Expanded membership increases the maximum number of place members from 900 to 4000. Since a place set up to use expanded membership cannot revert to standard membership, consider the implications for directory services, access control and user interfaces before using this feature.
IBM® Lotus® Quickr™ by default lists the names of place members in the database access control lists (ACLs) of the rooms in a place. The combined names in an access control list cannot exceed 32K in size, which limits a place to approximately 300 to 900 members, depending on the length of the members' distinguished names. Expanded membership removes this limitation by generating groups in an LDAP directory to store the names of individual members, and using these groups, rather than the individual user names, in room access control lists.
Consider the following points before you use the expanded membership model (EMM):
- The effective use of groups in the LDAP directory is the best approach to handling large member access lists. The EMM feature should be considered an alternative method. If you are currently using Expanded Membership Model or would like to use it, refer to this technote before installing or upgrading Lotus Quickr.
- Flat Domino groups are unsupported and will lead to group expansion issues and product limitations.
- After you have set up a place to use expanded membership, you cannot revert the place to standard membership.
- Expanded membership is supported only when Lotus Quickr, not IBM Lotus Domino®, controls directory services.
- If the directory server used for the expanded membership groups is also the Lotus Quickr user directory, specify a base distinguished name for the expanded membership groups that is outside the scope of the base distinguished name that Lotus Quickr uses for group lookups generally.
- Do not modify the expanded membership groups.
- The LDAP directory that stores the expanded membership groups must allow write access.
- The user name and password used to manage the expanded membership groups (configured through the Site Administration User Directory page) must have write access to the base distinguished name configured for the groups.
- Expanded membership is certified for 4000 external user members in a place.
- LDAP directory servers can limit the number of members allowed in groups.
- Places that use expanded membership cannot be used to create PlaceTypes.
- Expanded membership pertains to individual external members and not to local members or to external group members.
- Users who are members of external groups cannot take a place offline.
- Do not disable expanded membership on the server if there are places that use it.
Expanded membership groups
When a place uses expanded membership, Lotus Quickr creates room-specific access control groups in an LDAP directory. The LDAP directory can be one that Lotus Quickr uses generally, or a different directory.
Lotus Quickr creates the following groups in this LDAP directory for the main room (Main.nsf) of a place and adds them to the main room database ACL:
is the name of the place.
is a base distinguished name for the expanded membership groups that is configured through the qpconfig.xml file.
When an external user member is added to the place, Lotus Quickr adds the user's name to one of these groups, according to the access assigned to the user. For example, Lotus Quickr adds an external user member with Reader access to the place's "cn=h_Readers...." group.
If someone creates a subroom, Lotus Quickr creates the following groups in the directory, and adds the groups to the subroom ACL:
is the unique number XXXXXXXX in the room name "PageLibraryXXXXXXXX.nsf" that identifies the room.
is the name of the place that contains the room.
is the base distinguished name configured for the expanded membership groups.
Removing an external user member from a place removes the user's name from the expanded membership groups associated with the place. Removing an external user member from a subroom removes the user's name from the appropriate Lotus Quickr group associated with the subroom. Removing a place or a subroom removes the expanded membership groups associated with the place or subroom.
Examples of expanded membership groups
Suppose a place named salestrends uses expanded membership and the base distinguished name specified in the qpconfig.xml file for the expanded membership groups is ou=groups,o=teamworkplace. If someone adds an external user member to salestrends with Author access, Lotus Quickr adds the user's name to a group created in the LDAP directory called cn=h_Authors,ou=salestrends,ou=groups,o=teamworkplace. The group is included in salestrends' Main.nsf room ACL.
Suppose someone creates a subroom named PageLibrary85256CD200797D7B.nsf within salestrends and adds an external user member to the subroom with Reader access. Then Lotus Quickr adds the user's name to a group generated in the LDAP directory called cn=h_Readers,ou=85256CD200797D7B,ou=salestrends,ou=groups,o=teamworkplace. The group is included in the subroom ACL.
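As an added example (not IBM's code), the following Python builds the group names shown in these examples, maps a group DN back to its place, room id and role, and checks the base-DN scoping rule from the considerations list; DNs are handled as plain comma-separated RDNs, and the place names, room ids and base DNs used are constructed values.

```python
"""Added example (not IBM's code). Builds and parses the LDAP group names that
Lotus Quickr generates for expanded membership, following the naming shown in
the examples above, and checks the base-DN scoping rule from the considerations
list. DNs are handled as plain comma-separated RDNs (no escaping), and the
sample place names, room ids and base DNs are constructed values."""

def room_id_from_filename(filename):
    """Extract XXXXXXXX from a subroom file name 'PageLibraryXXXXXXXX.nsf'."""
    prefix, suffix = "PageLibrary", ".nsf"
    if not (filename.startswith(prefix) and filename.endswith(suffix)):
        raise ValueError(f"not a subroom file name: {filename}")
    return filename[len(prefix):-len(suffix)]

def group_dn(access, place, base_dn, room_id=None):
    """Expected group DN for the main room of a place or, with room_id, for a
    subroom. access is the role part of the group name, e.g. 'Readers'."""
    rdns = [f"cn=h_{access}"]
    if room_id is not None:
        rdns.append(f"ou={room_id}")
    rdns.append(f"ou={place}")
    return ",".join(rdns + [base_dn])

def parse_group_dn(dn, base_dn):
    """Map a group DN under base_dn back to (access, place, room_id or None);
    None if the DN does not follow the expanded membership naming scheme."""
    if not dn.lower().endswith("," + base_dn.lower()):
        return None
    rel = dn[:-(len(base_dn) + 1)].split(",")
    if len(rel) not in (2, 3) or not rel[0].startswith("cn=h_"):
        return None
    if not all(part.startswith("ou=") for part in rel[1:]):
        return None
    access, place = rel[0][len("cn=h_"):], rel[-1][len("ou="):]
    room_id = rel[1][len("ou="):] if len(rel) == 3 else None
    return access, place, room_id

def emm_base_outside_lookup_scope(emm_base_dn, lookup_base_dn):
    """True when the expanded membership base DN is not the same as, or below,
    the base DN Lotus Quickr uses for general group lookups."""
    emm, lookup = emm_base_dn.lower(), lookup_base_dn.lower()
    return emm != lookup and not emm.endswith("," + lookup)
```

parse_group_dn is useful when auditing the directory: any entry under the expanded membership base DN that it rejects was not generated by this naming scheme and deserves a closer look.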
Access control in places that use expanded membership
Expanded membership uses group names in room ACLs rather than individual user names to control the access of individual external user members. As a result, the access given to an individual external user member no longer takes precedence over the access assigned to groups the user belongs to, or over super user access. The access control behavior for expanded membership differs from standard membership in the following ways:
- With expanded membership, an external user who is an explicit member of a place and who is also a super user has super user access to the place. With standard membership, the external user has the access the place assigns the user, not the super user access.
- With expanded membership, if an external user is an explicit member of a place (through a Lotus Quickr group) and also belongs to another group that is a member of the place, the user's access is the higher access of the two groups. With standard membership, the user has the access assigned to the individual user member.
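Because the conversion to expanded membership cannot be reverted, it is worth knowing in advance which members gain access under the rules above. The following Python is an added example (not IBM's code) that applies both precedence models to a constructed member list and reports the differences; it assumes the Notes ACL level ordering and treats super user access as Manager.

```python
"""Added example (not IBM's code). Before converting a place to expanded
membership, which cannot be reverted, list the external members whose effective
access would rise because an individual grant no longer takes precedence over
group grants or super user status. Assumptions: ACL levels follow the Notes
ordering below, and super user access is treated as Manager. Members are
constructed sample data."""

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

def rank(level):
    return LEVELS.index(level)

def effective_access(explicit, group_levels, super_user, expanded):
    """Effective level of an explicit external user member. explicit is the level
    the place assigns the user; group_levels are the levels of other member
    groups the user belongs to."""
    if not expanded:
        # Standard membership: the user's own ACL entry takes precedence.
        return explicit
    if super_user:
        # Expanded membership: no individual entry exists to override super user access.
        return "Manager"
    # Expanded membership: the explicit grant lives in an h_* group, so the highest
    # level among all of the user's groups applies.
    return max([explicit] + list(group_levels), key=rank)

def access_increases_after_conversion(members):
    """Return (name, before, after) for each member whose effective access is
    higher under expanded membership than under standard membership."""
    findings = []
    for m in members:
        before = effective_access(m["access"], m["groups"], m["super_user"], False)
        after = effective_access(m["access"], m["groups"], m["super_user"], True)
        if rank(after) > rank(before):
            findings.append((m["name"], before, after))
    return findings

SAMPLE_MEMBERS = [  # constructed, not real directory entries
    {"name": "cn=Ann Lee,o=example", "access": "Reader", "groups": ["Editor"], "super_user": False},
    {"name": "cn=Bo Chen,o=example", "access": "Author", "groups": [], "super_user": True},
    {"name": "cn=Cy Diaz,o=example", "access": "Editor", "groups": ["Reader"], "super_user": False},
]

if __name__ == "__main__":
    for name, before, after in access_increases_after_conversion(SAMPLE_MEMBERS):
        print(f"{name}: {before} -> {after}")
```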
User interface differences in places that use expanded membership
If you enable expanded membership for a place, users see the following changes:
- When users add members, they are no longer presented with a list of members with check boxes next to the member names. Instead, they click a button to display a window from which they can search for the members to add.
- To create PlaceBots in a place, users must add a local user as a manager and then log in as that manager.
- When posting, the option to notify all members is not available.
- Users cannot create a PlaceType from a place that uses expanded membership.