IBM Content Manager, Version 8.5.0.3. Supports: IBM Content Navigator

Managing users with LDAP

LDAP (Lightweight Directory Access Protocol) supports the management of user IDs and passwords at an enterprise level instead of on each individual system. You can use LDAP with Content Manager EE and with Content Manager for z/OS®, but the configuration steps differ for each product edition.

LDAP is an open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

LDAP manages groups, user IDs, and passwords on an enterprise level, rather than on a system-by-system basis. Most likely, you already have a directory of user IDs created for your business. Many of these user IDs share access privileges to information. Instead of creating or importing one user ID at a time, you can import user IDs from the existing directory and assign access privileges to several user IDs at one time. IBM® Content Manager uses LDAP by importing users and groups to the library server while still using LDAP to authenticate the users. The use of LDAP with IBM Content Manager can reduce the user maintenance workload for the IBM Content Manager administrator, particularly in a content management system with many users.

During the process to integrate LDAP with IBM Content Manager, user name information is imported from the LDAP directory to the library server, where it is stored as an entity reference. The password is not imported; it remains on the LDAP server. After LDAP integration is complete, a user can log on to an IBM Content Manager client, and the user credentials are authenticated with the LDAP server.

Content Manager EE uses these LDAP technologies:
Content Manager for z/OS uses these LDAP technologies:

You can complete LDAP integration either during installation or after installation. However, the integration steps include tasks that must be performed for the system administration client, library server, and resource manager. In addition, the integration might involve people with expertise in different areas of the entire content management system, including the IBM Content Manager installer, the IBM Content Manager system administrator, the LDAP administrator, and others. For these reasons, integrating LDAP after IBM Content Manager installation is recommended.

During LDAP integration, you import LDAP users. After the import, you can use the system administration client to modify user attributes according to the requirements of your content management system. You can import user IDs by using an automatic or manual method.

The automatic method of importing users is the LDAP user import utility. The utility is a convenient way to import many LDAP groups and users into an IBM Content Manager database for the first time. In addition, the LDAP user import utility can schedule periodic updates of user ID information from the LDAP directory to the library server. These updates help ensure that users added to or deleted from the LDAP directory are also added to or deleted from the system database.

The manual method of importing users from LDAP is available from the system administration client for IBM Content Manager. This method is the most convenient way to import an individual user or a few users after the initial setup of your LDAP users with the automatic method. The manual method is also used to test your connection to LDAP.

When LDAP is integrated with IBM Content Manager, the user password resides on the LDAP server. When a user logs on to IBM Content Manager, the user ID and password are authenticated by the LDAP server, and the specific privileges of the user ID are checked against the user profile in the corresponding database. During logon, the library server automatically connects to the LDAP server to authenticate the user. If for any reason the LDAP server is not able to verify the password of the user, the authentication fails.
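The two mechanisms described above, the scheduled import that keeps library-server entity references in step with the directory and the logon that delegates password verification to LDAP, are modelled in the following added example. It is not IBM's code: `FakeDirectory` is an in-memory stand-in for an LDAP server constructed for the example, and `library_users` stands in for the library server's user profiles.

```python
# Added example, not IBM's code: models the page's two LDAP mechanisms with an
# in-memory stand-in for the directory (FakeDirectory is constructed here).
from dataclasses import dataclass


class DirectoryUnavailable(Exception):
    """The LDAP server could not be reached."""


@dataclass
class FakeDirectory:
    entries: dict            # user ID -> (common name, password), constructed
    reachable: bool = True

    def _check(self):
        if not self.reachable:
            raise DirectoryUnavailable()

    def search(self):
        """Like an LDAP search for uid and cn: passwords are never returned."""
        self._check()
        return {uid: cn for uid, (cn, _pw) in self.entries.items()}

    def bind(self, user_id, password):
        """Simple bind: succeeds only if the ID exists and the password matches."""
        self._check()
        entry = self.entries.get(user_id)
        return entry is not None and entry[1] == password


def reconcile(directory, library_users):
    """Scheduled update: add IDs new in LDAP, delete IDs removed from LDAP.
    Only the name is stored as an entity reference; the password stays in LDAP."""
    found = directory.search()
    added = found.keys() - library_users.keys()
    removed = library_users.keys() - found.keys()
    for uid in added:
        library_users[uid] = {"name": found[uid], "privileges": set()}
    for uid in removed:
        del library_users[uid]
    return added, removed


def logon(directory, library_users, user_id, password):
    """Logon: LDAP verifies the password, the local profile supplies privileges.
    Returns the privilege set, or None whenever LDAP cannot verify the user."""
    profile = library_users.get(user_id)
    if profile is None:
        return None
    try:
        verified = directory.bind(user_id, password)
    except DirectoryUnavailable:
        verified = False     # fail closed when the LDAP server is unreachable
    return profile["privileges"] if verified else None
```

Note that a user removed from the directory is denied at the next scheduled update even if the local profile still holds privileges, and an unreachable directory denies every logon rather than falling back to a local check.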

For information about planning for LDAP, see Planning and Installing Content Manager Enterprise Edition.

Last updated: June 2015

© Copyright IBM Corporation 2015.