IBM Content Manager, Version 8.5.0.3      Supports:  IBM Content Navigator     

Importing and synchronizing LDAP users and user groups with the LDAP user import utility

You use the LDAP user import utility to set up filter criteria and a schedule to import LDAP users and user groups. The schedule that you configure with the utility also synchronizes LDAP user IDs imported to the library server database with the users and user groups in the LDAP directory server.

The import process saves LDAP user names to the library server. A user name can be the common name, user ID, account name, email address, or other attribute of the LDAP user.

The LDAP user import utility automatically imports users and user groups defined in an LDAP directory into the Content Manager EE library server database. When you are importing many users, such as importing your users for the first time, the utility is more efficient than the manual import available in the user creation function. To use the LDAP user import utility, you define a set of filters for LDAP users and user groups and you create a schedule for the import task to run.

Users are automatically imported according to the schedule set in the utility. After the utility imports the users from LDAP for the first time, the utility synchronizes LDAP user IDs in the library server database with users and groups in the LDAP directory server. The utility synchronizes user additions, user deletions, and user transfers between user groups from the LDAP directory to the library server. The synchronization affects users and groups and the user-to-group relationship only. Those attributes should not be changed in the system administration client after the import from LDAP. The synchronization does not affect other attributes of users or groups. For example, Content Manager EE attributes related to privilege sets, default access control lists (ACLs), resource managers, and collections are not affected by the synchronization. You can change those attributes after the LDAP users are imported into the library server.

The synchronization does not affect users that are created with the system administration client or by using the APIs. For best results, do not mix users imported from LDAP users and groups with non-LDAP users and groups, or the synchronization process does not work as expected.

Restriction: For each machine on which the system administration client is installed, you can define only one LDAP import schedule for the database. In addition, if a user exists in the database, you cannot import the same user name from LDAP.
Restriction:

When you import LDAP user information, the LDAP user names must not contain the percent character (%), which the library server interprets as a search wildcard. For example, the user ID "j%smith" is not interpreted as a specific user ID. Instead, it is interpreted as "j" followed by any character, followed by "smith". If a user name contains the percent character, then the system administration client does not return the correct user properties when other user IDs match the pattern.

Important: If a distinguished name (DN) for a user changes later, you must reimport the user.

To define the import schedule for importing and synchronizing LDAP users and user groups:

  1. Start the LDAP user import utility by completing the following step, as appropriate for your operating system.
    Option Description
    Windows Click Start > All Programs > IBM® Content Manager > LDAP user import scheduler
    AIX®, Solaris, Linux
    Use the following steps:
    1. Change to the IBMCMROOT/admin/common/ directory, where IBMCMROOT is the installation path for the system administration client.
    2. Ensure that the IBMCMROOT environment variable is correctly configured.
    3. Enter the following command: ./cmldapimptool81.sh
    Remember: When you start the LDAP user import utility, the LDAP Directory (source) area of the window contains LDAP server information that was provided during LDAP configuration. You cannot change the LDAP configuration from the LDAP user import utility. This information can be changed only by editing the LDAP configuration.
  2. In the LDAP object class for group field, type the name of the entry in the LDAP directory that contains groups. Use any LDAP browser tool or run the ldapsearch command to find this information in the LDAP server. The following example shows the ldapsearch command on Windows, where hostname is the host name of the directory server, bind_DN is the bind distinguished name for accessing the directory, password is the password for the bind distinguished name, base_DN is the base distinguished name for the search operation, and My_Group_Name is the name of a user group: 
    ldapsearch -h hostname -D bind_DN -w password -b base_DN -R (cn=My_Group_Name)

    For Tivoli® Directory Server, the default group name is groupOfNames and for Microsoft Active Directory, the default value is group.

  3. In the LDAP attribute for group members field, type the attribute for the group members. You can get the value for this field by using the LDAP browser or the ldapsearch command.
    Tip: Dynamic groups, nested groups, and hybrid groups are supported with Tivoli Directory Server in IBM Content Manager Version 8.4 and later. To use these functions, you must choose a proper object class for the groups or use a top-level group to include all of those types of groups. For the LDAP attribute for group members field, you must use all_members to get all users from these special group types.
    Important: Beginning with Version 8.4.2, IBM Content Manager supports nested groups for Microsoft Active Directory. To use this function, you can set the system environment variable CMADNESTEDGROUPSUPPORT=YES in the IBMCMROOT\admin\common\cmldapimpusers81.bat file or IBMCMROOT\admin\common\cmldapimpusers81.sh file that you use to import the users from the LDAP directory. You can also create the system environment variable CMADNESTEDGROUPSUPPORT and set it to a value of YES to enable this function.
  4. In the LDAP root DN and LDAP root DN password fields, type the same values that were used for LDAP configuration. The LDAP user import scheduler uses these values to access the LDAP server and retrieve the user and group information.
  5. The Database column lists the names of all IBM Content Manager databases known to the system. Select the Enable check box for each database in which you plan to import LDAP users. Clear the check box if you do not want to import LDAP users into that database.
  6. If the Admin ID field is blank, type the user ID of a user who has administrator privileges in that database. The Admin ID field is associated with the database and is needed for creating users and groups in the IBM Content Manager database. It is not used for importing users. If the ID has the privileges to create users in the database that you selected in the previous step, you can select another administration ID.
  7. If the Admin ID Password field is blank, type the password for the administrator ID.
  8. Click in the User group field for the selected database. The Group Policy window displays. Specify how user and group relationships should be imported into the database:
    • To create groups in the database that match the groups defined in the LDAP directory, click Maintain the LDAP group names. This action uses information specified in the LDAP object class for groups and LDAP attribute for group members fields to import LDAP data and correctly associate users with their respective groups.
    • To create a single group for all users, click Place all users in one group and then type the group name. In this case, the utility does not use the LDAP group name in the LDAP server.
    • To import users without associating those users to a group, click No Group (Only import users).
    • To import users and associate the group name to a filter, click Associate filters to group names. You might use this feature when importing several groups and you want to change, or keep, the group name and associate that group name with a different privilege set. With this option, you can put any set of users, defined by a filter, in a group that you name. Then you can assign any valid privilege set to those users.
      Important: The LDAP user import scheduler imports users and groups and synchronizes the user-group relationships. When you specify a group name, do not use a group name that is already used for non-LDAP users in the IBM Content Manager database. Also, do not add a non-LDAP user to a group that contains LDAP users.
  9. Click in the Start time field, and type the time of day for the utility to run. You must type the time by using the 24-hour clock, such as 09:30, 13:15, or 22:00. On the scheduled date and time, the utility updates the IBM Content Manager database with current information from the LDAP directory.
  10. Click in the Day of week field, select one or more days for the utility to run, and then click OK. On the scheduled date and time, the utility updates the IBM Content Manager database with current information from the LDAP directory.
  11. Click in the User filter field to define criteria to control which users get imported. The Filter(s) window displays. Specify the following values and then click OK. This field allows you to import specific users rather than all of the users that are defined in the LDAP directory.
    Restriction: All the users and user groups that are selected for import in this step must be under the base distinguished name of the LDAP configuration. This value is the value that was supplied in the Base DN field during the LDAP configuration step.
    1. Select the type of filter that you want to use to define users. Select User filter to create a filter with user attributes or select Group filter to create a filter with group attributes. You can use more than one filter to define users, but you cannot mix user and group filters in the same filter definition.
      Tip: For most content management systems, the type of import that you want to complete is an import of one or more LDAP user groups. Using the Group filter field instead of the User filter field can simplify the creation of filters for a user group import.
    2. In the Enter filter for users field, type the attributes to filter the users or groups. You can use the ldapsearch command or another LDAP search tool to validate this filter information.
      Tip: Use the following examples and review the topic about filtering users for LDAP import if you need guidance on how to set up filters.
      The following example shows a user filter for all users whose names start with the letters "j" or "k":
      (&(objectclass=person)(|(cn=j*)(cn=k*)))
      The following example shows a group filter for all users in group1 and group2:
      (&(objectclass=group)(|(cn=group1)(cn=group2)))
    3. To associate a group with the users, type a group name in the Name field.
      Restriction: This field is enabled only if you selected Associate filters to group names in the Group Policy window.
    4. To associate a privilege set with the users defined by the filter, type a privilege set name in the Privilege Set field. Ensure that the privilege set that you change to is already defined in the IBM Content Manager database. All of the users that are defined by this filter are imported with the privilege set that is defined here. The default privilege set assigned to imported users is CLIENTUSERREADONLY.
    5. Click Add filter to add this filter to the filter list and define another filter.
    6. Click OK to save the values you specified and close the window, or Cancel to clear all the values you specified.
  12. Click Save to save the values you specified and schedule the import utility to run.

After you set up the import schedule with the LDAP user import utility and save it, the import task is placed in the operating system as a scheduled task. Each time that the import schedule is saved or updated by using the LDAP user import utility, the previously saved import task is deleted from the list of scheduled tasks and is replaced with the new import task.

The import task runs at the time that is configured by the schedule. However, if you must start the import task manually with the data defined in the import schedule, you can run a batch or shell script to start the task. Use the following commands to run the import task manually, where IBMCMROOT is the installation path for the system administration client, database_name is the library server database name, and server_type is the server type, with a value of ICM for Content Manager EE..
  • Windows: IBMCMROOT\admin\common\cmldapimpusers81.bat database_name server_type
  • AIX, Linux, Solaris: IBMCMROOT/admin/common/cmldapimpusers81.sh database_name server_type
The following example is a command for an AIX, Linux, or Solaris system, where the library server database name is ICMNLSDB and the server type is ICM:
IBMCMROOT/admin/common/cmldapimpusers81.sh ICMNLSDB ICM

When you save the import schedule, the configuration data saves to the IBMCMROOT/cmgmt/cmbschinfo.ini file. This file is used for debugging purposes if needed. Do not edit this file.

Parent topic: Integrating LDAP with Content Manager EE
Previous topic: Installing the properties file on the resource manager
Next topic: Installing the user exit for LDAP authentication
Related concepts:
Filtering users
LDAP user import utility usage notes
Identify the LDAP Directory Source
Related tasks:
Defining the LDAP configuration
Manually importing user IDs from an LDAP directory server

Last updated: June 2015
mua10043.htm

© Copyright IBM Corporation 2015.