password set through HCL Commerce is written to LDAP but is never read back into the database.
bothDirections
The value flows both ways, between the HCL Commerce database and LDAP.
If HCL Commerce is used to create or update a user or organization using the member commands, for example, UserRegistrationAddCmd or OrgEntityUpdateCmd, the data flows from HCL Commerce to LDAP. On a read or get request, for example at logon time or when populating a data bean, the data flows from LDAP to HCL Commerce, because LDAP is considered the master of record. However, data is only transferred if the record in LDAP has been updated more recently than it was last synchronized with HCL Commerce. This last synchronized time is stored in the WMMMAP table.
ldapOnly
The value exists only in LDAP, not in the HCL Commerce database. These attributes are accessible from the following APIs:
  • UserSyncBean.getProperty(String propertyName)
  • OrganizationSyncBean.getProperty(String propertyName)
which in turn make them available to the following data beans:
  • UserRegistrationDataBean.getAttribute(String attributeName)
  • OrgEntityDataBean.getAttribute(String attributeName)
The GetPerson and GetOrganization services then populate the Person and Organization SDOs with these attributes when the IBM_All access profile is used:
  • /Person/Attributes
  • /Organization/Attributes
map - ldapAttribute - operation
Specifies how the attribute value is modified in LDAP. Valid values are replace or add. A value of replace overwrites the current value with the new one (for example, replacing an existing phone number with a new one). A value of add appends another value for the user (for example, adding a new phone number to the current user information, making a list of phone numbers for the user).
map - objectSeparator - attrSeparator
Separator character used when storing or retrieving multiple HCL Commerce attributes to or from a single LDAP attribute. A value that itself contains the separator character cannot be split back reliably, so choose a separator that does not occur in the data. Replicating multivalued attributes is not supported.
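As an added check, not part of the HCL documentation or product, the following Python script parses a file in the format described above and reports what a reviewer wants to know before deployment: which LDAP attributes a Commerce member command can write (flow wcsToLdap or bothDirections, which is where registration form data ends up), which maps combine several Commerce attributes through an objectSeparator, which attrNames are multi-valued custom member attributes, and any map whose ldapAttribute element is missing or whose flow or operation value is not one of those listed above. The SAMPLE string is constructed for the example: a trimmed User entry in the documented format, with one ldapAttribute line deliberately missing its leading '<' so that the audit can show it catches the slip instead of silently dropping the map.

```python
"""Audit an ldapentry.xml mapping file (added example, not HCL's code).

For every <map> it records which Commerce attributes feed which VMM/LDAP
attribute, in which direction and with which operation, then derives the
lists a reviewer wants: LDAP attributes that Commerce create/update commands
can write, composite maps (several objectAttributes joined by a separator)
and multi-valued custom member attributes (attrName ending in _n).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID_FLOWS = {"ldapToWcs", "wcsToLdap", "bothDirections", "ldapOnly"}
VALID_OPERATIONS = {"replace", "add"}
WRITES_TO_LDAP = {"wcsToLdap", "bothDirections"}
ENTRY_TYPES = {"User", "Organization", "OrganizationalUnit"}


@dataclass
class Mapping:
    entry: str                 # User, Organization or OrganizationalUnit
    commerce_attrs: List[str]  # objectAttribute attrName values, in order
    ldap_attr: str             # ldapAttribute name (the VMM attribute)
    flow: str
    operation: str
    separator: Optional[str]   # objectSeparator attrSeparator, if any


def parse_ldapentry(xml_text: str) -> Tuple[List[Mapping], List[str]]:
    """Parse the file; return (mappings, problems) with human-readable problems."""
    root = ET.fromstring(xml_text)
    mappings, problems = [], []
    for entry in root.findall("entry"):
        name = entry.get("entryName", "?")
        if name not in ENTRY_TYPES:
            problems.append(f"{name}: unknown entryName")
        if entry.find("ldapsetting/ldaprdn") is None:
            problems.append(f"{name}: no ldaprdn, RDN attribute is undefined")
        for m in entry.findall("ldapmap/map"):
            attrs = [o.get("attrName", "") for o in m.findall("objectAttribute")]
            sep_el = m.find("objectSeparator")
            sep = sep_el.get("attrSeparator") if sep_el is not None else None
            la = m.find("ldapAttribute")
            if la is None:
                # A line such as `ldapAttribute name=.../>` whose leading '<'
                # is missing parses as text, so the map has no target at all.
                problems.append(f"{name}: map for {attrs} has no <ldapAttribute> element")
                continue
            flow, op = la.get("flow", ""), la.get("operation", "")
            if flow not in VALID_FLOWS:
                problems.append(f"{name}/{la.get('name')}: invalid flow {flow!r}")
            if op not in VALID_OPERATIONS:
                problems.append(f"{name}/{la.get('name')}: invalid operation {op!r}")
            if len(attrs) > 1 and sep is None:
                problems.append(f"{name}/{la.get('name')}: composite map without objectSeparator")
            mappings.append(Mapping(name, attrs, la.get("name", ""), flow, op, sep))
    return mappings, problems


def writable_from_commerce(mappings):
    """(entry, LDAP attribute) pairs that a Commerce member command can write.
    These are the LDAP attributes that user-supplied registration data reaches."""
    return sorted({(m.entry, m.ldap_attr) for m in mappings if m.flow in WRITES_TO_LDAP})


def multivalued_custom(mappings):
    """Commerce attrNames that follow the <name>_<storeId>_r_n convention."""
    return sorted(a for m in mappings for a in m.commerce_attrs if a.endswith("_n"))


# Constructed sample: a trimmed User entry in the documented format. The
# homePhone map deliberately lacks the '<' on its ldapAttribute line.
SAMPLE = """<?xml version="1.0"?>
<ldapentry>
  <entry entryName="User">
    <ldapsetting>
      <ldaprdn rdnName="uid" keyAttrName="logonId" keyObjName="UserRegistry"/>
    </ldapsetting>
    <ldapmap>
      <map>
        <objectAttribute attrName="logonPassword"/>
        <ldapAttribute name="password" operation="replace" flow="wcsToLdap"/>
      </map>
      <map>
        <objectAttribute attrName="lastName"/>
        <objectAttribute attrName="firstName"/>
        <objectSeparator attrSeparator="/"/>
        <ldapAttribute name="cn" operation="replace" flow="wcsToLdap"/>
      </map>
      <map>
        <objectAttribute attrName="email1"/>
        <ldapAttribute name="mail" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="JobFunction_10001_r_n"/>
        <ldapAttribute name="telephoneNumber" operation="replace" flow="bothDirections"/>
      </map>
      <map>
        <objectAttribute attrName="phone1"/>
        ldapAttribute name="homePhone" operation="add" flow="bothDirections"/>
      </map>
    </ldapmap>
  </entry>
</ldapentry>
"""

if __name__ == "__main__":
    maps, problems = parse_ldapentry(SAMPLE)
    for p in problems:
        print("PROBLEM:", p)
    print("writable from Commerce:", writable_from_commerce(maps))
    print("multi-valued custom attributes:", multivalued_custom(maps))
```

Run it against the real file with `parse_ldapentry(open(path).read())` after confirming from wc-server.xml which ldapentry file is in use; every pair returned by writable_from_commerce is an LDAP attribute that a registration or update command is allowed to overwrite, and the flagged phone1 map would otherwise sync nothing without any error in the mapping file itself.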

Synchronization of multi-valued LDAP attributes to the MBRATTRVAL table

The MBRATTRVAL table is used for storing custom member attributes. The table can store multiple values (rows) for a single attribute and user. LDAP attributes can likewise be multi-valued, so the two can be synchronized value for value.

For example:

<map>
     <objectAttribute attrName="JobFunction_10001_r_n"/>
     <ldapAttribute name="telephoneNumber" operation="replace" flow="bothDirections"/>
</map>

Original mapping:

<!--
<map>
     <objectAttribute attrName="phone1"/>
     <ldapAttribute name="telephoneNumber" operation="add" flow="bothDirections"/>
</map>
-->
The telephoneNumber VMM attribute maps to the JobFunction_10001_r_n HCL Commerce attribute. This HCL Commerce attribute, based on the naming convention, is a custom member attribute, whose values are stored in the MBRATTRVAL table. Note that the member attribute name ends with _n to indicate that it is multivalued.

If there are multiple values in the MBRATTRVAL table, they are synchronized over to multiple values in LDAP. Conversely, if there are multiple values in LDAP, they are synchronized to multiple rows in the MBRATTRVAL table.

The following URL is an example of how to add or update two JobFunction values for the current user:
https://localhost/webapp/wcs/stores/servlet/UserRegistrationUpdate?storeId=10101&catalogId=10101&langId=-1&editRegistration=Y&JobFunction_10101_r_1=manager&JobFunction_10101_r_2=clerk&URL=UserRegistrationForm
Note the two occurrences of JobFunction updates in the URL string: JobFunction_10101_r_1 for manager and JobFunction_10101_r_2 for clerk. Because the mapping flows in both directions, the values submitted in these request parameters are written to the LDAP attribute on the update, so map a custom member attribute to LDAP only when its values are meant to be editable by the user who submits the form.

Synchronization of single-valued LDAP attributes to the MBRATTRVAL table

With synchronization of a single-valued LDAP attribute to the MBRATTRVAL table, the single-valued attribute must be defined like a multi-valued attribute. For example, for an LDAP attribute partyID with a single value on LDAP:
  1. In the ldapentry XML file, the mapping would be
    <map>
    <objectAttribute attrName="partyID_10001_r_1"/>
    <ldapAttribute name="partyID" operation="replace" flow="wcsToLdap"/>
    </map> 
  2. In the WebSphere Application Server wimxmlextension.xml file, set the multiValued parameter to true for partyID.
    <wim:propertySchema nsPrefix="wim" 
      nsURI="http://www.ibm.com/websphere/wim" dataType="string" multiValued="true" propertyName="partyID">
         <wim:applicableEntityTypeNames>OrgContainer</wim:applicableEntityTypeNames>
    </wim:propertySchema>
  3. Set the attribute value in the URL with the following format:
    partyID_10001_r_1=newParty
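Both procedures above depend on the parameter naming convention for custom member attributes, attribute_storeId_r_index (JobFunction_10101_r_1, partyID_10001_r_1), with _r_n in the mapping file standing for any index. The following Python helper, an added example that is not HCL code, groups such parameters out of a UserRegistrationUpdate query string in index order, checks whether a parameter name targets a given attrName from ldapentry.xml, and builds the parameter list for a set of values. The regex is this example's reading of the convention (an attribute name without underscores, a numeric middle segment taken to be the store ID because it matches the storeId parameter in the documented URL, and a numeric 1-based index); the sample query string is the one from the multi-valued example.

```python
"""Custom member attribute request parameters (added example, not HCL code).

HCL Commerce custom member attributes are stored in MBRATTRVAL and addressed
in requests as <attribute>_<storeId>_r_<index>; ldapentry.xml uses the _r_n
suffix for a multi-valued attribute and _r_1 for a single-valued one.
The numeric middle segment is assumed here to be the store ID.
"""
import re
from urllib.parse import parse_qsl, urlencode

# Assumed shape of the convention: attribute name without underscores,
# numeric store ID, numeric 1-based index.
ATTR_PARAM = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9]*)_(?P<store>\d+)_r_(?P<idx>\d+)$")


def group_member_attributes(query):
    """Map (attribute, storeId) -> list of values ordered by index.

    Parameters that do not follow the convention (storeId, URL, ...) are ignored.
    """
    found = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = ATTR_PARAM.match(key)
        if m is None:
            continue
        found.setdefault((m["name"], m["store"]), []).append((int(m["idx"]), value))
    return {k: [v for _, v in sorted(pairs)] for k, pairs in found.items()}


def targets_mapping(attr_name, param_key):
    """True if a request parameter writes to the attrName declared in a <map>.

    An attrName ending in _r_n accepts any index; one ending in _r_<k>
    (the single-valued case) accepts only that index.
    """
    base, sep, suffix = attr_name.rpartition("_r_")
    m = ATTR_PARAM.match(param_key)
    if not sep or m is None or f"{m['name']}_{m['store']}" != base:
        return False
    return suffix == "n" or suffix == m["idx"]


def build_params(attr_name, store_id, values):
    """Encode values as <attr>_<store>_r_1, <attr>_<store>_r_2, ... parameters."""
    return urlencode([(f"{attr_name}_{store_id}_r_{i}", v) for i, v in enumerate(values, 1)])


# Query string from the documented UserRegistrationUpdate example.
SAMPLE_QUERY = ("storeId=10101&catalogId=10101&langId=-1&editRegistration=Y"
                "&JobFunction_10101_r_1=manager&JobFunction_10101_r_2=clerk"
                "&URL=UserRegistrationForm")

if __name__ == "__main__":
    print(group_member_attributes(SAMPLE_QUERY))
    print(targets_mapping("JobFunction_10101_r_n", "JobFunction_10101_r_2"))
    print(targets_mapping("partyID_10001_r_1", "partyID_10001_r_2"))
    print(build_params("partyID", 10001, ["newParty"]))
```

targets_mapping is the check to run over an incoming request's parameter names against the attrNames in ldapentry.xml: a parameter that matches a mapped attribute with flow wcsToLdap or bothDirections is one whose value will reach LDAP, and a single-valued attribute declared as _r_1 does not accept a second index.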