Preparing users and groups

You set up and configure a directory server to provide the authentication repository for your FileNet P8 Platform container environment.

About this task

Check the IBM® Software Product Compatibility Report for the appropriate versions of supporting software.

This procedure assumes that you have installed and prepared a directory service provider that can be used by your container environment. IBM Virtual Member Manager is not supported for container environments.

In SDS, nested groups are supported by extending one of the structural group object classes to add the ibm-nestedGroup auxiliary object class. For more information, see Nested groups in the IBM Security Directory Server documentation.

When you prepare your environment, record the settings so that these values are available to enter into the custom resource YAML file for deployment and configuration. For lists of the parameters that you need to collect, see the following section: IBM FileNet® Content Manager parameters.

Note: Make sure to uncomment and include values for any additional parameter sections that apply to specific directory service providers.

LDAP

Lightweight Directory Access Protocol (LDAP) is a protocol that helps users find data about organizations, persons, and other resources. LDAP has two main goals: to store data in the directory server repository and to authenticate users who access the directory. LDAP is used with a directory server repository to manage the users and groups that access the FileNet P8 domain. The directory server helps define the permissions that those users are given. For more information, see Directory servers.

Identity provider

In your container environment, you can also use an external OIDC/OAuth identity provider to manage authentication in the following two scenarios:

Internal users of your content repository
For internal users, you configure a managed user realm and set identity rules that govern which sets of users have access to your domain, based on email suffix or address. This configuration can apply both with and without an external share configuration. This configuration also requires a basic LDAP service for default configuration and admin user access to the domain.

External users with whom you want to share limited access to items in your content repository
Similarly, for external users, you configure an authentication realm for managing the external users. You can combine external share OIDC/OAuth user authentication with traditional LDAP user management for internal users, or use an identity provider for both internal and external users. If you want to use LDAP authentication for both internal and external users, see Configuring the external user LDAP realm.

Important: With an identity provider, user registration is by the user email address. The email address must be unique not only across all managed users, but also must not collide with the short name of any LDAP user or group. Configuration settings that are called identity rules can restrict which email addresses can be registered as managed users and control which users can register themselves.
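The registration constraints in the note above (identity rules by email suffix or address, uniqueness across managed users, and no collision with an LDAP short name) can be checked before a batch of managed users is registered. The following is an added example, not IBM's code; the identity-rule representation, the function names and the sample data are all hypothetical.

```python
import re
from dataclasses import dataclass, field

# Hypothetical representation of the page's "identity rules": a set of
# permitted email domains (suffix match) and explicitly permitted addresses.
@dataclass
class IdentityRules:
    allowed_suffixes: set = field(default_factory=set)
    allowed_addresses: set = field(default_factory=set)

    def permits(self, email: str) -> bool:
        e = email.lower()
        if e in self.allowed_addresses:
            return True
        return any(e.endswith("@" + s.lower()) for s in self.allowed_suffixes)

# Minimal well-formedness check; a real deployment would use the provider's rules.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_registrations(candidates, rules, ldap_short_names, existing_managed=()):
    """Return (accepted, rejected); rejected maps the submitted address to a reason.

    Order of checks: malformed address, not permitted by identity rules,
    duplicate managed user, collision with an LDAP user or group short name.
    Comparison is case-insensitive because LDAP short names usually are.
    """
    accepted, rejected = [], {}
    seen = {e.lower() for e in existing_managed}
    short_names = {n.lower() for n in ldap_short_names}
    for email in candidates:
        e = email.strip().lower()
        if not EMAIL_RE.match(e):
            rejected[email] = "malformed address"
        elif not rules.permits(e):
            rejected[email] = "not permitted by identity rules"
        elif e in seen:
            rejected[email] = "duplicate managed user"
        elif e in short_names:
            rejected[email] = "collides with LDAP short name"
        else:
            accepted.append(e)
            seen.add(e)
    return accepted, rejected

# Constructed sample data; not taken from any real deployment.
RULES = IdentityRules(allowed_suffixes={"example.com"},
                      allowed_addresses={"partner@contoso.test"})
LDAP_SHORT_NAMES = {"p8admin", "cmadmins", "bob@example.com"}
EXISTING_MANAGED = {"carol@example.com"}
CANDIDATES = ["alice@example.com", "Bob@Example.com", "carol@example.com",
              "partner@contoso.test", "eve@evil.test", "not-an-address"]
```

Run `check_registrations(CANDIDATES, RULES, LDAP_SHORT_NAMES, EXISTING_MANAGED)` to see which constructed addresses pass and why the others are refused.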
Internal user provisioning with an identity provider

You can use an identity provider to manage your users. For details, see the topic Identity provider configuration parameters.

Multiple LDAP support

You can specify multiple LDAP providers for a container deployment. The initialization service covers a single LDAP provider, but you can manually add more providers by using the multi LDAP section in the custom resource file.

Procedure

To prepare your directory server:

Follow the steps for your directory server type:
Directory server type                         Configuration steps
IBM Security Verify Directory                 Configuring IBM Security Directory Server
Windows Active Directory                      Configuring Windows Active Directory
Oracle Directory Server Enterprise Edition    Configuring Oracle Directory Server Enterprise Edition
Oracle Internet Directory                     Configuring Oracle Internet Directory
Oracle Unified Directory                      Configuring Oracle Unified Directory
Novell eDirectory                             Configuring Novell eDirectory
CA eTrust                                     Configuring CA Directory
SCIM                                          SCIM Directory

For details on the users and groups to consider, see the following information.

What to do next

Your next step depends on whether you are using the provided scripts.