Sun Java System Directory Server

This topic describes FileNet P8's support for integrating with Sun Java System Directory Server.

General

One instance of Sun Java™ System Directory Server can have multiple data naming contexts. Because each Sun data naming context is mapped to a Content Engine realm, one Sun Java System Directory Server can be mapped to multiple Content Engine realms.

For each realm, you need to create an application server authentication provider and a DirectoryConfigurationSunOne object, so that each Realm object has a one-to-one relationship with an authentication provider and a one-to-one relationship with a DirectoryConfigurationSunOne object.

For each DirectoryConfiguration object, FileNet P8 extracts the realm name from the specified UserBaseDN property value by comparing it with each data naming context. For example, if the UserBaseDN for this DirectoryConfiguration object is "ou=people, o=isp ", and there are two data naming contexts: "o=isp" and "dc=filenet,dc=com", then you know the realm name for this DirectoryConfiguration object is "o=isp".

NOTE  FileNet highly recommends that you configure SSL between your application server that hosts Content Engine and your Sun Java System Directory Server. This will include making changes in the application server to the authentication provider's DirectoryConfigurationSunOne object that was created while running Configuration Manager. Consult your application server's documentation for instructions.

Support matrix

Use this support matrix as a quick lookup of supported directory features.

| Sun Java System Directory Server feature | Supported by Content Engine |
|---|---|
| One-way SSL | Y |
| Two-way SSL | N |
| Transport Layer Security (TLS) | N |
| Static groups | Y |
| Nested groups | Y |
| Dynamic groups | N |
| Universal groups | N |
| Supported user type (objectClass) | inetOrgPerson |
| Supported static group types (objectClass) | groupOfUniqueNames |
| Follow referrals for search (for example, user and group retrieval) | N. NOTE: Earlier releases of FileNet P8 were able to follow referrals, but this is not supported in the present release due to problems with how SunOne performs sorting. Use SunOne's server chaining instead of referrals. |
| Support multiple realms | Y |
| Chaining | Y |
| Roles | N |
| Directory aliases | N |
| Restrict to single realm | Y. Configure only one realm in the application server. |
| Configurable user short name attribute | Y. Because the short name does not contain realm information, short names must be unique across all of your configured domains and realms. |
| Configurable group short name attribute | Y |
| Configurable user display name attribute | Y |
| Configurable group display name attribute | Y |
| Multiple authenticating attributes support | Y. Can authenticate against the same SunONE server with multiple attributes, such as uid or distinguishedName. See Configure multiple authenticating attributes. |
| Sorting | Y. Returns users and groups in sorted order, either ascending or descending. |
| Paging/Continuation | Y. Returns users and groups page by page. Page continuation happens automatically in the back end. |
| Server side sorting | Y (required). Server Side Sorting (SSS) must be enabled, because Process Engine and other P8 components call on Content Engine to perform searches using a sorted paging mechanism. Without SSS, you will experience errors, for example in Workplace when retrieving a document, when trying to open Process Designer via Workplace, or when starting a Connection Point on Application Engine. SSS is normally enabled by default but is sometimes disabled because of performance concerns. |


Directory Configuration Properties

The following is an alphabetic list of the properties in the DirectoryConfigurationSunOne class. Use Enterprise Manager to view all properties and modify editable properties.

| Property Name | Editable? | Description |
|---|---|---|
| ClassDescription | N | A ClassDescription object containing the fixed description of the class from which a given object is instantiated. |
| DirectoryServerHost | Y | Specifies the name of the host that is running the directory server product. |
| DirectoryServerPassword | Y | Specifies the user password used to authenticate to a given directory server. |
| DirectoryServerPort | Y | Specifies the port number of the directory server. The value of this property defaults to port 389 for all supported directory server types. |
| DirectoryServerProviderClass | Y | Specifies the directory server provider class name: com.filenet.engine.security.SunOneProvider |
| DirectoryServerType | N | Specifies the type of directory server: SunOne |
| DirectoryServerUserName | Y | Specifies the user name for authenticating to the directory server. Example: "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" |
| DisplayName | Y | The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class. |
| GroupBaseDN | Y | The base DN for searching for groups in the directory server. |
| GroupDisplayNameAttribute | Y | Specifies the display name for a Group object generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration. |
| GroupMembershipSearchFilter | Y | The search filter for group membership queries. |
| GroupNameAttribute | Y | Defines the directory server attribute to be used as the short name for a group. |
| GroupSearchFilter | Y | Specifies the search filter for groups. Example: "(&(objectclass=group)(samAccountName={0}))", where samAccountName serves as the short name. |
| Id | N | An object's globally unique ID (GUID). |
| IsSSLEnabled | Y | Defines whether or not the Secure Sockets Layer (SSL) protocol is enabled for a given DirectoryConfiguration object. The default value is false, indicating that SSL is disabled. |
| RestrictMembershipToConfiguredRealms | Y | Restricts group lookups to configured realms only. A user can be in a configured realm but belong to a group in an unconfigured realm. If set to Yes, that user cannot log in because the system cannot look up all of the user's group memberships. If set to No, group memberships in unconfigured realms are ignored. |
| UserBaseDN | Y | The base DN for searching for users in the directory server. |
| UserDisplayNameAttribute | Y | Specifies the display name for a User object generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration. |
| UserNameAttribute | Y | Defines the directory server attribute to be used as the short name for a user. |
| UserSearchFilter | Y | Specifies the search filter for users. Example: "(&(objectclass=user)(samAccountName={0}))", where samAccountName serves as the short name. |


Realm Configuration (WebLogic)

Authentication Provider Configuration, using WebLogic

This section provides realm configuration instructions for WebLogic. After the authentication providers are configured, you must restart WebLogic.

Content Engine can create at most two authentication providers for each Sun Java System Directory Server data naming context (that is, a realm). These two providers are used to authenticate by short name and distinguished name. Content Engine cannot create an authentication provider for UPN since Sun does not have an LDAP attribute to hold the user name in UPN format.

In the following configuration example, short name is mapped to uid:

DefaultAuthenticator
DefaultIdentityAsserter
SunOne_By_uid (short name)
SunOne_By_entrydn (DN)

When configuring WebLogic authentication providers, the LDAP attribute used for the fields "User Name Attribute" and "User From Name Filter" must be the same. The same applies to the group configuration. The example below uses uid.

For each Sun Java System Directory Server, read the namingContexts attribute in its rootDSE to find out how many data naming contexts it has. Then create one WebLogic authentication provider for each data naming context, as in the following example.

Example: Assume a Sun Java System Directory Server has the following two data naming contexts:

  • o=isp
  • dc=mycompany,dc=com

You must create two WebLogic authentication providers for it.

| Provider Name | Tab | Field Name | Field Value |
|---|---|---|---|
| isp_uid | General | Control Flag | Sufficient |
| | iPlanet LDAP | Host | sunOne-host |
| | | Port | 389 |
| | | Principal | uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot |
| | | Credential | <password> |
| | Users | User Name Attribute | Uid |
| | | User Base DN | ou=people,o=isp |
| | | User From Name Filter | (&(objectClass=person)(uid=%u)) |
| | Groups | Group Base DN | ou=groups,o=isp |
| | | Group From Name Filter | (&(objectClass=groupOfUniqueNames)(cn=%g)) |
| | | Static Group Name Attribute | cn |
| | Membership | Static Group DNs from Member DN Filter | (&(objectClass=groupOfUniqueNames)(uniqueMember=%M)) |
| MyCompany_uid | General | Control Flag | Sufficient |
| | iPlanet LDAP | Host | sunOne-host |
| | | Port | 389 |
| | | Principal | uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot |
| | | Credential | <password> |
| | Users | User Name Attribute | uid |
| | | User Base DN | Ou=users,dc=mycompany,dc=com |
| | | User From Name Filter | (&(uid=%u)(objectclass=person)) |
| | Groups | Group Base DN | Ou=users,dc=mycompany,dc=com |
| | | Group From Name Filter | (&(objectClass=groupOfUniqueNames)(cn=%g)) |
| | | Static Group Name Attribute | cn |
| | Membership | Static Group DNs from Member DN Filter | (&(objectClass=groupOfUniqueNames)(uniqueMember=%M)) |
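The "same attribute" rule above is easy to violate by hand. This added example (not WebLogic or FileNet code) checks a provider's user and group settings for that rule and expands the %u, %g and %M placeholders with RFC 4515 escaping, so that a short name containing filter metacharacters cannot change the meaning of the filter. The provider dictionary is a constructed copy of the isp_uid settings from the table.

```python
# Added example (not WebLogic or FileNet code): validate the name attribute
# against the filter that uses it, and expand %u / %g / %M safely.
import re

# Characters that are special inside an LDAP search filter value (RFC 4515).
_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Escape filter metacharacters so a value is matched literally."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def expand_filter(template, **values):
    """Replace %u, %g, %M with escaped values, e.g. expand_filter(f, u='alice')."""
    def sub(match):
        key = match.group(1)
        if key not in values:
            raise KeyError("no value supplied for placeholder %" + key)
        return escape_filter_value(values[key])
    return re.sub(r"%([ugM])", sub, template)

def placeholder_attribute(template, placeholder):
    """Attribute a placeholder is compared against: '(uid=%u)' -> 'uid'."""
    pattern = r"\(\s*([A-Za-z][\w.;-]*)\s*=\s*%" + placeholder + r"\s*\)"
    m = re.search(pattern, template)
    return m.group(1).lower() if m else None

def check_provider(provider):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    pairs = [("User Name Attribute", "User From Name Filter", "u"),
             ("Static Group Name Attribute", "Group From Name Filter", "g")]
    for attr_field, filter_field, ph in pairs:
        attr = provider[attr_field].lower()
        used = placeholder_attribute(provider[filter_field], ph)
        if used != attr:
            problems.append(f"{filter_field} compares %{ph} against {used!r} "
                            f"but {attr_field} is {attr!r}")
    return problems

# Constructed sample mirroring the isp_uid provider in the table above.
ISP_UID = {
    "User Name Attribute": "uid",
    "User From Name Filter": "(&(objectClass=person)(uid=%u))",
    "Static Group Name Attribute": "cn",
    "Group From Name Filter": "(&(objectClass=groupOfUniqueNames)(cn=%g))",
}
```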


GCD Configuration

For the example in the previous section, you must create the following two DirectoryConfigurationSunOne objects - one for each data naming context.

DirectoryConfigurationSunOne object 1:

DirectoryConfigurationSunOne object 2:

Configuration Result

Authentication

FileNet P8 can authenticate any user by uid under:

  • ou=people,o=isp
  • ou=users,dc=mycompany,dc=com

Realm set

Two realms (i.e., all the data naming contexts):

  • o=isp
  • dc=mycompany,dc=com

User and group retrieval

FileNet P8 can retrieve any user under:

  • ou=people,o=isp
  • ou=users,dc=mycompany,dc=com

FileNet P8 can retrieve any group under:

  • ou=groups,o=isp
  • ou=users,dc=mycompany,dc=com

Group membership

FileNet P8 can search group memberships within a realm. Note that Sun ONE does not support group membership across naming contexts in static groups.


Operation

Get User or Group by Short Name

Iterate through all realms. For each realm:

  1. Connect to corresponding host.
  2. Search for the user or group by short name.
  3. If found, return.

If more than one user or group is found, Content Engine logs an error and returns the first one found.

Get User or Group by DN

  1. Resolve the realm name from the DN.
  2. Connect to corresponding host.
  3. Search for the user or group by DN.

Get User or Group by UPN

The SunOne provider does not support these methods.

Get User or Group by SID

Iterate through all realms. For each realm:

  1. Connect to corresponding host.
  2. Search for the user or group by SID.
  3. If found, return.

Search Users or Groups in a Given Realm

  1. Connect to the host corresponding to the specified realm.
  2. Search for the users or groups by the search criteria.
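The realm-from-DN rule described under Directory Configuration Properties (matching UserBaseDN against the data naming contexts) and the short-name and DN lookups listed above, as an added example that is not FileNet code. The directory contents are a constructed in-memory stand-in for two naming contexts; the realm names are the ones used in the configuration example.

```python
# Added example, not FileNet code: realm resolution from a DN plus the
# short-name and DN lookups from the "Operation" section, run against a
# constructed in-memory stand-in for two data naming contexts.
import logging

log = logging.getLogger("ce-lookup")

def dn_rdns(dn):
    """Normalise a DN into lower-case RDNs: 'ou=People, o=ISP ' -> ['ou=people', 'o=isp']."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def realm_for_dn(dn, naming_contexts):
    """Return the naming context that is the longest suffix of dn, or None."""
    rdns, best = dn_rdns(dn), None
    for ctx in naming_contexts:
        ctx_rdns = dn_rdns(ctx)
        if len(ctx_rdns) <= len(rdns) and rdns[-len(ctx_rdns):] == ctx_rdns:
            if best is None or len(ctx_rdns) > len(dn_rdns(best)):
                best = ctx
    return best

# Constructed sample directory: naming context -> [(entry DN, uid), ...].
# "bob" exists in both realms to show the ambiguity the page describes.
REALMS = {
    "o=isp": [("uid=alice,ou=people,o=isp", "alice"),
              ("uid=bob,ou=people,o=isp", "bob")],
    "dc=mycompany,dc=com": [("uid=carol,ou=users,dc=mycompany,dc=com", "carol"),
                            ("uid=bob,ou=users,dc=mycompany,dc=com", "bob")],
}

def get_user_by_short_name(short_name, realms=REALMS):
    """Iterate every realm; on several matches, log an error and return the first one found."""
    hits = [dn for entries in realms.values() for dn, uid in entries
            if uid.lower() == short_name.lower()]
    if len(hits) > 1:
        log.error("short name %r matched %d entries across realms: %s",
                  short_name, len(hits), hits)
    return hits[0] if hits else None

def get_user_by_dn(dn, realms=REALMS):
    """Resolve the realm from the DN first, then search only that realm."""
    realm = realm_for_dn(dn, realms)   # the dict keys are the naming contexts
    if realm is None:
        return None                     # DN lies outside every configured realm
    wanted = dn_rdns(dn)
    for entry_dn, _uid in realms[realm]:
        if dn_rdns(entry_dn) == wanted:
            return entry_dn
    return None
```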
