Defining the LDAP configuration

The LDAP configuration contains values that are used by both the LDAP user import utility for automatic imports and the manual LDAP import. Values from the LDAP configuration are also used to generate the LDAP properties file.

The LDAP configuration contains data that is used to communicate with the LDAP server, including the LDAP server used, connection information for that server, and the distinguished name used to query objects on that server. The configuration also contains other data that defines how data is queried and imported when you are using the automatic or manual import. This data includes the LDAP attributes that become the Content Manager Enterprise Edition user name and user description, the scope of the search relative to the LDAP distinguished name used, and the number of records to retrieve. The configuration also includes options for setting up the Secure Sockets Layer (SSL) protocol to encrypt data imported from the LDAP server.

You set up the LDAP configuration as part of the LDAP integration steps. The data from the LDAP configuration is used to generate the LDAP properties file, cmbcmenv.properties, that is used on the system administration computer. The properties file might also be required on the library server and resource manager computers, depending on the configuration of your Content Manager Enterprise Edition system.

After you complete the LDAP integration for a content management system that is in production use, you might need to change the LDAP configuration data. For example, you might need to complete the following tasks:
  • Change the current default user attribute to a more useful one.
  • Rescale the base DN (distinguished name) to include other areas of the LDAP hierarchical structure so that you can search for either a broader or narrower group of user IDs.
  • Change the LDAP directory server host name so that the system administration client can import user IDs from a currently functioning LDAP directory server.
However, changing the LDAP configuration data generates a new LDAP properties file that contains the core LDAP configuration information. If you change the LDAP configuration for your production content management system after the initial LDAP integration is completed, then you must complete all steps in the LDAP integration process again. You must complete these steps to ensure that your content management system still functions correctly with LDAP.
Restriction: After the cmbcmenv.properties file is created, do not edit it directly. Always use the following procedure to update the file.
To define the LDAP configuration, complete the following steps:
  1. In the system administration client, click Tools > LDAP Configuration. The LDAP Configuration window opens.
  2. Select Enable LDAP User import and authentication.
  3. Click the Server tab, and then set the following properties:
    Server type
    Specify whether you want to import users from IBM® Directory Server, Microsoft Active Directory, or another LDAP server. If you are using Active Directory, select Active Directory. For any other server type, select LDAP.
    LDAP server Hostname
    Specify the host name of the server from which you want to import users.
    Use the following format: ldap://hostname.domain
    Port
    Specify the port number of the LDAP server.
    The default port numbers are 389 (non-Secure Sockets Layer) and 636 (Secure Sockets Layer). You can obtain more information about ports from your LDAP administrator.
    Base DN
    Select the distinguished name that you want to use to query the objects in the LDAP server.
    A DN (distinguished name) identifies one entry in the LDAP Directory Information Tree (DIT); the entry has one or more attributes associated with it. The base DN is the entry at which queries for user IDs begin. For example, if you designate a base DN of User Accounts, a search for user IDs to import looks for matching values in the user attributes of the entries under User Accounts, such as a user ID. You can obtain more information about which distinguished name to select from your LDAP administrator.
    Tip: You can also click Lookup from Server to populate the list with all of the possible base DNs that are available from the server. However, the Lookup from Server selection might not work for your LDAP server. For most situations, you might want to enter a base DN that you design to narrow the LDAP search scope.
    User attribute
    Type the user attribute that is used to authenticate the user.
    The default user attribute for Content Manager Enterprise Edition is cn (common name). If you are using Microsoft Active Directory, change the user attribute to samaccountname so that Microsoft Active Directory verifies against the user ID instead of the common name. You can obtain a list of other user attributes from your LDAP administrator.
    Important: The selection of the user attribute for this field is an important choice. This user attribute becomes the Content Manager Enterprise Edition User Name when the LDAP users are imported into the library server. Content Manager Enterprise Edition does not allow duplicate user names, so use an attribute whose values are unique across the LDAP server, or at least unique within the search scope that you configure for the LDAP search. For example, cn is a display name that can legitimately repeat across organizational units, whereas an account identifier such as samaccountname is unique within an Active Directory domain. Check the uniqueness of the chosen attribute within the base DN and search scope before you run the import.
    Description attribute
    Specify whether to use the distinguished name of the user as the description or another user attribute as the description after the user is imported to the system administration client.
    Search scope
    Click One level to limit the level of the search to users directly under the base DN or click Subtree to search for users in all branches under the base DN.
    Referral
    Click Follow to follow referrals: when the LDAP server that you defined answers a query with a reference to another LDAP server, the system administration client connects to that server and continues the import there.
    Click Ignore to import only users from the LDAP server that you defined.
    Following referrals means that the client connects to whichever servers the directory refers it to and can bind to them with the same user name and password, so use Ignore unless you know that referrals to other servers are required for your import.
    Authentication scheme
    The system administration client always uses the Simple method (a simple bind with user name and password) to authenticate to the LDAP server. With a simple bind, the user name and password travel to the LDAP server in the clear unless you enable SSL on the Authentication tab.
    User name
    Specify the user name that the system administration client binds with to read the users that you want to import.
    This user is not required to have administrative privileges. Administrative privileges avoid denial-of-access errors during import, but a dedicated read-only account with search access to the base DN and read access to the user and description attributes is the least-privilege choice and is sufficient on most directory servers.
    Important: Some LDAP servers accept a plain user name as the value for this field, but other servers require the full distinguished name (DN). For the best results on all servers, use the DN as the value for this field.
    Password
    Specify the password for the user name.
  4. Click the Authentication tab. Advanced authentication options include enabling the Secure Sockets Layer (SSL) protocol. If you want to encrypt the data that you import from the LDAP directory server, complete the following steps.
    Tip: If you are setting up LDAP integration for the first time to generate the properties file, you can omit this step and complete it later. A later step in the LDAP integration process contains more information about how to enable SSL and TLS with the LDAP server; the procedures for enabling SSL and TLS are the same.
    1. Select Secure Sockets Layer (SSL) enabled.
    2. Type the name of the key database file that you created. Do not include the .kdb filename extension.

      This file is just one of the pieces of information used to establish a secure connection to the LDAP directory server. The other piece of information required to establish a secure connection is the SSL authentication password.

    3. Type the password of the LDAP system administrator in the SSL authentication password field. Without a valid LDAP system administrator password, every attempt to establish an SSL connection to the LDAP directory server fails. Both the key database file and the password must be intact and trusted for the connection to succeed. If either has been tampered with or is no longer recognized by the LDAP directory server, contact your LDAP system administrator for information about how to correct the problem.
    Attention: The system administration client sets the Context Factory to the Sun JNDI LDAP context factory (com.sun.jndi.ldap.LdapCtxFactory). You cannot change this setting. The context factory is the underlying Java™ code that the library server uses to connect to the LDAP directory server.
  5. Click the Advanced tab, and then set the following properties:
    Max. records to retrieve
    Type the maximum number of user records to retrieve from a search.
    Ensure that this number is large enough to cover all of the users and groups combined in the LDAP search scope; if the search returns more entries than this limit, the LDAP user import utility reports errors or imports an incomplete set of users.
    The LDAP server can also cap the number of entries that it returns, regardless of this setting. For example, Microsoft Active Directory returns at most 1000 entries for one search request by default. That limit is the MaxPageSize LDAP policy, which the directory administrator can change with the ntdsutil.exe command on the domain controller (for example, on Microsoft Windows 2000 Server). Raising it affects every LDAP client of that domain controller, so agree the change with your LDAP administrator.
    Server connection timeout
    Specify the number of seconds to wait before you receive an error if the connection between the LDAP server and system administration client is not made.
    The maximum value is 99.
  6. Click OK.
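To check a candidate Base DN, Search scope, User attribute, and Max. records to retrieve before you run the import, the following Python script, added here as an example and not part of the Content Manager Enterprise Edition product, simulates the import's search over a small constructed directory instead of a live LDAP server. The DNs, organizational units, and account names in it are hypothetical, and it implements the one-level and subtree scope rules itself. It shows why cn can collide in Subtree scope while samaccountname does not, how One level changes the result set, and how a Max. records value that is too small silently truncates the import.

```python
import re
from collections import Counter

# Constructed sample directory (hypothetical DNs and accounts), standing in for
# the entries a live LDAP server would return.  Attribute names are stored with
# their canonical casing; LDAP treats attribute names case-insensitively.
SAMPLE_ENTRIES = [
    ("CN=Alice Smith,OU=Staff,OU=User Accounts,DC=example,DC=com",
     {"cn": "Alice Smith", "sAMAccountName": "asmith"}),
    ("CN=Alice Smith,OU=Contractors,OU=User Accounts,DC=example,DC=com",
     {"cn": "Alice Smith", "sAMAccountName": "asmith2"}),
    ("CN=Bob Jones,OU=User Accounts,DC=example,DC=com",
     {"cn": "Bob Jones", "sAMAccountName": "bjones"}),
    ("CN=Svc Backup,OU=Service,DC=example,DC=com",
     {"cn": "Svc Backup", "sAMAccountName": "svcbackup"}),
]


def dn_components(dn):
    """Split a DN into its RDNs (ignoring escaped commas), normalized for comparison."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies under base_dn within the given search scope.

    scope is "onelevel" (entries directly under the base DN) or "subtree"
    (all entries below the base DN).  The base DN entry itself is not a
    user record, so it is excluded in both cases.
    """
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return depth == 1 if scope == "onelevel" else True


def get_attr(attrs, name):
    """Case-insensitive attribute lookup ('samaccountname' finds sAMAccountName)."""
    wanted = name.lower()
    for key, value in attrs.items():
        if key.lower() == wanted:
            return value
    return None


def simulate_import(entries, base_dn, scope, user_attr, max_records):
    """Return what the LDAP user import would see for this configuration.

    Result keys:
      users      -- user names (values of user_attr) of the entries retrieved
      duplicates -- user names that occur more than once and would collide,
                    because Content Manager does not allow duplicate names
      truncated  -- True if more entries matched than max_records allows,
                    i.e. the Max. records to retrieve setting is too small
    """
    matched = [(dn, attrs) for dn, attrs in entries
               if in_scope(dn, base_dn, scope)
               and get_attr(attrs, user_attr) is not None]
    truncated = len(matched) > max_records
    users = [get_attr(attrs, user_attr) for _, attrs in matched[:max_records]]
    duplicates = sorted(name for name, n in Counter(users).items() if n > 1)
    return {"users": users, "duplicates": duplicates, "truncated": truncated}


if __name__ == "__main__":
    base = "OU=User Accounts,DC=example,DC=com"
    for attr in ("cn", "samaccountname"):
        r = simulate_import(SAMPLE_ENTRIES, base, "subtree", attr, 1000)
        print(f"{attr:15} subtree   users={r['users']} duplicates={r['duplicates']}")
    r = simulate_import(SAMPLE_ENTRIES, base, "onelevel", "cn", 1000)
    print(f"{'cn':15} onelevel  users={r['users']}")
    r = simulate_import(SAMPLE_ENTRIES, base, "subtree", "cn", 2)
    print(f"{'cn':15} max=2     truncated={r['truncated']}")
```

Run it as a script to see the three effects side by side. Against a real directory, the same check is an LDAP search from the base DN with the configured scope that requests only the user attribute; any value that appears twice in the result, or a result that stops exactly at the configured maximum, means the configuration needs to change before the import is run.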