A customer recently had the requirement to grant only a specific group of users access to Lotus Connections. As you probably know, this can be achieved by configuring the user/group role mapping in WAS. Since a screenshot makes it clearer than following the Info Center, I’m providing the configuration I implemented:

You also need to modify LotusConnections-config.xml to set service_extension_auth for Communities and Profiles to “DSX-Admin”:

But when a user is not a member of the LotusConnectionsUsers group and still tries to log in, he will get a nasty error. This happens because for WAS itself you are able to log in! So you are authenticated and authorized in the eyes of WAS, but you can’t get to URLs which are protected by the person role in the ear file! So the way to solve this is to also tell WAS that only people in LotusConnectionsUsers & LotusConnectionsAdmins should be able to log in! This can be done, but it is an extra config requirement for your problem as stated in your blog!
If your goal is to filter users at WAS level, you need to modify the ldap-search query in the WAS member-management (VMM):
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_ldapfilter.html