BUT I'd like to do things 'properly'...
Originally posted by louise rochford:
LDAP is only going to be used to hold username against password. I don't expect it to have any concept of which user is in which group / role - that would be left to the application.xml file.
... so there wouldn't be a way to change the access rights outside of WebSphere.
I think the problem may be that the controls over who can update LDAP are too restrictive. We're piggy-backing on an existing LDAP server that's already used for lots of other stuff well outside the realm of our department. They are fine with us accessing it to check against company-wide authentication rules, but don't want to be bothered with effectively administering fine-grained control over who can access what little resource in our app.