The IDirectoryConfigurationAD type exposes the following members.
Properties
| Name | Description |
|---|---|
| AllowEmailOrUPNShortNames | A boolean that specifies whether an Active Directory configuration can use an email address or User Principal Name (UPN) as the user short name. If the value of this property is false, the Active Directory security provider parses login user names (principal names) to determine if the name is in UPN format, meaning that it contains an @ character followed by at least one dot character (for example, jsmith@mydomain.com). If the principal name is in UPN format, it is assumed to take the form name@domain, where name is the user name and domain is the name of an Active Directory domain configured in Administration Console for Content Platform Engine. This special handling can be useful in some large Active Directory forest and domain setups, but prevents email addresses and certain UPNs from being used as the user short name. If the value of this property is true, the Active Directory security provider does not parse the principal name, which allows email addresses and UPNs to be used as the user short name. Setting this property to true implies that ReturnNameAsDN is also set to true. This property has a global effect. Therefore, it must be set the same (either all true or all false) for all Active Directory configurations defined for a Content Engine. If this property is not set the same for all configurations, the property value is implicitly false. |
| AuthenticationRealmName | The name of the realm against which the user is authenticated. (Inherited from IDirectoryConfiguration.) |
| ClassDescription | The ClassDescription object containing the property metadata for the EngineObject. (Inherited from IEngineObject.) |
| ConnectionTimeout | Specifies the Active Directory Service provider connection timeout in milliseconds. The default is 500 milliseconds. If the connection is across a WAN, consider increasing the value. When getting back a collection of domain controllers for a given domain, use this property in an LDAP connection request to determine if a given domain controller in the domain is up and running. If a timeout exception occurs in the specified time, assume the domain controller is not running and try the next one. |
| DirectoryServerHost | (Inherited from IDirectoryConfiguration.) |
| DirectoryServerPassword | The UTF-8 encoded, non-encrypted user password for authenticating to a given directory server. To maintain password security, you can use this property only to set a password, not to read its value. Instead of returning a password value, this property returns a zero-length byte array if it has been set with a password and returns a null value if it has never been set. (Inherited from IDirectoryConfiguration.) |
| DirectoryServerPort | The port number of the directory server. (Inherited from IDirectoryConfiguration.) Content Engine ignores this property when the value of the DirectoryServerHost property is a failover list. For information about failover lists, see the DirectoryServerHost property. |
| DirectoryServerProviderClass | (Inherited from IDirectoryConfiguration.) |
| DirectoryServerType | (Inherited from IDirectoryConfiguration.) |
| DirectoryServerUserName | Specifies the user name for authenticating to the directory server. The following are examples of strings for Active Directory and Oracle Directory Server: (Inherited from IDirectoryConfiguration.) |
| DisplayName | The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class. (Inherited from IDirectoryConfiguration.) For ICmAuditProcessingBookmark and IAuditDefinition objects, this property is intended to identify client applications that process the audit log. For ICmAuditProcessingBookmark objects, this property, in support of the audit disposition feature, identifies the client that created the object. For IAuditDefinition objects, this property identifies a set of audit definitions for a given client or client functionality. For ICmAuditProcessingBookmark and IAuditDefinition objects, it is recommended that you set this property. Specify a unique value to distinguish one client application from another. Note, however, that the server does not prevent identical display names across multiple ICmAuditProcessingBookmark or IAuditDefinition objects. Therefore, the client application is responsible for enforcing uniqueness. |
| ExcludeFromAuthenticatedUsers | Specifies whether users from this directory should be excluded from being treated as members of #AUTHENTICATED-USERS. (Inherited from IDirectoryConfiguration.) |
| GCHost | |
| GCPort | |
| GroupBaseDN | Specifies the base Distinguished Name (DN) for searching for groups in the directory server. (Inherited from IDirectoryConfiguration.) |
| GroupDisplayNameAttribute | Specifies the directory server attribute to be used as the display name for a group. The default property value is dependent on the directory service type and is specified by the authentication provider's configuration. (Inherited from IDirectoryConfiguration.) |
| GroupMembershipSearchFilter | Specifies the search filter or provider-specific attribute for group membership lookups. When a search filter is specified, Content Platform Engine issues an LDAP query. For some LDAP providers, you can optionally specify a provider-specific attribute instead of a search filter. The use of an attribute speeds up initial logins to Content Platform Engine, especially if the user logging in is a member of many groups. (Inherited from IDirectoryConfiguration.) The following table shows the default value of this property for each of the supported service providers. Note that you can use a lookup attribute for some providers. If you specify an attribute, make sure to include the angle brackets (<attribute>). |
| GroupNameAttribute | Defines the directory server attribute to be used as the short name for a group. The default value of this property is samAccountName for the Active Directory service provider and cn for all other supported directory service providers. (Inherited from IDirectoryConfiguration.) |
| GroupSearchFilter | Specifies the search filter for querying a group or groups. The filter must be in the following format: "(&(objectClass=user_defined_class)(an_attribute={0}))", where user_defined_class is the object class you want (for example, user) and an_attribute is the LDAP server-specific attribute (for example, samAccountName, cn, or uid). (Inherited from IDirectoryConfiguration.) The default value of this property is unique to the directory service provider, as follows: |
| GroupUniqueIDAttribute | Specifies the directory server attribute to be used as the unique identifier for a group, that is, for the Content Engine Group.Id property. The default property value is dependent on the directory server type and is specified by the authentication provider's configuration. See "What are access rights?" for a list of the default SID attributes for the supported authentication providers. (Inherited from IDirectoryConfiguration.) |
| Id | A representation of the Globally Unique Identifier (GUID), a unique 128-bit number, that is assigned to this Content Engine object when the object is created. When converted to a string, the Id property is typically depicted as 32 hexadecimal characters enclosed by brackets in the following format: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}. For example, {3F2504E0-4F89-11D3-9A0C-0305E82C3301}. (Inherited from IDirectoryConfiguration.) For IUser and IGroup classes, the Id property takes the value of the Security Identifier (SID) rather than the 128-bit GUID. The string representation of the SID is in this example format: S-1-5-21-1559522492-2815155736-3711640725-55269. When Active Directory is used as the directory service for IBM Content Cortex, IUser.Id and IGroup.Id always return the current SID for the principal, even if this user or group has only historical SIDs populating the Active Directory server. For a given property representation, the Id property has the following characteristics: For a newly created document object, you can override the Id property of its associated VersionSeries object before you save or check in the document for the first time. |
| IsSSLEnabled | Specifies whether the Secure Sockets Layer (SSL) protocol is enabled (true) or disabled (false) for communication to the SMTP server. (Inherited from IDirectoryConfiguration.) |
| PrincipalCategory | Defines the category applied to users and groups in this directory realm. (Inherited from IDirectoryConfiguration.) |
| Properties | The IProperties collection of properties for the EngineObject. (Inherited from IEngineObject.) |
| RestrictMembershipToConfiguredRealms | Restricts a group membership search to within the realms configured in Administration Console for Content Platform Engine. (Inherited from IDirectoryConfiguration.) A user can be in a configured realm but belong to a group in an unconfigured realm. By default (that is, when the property value is False), the server automatically searches cross-realm group membership (also called cross-domain group membership in Active Directory). If it reaches a realm that is not configured in Administration Console, the server returns a Realm not found error and group membership search processing stops. However, if the property value is True when this situation occurs, the server logs an informational message to the server error log and the group membership search continues. NOTE: This property is not supported for the Windows Active Directory Application Mode (ADAM) directory service provider. This is because ADAM does not support cross-realm group memberships (cross-partition memberships, in ADAM terminology). |
| ReturnNameAsDN | Specifies whether to return the user or group name in Distinguished Name (DN) format for Active Directory Service provider. By default, the Active Directory Service provider returns the user and group names in UPN format. If this property is set to True, the service provider returns the names in DN format, which is consistent with other types of directory service providers. |
| SearchCrossForestGroupMembership | Specifies whether the Active Directory Service provider performs cross-forest group membership searches. The default is False. To enable cross-forest group membership searches, set this property to True. |
| SymbolicName | The programmatic identifier for this class description, class definition, property description, property definition, property template, or object store. The value of the property is treated in a case-insensitive manner. (Inherited from IDirectoryConfiguration.) For objects in which you can set the SymbolicName property (object store, class definition, and property template objects), the value of the SymbolicName property must begin with a letter and contain the following characters only: 'A' to 'Z', 'a' to 'z', '0' to '9', and '_' (underscore). No blanks or symbols are allowed. If you do not provide a value for the SymbolicName property, the server will generate it, based on the value of the DisplayName property, when you save the object. For class definition and property template objects, avoid assigning the symbolic name to a value beginning with one of the following reserved prefixes: Cm, Dita, and RM. For object store objects, the symbolic name for an object store must be unique within a domain. For class definition objects, the symbolic name for a class must be unique within an object store. For a property template object, the symbolic name need not be unique relative to the other property template objects. However, when you use a property template to create a property definition and associate it with a class, that property definition's symbolic name must be unique within the class family. A class family is defined by a root class (for example, Document, Folder, or CustomObject) and all of its descendants. Changing the symbolic name of a property template for a string-valued property will propagate to the property definitions based on that template. The property definitions that have been enabled for full-text indexing (IsCBREnabled property set to true) will require re-indexing of all objects containing that property. If you do not re-index, full-text searches on this property will fail to find any objects. |
| UserBaseDN | Specifies the base Distinguished Name (DN) for searching for users in the directory server. (Inherited from IDirectoryConfiguration.) |
| UserDisplayNameAttribute | Specifies the directory server attribute to be used as the display name for a user. The default property value is dependent on the directory server type and is specified by the authentication provider's configuration. (Inherited from IDirectoryConfiguration.) |
| UserNameAttribute | Defines the directory server attribute to be used as the short name for a user. The default value of this property is unique to the directory service provider as follows: (Inherited from IDirectoryConfiguration.) |
| UserSearchFilter | Specifies the search filter for querying a user or users. The filter must be in the following format: "(&(objectClass=user_defined_class)(an_attribute={0}))", where user_defined_class is the object class you want (for example, user or person) and an_attribute is the LDAP server-specific attribute (for example, samAccountName, cn, or uid). (Inherited from IDirectoryConfiguration.) The default value of this property is unique to the directory service provider, as follows: |
| UserUniqueIDAttribute | Specifies the directory server attribute to be used as the unique identifier for a user, that is, for the Content Engine User.Id property. The default property value is dependent on the directory server type and is specified by the authentication provider's configuration. See "What are access rights?" for a list of the default SID attributes for the supported authentication providers. (Inherited from IDirectoryConfiguration.) |
| UseTokenGroups | Specifies whether the Active Directory Service provider uses the token group attribute to determine a user's group membership. To use this property, you must use objectSid as both the user and group unique ID. The default is False. To enable token group use, set this property to True. |
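Several of the properties above constrain one another (the global AllowEmailOrUPNShortNames rule, the required search-filter format, the objectSid requirement for UseTokenGroups). The following is an added example, not IBM code and not a use of the Content Engine API: it audits those documented rules over configurations represented as plain Python dicts keyed by the property names, which is an assumed representation, and the sample values are constructed.

```python
import re

# Required shape from the page: "(&(objectClass=user_defined_class)(an_attribute={0}))"
FILTER_RE = re.compile(r"^\(&\(objectClass=[^()=]+\)\([^()=]+=\{0\}\)\)$")

def is_upn_format(principal):
    """UPN format per the page: an @ character followed by at least one dot."""
    _, at, rest = principal.partition("@")
    return bool(at) and "." in rest

def effective_allow_short_names(configs):
    """Global setting: true only if every AD configuration sets it to true."""
    return all(c["AllowEmailOrUPNShortNames"] for c in configs)

def parsed_as_upn(principal, configs):
    """True when the provider would treat the login name as name@domain."""
    return not effective_allow_short_names(configs) and is_upn_format(principal)

def audit(configs):
    """Return findings for settings that contradict the documented rules."""
    findings = []
    if len({c["AllowEmailOrUPNShortNames"] for c in configs}) > 1:
        findings.append("AllowEmailOrUPNShortNames is mixed; implicitly false")
    for c in configs:
        for key in ("UserSearchFilter", "GroupSearchFilter"):
            if not FILTER_RE.match(c[key]):
                findings.append(f"{c['DisplayName']}: {key} not in required format")
        ids = (c.get("UserUniqueIDAttribute", ""), c.get("GroupUniqueIDAttribute", ""))
        if c["UseTokenGroups"] and any(a.lower() != "objectsid" for a in ids):
            findings.append(f"{c['DisplayName']}: UseTokenGroups needs objectSid IDs")
    return findings

# Constructed sample: hypothetical values, dicts stand in for configuration objects.
SAMPLE = [
    {"DisplayName": "corp", "AllowEmailOrUPNShortNames": True,
     "UserSearchFilter": "(&(objectClass=user)(samAccountName={0}))",
     "GroupSearchFilter": "(&(objectClass=group)(samAccountName={0}))",
     "UseTokenGroups": True, "UserUniqueIDAttribute": "objectSid",
     "GroupUniqueIDAttribute": "objectGUID"},
    {"DisplayName": "partners", "AllowEmailOrUPNShortNames": False,
     "UserSearchFilter": "(samAccountName={0})",
     "GroupSearchFilter": "(&(objectClass=group)(cn={0}))",
     "UseTokenGroups": False},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
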
