This topic describes FileNet P8's support for integrating with Novell eDirectory directory server.
One instance of Novell eDirectory directory server can have multiple contexts. Because each context immediately under the ROOT DSE (tree Object) is mapped to a Content Engine realm, one eDirectory server can be mapped to multiple Content Engine realms.
For each realm, you must create an application server authentication provider and a DirectoryConfigurationNovell object, so that there is a one-to-one relationship between Realm object and authentication provider, and also a one-to-one relationship between Realm object and DirectoryConfigurationNovell object.
For example:
For each DirectoryConfigurationNovell object, FileNet P8 uses the specified UserBaseDN property value to look up the context.
NOTE IBM highly recommends that you configure SSL between the application server that hosts Content Engine and your Novell eDirectory servers. This includes making changes in the application server to the authentication provider's DirectoryConfigurationNovell object that was created while running Configuration Manager. Consult your application server's documentation for instructions.
Use this support matrix as a quick lookup of supported directory features.
Novell eDirectory Features | Supported By Content Engine |
---|---|
One-way Secure Sockets Layer (SSL) | Y |
Two-way SSL | N |
Transport Layer Security (TLS) | N |
Container types supported | Country (C), Organization (O), Organizational Unit (OU), Domain (DC) |
Static Groups | Y |
Nested Groups | N (eDirectory does not support nested groups; a group cannot have siblings or grandparents) |
Dynamic Groups | N |
Supported User type (objectClass) | Person |
Supported Static Group types (objectClass) | groupOfNames |
Roles | N |
Follow referrals for Search (for example, User and Group retrieval) | N |
Support multiple realms | Y |
Chaining | Y |
Directory aliases | N |
Restrict to single realm | Y - Just configure one realm in the application server |
Configurable user short name attribute | Y - Because the short name does not contain realm information, short names must be unique across all your configured domains and realms. |
Configurable user display name attribute | Y |
Configurable group display name attribute | Y |
Configurable group name attribute for persisting | Y |
Multiple authenticating attributes support | Y - See Configure multiple authenticating attributes for details. |
Sorting | Y - Returns users and groups in sorted order (ascending only) |
Paging/Continuation | Y - Returns users and groups page by page. Page continuation happens automatically in the back end. |
Server side sorting | Y (Required) - Server Side Sorting (SSS) must be enabled, because Process Engine and other P8 components call on Content Engine to perform searches using a sorted paging mechanism. Without SSS you will see errors, for example in Workplace when retrieving a document, when opening Process Designer from Workplace, or when starting a Connection Point on Application Engine. SSS is normally enabled by default but is sometimes disabled because of performance concerns. |
Typeful and typeless name display | Typeful name display only |
The following is an alphabetic list of the properties in the DirectoryConfigurationNovell class. Use Enterprise Manager to view all properties and modify editable properties.
Name | Editable? | Description |
---|---|---|
ClassDescription | N | A ClassDescription object containing the fixed description of the class from which a given object is instantiated. |
DirectoryServerHost | Y | Specifies the name of the host that is running the directory server product. |
DirectoryServerPassword | Y | Specifies the user password used to authenticate to a given directory server. |
DirectoryServerPort | Y | Specifies the port number of the directory server. The value of this property defaults to port 389 for all supported directory server types. |
DirectoryServerProviderClass | Y | Specifies the directory server provider class name: com.filenet.engine.security.EDirectoryProvider |
DirectoryServerType | N | Specifies the type of directory server: Novell |
DirectoryServerUserName | Y | Specifies the user name for authenticating to the directory server. |
DisplayName | Y | The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class. |
GroupBaseDN | Y | The base DN for searching for groups in the directory server. |
GroupDisplayNameAttribute | Y | Specifies the display name for a |
GroupMembershipSearchFilter | Y | The search filter for group membership queries. |
GroupNameAttribute | Y | Defines the directory server attribute to be used as the short name for a group. |
GroupSearchFilter | Y | Specifies the search filter for groups. Example: "(&(objectclass=group)(samAccountName={0}))", where samAccountName will serve as the short name. |
Id | N | An object's globally unique ID (GUID). |
IsSSLEnabled | Y | Defines whether or not the Secure Sockets Layer (SSL) protocol is enabled for a given DirectoryConfiguration object. The default value is false, indicating that SSL is disabled. |
RestrictMembershipToConfiguredRealms | Y | Restricts group lookups to configured realms only. A user can be in a configured realm but belong to a group in an unconfigured realm. If set to Yes, that user cannot log in because the system cannot look up all the user's group memberships. If set to No, group memberships in unconfigured realms are ignored. |
UserBaseDN | Y | The base DN for searching for users in the directory server. |
UserDisplayNameAttribute | Y | Specifies the display name for a User object generated by the authentication provider. The default property value is dependent on the authentication provider and is specified by the provider's configuration. |
UserNameAttribute | Y | Defines the directory server attribute to be used as the short name for a user. |
UserSearchFilter | Y | Specifies the search filter for users. Example: "(&(objectclass=user)(samAccountName={0}))", where samAccountName will serve as the short name. |
This section shows realm configuration instructions for WebLogic. After the authentication provider is configured, you must restart WebLogic server.
When configuring WebLogic authentication providers, the LDAP attribute used for the fields "User Name Attribute" and "User from Name Filter" must be the same. The same applies to group configuration. For example:
For each Novell eDirectory directory server, check the Contexts immediately under its root DSE, in order to find out how many contexts it has. For each context, create a WebLogic authentication provider by doing the following steps:
Example: Assume Novell eDirectory directory server has the following two contexts.
You must create two WebLogic authentication providers.
Provider Name | Tab | Field Name | Field Value |
---|---|---|---|
eng_uid | General | Control Flag | Sufficient |
 | Novell LDAP | Host | Ed-host |
 | | Port | 389 |
 | | Principal | cn=principal1 |
 | | Credential | <password> |
 | Users | User Name Attribute | cn |
 | | User Base DN | ou=people, o=cempdev1 |
 | | User From Name Filter | (&(cn=%u)(objectclass=person)) |
 | Groups | Group Base DN | ou=groups, o=cempdev1 |
 | | Group From Name Filter | (&(cn=%g)(objectclass=groupOfNames)) |
 | | Static Group Name Attribute | cn |
 | Membership | Static Group DNs from Member DN Filter | (&(member=%M)(objectclass=groupOfNames)) |
MyCompany_uid | General | Control Flag | Sufficient |
 | Novell LDAP | Host | Ed-host |
 | | Port | 389 |
 | | Principal | cn=principal2 |
 | | Credential | <password> |
 | Users | User Name Attribute | cn |
 | | User Base DN | ou=users,dc=filenet.com |
 | | User From Name Filter | (&(cn=%u)(objectclass=person)) |
 | Groups | Group Base DN | ou=Mygroups, dc=filenet.com |
 | | Group From Name Filter | (&(cn=%g)(objectclass=groupOfNames)) |
 | | Static Group Name Attribute | cn |
 | Membership | Static Group DNs from Member DN Filter | (&(member=%M)(objectclass=groupOfNames)) |
For the example in the previous section, you need to create the following two DirectoryConfigurationNovell objects - one for each data naming context.
DirectoryConfigurationNovell object 1:
DirectoryConfigurationNovell object 2:
Authentication | FileNet P8 can authenticate any user by cn under: |
Realm set | Two realms (i.e., all the data naming contexts): |
User and group retrieval | FileNet P8 can retrieve any user under: FileNet P8 can retrieve any group under: |
Group membership | FileNet P8 can search group memberships: |
Iterate through all realms. For each realm:
If more than one user or group is found, Content Engine will log an error and return the first user found.
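As an added illustration (not code from the product or from this documentation) of three rules stated on this page: a realm is the context immediately under the root DSE, so the realm of a UserBaseDN is its last RDN; a short-name lookup substitutes the name into the `{0}` placeholder of UserSearchFilter (WebLogic's `%u` works the same way), so the value must be escaped and the resulting filter checked; and a short name present in more than one realm makes Content Engine log an error and return the first match. The realm, user and filter values below are constructed, and the `{0}`-style filter is an assumed value, not the product default.

```python
from typing import Dict, List

# Constructed sample data (not the product's own configuration): the two user base DNs of the
# two WebLogic providers on this page, each with the cn (short name) values found under it.
DIRECTORY: Dict[str, List[str]] = {
    "ou=people, o=cempdev1": ["alice", "bob"],
    "ou=users,dc=filenet.com": ["bob", "carol"],
}
# A UserSearchFilter value in Content Engine's {0} placeholder form (assumed, not the default).
USER_SEARCH_FILTER = "(&(objectclass=person)(cn={0}))"

def realm_of(base_dn: str) -> str:
    """Realm = the context immediately under the root DSE, i.e. the last RDN of the base DN."""
    return base_dn.split(",")[-1].strip()

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a short name cannot change the structure of the search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def filter_is_balanced(ldap_filter: str) -> bool:
    """Reject filters with unbalanced parentheses, a common typo in hand-typed filters."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

def build_user_filter(template: str, short_name: str) -> str:
    """Substitute {0} the way a short-name lookup does, with escaping and a sanity check."""
    ldap_filter = template.replace("{0}", escape_filter_value(short_name))
    if not filter_is_balanced(ldap_filter):
        raise ValueError("unbalanced search filter: " + ldap_filter)
    return ldap_filter

def ambiguous_short_names(directory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Short names present in more than one realm. Content Engine logs an error and returns
    the first match for these, so they are worth finding before users run into them."""
    seen: Dict[str, List[str]] = {}
    for base_dn, names in directory.items():
        for cn in names:
            seen.setdefault(cn, []).append(realm_of(base_dn))
    return {cn: realms for cn, realms in seen.items() if len(realms) > 1}
```

Run `ambiguous_short_names(DIRECTORY)` against an export of your real realms to find short names that violate the uniqueness requirement from the support matrix before they cause lookup errors.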
NOTE eDirectory does not support nested groups.
eDirectory provider does not support these methods.
Iterate through all realms. For each realm: