Defining the LDAP configuration

The LDAP configuration contains values that are used by both the LDAP user import utility for automatic imports and the manual LDAP import. Values from the LDAP configuration are also used to generate the LDAP properties file.

About this task

The LDAP configuration contains data that is used to communicate with the LDAP server, including the LDAP server used, connection information for that server, and the distinguished name used to query objects on that server. The configuration also contains other data that defines how data is queried and imported when you are using the automatic or manual import. This data includes the LDAP attributes that become the Content Manager Enterprise Edition user name and user description, the scope of the search relative to the LDAP distinguished name used, and the number of records to retrieve. The configuration also includes options for setting up the Secure Sockets Layer (SSL) protocol to encrypt data imported from the LDAP server.

You set up the LDAP configuration as part of the LDAP integration steps. The data from the LDAP configuration is used to generate the LDAP properties file, cmbcmenv.properties, that is used on the system administration machine. The properties file might also be required on the library server and resource manager machines, depending on the configuation of your Content Manager Enterprise Edition system.

After you complete the LDAP integration for a content management system that is in production use, you might need to change the LDAP configuration data. For example, you might need to do the following tasks:

Change the current default user attribute to a more useful one.
Rescale the base DN (distinguished name) to include other areas of the LDAP hierarchical structure so that you can search for either a broader or narrower group of user IDs.
Change the LDAP directory server host name so that the system administration client can import user IDs from a currently functioning LDAP directory server.

However, changing the LDAP configuration data generates a new LDAP properties file that contains the core LDAP configuration information. If you change the LDAP configuration for your production content management system after the initial LDAP integration is completed, then you must complete all steps in the LDAP integration process again. You must complete these steps to ensure that your content management system still functions correctly with LDAP.

Restriction: After the cmbcmenv.properties file is created, do not edit it directly. Always use the following procedure to the update the file.

Procedure

To define the LDAP configuration:

From the system administration client, click Tools > LDAP Configuration to open the LDAP Configuration window.
Select Enable LDAP User import and authentication.
Click the Server tab to configure the LDAP server information for use within Content Manager Enterprise Edition.
1. In the Server type field, specify whether you want to import users from IBM® Directory Server, Microsoft™ Active Directory, or other LDAP servers.
  Click Active Directory if you are using Active Directory. For other server types, click LDAP.
2. In the LDAP server Hostname field, type the host name of the server from which you want to import users.
  Specify the host name by using the following format: ldap://hostname.domain.
3. In the Port field, type the port number of the LDAP server.
  The default port numbers are 389 (non-Secure Sockets Layer) and 636 (Secure Sockets Layer). You can obtain more information about ports from your LDAP administrator.
4. In the Base DN field, select the distinguished name that you want to use to query the objects in the LDAP server from the list.
  DN is the distinguished name; an entry in the LDAP Directory Information Tree (DIT) that has one or more user attributes associated with it. You indicate a base DN as a place to begin queries for user IDs. For example, you can designate a base DN of User Accounts, which can contain several user attributes. When you search for user IDs to import, the search then looks for value matches in the user attributes of User Accounts, such as a user ID. You can obtain more information about the distinguished name to select from your LDAP administrator.
  Tip: You can also click Lookup from Server to populate the list with all of the possible base DNs that are available from the server. However, the Lookup from Server selection might not work for your LDAP server. For most situations, you might want to enter a base DN that you design to narrow the LDAP search scope.
5. In the User attribute field, type the user attribute that is used to authenticate the user.
  The default user attribute for Content Manager Enterprise Edition is cn (common name). If you are using Microsoft Active Directory, change the user attribute to samaccountname so that Microsoft Active Directory verifies against the user ID instead of the common name. You can obtain a list of other user attributes from your LDAP administrator.
  Important: The selection of the user attribute for this field is an important choice. This user attribute is used as the Content Manager Enterprise Edition User Name when the LDAP users are imported into the library server. Content Manager Enterprise Edition does not allow duplicate user names, so it is best to use an attribute that has a unique scope in the LDAP server, or one that appears as unique in the search scope that you configure as the filter for the LDAP search.
6. In the Description attribute field, specify whether to use the distinguished name of the user as the description or another user attribute as the description after the user is imported to the system administration client.
7. In the Search scope field, specify the level of your search.
  Click One level to limit the level of the search to users directly under the base DN or click Subtree to search for users in all branches under the base DN.
8. In the Referral field, click Follow to forward the request to import users to another LDAP server that might be configured into your LDAP server.
  Click Ignore to import only users from the LDAP server that you defined.
9. In the Authentication scheme field, notice that the system administration client specifies the Simple method to authenticate users.
10. In the User name field, type the user name that allows you access to the users that you want to import.
  This user is not required to have administrative privileges, but to avoid problems with denial of access, administrative privileges are strongly recommended.
  Important: Some LDAP servers allow the use of the user name as the value for this field and other servers must use the full distinguished name (DN). For the best results for all servers, use the DN as the value for this field.
11. In the Password field, type the password for the user name.
Optional: Click the Authentication tab to configure advanced authentication options.
Advanced authentication options include enabling the Secure Sockets Layer (SSL) protocol. If you want to encrypt the data that you import from the LDAP directory server, complete the following steps.
Tip: If you are setting up LDAP integration for the first time to generate the properties file, then you can skip this step and complete it later. A later step in the LDAP integration process contains more complete instructions about how to enable SSL with the LDAP server.
1. Select Secure Sockets Layer (SSL) enabled.
2. Type the absolute path and name of an existing keyring file in the SSL keyring file field. The keyring file has an extension of kdb. For example: c:\absolute_path\keyringfile.kdb.
  This file is just one of the pieces of information used to establish a secure connection to the LDAP directory server. The other piece of information required to establish a secure connection is the SSL authentication password.
3. Type the password of the LDAP system administrator in the SSL authentication password field.
  You must have a valid LDAP system administrator password to connect to the LDAP directory server. Otherwise, any attempt to establish an SSL connection fails. Both the keyring file and password must contain trusted data to successfully connect to the LDAP directory server. If one of these objects has been tampered with or is no longer recognizable to the LDAP directory server, contact your LDAP system administrator for information to correct the problem.
Attention: The system administration client specifies the Context Factory to the SUN context factory. You cannot change this setting. Context factory is the underlying Java™ code used to connect the library server to the LDAP directory server.
Click the Advanced tab to configure the advanced server options.
1. In the Max. records to retrieve field, type the maximum number of user records to retrieve from a search.
  Ensure that this number is large enough to process all of the users and groups combined in the LDAP server to avoid errors when importing users with the LDAP user import utility.
  You can check with your LDAP administrator to change the server configuration to return enough entries for the system administration client request. For example, Microsoft Active Directory, which is a part of Microsoft Windows™ 2000 Server, allows fetching only 1000 entries per one search request. The MaxPageSize parameter can be changed by using the ntdsutil.exe file on the Microsoft Windows 2000 Server machine. When you type ntdsutil in a command prompt, you must connect to your LDAP server first. Then, change MaxPageSize to the maximum number wanted and save your changes.
2. In the Server connection timeout field, type the number of seconds to wait before you receive an error if the connection between the LDAP server and system administration client is not made.
  The maximum value is 99.
Click OK to save the changes.