Directory service providers
This section describes FileNet
P8 directory service provider integration and configuration.
Introduction
The topics in this Security Guide section discuss how Content Engine retrieves security data from
directory servers for the purpose of authorizing users and groups. They also address how to configure
authentication, since both authentication and authorization rely on the same directory
service repository and logically cover the same set of security data. Authentication itself is covered in the topics located under Authentication.
Content Engine does not implement its own authentication module. Instead,
it leverages the Java™ 2 Enterprise Edition (J2EE) application server's
authentication mechanism. Before clients can log in to a Content Engine server,
the application server's authentication providers have to be configured to
point to specified directory servers.
Content Engine's security objects, such as realms, groups and users, are stored
in directory servers. Content Engine retrieves those objects through a "Directory
Service Provider" layer. There are different provider implementations for different
types of directory servers. Content Engine implements providers
for the following directory servers:
- Microsoft Active Directory
- Microsoft Active Directory Application Mode (ADAM)
- Sun ONE directory server
- Novell eDirectory server
- IBM Tivoli directory server
A directory server is divided into "partitions", each of which is
called a naming context (or sometimes "namespace"). There are different types
of naming contexts, such as the configuration naming context, which holds configuration information, and the data naming context,
which contains all directory data. Each data naming context is defined as a
Content Engine realm. Each realm contains groups and users.
Terminology and basic concepts
- Distinguished Name
- A name that uniquely defines a directory entry within an LDAP server and locates it within the directory tree. A typical distinguished name might be: CN=StephenHawking,CN=Users,DC=Filenet,DC=Com. This distinguished name identifies the “Stephen Hawking” user object in the Filenet.com domain.
- User Principal Name
- A user principal name (UPN) is a friendly name that
is short and easy to remember. The user principal
name consists of a shorthand name that represents the user and usually the
DNS name of the domain where the user object resides, or any other designated
name.
- The user principal name format consists of the user name, the "at" sign
(@), and a user principal name suffix. For example, the user James Smith, who
has a user account in the reskit.com domain, might have the user principal
name JSmith@reskit.com. The user principal name is independent of the distinguished
name of the user object, so a user object can be moved or renamed without affecting
the user principal name.
- Among the types of directory servers that Content Engine supports, only Active Directory
has a UPN attribute. The attribute name is userPrincipalName.
- Short Name
- Short name is a property in
both Content Engine User and Group classes:
- User.ShortName
- Group.ShortName
- Both user short name and group short name must be unique across all configured directory servers. Unlike DN (distinguished name) and UPN (user principal name), the value of
short name does not contain realm information.
- User short name is normally mapped to a user login ID in the LDAP repository (samAccountName attribute in AD, uid attribute in SunOne, cn in both IBM and
Novell). Group short name is normally mapped to the samAccountName attribute in
AD and cn attribute in other types of LDAP servers.
- User short name is also persisted to a Content Engine object store as a property such
as Document.Creator. Both User.ShortName and Group.ShortName are configurable through the Content Engine API and Enterprise Manager.
- Realm
- In this document the term realm describes a base object for searching
the directory. When the FileNet P8 services interact with a directory service,
most operations are done in the context of a realm. Process Engine APIs
use the term security domain to be consistent with the IS domain concept. This section describes how FileNet P8 defines a realm
for each type of supported directory server.
- FileNet P8 domain
- When you install and configure Content Engine, you will create a new FileNet P8 domain
which provides the security context for authenticating applications. In
order to avoid possible confusion between the FileNet P8 domain and Windows
domains, these terms are usually spelled out completely. For more information, see Concepts:
FileNet P8 Domain.
- Authentication Provider
- All interaction with the directory server that has been configured during installation
as the FileNet P8 authentication provider is read-only and is initiated only
from Process Engine and Content Engine servers.
- Login
- FileNet P8 lets you configure a login supporting a number of different parameters.
Because authentication and login attributes are persisted in databases,
workflow definitions, and stored searches, you cannot
change the attribute at a later
time, including during upgrade. See the sections describing
logging on in
the topic that describes your directory server.
- Find
- Documentation refers frequently to "finding" users
and groups. This refers to the activities of Enterprise Manager's Select
Users and Groups dialog box, which Enterprise Manager uses to search
for accounts to add to the ACL of an object, and also to similar controls
used in Workplace, Workplace XT, and Process Task Manager. On the Content Engine API level, "finding" refers
to the FindUsers and FindGroups methods.
- SSL
- Customers should configure SSL to avoid passing credentials in clear text between
the FileNet P8 servers and the directory server. See the IBM FileNet P8 Platform Installation and Upgrade Guide for information about configuring Content Engine SSL.
- Group support
- FileNet P8 supports groups that can include any number of users and other nested groups.
Also, it honors any account states and restrictions (such as whether disabled
and login hours) defined by the directory server.
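The short-name mapping and the cross-realm uniqueness rule from the Short Name entry above, as an added example (not code from the product or this guide); the entries, realm names and the case-insensitive comparison are constructed assumptions:

```python
"""Added example: map directory entries to Content Engine short names using the
per-server-type attributes named above, then check the rule that a short name
must be unique across all configured directory servers."""
from collections import defaultdict

# Short-name attribute per directory server type, as described in the text.
USER_SHORT_NAME_ATTR = {"ad": "samAccountName", "adam": "samAccountName",
                        "sunone": "uid", "ibm": "cn", "novell": "cn"}
GROUP_SHORT_NAME_ATTR = {"ad": "samAccountName", "adam": "samAccountName",
                         "sunone": "cn", "ibm": "cn", "novell": "cn"}

def short_name(entry, server_type, kind="user"):
    """Return the short name of one LDAP entry (a dict of attribute -> value)."""
    table = USER_SHORT_NAME_ATTR if kind == "user" else GROUP_SHORT_NAME_ATTR
    attr = table[server_type]
    # LDAP attribute names are case-insensitive, so match them that way.
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return value
    raise KeyError(f"entry {entry.get('dn')} has no {attr} attribute")

def find_short_name_collisions(realms, kind="user"):
    """realms: list of (realm_name, server_type, [entries]).
    Returns {short_name: [(realm, dn), ...]} for every short name that occurs
    more than once. Short names carry no realm information, so the comparison
    spans all realms; case-insensitive matching is an assumption made here."""
    seen = defaultdict(list)
    for realm, server_type, entries in realms:
        for entry in entries:
            key = short_name(entry, server_type, kind).lower()
            seen[key].append((realm, entry["dn"]))
    return {name: hits for name, hits in seen.items() if len(hits) > 1}

# Constructed sample data: one Active Directory realm and one Sun ONE realm
# that both contain a "jsmith" login ID.
SAMPLE_REALMS = [
    ("Filenet.com", "ad", [
        {"dn": "CN=Stephen Hawking,CN=Users,DC=Filenet,DC=Com",
         "samAccountName": "shawking", "cn": "Stephen Hawking"},
        {"dn": "CN=James Smith,CN=Users,DC=Filenet,DC=Com",
         "samAccountName": "jsmith", "cn": "James Smith"},
    ]),
    ("reskit.com", "sunone", [
        {"dn": "uid=jsmith,ou=People,dc=reskit,dc=com", "uid": "jsmith", "cn": "James Smith"},
        {"dn": "uid=alee,ou=People,dc=reskit,dc=com", "uid": "alee", "cn": "Anna Lee"},
    ]),
]

if __name__ == "__main__":
    for name, hits in find_short_name_collisions(SAMPLE_REALMS).items():
        print(f"short name {name!r} is not unique across realms: {hits}")
```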
Configuration Overview
Directory configuration for Content Engine is conducted in the following two
areas: authentication and authorization. Content Engine does not support
different types of directory servers in the same Content Engine domain.
Directory Configuration for Authentication
Directory configuration for authentication, including configuring login formats,
occurs in the application server's authentication providers.
Content Engine server does not implement its own authentication module. Instead,
it leverages a J2EE application server's authentication mechanism. Before clients
can log in to a Content Engine server, the application server's authentication
providers must be configured to point to specified directory servers.
In WebLogic 8.1 application server, for example, Content Engine can support three types of
authentication providers:
- Authentication provider by Distinguished Name (DN): This
provider authenticates a user by its DN. In this provider, set your "User
Name Attribute" to your LDAP DN attribute. You can set your "Static Group Name
Attribute" to another LDAP attribute.
- Authentication provider by User Principal Name (UPN): This
provider authenticates a user by its UPN. In this provider, set your "User
Name Attribute" to your LDAP UPN attribute. You can set your "Static Group
Name Attribute" to another LDAP attribute. UPN takes the format of LoginID@yourDomain.com.
Note that among the four types of directory server Content Engine supports,
only Active Directory has the UPN attribute. So only Active Directory servers
support this type of authentication provider.
- Authentication provider by Short Name: In this provider,
set your "User Name
Attribute" to your short name attribute. You can set your "Static Group
Name Attribute" to another short name attribute.
With WebLogic, you can create more than one authentication provider for each LDAP server.
Here is a configuration
example for an Active Directory domain named "paperwork2", for WebLogic.
In this case, there are two short name providers - samAccountName and
cn.
- DefaultAuthenticator
- DefaultIdentityAsserter
- Paperwork2_By_samAccountName
- Paperwork2_By_cn
- Paperwork2_By_UserPrincipalName
- Paperwork2_By_DistinguishedName
NOTE: DefaultAuthenticator should always be first in the list.
When configuring WebLogic authentication providers, the LDAP attributes used
for fields "User Name Attribute" and "User From Name Filter" need
to be the same. This rule also applies to group configuration. Here is an example
that uses samAccountName:
- User Name Attribute: samAccountName
- User From Name Filter: (&(objectClass=user)(samAccountName=%u))
If the CN attribute is unique across all Active Directory servers accessed
by Content Engine, you can also use it as the short name, but note that CN is normally
in the format of <first name + last name> for user objects. Here is an example showing the difference between
samAccountName and CN:
- CN: Stephen Hawking
- samAccountName: shawking
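A check for the consistency rule above (the attribute named in "User Name Attribute" must be the one the "User From Name Filter" searches on, and likewise for groups), as an added example that is not part of this guide or of WebLogic; the configuration values, the dict key names and the use of WebLogic's %g placeholder for the group filter are assumptions made here:

```python
"""Added example: verify that a WebLogic LDAP authentication provider's name
attribute matches the attribute its name filter compares to %u (users) or %g
(groups), as the text above requires."""
import re

# Matches one "(attribute=%u)" or "(attribute=%g)" clause inside an LDAP filter,
# tolerating stray spaces such as "( samAccountName =%u)".
_FILTER_CLAUSE = re.compile(r"\(\s*([A-Za-z][\w.;-]*)\s*=\s*(%[ug])\s*\)")

def attributes_bound_to(filter_text, placeholder):
    """Return the attribute names compared to placeholder (e.g. '%u') in the filter."""
    return [attr for attr, ph in _FILTER_CLAUSE.findall(filter_text) if ph == placeholder]

def check_provider(config):
    """config: dict keyed by the WebLogic field names with spaces removed
    (assumed naming). Returns a list of problems; an empty list means the
    user and group settings are consistent."""
    problems = []
    pairs = [
        ("UserNameAttribute", "UserFromNameFilter", "%u"),
        ("StaticGroupNameAttribute", "GroupFromNameFilter", "%g"),
    ]
    for attr_key, filter_key, ph in pairs:
        attr = config[attr_key].strip()
        bound = attributes_bound_to(config[filter_key], ph)
        if not bound:
            problems.append(f"{filter_key} never compares an attribute to {ph}")
        elif attr.lower() not in (b.lower() for b in bound):
            problems.append(f"{attr_key} is {attr!r} but {filter_key} searches on {bound}")
    return problems

# Constructed sample configurations for two short-name providers.
GOOD_BY_SAM = {
    "UserNameAttribute": "samAccountName",
    "UserFromNameFilter": "(&(objectClass=user)(samAccountName=%u))",
    "StaticGroupNameAttribute": "samAccountName",
    "GroupFromNameFilter": "(&(objectClass=group)(samAccountName=%g))",
}
# Mismatch: the user attribute was changed to cn but the filter still uses samAccountName.
BAD_BY_CN = dict(GOOD_BY_SAM, UserNameAttribute="cn")

if __name__ == "__main__":
    for name, cfg in (("Paperwork2_By_samAccountName", GOOD_BY_SAM),
                      ("Paperwork2_By_cn", BAD_BY_CN)):
        print(name, check_provider(cfg) or "OK")
```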
Directory Configuration for Authorization
A GCD administrator can log in to Enterprise Manager
and configure the direct connection between Content Engine and the directory
service. See Create
a Directory Configuration wizard for information about how to run this wizard.
Third-party developers
can also directly call the Content Engine APIs to automatically configure it.