Directory Configuration Properties (Active Directory)
A list of the properties in the DirectoryConfigurationAD class.
- For authentication, use the Configuration Manager Configure LDAP task to view or modify editable properties.
- For authorization, use the Administration Console for Content Platform Engine to view or modify editable properties.
Property Name | Editable? | Description |
---|---|---|
AllowEmailOrUPNShortNames | Yes | Set this property to Y to allow the at sign (@) in user names. Set this property the same way on all Active Directory directory configurations. |
ClassDescription | No | A ClassDescription object containing the fixed description of the class from which a given object is instantiated. |
ConnectionTimeout | Yes | Specifies the Active Directory Service provider connection timeout in milliseconds. The default is 500 ms. If the connection is across a WAN, consider increasing the value. |
DirectoryServerHost | Yes | Specifies the name of the host that is running the directory server product. |
DirectoryServerPassword | Yes | Specifies the user password used to authenticate to a given directory server. |
DirectoryServerPort | Yes | Specifies the port number of the directory server. The value of this property defaults to port 389 for all supported directory server types. |
DirectoryServerProviderClass | Yes | Specifies the directory server provider class name: com.filenet.engine.security.ActiveDirectoryProvider |
DirectoryServerType | No | Specifies the type of directory server: AD |
DirectoryServerUserName | Yes | Specifies the user name for authenticating to the directory server. Example: "CN=test1,CN=Users,DC=myCompany,DC=com" |
DisplayName | Yes | The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object class. |
GroupBaseDN | Yes | The base DN for searching for groups in the directory server. |
GroupDisplayNameAttribute | Yes | Specifies the display name for a Group object generated by the authentication provider. The default property value is dependent on the authentication provider and is specified by the provider configuration. |
GroupMembershipSearchFilter | Yes | The search filter for group membership queries. |
GroupNameAttribute | Yes | Defines the directory server attribute to be used as the short name for a group. |
GroupSearchFilter | Yes | Specifies the search filter for groups. Example: a filter where samAccountName serves as the short name. GroupSearchFilter must use the same LDAP attribute as GroupNameAttribute. |
GroupUniqueIDAttribute | Yes | The directory service attribute that serves as the security identifier (SID) for each group. Select an attribute whose values are unique and do not change over time. Typically, this attribute is the same as the UserUniqueIDAttribute. You must use only LDAP attributes that the LDAP Java API returns as a Java String. Content Platform Engine defines a default LDAP attribute for this property to obtain the unique SIDs. If you configure a non-default LDAP attribute instead, remember that the workflow system places additional limitations on the size of the SID. These limitations are related to how the Content Engine API returns the string representation for the user and group SIDs. The limit for a SID value for use with the workflow system is 256 characters. For more specific information about SID limits, see What are access rights? |
Id | No | The globally unique ID (GUID) of the object. |
IsSSLEnabled | Yes | Defines whether Secure Sockets Layer (SSL) protocol is enabled for a given DirectoryConfiguration object. The default value is false, indicating that SSL is disabled. |
RestrictMembershipToConfiguredRealms | Yes | Restricts a group membership search to within the realms configured in Administration Console for Content Platform Engine. A user can be in a configured realm but belong to a group in an unconfigured realm. By default (that is, when the property value is False), the server automatically searches cross-realm group membership (also called cross-domain group membership in Active Directory). If it reaches a realm that is not configured in Administration Console for Content Platform Engine, the server returns a Realm not found error and group membership search processing stops. However, if the property value is True when this situation occurs, the server logs an informational message to the server error log and the group membership search continues. |
ReturnNameAsDN | Yes | Specifies whether to return the user or group name in Distinguished Name (DN) format. By default, the Active Directory Service provider returns the user and group names in UPN format. If you set AllowEmailOrUPNShortNames to Y (true), Content Platform Engine will automatically treat the ReturnNameAsDN property as Y (true) on all configured Active Directories, regardless of how it is set. |
SearchCrossForestGroupMembership | Yes | Specifies whether the Active Directory Service provider performs cross-forest group membership searches. The default is false. To enable cross-forest group membership searches, set this property to true. |
UserBaseDN | Yes | The base DN for searching for users in the directory server. |
UserDisplayNameAttribute | Yes | Specifies the display name for a User object generated by the authentication provider. The default property value is dependent on the authentication provider and is specified by the provider configuration. |
UserShortNameAttribute | Yes | The directory service attribute that has been configured as the Logon Attribute. |
UserSearchFilter | Yes | Specifies the search filter for users. Example: a filter where samAccountName serves as the short name. UserSearchFilter must use the same LDAP attribute as UserNameAttribute. |
UserUniqueIDAttribute | Yes | The directory service attribute that serves as the security identifier (SID) for each user. Select an attribute whose values are unique and do not change over time. Typically, this attribute is the same as the GroupUniqueIDAttribute. You must use only LDAP attributes that the LDAP Java API returns as a Java String. Content Platform Engine defines a default LDAP attribute for this property to obtain the unique SIDs. If you configure a non-default LDAP attribute instead, remember that the workflow system places additional limitations on the size of the SID. These limitations are related to how the Content Engine API returns the string representation for the user and group SIDs. The limit for a SID value for use with the workflow system is 256 characters. For more specific information about SID limits, see What are access rights? |
UseTokenGroups | Yes | Specifies whether to use the token group attribute to determine a user's group memberships. This setting optimizes LDAP call performance by preventing expensive recursive calls for nested groups. To use this property, you must use objectSid as both the user and group unique ID. The default value is false, or null. To enable token group usage, set this property to true. Do not use token groups if you have users who are members of more than 2000 groups. Active Directory limitations prevent the full list of groups for such users from being obtained correctly from the tokenGroups attribute. |
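The table states several cross-property rules (UseTokenGroups needs objectSid for both unique IDs, each search filter must use the same attribute as its name attribute, AllowEmailOrUPNShortNames overrides ReturnNameAsDN, SSL is off by default). The following added lint script, which is not part of Content Platform Engine or its API, checks a constructed DirectoryConfigurationAD property set against those rules; the attribute values in SAMPLE_CONFIG are illustrative assumptions.

```python
"""Lint a DirectoryConfigurationAD property set against the rules in the table.

Added illustration only; the property names come from the table, the sample
values below are constructed and do not describe any real deployment.
"""
import re

# Constructed sample configuration (assumed values, deliberately inconsistent).
SAMPLE_CONFIG = {
    "ConnectionTimeout": 500,
    "DirectoryServerPort": 389,
    "IsSSLEnabled": False,
    "AllowEmailOrUPNShortNames": True,
    "ReturnNameAsDN": False,
    "UserUniqueIDAttribute": "objectGUID",
    "GroupUniqueIDAttribute": "objectSid",
    "UseTokenGroups": True,
    "GroupNameAttribute": "sAMAccountName",
    "GroupSearchFilter": "(&(objectClass=group)(cn={0}))",
    "UserShortNameAttribute": "sAMAccountName",
    "UserSearchFilter": "(&(objectClass=user)(sAMAccountName={0}))",
}


def filter_attributes(ldap_filter):
    """Return the attribute names referenced by an RFC 4515 style search filter."""
    return {m.group(1) for m in re.finditer(r"\(([A-Za-z][\w-]*)[=~<>]", ldap_filter)}


def effective_return_name_as_dn(cfg):
    """ReturnNameAsDN as the server treats it: forced true by AllowEmailOrUPNShortNames."""
    return bool(cfg.get("AllowEmailOrUPNShortNames") or cfg.get("ReturnNameAsDN"))


def lint(cfg):
    """Return a list of findings; an empty list means the table's rules are met."""
    findings = []
    # UseTokenGroups is only valid when objectSid is the unique ID on both sides.
    if cfg.get("UseTokenGroups") and not (
        cfg.get("UserUniqueIDAttribute") == "objectSid"
        and cfg.get("GroupUniqueIDAttribute") == "objectSid"
    ):
        findings.append("UseTokenGroups requires objectSid as both user and group unique ID")
    # Each search filter must select on the same attribute used as the short name.
    for flt, attr in (("GroupSearchFilter", "GroupNameAttribute"),
                      ("UserSearchFilter", "UserShortNameAttribute")):
        if cfg[attr].lower() not in {a.lower() for a in filter_attributes(cfg[flt])}:
            findings.append(f"{flt} must use the same LDAP attribute as {attr}")
    # Default port 389 with IsSSLEnabled=false leaves the bind password unencrypted.
    if cfg.get("DirectoryServerPort") == 389 and not cfg.get("IsSSLEnabled"):
        findings.append("IsSSLEnabled is false: DirectoryServerPassword crosses the wire in cleartext")
    return findings
```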