Preparing users and groups
About this task
Check the IBM® Software Product Compatibility Report for the appropriate versions of supporting software.
This procedure assumes that you have installed and prepared a directory service provider that can be used by your container environment. IBM Virtual Member Manager is not supported for container environments.
In SDS, nested groups are supported by extending one of the structural group object classes to add the ibm-nestedGroup auxiliary object class. For more information, see Nested groups in the IBM Security Directory Server documentation.
When you prepare your environment, record the settings so that these values are available to enter into the custom resource YAML file for deployment and configuration. For lists of the parameters that you need to collect, see the following section: IBM FileNet® Content Manager parameters.
- LDAP
- Lightweight directory access protocol (LDAP) is a protocol that helps users find data about organizations, persons, and more. LDAP has two main goals. One is to store data in the directory server repository and the other is to authenticate users to access the directory. LDAP is used with a directory server repository to manage the users that access the FileNet P8 domain and the groups. The directory server helps define the permissions that those users are given. For more information, see Directory servers.
- Identity provider
- In your container environment, you can also use an external OIDC/OAuth identity provider to manage authentication in the following two scenarios:
- Internal users of your content repository
- For internal users, you configure a managed user realm and set identity rules that govern which sets of users have access to your domain, based on email suffix or address. This configuration can apply both with and without an external share configuration. This configuration also requires a basic LDAP service for default configuration and admin user access to the domain.
- External users with whom you want to share limited access to items in your content repository
- Similarly, for external users, you configure an authentication realm for managing the external users. You can combine external share OIDC/OAuth user authentication with traditional LDAP user management for internal users, or use an identity provider for both internal and external users. If you want to use LDAP authentication for both internal and external users, see Configuring the external user LDAP realm.

Important: With an identity provider, user registration is by the user email address. The email address must be unique not only across all managed users, but also must not collide with the short name of any LDAP user or group. Configuration settings that are called identity rules can restrict which email addresses can be registered as managed users and control which users can register themselves.
- Internal user provisioning with an identity provider
- You can use an identity provider to manage your users. For details, see topic Identity provider configuration parameters.
- Multiple LDAP support
- You can specify multiple LDAP providers for a container deployment. The initialization service covers a single LDAP provider, but you can manually add more providers by using the multi LDAP section in the custom resource file.
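The uniqueness and identity-rule requirements for managed users described above, modelled as a pre-registration check. This is an added example, not IBM's code and not how the product implements the check; the `IdentityRules` shape (allowed email suffixes and exact addresses), case-insensitive comparison, and all sample data are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class IdentityRules:
    """Constructed model of identity rules: allowed e-mail suffixes and/or exact addresses."""
    allowed_suffixes: set = field(default_factory=set)   # e.g. {"example.com"}
    allowed_addresses: set = field(default_factory=set)  # e.g. {"partner@other.org"}


def _norm(value: str) -> str:
    # Assumption: e-mail addresses and LDAP short names compare case-insensitively.
    return value.strip().lower()


def _permitted_by_rules(email: str, rules: IdentityRules) -> bool:
    """True if the (normalised) address is allowed by the configured identity rules."""
    if not rules.allowed_suffixes and not rules.allowed_addresses:
        return True  # assumption: no rules configured means no restriction
    if email in {_norm(a) for a in rules.allowed_addresses}:
        return True
    domain = email.rpartition("@")[2]
    # A suffix matches the exact domain or any subdomain of it.
    return any(domain == s or domain.endswith("." + s)
               for s in (_norm(x) for x in rules.allowed_suffixes))


def check_registration(email, managed_users, ldap_short_names, rules):
    """Return the reasons a managed-user registration must be rejected (empty list = allowed).

    managed_users: e-mail addresses already registered as managed users.
    ldap_short_names: short names of every LDAP user and group in the realm.
    """
    addr = _norm(email)
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        return ["malformed e-mail address"]
    problems = []
    if addr in {_norm(u) for u in managed_users}:
        problems.append("already registered as a managed user")
    if addr in {_norm(n) for n in ldap_short_names}:
        problems.append("collides with an LDAP user or group short name")
    if not _permitted_by_rules(addr, rules):
        problems.append("not permitted by identity rules")
    return problems
```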
Procedure
To prepare your directory server:
| Directory server type | Configuration steps |
|---|---|
| IBM Security Verify Directory | Configuring IBM Security Directory Server |
| Windows Active Directory | Configuring Windows Active Directory |
| Oracle Directory Server Enterprise Edition | Configuring Oracle Directory Server Enterprise Edition |
| Oracle Internet Directory | Configuring Oracle Internet Directory |
| Oracle Unified Directory | Configuring Oracle Unified Directory |
| Novell eDirectory | Configuring Novell eDirectory |
| CA eTrust | Configuring CA Directory |
| SCIM | SCIM Directory |
For details on the users and groups to consider, see the following information: .
What to do next
- If you're not using the scripts, see Creating the FileNet Content Manager databases and secrets without running the provided scripts.
- To prepare the required storage, see Exporting and importing LTPA keys.