LDAP parameters

Update the custom YAML file to provide the details that are relevant for your FileNet Content Manager and IBM Content Navigator LDAP environment. The ext_ldap_configuration parameters (Table 3, for external users) apply only to environments that use the 2-LDAP method to support External Share.

You can specify multiple LDAP providers for a container deployment. The initialization service covers a single LDAP provider, but you can add more providers manually by using the multi LDAP section in the custom resource file. Copy and paste the multi LDAP configuration section, uncomment it, and provide values for your additional LDAP directory server:
  ## The beginning section of multi ldap configuration for FNCM
  #ldap_configuration_<id_name>:
    #lc_ldap_id: <id_name>
    ## The possible values are: "IBM Security Directory Server" or "Microsoft Active Directory"
    #lc_selected_ldap_type: "<Required>"

    ## The name of the LDAP server to connect
    #lc_ldap_server: "<Required>"

...

    ## The LDAP group membership ID map.  One possible value is "groupofnames:member" for TDS and "memberOf:member" for AD.
    #lc_ldap_group_member_id_map: "<Required>"
Note: Make sure to uncomment and include values for any additional parameter sections that apply to specific directory service providers.
Table 1. LDAP configuration parameters: ldap_configuration
In the provider-specific filters (ad.*, tds.*, ed.*, oracle.*, caet.*), %v is replaced with the user or group name being looked up; in lc_ldap_group_membership_search_filter, {0} is replaced with the DN of the entry whose groups are being resolved. Each entry below gives the parameter, its description, the default value, and whether it is required.

ad.lc_ad_gc_host
    Active Directory host. Default: none. Required: Yes.
ad.lc_ad_gc_port
    Active Directory port. Default: none. Required: Yes.
ad.lc_group_filter
    Active Directory group filter. Default: (&(cn=%v)(objectcategory=group)). Required: No.
ad.lc_user_filter
    Active Directory user filter. Default: (&(sAMAccountName=%v)(objectcategory=user)). Required: No.
caet.lc_group_filter
    CA eTrust group filter. Default: (&(objectClass=group)(cn=%v)). Required: No.
caet.lc_user_filter
    CA eTrust user filter. Default: (&(objectClass=person)(cn=%v)). Required: No.
ed.lc_group_filter
    NetIQ eDirectory group filter. Default: (&(objectclass=groupOfNames)(cn=%v)). Required: No.
ed.lc_user_filter
    NetIQ eDirectory user filter. Default: (&(objectclass=Person)(cn=%v)). Required: No.
lc_bind_secret
    Name of the secret that holds the bind user's credentials. The secret must have the keys ldapUsername and ldapPassword. Kubernetes secret names follow DNS-1123 rules, so the name cannot contain underscores. Default: ldap-bind-secret.
lc_ldap_base_dn
    Base distinguished name (DN) of the subtree that is searched for user entries. If the LDAP server does not allow anonymous searches, the search is performed with the credentials from lc_bind_secret. Default: dc=hqpsidcdom,dc=com. Required: Yes.
lc_ldap_group_base_dn
    Base DN of the subtree that is searched for group entries. Default: dc=hqpsidcdom,dc=com. Required: Yes.
lc_ldap_group_display_name_attr
    Attribute that is used as the group display name. Default: cn. Required: Yes.
lc_ldap_group_member_id_map
    Maps a group object class to the attribute that lists the group's members, in objectclass:attribute form; it is used to resolve group membership. Default: groupofnames:member. Required: Yes.
lc_ldap_group_membership_search_filter
    Filter that finds the groups under lc_ldap_group_base_dn that list an entry as a member; {0} is replaced with the member's DN. Default: (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0}))). Required: Yes.
lc_ldap_group_name_attribute
    Attribute that holds the group name, in objectclass:attribute form; * applies to every object class. Default: *:cn. Required: Yes.
lc_ldap_port
    TCP port of the LDAP server. 389 is the plain LDAP port; when lc_ldap_ssl_enabled is true, use the server's LDAPS port, which is normally 636. Default: 389. Required: Yes.
lc_ldap_precheck
    If true, the operator verifies the LDAP connection during the validation phase before deploying; if false, the operator skips that check. Default: true. Required: No.
lc_ldap_server
    Host name of the LDAP server that you are using for the environment. Default: <hostname>. Required: Yes.
lc_ldap_ssl_enabled
    Whether the connection to the LDAP server uses SSL/TLS. Leave it true: with false, the simple bind sends ldapPassword, and every directory query after it, across the network in cleartext. Default: true. Required: No.
lc_ldap_ssl_secret_name
    Name of the SSL secret that you created for this directory server; it is needed when lc_ldap_ssl_enabled is true. Default: " ". Required: Yes.
lc_ldap_user_display_name_attr
    Attribute that is used as the user display name. Default: cn. Required: Yes.
lc_ldap_user_name_attribute
    Attribute that holds the user (login) name, in objectclass:attribute form; * applies to every object class. Default: *:cn. Required: Yes.
lc_selected_ldap_type
    Type of the directory service provider that you are using for your container environment. Required: Yes. Choices are
  • IBM Security Directory Server
  • Microsoft Active Directory
  • NetIQ eDirectory
  • Oracle Internet Directory
  • Oracle Directory Server Enterprise Edition
  • Oracle Unified Directory
  • CA eTrust
oracle.lc_group_filter
    Oracle Directory group filter. Default: (&(objectClass=group)(cn=%v)). Required: No.
oracle.lc_user_filter
    Oracle Directory user filter. Default: (&(objectClass=person)(cn=%v)). Required: No.
tds.lc_group_filter
    IBM Security Directory Server group filter. Default: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))). Required: No.
tds.lc_user_filter
    IBM Security Directory Server user filter. Default: (&(cn=%v)(objectclass=person)). Required: No.
Table 2. Multi LDAP configuration parameters: ldap_configuration_<id_name>
Each entry gives the parameter, its description, the default value, and whether it is required. Where the default differs by directory type, the TDS (IBM Security Directory Server) and AD (Microsoft Active Directory) values are listed separately.

ad.lc_ad_gc_host
    Active Directory host. Default: none. Required: Yes.
ad.lc_ad_gc_port
    Active Directory port. Default: none. Required: Yes.
ad.lc_group_filter
    Active Directory group filter. Default: (&(samAccountName=%v)(objectclass=group)). Required: No.
ad.lc_user_filter
    Active Directory user filter. Default: (&(samAccountName=%v)(objectClass=user)). Required: No.
caet.lc_group_filter
    CA eTrust group filter. Default: (&(objectClass=group)(cn=%v)). Required: No.
caet.lc_user_filter
    CA eTrust user filter. Default: (&(objectClass=person)(cn=%v)). Required: No.
ed.lc_group_filter
    NetIQ eDirectory group filter. Default: (&(objectclass=groupOfNames)(cn=%v)). Required: No.
ed.lc_user_filter
    NetIQ eDirectory user filter. Default: (&(objectclass=Person)(cn=%v)). Required: No.
lc_ldap_base_dn
    Base distinguished name (DN) of the subtree that is searched for user entries on this additional directory server. Default: dc=example,dc=com. Required: Yes.
lc_ldap_group_base_dn
    Base DN of the subtree that is searched for group entries. Default: dc=example,dc=com. Required: Yes.
lc_ldap_group_display_name_attr
    Attribute that is used as the group display name. Default (for TDS): cn. Required: Yes.
lc_ldap_group_member_id_map
    Maps a group object class to the attribute that lists the group's members, in objectclass:attribute form; it is used to resolve group membership. Default (for TDS): groupofnames:member. Default (for AD): memberOf:member. Required: Yes.
lc_ldap_group_membership_search_filter
    Filter that finds the groups under lc_ldap_group_base_dn that list an entry as a member; {0} is replaced with the member's DN. Default (for TDS and AD): (|(&(objectclass=groupofnames)(member={0})) (&(objectclass=groupofuniquenames)(uniquemember={0}))). Required: Yes.
lc_ldap_group_name_attribute
    Attribute that holds the group name, in objectclass:attribute form; * applies to every object class. Default (for TDS): *:cn. Required: Yes.
lc_ldap_id
    The LDAP id of this multi LDAP configuration. It must match the <id_name> suffix of the ldap_configuration_<id_name> section; the <id_name> value could be ad, tds, edir, oid, ods or oud. Default: <id_name>. Required: Yes.
lc_ldap_port
    TCP port of the LDAP server. 389 is the plain LDAP port; when lc_ldap_ssl_enabled is true, use the server's LDAPS port, which is normally 636. Default: 389. Required: Yes.
lc_ldap_precheck
    If true, the operator verifies the LDAP connection during the validation phase before deploying; if false, the operator skips that check. Default: true. Required: No.
lc_ldap_server
    Host name of the LDAP server that you are using for the environment. Default: none. Required: Yes.
lc_ldap_ssl_enabled
    Whether the connection to the LDAP server uses SSL/TLS. Leave it true: with false, the simple bind sends the bind password, and every directory query after it, across the network in cleartext. Default: true. Required: No.
lc_ldap_ssl_secret_name
    Name of the SSL secret that you created for this directory server; it is needed when lc_ldap_ssl_enabled is true. Default: " ". Required: Yes.
lc_ldap_user_display_name_attr
    Attribute that is used as the user display name. Default (for TDS): cn. Default (for AD): sAMAccountName. Required: Yes.
lc_ldap_user_name_attribute
    Attribute that holds the user (login) name, in objectclass:attribute form; * applies to every object class. Default (for TDS): *:cn. Default (for AD): user:sAMAccountName. Required: Yes.
lc_selected_ldap_type
    Type of the directory service provider that you are using for your container environment. Required: Yes. Choices are
  • IBM Security Directory Server
  • Microsoft Active Directory
  • NetIQ eDirectory
  • Oracle Internet Directory
  • Oracle Directory Server Enterprise Edition
  • Oracle Unified Directory
  • CA eTrust
oracle.lc_group_filter
    Oracle Directory group filter. Default: (&(objectClass=group)(cn=%v)). Required: No.
oracle.lc_user_filter
    Oracle Directory user filter. Default: (&(objectClass=person)(cn=%v)). Required: No.
tds.lc_group_filter
    IBM Security Directory Server group filter. Default: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))). Required: No.
tds.lc_user_filter
    IBM Security Directory Server user filter. Default: (&(cn=%v)(objectclass=person)). Required: No.
Table 3. External LDAP Parameters Configuration: ext_ldap_configuration
Each entry gives the parameter, its description, the default value, and whether it is required.

ad.lc_ad_gc_host
    Active Directory host. Default: none. Required: Yes.
ad.lc_ad_gc_port
    Active Directory port. Default: none. Required: Yes.
ad.lc_group_filter
    Active Directory group filter. Default: (&(cn=%v)(objectcategory=group)). Required: No.
ad.lc_user_filter
    Active Directory user filter. Default: (&(sAMAccountName=%v)(objectcategory=user)). Required: No.
caet.lc_group_filter
    CA eTrust group filter. Default: (&(objectClass=group)(cn=%v)). Required: No.
caet.lc_user_filter
    CA eTrust user filter. Default: (&(objectClass=person)(cn=%v)). Required: No.
ed.lc_group_filter
    NetIQ eDirectory group filter. Default: (&(objectclass=groupOfNames)(cn=%v)). Required: No.
ed.lc_user_filter
    NetIQ eDirectory user filter. Default: (&(objectclass=Person)(cn=%v)). Required: No.
lc_bind_secret
    Name of the secret that holds the bind user's credentials for the external directory. The secret must have the keys ldapUsername and ldapPassword. Kubernetes secret names follow DNS-1123 rules, so the name cannot contain underscores. Default: ldap-bind-secret.
lc_ldap_base_dn
    Base distinguished name (DN) of the subtree that is searched for user entries. If the LDAP server does not allow anonymous searches, the search is performed with the credentials from lc_bind_secret. Default: dc=hqpsidcdom,dc=com. Required: Yes.
lc_ldap_group_base_dn
    Base DN of the subtree that is searched for group entries. Default: dc=hqpsidcdom,dc=com. Required: Yes.
lc_ldap_group_display_name_attr
    Attribute that is used as the group display name. Default: cn. Required: Yes.
lc_ldap_group_member_id_map
    Maps a group object class to the attribute that lists the group's members, in objectclass:attribute form; it is used to resolve group membership. Default: groupofnames:member. Required: Yes.
lc_ldap_group_membership_search_filter
    Filter that finds the groups under lc_ldap_group_base_dn that list an entry as a member; {0} is replaced with the member's DN. Default: (|(&(objectclass=groupofnames)(member={0}))(&(objectclass=groupofuniquenames)(uniquemember={0}))). Required: Yes.
lc_ldap_group_name_attribute
    Attribute that holds the group name, in objectclass:attribute form; * applies to every object class. Default: *:cn. Required: Yes.
lc_ldap_port
    TCP port of the LDAP server. 389 is the plain LDAP port; when lc_ldap_ssl_enabled is true, use the server's LDAPS port, which is normally 636. Default: 389. Required: Yes.
lc_ldap_precheck
    If true, the operator verifies the LDAP connection during the validation phase before deploying; if false, the operator skips that check. Default: true. Required: No.
lc_ldap_server
    Host name of the LDAP server that you are using for the environment. Default: <hostname>. Required: Yes.
lc_ldap_ssl_enabled
    Whether the connection to the LDAP server uses SSL/TLS. Leave it true: with false, the simple bind sends ldapPassword, and every directory query after it, across the network in cleartext. This matters even more for an external-facing directory. Default: true. Required: No.
lc_ldap_ssl_secret_name
    Name of the SSL secret that you created for this directory server; it is needed when lc_ldap_ssl_enabled is true. Default: none. Required: Yes.
lc_ldap_user_display_name_attr
    Attribute that is used as the user display name. Default: cn. Required: Yes.
lc_ldap_user_name_attribute
    Attribute that holds the user (login) name, in objectclass:attribute form; * applies to every object class. Default: *:cn. Required: Yes.
lc_selected_ldap_type
    Type of the directory service provider that you are using for your container environment. Required: Yes. Choices are
  • IBM Security Directory Server
  • Microsoft Active Directory
  • NetIQ eDirectory
  • Oracle Internet Directory
  • Oracle Directory Server Enterprise Edition
  • Oracle Unified Directory
  • CA eTrust
oracle.lc_group_filter
    Oracle Directory group filter. Default: (&(objectClass=group)(cn=%v)). Required: No.
oracle.lc_user_filter
    Oracle Directory user filter. Default: (&(objectClass=person)(cn=%v)). Required: No.
tds.lc_group_filter
    IBM Security Directory Server group filter. Default: (&(cn=%v)(|(objectclass=groupofnames)(objectclass=groupofuniquenames)(objectclass=groupofurls))). Required: No.
tds.lc_user_filter
    IBM Security Directory Server user filter. Default: (&(cn=%v)(objectclass=person)). Required: No.
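The checks a practitioner would run over a filled-in custom resource before applying it, as an added example in Python (it is not IBM's operator or initialization-service code). It models the ldap_configuration, ldap_configuration_<id_name> and ext_ldap_configuration sections from Tables 1 to 3 as a dict whose keys mirror the YAML, enforces the constraints the tables state (required keys, the ad.* values for Active Directory, an SSL secret when SSL is enabled, lc_ldap_id matching the section suffix, objectclass:attribute form for the member id map) and then expands the user filter and membership filter the way the %v and {0} placeholders are described above, with RFC 4515 escaping. The nested ad block, the sample hosts, DNs and secret names, and the DNS-1123 rule for secret names are assumptions made for this example.

```python
"""Pre-flight checks for the LDAP sections of the custom resource.
Added example, not IBM's operator code. The CR is modelled as a dict whose keys
mirror the tables; the nested "ad" block is an assumption about how the dotted
ad.lc_* parameters are laid out in the YAML."""
import re

# Constructed sample spec; hosts, DNs and secret names are placeholders.
_TDS = {
    "lc_selected_ldap_type": "IBM Security Directory Server",
    "lc_ldap_server": "sds01.example.com", "lc_ldap_port": 636,
    "lc_ldap_ssl_enabled": True, "lc_ldap_ssl_secret_name": "ldap-ssl-secret",
    "lc_bind_secret": "ldap-bind-secret",
    "lc_ldap_base_dn": "dc=example,dc=com", "lc_ldap_group_base_dn": "dc=example,dc=com",
    "lc_ldap_user_name_attribute": "*:cn", "lc_ldap_user_display_name_attr": "cn",
    "lc_ldap_group_name_attribute": "*:cn", "lc_ldap_group_display_name_attr": "cn",
    "lc_ldap_group_member_id_map": "groupofnames:member",
    "lc_ldap_group_membership_search_filter":
        "(|(&(objectclass=groupofnames)(member={0}))"
        "(&(objectclass=groupofuniquenames)(uniquemember={0})))",
}
SAMPLE_SPEC = {
    "ldap_configuration": dict(
        _TDS, lc_selected_ldap_type="Microsoft Active Directory",
        lc_ldap_server="ad01.example.com", lc_ldap_user_name_attribute="user:sAMAccountName",
        lc_ldap_user_display_name_attr="sAMAccountName", lc_ldap_group_member_id_map="memberOf:member",
        ad={"lc_ad_gc_host": "gc.example.com", "lc_ad_gc_port": 3269,
            "lc_user_filter": "(&(sAMAccountName=%v)(objectcategory=user))",
            "lc_group_filter": "(&(cn=%v)(objectcategory=group))"}),
    "ldap_configuration_tds": dict(_TDS, lc_ldap_id="tds"),  # second directory, multi-LDAP form
}

# lc_selected_ldap_type -> prefix of its provider-specific filter block (ad., tds., ...)
TYPE_PREFIX = {"IBM Security Directory Server": "tds", "Microsoft Active Directory": "ad",
               "NetIQ eDirectory": "ed", "Oracle Internet Directory": "oracle",
               "Oracle Directory Server Enterprise Edition": "oracle",
               "Oracle Unified Directory": "oracle", "CA eTrust": "caet"}
DEFAULT_USER_FILTER = {"ad": "(&(sAMAccountName=%v)(objectcategory=user))",  # Table 1 defaults
                       "tds": "(&(cn=%v)(objectclass=person))",
                       "ed": "(&(objectclass=Person)(cn=%v))",
                       "oracle": "(&(objectClass=person)(cn=%v))",
                       "caet": "(&(objectClass=person)(cn=%v))"}
REQUIRED = ("lc_selected_ldap_type", "lc_ldap_server", "lc_ldap_port", "lc_ldap_base_dn",
            "lc_ldap_group_base_dn", "lc_ldap_user_name_attribute", "lc_ldap_user_display_name_attr",
            "lc_ldap_group_name_attribute", "lc_ldap_group_display_name_attr",
            "lc_ldap_group_member_id_map", "lc_ldap_group_membership_search_filter")
K8S_NAME = re.compile(r"[a-z0-9]([-a-z0-9.]*[a-z0-9])?")  # approximate DNS-1123 name: no underscores

def check_section(name, cfg):
    """Return the problems found in one ldap_configuration* section (empty list means OK)."""
    problems = [f"{name}: {k} is required" for k in REQUIRED if not cfg.get(k)]
    ltype = cfg.get("lc_selected_ldap_type")
    if ltype not in TYPE_PREFIX:
        problems.append(f"{name}: unsupported lc_selected_ldap_type {ltype!r}")
    elif TYPE_PREFIX[ltype] == "ad":  # Active Directory also needs the ad.lc_ad_gc_* values
        problems += [f"{name}: ad.{k} is required for Active Directory"
                     for k in ("lc_ad_gc_host", "lc_ad_gc_port") if not cfg.get("ad", {}).get(k)]
    if cfg.get("lc_ldap_ssl_enabled", True):
        if not str(cfg.get("lc_ldap_ssl_secret_name", "")).strip():
            problems.append(f"{name}: lc_ldap_ssl_secret_name is required when SSL is enabled")
    else:  # a simple bind over plain LDAP sends ldapPassword in cleartext
        problems.append(f"{name}: lc_ldap_ssl_enabled is false; bind credentials cross the network unencrypted")
    for k in ("lc_bind_secret", "lc_ldap_ssl_secret_name"):
        val = str(cfg.get(k, "")).strip()
        if val and not K8S_NAME.fullmatch(val):
            problems.append(f"{name}: {k}={val!r} is not a valid Kubernetes secret name")
    if not re.fullmatch(r"[^:\s]+:[^:\s]+", str(cfg.get("lc_ldap_group_member_id_map", ""))):
        problems.append(f"{name}: lc_ldap_group_member_id_map must be objectclass:attribute")
    if "{0}" not in str(cfg.get("lc_ldap_group_membership_search_filter", "")):
        problems.append(f"{name}: lc_ldap_group_membership_search_filter needs the {{0}} placeholder")
    return problems

def check_spec(spec):
    """Check every LDAP section; ldap_configuration_<id_name> must carry lc_ldap_id=<id_name>."""
    problems = []
    for name, cfg in spec.items():
        if name.startswith("ldap_configuration_"):
            id_name = name[len("ldap_configuration_"):]
            if cfg.get("lc_ldap_id") != id_name:
                problems.append(f"{name}: lc_ldap_id must be {id_name!r}")
        elif name not in ("ldap_configuration", "ext_ldap_configuration"):
            continue
        problems += check_section(name, cfg)
    return problems

_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (blocks filter injection)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def render_user_filter(cfg, login):
    """Expand the provider's lc_user_filter: %v stands for the login name being looked up."""
    prefix = TYPE_PREFIX[cfg["lc_selected_ldap_type"]]
    template = cfg.get(prefix, {}).get("lc_user_filter", DEFAULT_USER_FILTER[prefix])
    return template.replace("%v", escape_filter_value(login))

def render_membership_filter(cfg, member_dn):
    """Expand lc_ldap_group_membership_search_filter: {0} stands for the member's DN."""
    return cfg["lc_ldap_group_membership_search_filter"].replace("{0}", escape_filter_value(member_dn))

if __name__ == "__main__":
    for line in check_spec(SAMPLE_SPEC) or ["spec OK"]:
        print(line)
    print(render_user_filter(SAMPLE_SPEC["ldap_configuration"], "*)(objectcategory=*"))
```

Run it as a script to list the problems in the sample spec (none for the constructed one) and to see what the user filter looks like for a hostile login name: the escaping turns `*)(objectcategory=*` into `\2a\29\28objectcategory=\2a`, so the filter still matches a single literal account instead of every object in the tree. If you write your own ad.lc_user_filter or tds.lc_group_filter, keep the %v inside an equality assertion as the defaults do, and keep lc_ldap_ssl_enabled true so the precheck and the runtime binds both use LDAPS.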