Configuring the LDAP connection for FileNet P8 Platform (Workplace only)

Use the LDAP tab to configure the user namespace and the connection between the Process Engine and the LDAP server for the FileNet P8 Platform. You must configure the connection when initially installing Process Service, after removing or re-initializing the workflow database, and if the LDAP user information changes. You must also update the LDAP connection configuration after changing the Directory Service password of the LDAP user (LDAP Username) designated to connect to the LDAP server.

You can modify the LDAP configuration on the primary Process Engine only. The Process Service must be running in order to make changes. Once you change the LDAP connection properties, you must restart the Process Service for the changes to take effect.

CAUTION Changes to the LDAP connection should be made with caution. When making changes that will result in the deletion of a user or group account, you must make sure the deletion does not disrupt currently running workflows. Use the Out of Office and Assign/Reassign features in Process Administrator to prevent new work from being assigned to a user and to reassign all current work to a different user, respectively, before making changes that will delete a user. Do not delete the user until he or she is no longer assigned any work.

To configure LDAP

  1. Select the LDAP tab in the Process Service node. The current LDAP configuration is displayed.
  2. Set the following connection properties as needed:

    Directory Service

    The LDAP directory service. Valid selections are: Active Directory and Sun ONE. Once configured, you cannot change the directory service.

    Host

    Specifies the LDAP server to connect to.

    CAUTION  It may be necessary to change the host in the case where a directory service is served by multiple hosts and you need to switch to a backup host when the primary host has problems. However, changes to the host should be done with caution, as a change that results in the elimination of users who are currently assigned to existing work items will disrupt work item processing.

    Port

    Specifies the TCP port on the LDAP server to connect to. The default depends on the Communication Mode selected below.

    User and Group Base

    Specifies the distinguished name for the base from which users and groups can be found.

    TIP By setting this field to the domain level of your directory service, all users in all groups belonging to the domain have access to the Process Engine. (For Active Directory, setting a base that is above the Users group automatically makes the default Builtin groups, at least one of which contains all users, available in group lists.)

    CAUTION Changes which decrease the scope of users or change the base altogether should be made with caution, as a change that results in the elimination of users who are currently assigned to existing work items could disrupt running workflows.

    For further information, see LDAP configuration examples for Sun ONE or Active Directory.

    For FileNet P8 Platform, the User and Group Base must match the DefaultRealm specified when installing the Content Engine.

    LDAP Username

    Specifies the full distinguished name (or user name) for connecting to the LDAP server relative to the User and Group Base.

    This user must:

    • Be a member of the group specified in the Administrator Group below.
    • Belong, if LDAP has already been configured, to the Administrator Group specified previously.
    • (Sun ONE only) Have resource limits set to -1 (no limit) in the Look through limit and Size limit fields in the iPlanet Directory Server Console. See Configure iPlanet Authentication (Solaris) or Configure for Sun ONE Authentication (Windows 2000) in the Installation Guide for instructions on setting these limits.

    For further information, see LDAP configuration examples for Sun ONE or Active Directory.

    LDAP Password

    Specifies the password of the user specified by LDAP Username. A password is required for the Sun ONE directory service.

    Administrator Group

    Specifies the group in the LDAP server that provides users with administrative privileges for the Process Engine. This group is then mapped to the SysAdminG group (the default administrator group used internally by the Process Engine). The default group is PEAdministrators.

    Communication Mode

    The level of security to be used. Options are:

    • Secure (one-way SSL): the LDAP port defaults to 636.
    • Not secure (clear text): the LDAP port defaults to 389.

    CAUTION FileNet strongly recommends using Secure communication by enabling SSL for the Process Engine. The option not to use it is provided primarily for development systems or other "non-live" systems, where the extra security provided by SSL is not required. For more information about configuring your system for SSL, see Configuring the Process Engine for one-way SSL.

    Certificate Database

    The location of the certificate database to be used when establishing an SSL connection. You must enter a location if you selected the Secure communication mode above.
  3. Click Apply.
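The procedure above states several constraints that are easy to violate from the GUI: the default port follows the Communication Mode, Secure mode needs a certificate database, Sun ONE needs a password, the LDAP Username must sit under the User and Group Base and already belong to the Administrator Group, and narrowing the host or base must not strand users who still hold work items. The following Python script is an added example, not FileNet code: it models the LDAP tab's properties as a dictionary and applies those rules before anyone clicks Apply. The directory snapshot, user list, work-item assignments, DNs, host name and certificate path are all constructed sample data, standing in for what an LDAP search and Process Administrator would report on a real system.

```python
"""Pre-flight checks for the Process Engine LDAP tab (added example, not FileNet code)."""

# Default TCP ports per Communication Mode, as stated on the page.
DEFAULT_PORTS = {"Secure": 636, "Not secure": 389}


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around its RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_in_base(dn, base):
    """True if dn is the base itself or lies below it in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def effective_port(cfg):
    """Port to connect to: the configured one, else the mode's default."""
    return cfg.get("port") or DEFAULT_PORTS[cfg["mode"]]


def is_member(user, members):
    """Match the bind user against member DNs by full DN or by cn value."""
    u = normalize_dn(user)
    return any(u == normalize_dn(m) or normalize_dn(m).startswith("cn=%s," % u)
               for m in members)


def check_config(cfg, directory):
    """Apply the page's constraints to a proposed LDAP tab configuration.

    cfg keys mirror the tab: directory_service, host, port, base, username,
    password, admin_group, mode, cert_db. directory is a constructed
    snapshot {group_dn: [member_dn, ...]}. Returns {"errors", "warnings"};
    only apply the configuration when errors is empty.
    """
    errors, warnings = [], []
    if cfg["directory_service"] not in ("Active Directory", "Sun ONE"):
        errors.append("Directory Service must be Active Directory or Sun ONE")
    if cfg["mode"] not in DEFAULT_PORTS:
        errors.append("Communication Mode must be Secure or Not secure")
        return {"errors": errors, "warnings": warnings}
    if cfg["mode"] == "Secure" and not cfg.get("cert_db"):
        errors.append("Secure mode requires a Certificate Database location")
    if cfg["mode"] == "Not secure":
        warnings.append("clear-text LDAP on port %d: the bind password and "
                        "directory data cross the network unencrypted"
                        % effective_port(cfg))
    if cfg["directory_service"] == "Sun ONE" and not cfg.get("password"):
        errors.append("Sun ONE requires an LDAP Password")
    user = cfg["username"]
    if "=" in user and not dn_in_base(user, cfg["base"]):
        errors.append("LDAP Username %s is outside the User and Group Base" % user)
    # The bind user must already belong to the Administrator Group, or the
    # Process Engine has no usable administrator once the change is applied.
    wanted = "cn=%s," % cfg["admin_group"].lower()
    admin_dn = next((g for g in directory if normalize_dn(g).startswith(wanted)
                     and dn_in_base(g, cfg["base"])), None)
    if admin_dn is None:
        errors.append("Administrator Group %s not found under the base" % cfg["admin_group"])
    elif not is_member(user, directory[admin_dn]):
        errors.append("LDAP Username is not a member of %s" % admin_dn)
    return {"errors": errors, "warnings": warnings}


def base_change_impact(user_dns, work_items, old_base, new_base):
    """Users who leave scope when the base is narrowed, and the work items they hold.

    work_items is {work_item_id: assignee_dn} (constructed). Per the page's
    caution, reassign every item in `blocked` before applying the new base.
    """
    dropped = [u for u in user_dns
               if dn_in_base(u, old_base) and not dn_in_base(u, new_base)]
    blocked = {w: u for w, u in work_items.items() if u in dropped}
    return dropped, blocked


# Constructed sample data: one domain, an Engineering OU, a PEAdministrators group.
BASE = "dc=example,dc=com"
DIRECTORY = {"cn=PEAdministrators,cn=Users,dc=example,dc=com":
             ["cn=pe_service,cn=Users,dc=example,dc=com"]}
USERS = ["cn=pe_service,cn=Users,dc=example,dc=com",
         "cn=alice,ou=Engineering,dc=example,dc=com",
         "cn=bob,cn=Users,dc=example,dc=com"]
WORK_ITEMS = {"WI-1001": "cn=alice,ou=Engineering,dc=example,dc=com",
              "WI-1002": "cn=bob,cn=Users,dc=example,dc=com"}
GOOD_CFG = {"directory_service": "Active Directory", "host": "ldap.example.com",
            "port": None, "base": BASE,
            "username": "cn=pe_service,cn=Users,dc=example,dc=com",
            "password": "<placeholder>", "admin_group": "PEAdministrators",
            "mode": "Secure", "cert_db": "/path/to/certdb"}  # constructed path

if __name__ == "__main__":
    print(check_config(GOOD_CFG, DIRECTORY))
    print(check_config(dict(GOOD_CFG, mode="Not secure", cert_db=""), DIRECTORY))
    print(base_change_impact(USERS, WORK_ITEMS, BASE, "cn=Users,dc=example,dc=com"))
```

Running the script with the sample data passes the Secure configuration cleanly, flags the clear-text variant with a warning on port 389, and shows that narrowing the base from the domain to the Users container drops alice, who still holds WI-1001, which is exactly the case the cautions on Host and User and Group Base warn about.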