Configuring the LDAP connection for FileNet P8 Platform (Workplace only)
Use the LDAP tab to configure the user namespace and the connection between the Process Engine and the LDAP server for the FileNet P8 Platform.
You must configure the connection when initially installing Process Service, after removing or re-initializing the workflow database, and if the LDAP user information changes. You must also update the LDAP connection configuration after changing the Directory Service password of the LDAP user (LDAP Username) designated to connect to the LDAP server.
You can modify the LDAP configuration on the primary Process Engine only. The Process Service must be running in order to make changes. Once you change the LDAP connection properties, you must restart the Process Service for the changes to take effect.
CAUTION: Changes to the LDAP connection should be made with caution. When making changes that will result in the deletion of a user or group account, you must make sure the deletion does not disrupt currently running workflows. Before making changes that will delete a user, use the Out of Office feature in Process Administrator to prevent new work from being assigned to that user, and the Assign/Reassign feature to reassign all of that user's current work to a different user. Do not delete the user until the user is no longer assigned any work.
To configure LDAP
Select the LDAP tab in the Process Service node. The current LDAP configuration displays.
Directory Service
The LDAP directory service. Valid selections are Active Directory and Sun ONE. Once configured, you cannot change the directory service.
Host
Specifies the LDAP server to connect to.
CAUTION: It may be necessary to change the host where a directory service is served by multiple hosts and you need to switch to a backup host when the primary host has problems. However, changes to the host should be made with caution, as a change that results in the elimination of users who are currently assigned to existing work items will disrupt work item processing.
Port
Specifies the TCP port on the LDAP server to connect to. The default depends on the Communication Mode selected below.
User and Group Base
Specifies the distinguished name for the base from which users and groups can be found.
TIP: By setting this field to the domain level of your directory service, all users in all groups belonging to the domain have access to the Process Engine. (For Active Directory, setting a base that is above the Users group automatically makes the default Builtin groups, at least one of which contains all users, available in group lists.)
CAUTION: Changes which decrease the scope of users or change the base altogether should be made with caution, as a change that results in the elimination of users who are currently assigned to existing work items could disrupt running workflows.
For FileNet P8 Platform, the User and Group Base must match the DefaultRealm specified when installing the Content Engine.
LDAP Username
Specifies the full distinguished name (or user name) for connecting to the LDAP server, relative to the User and Group Base.
This user must:
Be a member of the group specified in the Administrator Group below.
Belong, if LDAP has already been configured, to the Administrator Group specified previously.
(Sun ONE only) Have resource limits set to -1 (no limit) in the Look through limit and Size limit fields in the iPlanet Directory Server Console. See Configure iPlanet Authentication (Solaris) or Configure for Sun ONE Authentication (Windows 2000) in the Installation Guide for instructions on setting these limits.
Specifies the password of the user specified by LDAP Username. A password is required for the Sun ONE directory service.
Administrator Group
Specifies the group in the LDAP server that provides users with administrative privileges for the Process Engine. This group is then mapped to the SysAdminG group (the default administrator group used internally by the Process Engine). The default group is PEAdministrators.
Communication Mode
The level of security to be used. Options are:
Secure (one-way SSL): The LDAP port defaults to 636.
Not secure (clear text): The LDAP port defaults to 389.
CAUTION: FileNet strongly recommends using Secure Communication by enabling SSL for the Process Engine. The option not to use it is provided primarily for development systems or other "non-live" systems, where the extra security provided by SSL isn't really needed. For more information about configuring your system for SSL, see Configuring the Process Engine for one-way SSL.
Certificate Database
The location of the certificate database to be used when establishing an SSL connection. You must enter a location if you selected the Secure communication mode above.
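The settings on this tab interact in ways that are easy to get wrong before a restart: the port has to match the Communication Mode, Sun ONE needs a bind password, the LDAP Username resolves relative to the User and Group Base, the bind user must sit in the Administrator Group, and narrowing the base can strand users who still hold work items. The following script is an added example, not code from the FileNet documentation or product; it models those settings offline and applies the checks described above. The LdapConfig fields, the helper names, the sample DNs and the group membership data are all constructed assumptions for illustration, not values from any real directory.

```python
"""Offline sanity checks before changing the Process Engine LDAP connection.

Added example, not FileNet code. LdapConfig mirrors the fields on the LDAP
tab; helper names, sample DNs and group data are constructed assumptions.
"""
from dataclasses import dataclass

# Default LDAP port for each Communication Mode, as stated on the LDAP tab.
DEFAULT_PORTS = {"Secure": 636, "Not secure": 389}


@dataclass
class LdapConfig:
    directory_service: str    # "Active Directory" or "Sun ONE"
    host: str
    port: int
    user_group_base: str      # distinguished name of the search base
    ldap_username: str        # full DN, or a DN relative to user_group_base
    password: str
    administrator_group: str  # e.g. "PEAdministrators"
    communication_mode: str   # "Secure" or "Not secure"


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, lower-cased and trimmed, so that
    'CN=Bob, DC=example' and 'cn=bob,dc=example' compare equal."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under_base(dn: str, base: str) -> bool:
    """True if dn lies strictly below base in the directory tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def full_bind_dn(cfg: LdapConfig) -> str:
    """Resolve LDAP Username to a full DN: a name already under the
    User and Group Base is kept, otherwise the base is appended."""
    if is_under_base(cfg.ldap_username, cfg.user_group_base):
        return cfg.ldap_username
    return f"{cfg.ldap_username},{cfg.user_group_base}"


def validate_config(cfg: LdapConfig) -> list[str]:
    """Return findings about the settings; an empty list means they are
    self-consistent. These are static checks, not a live bind attempt."""
    findings = []
    if cfg.communication_mode not in DEFAULT_PORTS:
        findings.append(f"unknown communication mode {cfg.communication_mode!r}")
    else:
        expected = DEFAULT_PORTS[cfg.communication_mode]
        if cfg.port != expected:
            findings.append(f"port {cfg.port} is not the "
                            f"{cfg.communication_mode} default {expected}")
    if cfg.communication_mode == "Not secure":
        findings.append("clear-text LDAP: bind password and directory data "
                        "cross the network unencrypted; non-live systems only")
    if cfg.directory_service == "Sun ONE" and not cfg.password:
        findings.append("Sun ONE requires a password for LDAP Username")
    return findings


def bind_user_is_admin(cfg: LdapConfig, group_members: dict) -> bool:
    """Check that the bind user is in the Administrator Group. group_members
    maps group name to member DNs (constructed here; normally a directory
    query would supply it)."""
    members = [normalize_dn(m) for m in group_members.get(cfg.administrator_group, [])]
    return normalize_dn(full_bind_dn(cfg)) in members


def users_dropped_by_base_change(new_base: str, users_with_work: list[str]) -> list[str]:
    """Users holding work items who would fall outside the new User and
    Group Base; reassign their work before applying the change."""
    return [dn for dn in users_with_work if not is_under_base(dn, new_base)]


# Constructed sample data, not taken from any real directory.
USERS_WITH_WORK = [
    "cn=alice,ou=claims,dc=example,dc=com",
    "CN=Bob, OU=Engineering, DC=example, DC=com",
    "cn=carol,ou=contractors,dc=partner,dc=net",
]
GROUP_MEMBERS = {"PEAdministrators": ["CN=peadmin, OU=service, DC=example, DC=com"]}
SAMPLE_CONFIG = LdapConfig(
    directory_service="Active Directory", host="ldap.example.com", port=636,
    user_group_base="dc=example,dc=com",
    ldap_username="cn=peadmin,ou=service",   # relative to the base
    password="placeholder-password", administrator_group="PEAdministrators",
    communication_mode="Secure",
)

if __name__ == "__main__":
    print("bind DN:", full_bind_dn(SAMPLE_CONFIG))
    print("findings:", validate_config(SAMPLE_CONFIG))
    print("bind user is admin:", bind_user_is_admin(SAMPLE_CONFIG, GROUP_MEMBERS))
    print("dropped by narrowing base to ou=claims:",
          users_dropped_by_base_change("ou=claims,dc=example,dc=com", USERS_WITH_WORK))
```

Run it after exporting the list of users who currently hold work from Process Administrator; anyone listed by users_dropped_by_base_change is a candidate for the Out of Office and Assign/Reassign steps before the base is changed and the Process Service restarted.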