The IBM Lotus Workplace Web Content Management (hereafter called Web Content Management) technology, acquired from Presence Online/Aptrix, delivers end-to-end Web content management for Internet, intranet, extranet and portal sites. Web Content Management leverages content in back-end systems and reduces development and implementation time, placing content creation and management firmly in the hands of content experts for "author once, publish everywhere" control. It runs on both Domino and WebSphere Application Server and provides for the integration of WebSphere Portal and DB2 Content Manager. This makes this offering fit well with IBM middleware and allows you to leverage existing investments. However, while Web Content Management can handle user and group management internally, many customers instead use an external LDAP server such as IBM Directory Server or Domino Server.
The IBM Lotus Workplace Web Content Management v1.1 (Java Edition) includes a sample LDAP configuration that can be used as is or modified as needed to authenticate Users, establish Groups, and determine User categories. This document describes how to use this sample to implement User authentication and Group access using IBM Directory Server LDAP in a Portal environment. Before you begin the process it is assumed that you have installed and configured your Web Content Management UI and also installed the Content Portlet.
Figure 1 shows the sample configuration discussed in this article. The sample scenario (1) uses LDAP connection attributes and properties file locations specified in the Web Content Management connect.cfg file to (2) map LDAP attributes for the user to an existing Web Content Management Group and define the user's profile categories, (3) resulting in content that is specific to the group and user.
Figure 1: The sample authentication configuration
This article describes the supplied LDAP samples. It explains how to configure the Web Content Management properties and configuration files to correspond to those configured with the IBM Directory Server LDAP. It then shows you how to test your configuration to make sure that your scenario behaves properly. It also includes an alternative scenario, which includes modifications to the sample to enable it to access group membership directly from LDAP group membership.
The article first steps you through how to configure the environment to authenticate users via IBM Directory Server (using the default schema) and to use the LDAP attribute givenname to identify group membership. For this group to be recognized by Web Content Management, this exact group name has to be created in the Web Content Management Administrator User Interface (UI).
Before going through the steps in this example, WebSphere Portal, Web Content Management, and IBM Directory Server must be installed on the system or accessible on another system. All components are operational and Portal has been configured to run with LDAP. Default installation directories and LDAP Attributes are assumed.
All the files used in this sample LDAP configuration are located in the [WebContentManagement-base]\app\samples\LDAP directory, where [WebContentManagement-base] is the directory in which the Web Content Management product is installed.
To verify your LDAP attributes, run the following ldapsearch command:

```
ldapsearch -D uid=wpsadmin,cn=users,dc=raleigh,dc=ibm,dc=com -w wpsadmin -b dc=raleigh,dc=ibm,dc=com uid=*
```

Results should include a list of all user attributes for all registered users, as shown in Figure 2.

Figure 2: Results of the ldapsearch command
Configuring Web Content Management for use with the LDAP sample
The first step in configuring the environment is to change the settings in the connect.cfg file:

- Change to the configuration directory for your application (for example, to D:\Aptrix1.1\app\config).
- Make a backup copy of the connect.cfg file.
- Edit the connect.cfg file to specify the following values according to the LDAP server you are using. In the <ModuleConfig> section, add:

```
<ModuleConfig>
  <Sample>
    <SampleLDAPProperties value="../config/sampleldaprum.properties" />
    <SampleLDAPAdministratorProperies value="../config/sampleldapadmin.properties" />
  </Sample>
</ModuleConfig>
```

- Add the following section for the LDAP connection, replacing the values with your LDAP values:

```
<LDAPConnector>
  <OrganizationName value="raleigh.ibm.com" />
  <DefaultHost value="tsmit30.raleigh.ibm.com" />
  <DefaultPort value=389 />
  <DefaultScope value=SUBTREE />
  <!-- The version identifier: 2 or 3 -->
  <DefaultVersion value=3 />
  <!-- The base search scope within the DIT -->
  <DefaultBaseSearchDN value="dc=raleigh,dc=ibm,dc=com" />
  <DefaultAuthDN value="uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com" />
  <DefaultAuthPwd value="wpsbind" />
  <DirectoryManagerAuthDN value="cn=root" />
  <DirectoryManagerAuthPwd value="password" />
  <DefaultTimeout value=1000 />
  <ConnectionManager>
    <MaxConnectionPools value=1000 />
    <MaxConnectionsPerPool value=64 />
  </ConnectionManager>
  <UseSSL value=false />
</LDAPConnector>
```

- Modify the UserManager and AuthorisationManager sections as follows:

```
<UserManager class="com.ilwwcm.sample.ldaprum.framework.SampleCombinedUserManager" >
  <LDAPUserManager>
    <DefaultUniqueIDFieldName value="uid" />
    <DefaultAuthDN value="uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com" />
    <DefaultAuthPwd value="wpsbind" />
    <DefaultBaseDN value="cn=users,dc=raleigh,dc=ibm,dc=com" />
  </LDAPUserManager>
</UserManager>
<AuthorisationManager class="com.ilwwcm.sample.ldaprum.framework.SampleCombinedAuthorisationManager" >
  <LDAPAuthorisationManager>
    <DefaultUniqueIDFieldName value="uid" />
  </LDAPAuthorisationManager>
</AuthorisationManager>
```
The next step is to change the properties files:

- Copy the sample LDAP runtime user manager configuration files (sampleldapadmin.properties and sampleldaprum.properties) to the configuration directory for your Web Content Management application (for example, D:\Aptrix1.1\app\config).
- Change the sampleldapadmin.properties file to include the specifications for the LDAP administrator user ID and password:

```properties
DirectoryManagerAuthDN=uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com
DirectoryManagerAuthPwd=wpsbind
```

- Change the sampleldaprum.properties file to include the specifications for the Web Content Management user group (NewsUser) mapping to the LDAP attribute (givenname) as follows:

```properties
#---------------------------------------------------------------------
# LDAP Configuration Properties
#---------------------------------------------------------------------
username_att=uid
password_att=userpassword
member_att=uniquemember
user_class=person
group_class=groupOfUniqueNames
org_unit_att=cn
org_unit_att_value=users
org_att=dc
org_att_value=raleigh,dc=ibm,dc=com
common_name_att=cn
object_class_att=objectclass
#---------------------------------------------------------------------
# Group and Category LDAP attributes
#---------------------------------------------------------------------

#the LDAP attributes that define group membership of Users
#user_grps=groupSample1,groupSample2
USER_GRPS=GIVENNAME

#map an LDAP value to IBM Lotus Workplace Web Content Management Group values via:
#e.g. sampleRoleName_GrpMap=groupSample1
GIVENNAME_GRPMAP=GIVENNAME
```

- Edit the aptrixjpe.properties file (located in your config directory) to specify the Runtime User Manager class for the manager.runtimeUser property (manager.runtimeUser=[CLASS_NAME]):

```properties
manager.runtimeUser=com.ilwwcm.sample.ldaprum.server.SampleRuntimeUserManager
```
Next, place the JAR files in the appropriate directories.

- Place the ilwwcm-sample-ldaprum.jar file into the WEB-INF/lib directory of your IBM Lotus Workplace Web Content Management WAR file, which is located in the AppServer\installedApps\[Server-name]\[ILWWCM.ear]\ilwwcm.war\WEB-INF\lib directory in your IBM WebSphere installation.
- Ensure that the permissions are set correctly for the files. If you do not, a java.lang.ClassNotFoundException will be thrown when you run the application.
- If the LDAP ldapjdk.jar and ldapfilt.jar files are not in the system class path, then you must copy them into the WEB-INF/lib directory of your IBM Lotus Workplace Web Content Management WAR file (the same directory listed in the previous step). If you do not have these JAR files, the LDAP JAR files provided with this sample may be used instead, though it is recommended that you use the JAR files provided with your LDAP server. For more information on the configuration files, see the .txt files in the ILWWCM-HOME\app\samples\LDAP directory.
- Restart the server.
The next step is to set up the users and groups needed:

- Using the Portal Sign-up page (see the upper right corner of the Portal Login page in Figure 3), add a new user named theresa, and be sure to set the givenname attribute to NewsUser.

Figure 3: The Portal Login page

- Add the user group in Web Content Management:
  - Log into the Web Content Management UI as Administrator and create a new group named NewsUser. Also make NewsUser a member of the UIAccessGroup. This access is only for testing purposes.
  - Verify that user theresa does not exist as a Web Content Management user.
The sample scenario delivers content that is targeted to the NewsUser group, so you want to ensure that users whose LDAP attribute givenname is set to NewsUser are allowed to see the news content, and that users who do not belong to this group do not see it.

- Set content security. Select one piece of content in the Content Library, and set the security so that NewsUser has edit rights.
- Verify the configuration. Open a new Web Content Management UI and log in as theresa. Only the authorized components should be displayed.
- Log into Portal as theresa and access the DeptNews page created in the End2End doc. You should only see the news that was secured for NewsUser.
- Log into Portal as wpsadmin and access the DeptNews page. You should not see the news content.
It is quite common to maintain group membership for users in the LDAP database. The alternative sample scenario, shown in Figure 4, uses LDAP connection attributes and properties file locations specified in the connect.cfg file to (1) query the LDAP to obtain a list of the groups in which the User is a member, (2) which maps to an existing Web Content Management Group, (3) again resulting in content that is specific to the group and user.
Figure 4: Alternate authentication scenario
First, we need to obtain a group membership from LDAP. With some coding changes to the UserAuthorization manager, you can implement a solution that not only authenticates the user using LDAP but also looks up the LDAP group membership for each user and applies that to the Web Content Management resources.
The group membership query in this sample code is similar to the following LDAP search command:

```
ldapsearch -D uid=wpsadmin,cn=users,dc=raleigh,dc=ibm,dc=com -w wpsadmin -b dc=raleigh,dc=ibm,dc=com uniqueMember=uid=theresa,cn=users,dc=raleigh,dc=ibm,dc=com cn
```

In this command, the -D and -w options are the user ID and password specified in the connect.cfg file in the LDAPConnector stanza:

```
<DefaultAuthDN value="uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com" />
<DefaultAuthPwd value="wpsbind" />
```

The -b option is the base DN from the DefaultBaseSearchDN stanza:

```
<DefaultBaseSearchDN value="dc=raleigh,dc=ibm,dc=com" />
```

The uniqueMember and cn attributes are both defined in the sampleldaprum.properties file and are used with the authenticated user's DN to retrieve the group names for the user:

```properties
member_att=uniqueMember

common_name_att=cn
```
For limitations see the "Known Limitations" section.
Follow these steps for the alternate scenario:

- Create a Project in WebSphere Studio Application Developer.
- Import the source from the Web Content Management INSTALL/app/samples/LDAP/source directory.
- Edit the Project Java Build Path. Right-click on Project Name -> Properties -> Java Build Path -> Add Libraries and add the following files:
  - ilwwcm-framework.jar
  - ilwwcm-server.jar
  - ldapjdk.jar
  - ldapfilt.jar
  - ilwwcm-commons-xmlpersistency.jar
  - ilwwcm-commons-utils.jar
  - ilwwcm-commons-version.jar
  - ilwwcm-commons-properties.jar
- Add the resource bundle property classes to the package com.ilwwcm.sample.ldaprum. To add the resource bundles, you must extract them from the ilwwcm-ldaprum.jar file and import them into your project. The resource bundles should be:
  - ldaprum_de.properties
  - ldaprum_en.properties
  - ldaprum_es.properties
  - ldaprum_fr.properties
  - ldaprum_it.properties
  - ldaprum_ja.properties
  - ldaprum_ko.properties
  - ldaprum.properties
  - ldaprum_sv.properties
  - ldaprum_zh.properties
  - ldaprum_zh_TW.properties
- Edit the SampleLDAPUser.java file to add the following imports to the import section:

```java
/** Imports for Checking Groups in LDAP */
import com.presence.connect.utils.Config;
import com.presence.connect.utils.ConfigKeys;
import com.presence.connect.connector.ldap.LDAPConnectionParam;
import com.presence.connect.connector.ConnectionManager;
import com.presence.connect.connector.ConnectorException;
import com.presence.connect.connector.ldap.LDAPConnector;
```

- Add the following global variables to the class:

```java
/** LDAP Connection Parameters */
private LDAPConnectionParam m_dirMgrParam;
/** LDAP Host */
private String m_ldapHost = null;
/** LDAP port */
private int m_ldapPort;
/** Use SSL */
private boolean m_useSSL;
/** Connection Timeout, read from the LDAPConnector section of connect.cfg (-1 if unset) */
private int m_timeout = Connect.getAppConfig().getInt(
        ConfigKeys.BASE_CONNECTOR + ConfigKeys.SEPARATOR
        + ConfigKeys.LDAP_CONNECTOR_CONFIG + ConfigKeys.SEPARATOR
        + ConfigKeys.LDAP_TIMEOUT, -1);
```

- Add the connection setup and creation code to the top of the SampleLDAPUser(ConnectLDAPEntry p_ldapEntry) method:

```java
/** Create new LDAPConnector and set host, port, and SSL configuration from the values in connect.cfg */
LDAPConnector connector = new LDAPConnector();
Config config = connector.getConnectorConfig();
m_ldapHost = config.getString(ConfigKeys.LDAP_HOST);
m_ldapPort = config.getInt(ConfigKeys.LDAP_PORT);
m_useSSL = config.getBoolean(ConfigKeys.USE_SSL);
// set up an LDAP connector for the search using the
// directory manager connection parameters
// create directory manager connection param, to be used for all searches
m_dirMgrParam = new LDAPConnectionParam(m_ldapHost, m_ldapPort,
        SampleAdministratorProperties.getDirectoryManagerAuthDN(),
        SampleAdministratorProperties.getDirectoryManagerAuthPwd(),
        m_timeout);
m_dirMgrParam.setSSL(m_useSSL);
```

- Add the following line to get the user's Distinguished Name in the SampleLDAPUser(ConnectLDAPEntry p_ldapEntry) method. This DN is used in the LDAP query to find the groups of which the user is a member:

```java
// get the User DN to be used when finding the user's groups
String userDN = p_ldapEntry.getDN();
```

Add this immediately after:

```java
// get the User name
String[] values = p_ldapEntry.getValues(SampleLDAPProperties.getUsernameAtt());
```

- Change the setUserGroups call in the SampleLDAPUser(ConnectLDAPEntry p_ldapEntry) method to pass the user DN:

```java
// get the UserGroups by user DN
setUserGroups(userDN);
```

- Override the setUserGroups method with the following method:

```java
private void setUserGroups(String userDN) {
    // create the search string; get the search property from SampleLDAPRum.properties
    String p_search = new String(SampleLDAPProperties.getMemberAtt() + "=" + userDN);
    // get the Group Name Attribute from SampleLDAPRum.properties
    String groupNameAtt = SampleLDAPProperties.getCommonNameAtt();
    s_log.info(2, ResourceBundleUtils.getFormattedString(
            SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME,
            SampleLdapRumBundleKeyConstants.SEARCHING_FOR_1,
            new Object[] {p_search}));
    LDAPConnector connector = new LDAPConnector();
    connector.setConnectionParam(m_dirMgrParam);
    // Explicitly connect
    try {
        connector.connect();
    } catch (ConnectorException ce) {
        s_log.warn(1, ResourceBundleUtils.getFormattedString(
                SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME,
                SampleLdapRumBundleKeyConstants.SEARCH_FAILED_WARNING_3,
                new Object[] {null, ce, ce}));
    }
    // perform search to find group.
    // we may need to retry because a connection could have timed out at the LDAP Server
    // or from the other end.
    // A connection may also time out via AbstractConnection.
    ConnectionManager connMgr = connector.getConnectionManager();
    ConnectLDAPEntry[] results = null;
    boolean continueAttempts = true;
    for (int attempt = 0, maxAttempts = connMgr.getMax() + 1;
         attempt < maxAttempts && continueAttempts; attempt++) {
        s_log.info(2, ResourceBundleUtils.getFormattedString(
                SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME,
                SampleLdapRumBundleKeyConstants.SEARCH_ATTEMPT_1,
                new Object[] {String.valueOf(attempt)}));
        // ask the Connector to perform a search for the group given a member
        // attribute equal to the user dn; multiple groups may be returned.
        try {
            results = connector.search(null, null, p_search);
            for (int i = 0; i < results.length; i++) {
                ConnectLDAPEntry groupObject = results[i];
                String[] groupNames = groupObject.getValues(groupNameAtt);
                if (groupNames.length > 0) {
                    // we assume that each group only has 1 group name, or 1 CN,
                    // and we add it to our User's Group attribute
                    m_groups.add(groupNames[0]);
                }
            }
            // the search finished without an exception, no need to keep going
            continueAttempts = false;
        }
        // if we get an exception, there is something wrong with the connection;
        // it may have been broken from the other end, so disconnect internally
        // so we can try again
        catch (ConnectorException e) {
            s_log.warn(1, ResourceBundleUtils.getFormattedString(
                    SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME,
                    SampleLdapRumBundleKeyConstants.SEARCH_FAILED_WARNING_3,
                    new Object[] {p_search, e, e}));
            try {
                // disconnect the connection first because it's not working, and
                // we want it to reconnect if it's used again
                if (connector.getConnection() != null) {
                    connector.getConnection().disconnect();
                }
                connector.disconnect();
                // try and flush any broken connections out of the pool.
                connMgr.releaseFree();
            } catch (ConnectorException ce) {
                s_log.warn(1, ResourceBundleUtils.getFormattedString(
                        SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME,
                        SampleLdapRumBundleKeyConstants.FAILED_TO_DISCONNECT_EXCEPTION_2,
                        new Object[] {ce, ce}));
                // can't continue to retry if we get an error here
                break;
            }
        }
    }
    // free the connection by disconnecting the connector
    try {
        // disconnect the connection first so we don't re-use it
        if (connector.getConnection() != null) {
            connector.getConnection().disconnect();
        }
        connector.disconnect();
        // try and flush any broken connections out of the pool.
        connMgr.releaseFree();
    } catch (ConnectorException e) {
        s_log.warn(2, ResourceBundleUtils.getFormattedString(
                SampleLdapRumBundleKeyConstants.SAMPLE_LDAPRUM_BUNDLE_NAME,
                SampleLdapRumBundleKeyConstants.COULDNT_DISCONNECT_AFTER_AUTH_2,
                new Object[] {e, e}));
    }
}
```

- Save the files and rebuild the project.
- Export the project as ilwwcm-sample-ldaprum.jar.
- Replace the ilwwcm-sample-ldaprum.jar in the WEB-INF/lib directory of the ilwwcm WAR file with the one you exported.
- From the WebSphere Administration Console, restart the Web Content Management application.
- Test your modifications:
  - Verify that theresa is a member of the NewsUser LDAP/Portal group and that wpsadmin is not a member of this group.
  - Log into Portal as theresa and navigate to the news page; you should see the news items created in the End2End doc.
  - Log into WebSphere Portal as wpsadmin; you should see an authorization message.
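As an added illustration (not the sample's own Java, which is shown above), the Python below models both ways this article derives a user's Web Content Management groups: scenario 1's givenname mapping from sampleldaprum.properties and scenario 2's uniqueMember search, each intersected with the groups defined in WCM, since the sample only honours groups that exist there. The in-memory directory, the RFC 4515 escaping helper and the search_equality stand-in for connector.search are assumptions of this example, not part of the sample.

```python
"""Added illustration, not the sample's own Java: how each scenario derives
a user's Web Content Management (WCM) groups. A constructed in-memory
directory stands in for IBM Directory Server."""
import re

# Constructed entries shaped like the default Portal schema (attribute
# names stored lowercase; LDAP attribute names are case-insensitive).
DIRECTORY = [
    {"dn": "uid=theresa,cn=users,dc=raleigh,dc=ibm,dc=com",
     "uid": ["theresa"], "givenname": ["NewsUser"]},
    {"dn": "uid=wpsadmin,cn=users,dc=raleigh,dc=ibm,dc=com",
     "uid": ["wpsadmin"], "givenname": ["wpsadmin"]},
    {"dn": "cn=NewsUser,cn=groups,dc=raleigh,dc=ibm,dc=com",
     "cn": ["NewsUser"],
     "uniquemember": ["uid=theresa,cn=users,dc=raleigh,dc=ibm,dc=com"]},
    {"dn": "cn=wpsadmins,cn=groups,dc=raleigh,dc=ibm,dc=com",
     "cn": ["wpsadmins"],
     "uniquemember": ["uid=wpsadmin,cn=users,dc=raleigh,dc=ibm,dc=com"]},
]

# Keys as set in sampleldaprum.properties in the article.
PROPS = {"member_att": "uniquemember", "common_name_att": "cn",
         "USER_GRPS": "GIVENNAME"}

# Groups created in the WCM Administrator UI. Known limitation: an LDAP
# group with no WCM group of the same name grants nothing.
WCM_GROUPS = {"NewsUser", "UIAccessGroup"}


def escape_filter_value(value):
    """RFC 4515 escaping so a DN placed in a filter cannot change its
    meaning (the sample concatenates the DN into the filter unescaped)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_member_filter(user_dn, props=PROPS):
    """The filter the article's second ldapsearch uses: (uniqueMember=<DN>)."""
    return "(%s=%s)" % (props["member_att"], escape_filter_value(user_dn))


def search_equality(directory, ldap_filter):
    """Stand-in for connector.search(): evaluate one equality filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr = m.group(1).lower()
    wanted = re.sub(r"\\([0-9a-fA-F]{2})",
                    lambda h: chr(int(h.group(1), 16)), m.group(2)).lower()
    return [e for e in directory
            if any(v.lower() == wanted for v in e.get(attr, []))]


def groups_from_attribute(user_entry, props=PROPS, wcm_groups=WCM_GROUPS):
    """Scenario 1: the USER_GRPS attribute value (givenname) is the group."""
    values = set(user_entry.get(props["USER_GRPS"].lower(), []))
    return sorted(values & wcm_groups)


def groups_from_membership(user_dn, directory=DIRECTORY, props=PROPS,
                           wcm_groups=WCM_GROUPS):
    """Scenario 2: groups whose uniqueMember is the user's DN; like the
    sample, the first cn of each group entry is taken as the group name."""
    names = set()
    for group in search_equality(directory, build_member_filter(user_dn, props)):
        cns = group.get(props["common_name_att"].lower(), [])
        if cns:
            names.add(cns[0])
    return sorted(names & wcm_groups)
```

Because group names are matched against WCM_GROUPS, the wpsadmins group resolves to nothing, which is the behaviour the known limitations describe.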
Any debugging messages are written to the server's system out log.
Traces can be enhanced to provide more detailed information from Web Content Management. To do this, edit the connect.cfg file, find the entry for the LogManager, and change the TraceLevel to the following:

```
<LogManager>
  <ErrorLog>
    <File LogFile="../connect/log/error.log" FlushLog=false Buffered=true TraceTime=true TraceDate=true
          TraceLevel=3 Rollover=Size MaxFileSize=5M />
  </ErrorLog>
  <FullLog>
    <File LogFile="../connect/log/connect.log" FlushLog=false Buffered=true TraceTime=true TraceLevel=3
          TraceDate=true TraceThread=true Rollover=Size MaxFileSize=5M />
    <Screen Buffered=false TraceTime=true TraceLevel=0 TraceDate=false TraceThread=true />
  </FullLog>
  <DebugLog>
    <File LogFile="../connect/log/debug.log" FlushLog=false Buffered=false TraceTime=true TraceLevel=3
          Rollover=Size MaxFileSize=5M>
      <Packages>
        <!-- by default not debugging any package -->
      </Packages>
    </File>
  </DebugLog>
</LogManager>
```
Error messages can be found in the following locations:

- Informational and error messages from WebSphere Portal are in [WAS-HOME]\PortalServer\log\SystemOut.log and [WAS-HOME]\PortalServer\log\SystemErr.log.
- Informational and error messages from Web Content Management are posted to [ILWWCM-Base]\app\connect\log\connect.log. You cannot open this file directly with a text editor such as WordPad; however, if you make a copy, the copy is accessible for viewing with WordPad.

Delete the logs each time WebSphere Portal is started. On Windows systems, you can do this with a BAT file similar to the following:

```bat
d:
del D:\ILWWCM11GM\app\connect\log\*.*
del D:\WebSphere\PortalServer\log\*.*
cd \WebSphere\AppServer\bin
call startserver.bat WebSphere_Portal -user uid=wpsbind,cn=users,dc=raleigh,dc=ibm,dc=com -password wpsbind
pause
```
The following are known limitations:
- Groups must be defined to Web Content Management even if they exist in the LDAP.
- Menus that use the user's matching categories will not apply to categories profiled for the group. Only categories associated with the User Profile are used in menus that specify a Matching Profile rule of Current User Categories.
- User access to the Web Content Management UI using LDAP is not fully supported and may have unpredictable results in some UI administrative actions.
This article provided two configuration examples for using an externally managed LDAP directory to deliver managed content to users based on their group membership. Your configuration may vary based on your LDAP attributes and content delivery requirements. This article can assist you in implementing a configuration that matches your specific needs and environment.
| Name | Size | Download method |
|---|---|---|
| ContentMgmtLDAP.zip | 8 KB | FTP |
Theresa Smit has a wide breadth of application development knowledge from her more than 28 years in computing technologies. Currently she is part of the IBM WebSphere Portal development organization, working with external and internal customers to use portal technologies to manage and deliver Web content. In addition to the WebSphere Portal product, she also supports usage of IBM Lotus Workplace Web Content Management, WebSphere Portal content publishing, and Personalization components. She has authored other articles and presented at developerWorks, WebSphere Portal, Lotus, and IBM Content Manager technical conferences.