This topic describes FileNet P8's support for integrating with IBM Tivoli Directory Server.
One instance of IBM Tivoli Directory Server can have multiple data naming contexts. Because each data naming context is mapped to a Content Engine realm, one IBM Tivoli Directory Server can be mapped to multiple Content Engine realms.
For each realm, you need to create an application server authentication provider and a DirectoryConfigurationIBM object, so that there is a one-to-one relationship between Realm object and authentication provider, and also a one-to-one relationship between Realm object and DirectoryConfigurationIBM object.
For each authentication provider, FileNet P8 extracts the realm name from the specified User Base DN value by comparing it with each data naming context. For example, if this authentication provider's user base DN is “ou=people,o=isp”, and there are two data naming contexts, “o=isp” and “dc=filenet,dc=com”, then the realm name for this authentication provider is “o=isp”.
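The realm lookup described above, as an added example that is not part of the original IBM documentation: it matches a User Base DN against the data naming contexts RDN by RDN (so that a context is accepted only as a true suffix, case and padding normalized) and then groups providers by realm so that a violation of the one-to-one rule between realm and authentication provider is visible. The provider names and the nested "dc=com" context are constructed sample data.

```python
import re

def split_rdns(dn):
    """Split a DN into normalized RDNs (lower-case, no padding around '=' or ',').
    A comma escaped as '\\,' stays inside its value (simplified RFC 4514 handling)."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns

def realm_for_base_dn(user_base_dn, naming_contexts):
    """Return the data naming context that is a suffix of user_base_dn, compared
    RDN by RDN (so 'dco=isp' never matches 'o=isp'). When contexts nest, the
    longest match wins. None means the base DN lies under no naming context."""
    base = split_rdns(user_base_dn)
    best = None
    for ctx in naming_contexts:
        ctx_rdns = split_rdns(ctx)
        if len(ctx_rdns) <= len(base) and base[-len(ctx_rdns):] == ctx_rdns:
            if best is None or len(ctx_rdns) > len(split_rdns(best)):
                best = ctx
    return best

def providers_per_realm(providers, naming_contexts):
    """Map each naming context to the providers whose User Base DN falls under it.
    A context listed with two providers, or a provider mapped to None, breaks the
    one-to-one rule between realm and authentication provider."""
    by_realm = {}
    for name, base_dn in providers.items():
        by_realm.setdefault(realm_for_base_dn(base_dn, naming_contexts), []).append(name)
    return by_realm

# Constructed sample: the two contexts from the text plus a nested parent context
NAMING_CONTEXTS = ["o=isp", "dc=filenet,dc=com", "dc=com"]
PROVIDERS = {                     # provider name -> User Base DN (constructed)
    "isp_cn": "OU=People, O=ISP",
    "filenet_cn": "ou=users,dc=filenet,dc=com",
    "orphan_cn": "ou=people,dco=isp",   # no context matches: misconfigured
}

if __name__ == "__main__":
    for realm, names in providers_per_realm(PROVIDERS, NAMING_CONTEXTS).items():
        print(realm, "->", names)
```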
NOTE FileNet highly recommends that you configure SSL between your application server that hosts Content Engine and your Active Directory servers. This will include making changes in the application server to the authentication provider's DirectoryConfigurationIBM object that was created while running Configuration Manager. Consult your application server's documentation for instructions.
Use this support matrix as a quick lookup of supported directory features.
IBM Tivoli Directory Server Features | Supported By Content Engine |
---|---|
One-way Secure Sockets Layer (SSL) | Y |
Two-way SSL | N |
Transport Layer Security (TLS) | N |
Static Groups | Y |
Dynamic Groups | N |
Nested Groups | Y |
Supported User type (objectClass) | inetOrgPerson |
Supported Static Group types (objectClass) | groupOfUniqueNames, groupOfNames |
Roles | N |
Follow referrals for Search (e.g. User/Group retrieval) | N |
Support multiple realms | Y |
Chaining | Y |
Directory aliases | N |
Restrict to single realm | Y. Just configure one realm in the application server. |
Configurable user short name attribute | Y. Because the short name does not contain realm information, short names must be unique across all your configured domains and realms. |
Configurable group short name attribute | Y |
Configurable user display name attribute | Y |
Configurable group display name attribute | Y |
Multiple authenticating attributes support | Y. See Configure multiple authenticating attributes. |
Sorting | Y. Returns users/groups in sorted order, either ascending or descending. |
Paging/Continuation | Y. Returns users/groups page by page. Page continuation happens automatically in the back end. |
The following is an alphabetic list of the properties in the DirectoryConfigurationIBM class. Use Enterprise Manager to view all properties and modify editable properties.
Property Name | Editable? | Description |
---|---|---|
ClassDescription | N | A ClassDescription object containing the fixed description of the class from which a given object is instantiated. |
DirectoryServerHost | Y | Specifies the name of the host that is running the directory server product. |
DirectoryServerPassword | Y | Specifies the user password used to authenticate to a given directory server. |
DirectoryServerPort | Y | Specifies the port number of the directory server. The value of this property defaults to port 389 for all supported directory server types. |
DirectoryServerProviderClass | Y | Specifies the directory server provider class name: com.filenet.engine.security.IBMTivoliProvider |
DirectoryServerType | N | Specifies the type of directory server: IBM |
DirectoryServerUserName | Y | Specifies the user name for authenticating to the directory server. |
DisplayName | Y | The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class. |
GroupBaseDN | Y | The base DN for searching for groups in the directory server. |
GroupDisplayNameAttribute | Y | Specifies the display name for a |
GroupMembershipSearchFilter | Y | The search filter for group membership queries. |
GroupNameAttribute | Y | Defines the directory server attribute to be used as the short name for a group. |
GroupSearchFilter | Y | Specifies the search filter for groups. Example: (&(objectclass=group)(samAccountName={0})), where samAccountName serves as the short name. |
Id | N | An object's globally unique ID (GUID). |
IsSSLEnabled | Y | Defines whether or not the Secure Sockets Layer (SSL) protocol is enabled for a given DirectoryConfiguration object. The default value is false, indicating that SSL is disabled. |
RestrictMembershipToConfiguredRealms | Y | Restricts group lookups to configured realms only. A user can be in a configured realm but belong to a group in an unconfigured realm. If set to Yes, that user cannot log on because the system cannot look up all the user's group memberships. If set to No, group memberships in unconfigured realms are ignored. |
UserBaseDN | Y | The base DN for searching for users in the directory server. |
UserDisplayNameAttribute | Y | Specifies the display name for a User object generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration. |
UserNameAttribute | Y | Defines the directory server attribute to be used as the short name for a user. |
UserSearchFilter | Y | Specifies the search filter for users. Example: (&(objectclass=user)(samAccountName={0})), where samAccountName serves as the short name. |
This section shows Realm configuration instructions for WebLogic. After the authentication providers are configured, you must restart WebLogic server.
When configuring WebLogic authentication providers, the LDAP attribute used for the fields "User Name Attribute" and "User From Name Filter" must be the same. The same applies to the group configuration. Here is an example that uses samAccountName:
For each IBM Tivoli Directory Server, check the namingContexts attribute of its root entry to find out how many data naming contexts it has. For each data naming context, create a WebLogic authentication provider by doing the following:
Assume an IBM Tivoli Directory Server has the following two data naming contexts:
You need to create two WebLogic authentication providers for it.
Provider Name | Tab | Field Name | Field Value |
---|---|---|---|
isp_cn | General | Control Flag | Sufficient |
 | Open LDAP | Host | MyHost1 |
 | | Port | 389 |
 | | Principal | cn=root |
 | | Credential | <password> |
 | Users | User Name Attribute | cn |
 | | User Base DN | ou=people,o=isp |
 | | User From Name Filter | (&(objectClass=person)(cn=%u)) |
 | Groups | Group Base DN | ou=groups,o=isp |
 | | Group From Name Filter | (&(cn=%g)(\|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))) |
 | | Static Group Name Attribute | cn |
 | Membership | Static Group DNs from Member DN Filter | (\|(&(objectclass=groupOfNames)(member=%M))(&(objectclass=groupOfUniqueNames)(uniqueMember=%M))) |
MyCompany_cn | General | Control Flag | Sufficient |
 | Open LDAP | Host | MyHost1 |
 | | Port | 389 |
 | | Principal | cn=root |
 | | Credential | <password> |
 | Users | User Name Attribute | cn |
 | | User Base DN | ou=users,dc=mycompany,dc=com |
 | | User From Name Filter | (&(objectClass=person)(cn=%u)) |
 | Groups | Group Base DN | ou=users,dc=mycompany,dc=com |
 | | Group From Name Filter | (&(cn=%g)(\|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))) |
 | | Static Group Name Attribute | cn |
 | Membership | Static Group DNs from Member DN Filter | (\|(&(objectclass=groupOfNames)(member=%M))(&(objectclass=groupOfUniqueNames)(uniqueMember=%M))) |
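An added consistency check for one WebLogic provider definition (example code, not from the original page or from IBM): it takes the isp_cn field values from the table above and verifies the rule stated earlier, namely that the attribute compared with %u in "User From Name Filter" equals "User Name Attribute" and that the attribute compared with %g equals "Static Group Name Attribute", and that the membership filter covers both supported static group classes with their membership attributes. Reading the filters with a regular expression is an assumption about how the console strings look.

```python
import re

# Constructed from the isp_cn provider in the table above; the assumption is
# that each value is copied exactly as entered in the WebLogic console.
ISP_CN = {
    "User Name Attribute": "cn",
    "User From Name Filter": "(&(objectClass=person)(cn=%u))",
    "Static Group Name Attribute": "cn",
    "Group From Name Filter":
        "(&(cn=%g)(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))",
    "Static Group DNs from Member DN Filter":
        "(|(&(objectclass=groupOfNames)(member=%M))"
        "(&(objectclass=groupOfUniqueNames)(uniqueMember=%M)))",
}

def placeholder_attribute(filter_text, placeholder):
    """Return the attribute (lower-cased) that an LDAP filter compares against the
    placeholder (%u, %g or %M), or None when no (attr=placeholder) assertion exists."""
    pattern = r'\(\s*([A-Za-z][\w-]*)\s*=\s*' + re.escape(placeholder) + r'\s*\)'
    m = re.search(pattern, filter_text)
    return m.group(1).lower() if m else None

def check_provider(cfg):
    """Return a list of problems found in one WebLogic provider definition;
    an empty list means the provider follows the rules described on this page."""
    problems = []
    user_attr = placeholder_attribute(cfg["User From Name Filter"], "%u")
    if user_attr != cfg["User Name Attribute"].lower():
        problems.append("User From Name Filter does not look up %u by the User Name Attribute")
    group_attr = placeholder_attribute(cfg["Group From Name Filter"], "%g")
    if group_attr != cfg["Static Group Name Attribute"].lower():
        problems.append("Group From Name Filter does not look up %g by the Static Group Name Attribute")
    # Both supported static group classes must be matched, each via its own
    # membership attribute (member for groupOfNames, uniqueMember for groupOfUniqueNames).
    member_filter = cfg["Static Group DNs from Member DN Filter"].lower()
    for oc, member_attr in (("groupofnames", "member"), ("groupofuniquenames", "uniquemember")):
        if f"(objectclass={oc})" not in member_filter or f"({member_attr}=%m)" not in member_filter:
            problems.append(f"membership filter does not cover {oc} via {member_attr}")
    return problems

if __name__ == "__main__":
    print(check_provider(ISP_CN) or "isp_cn: no problems found")
```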
For the example in the previous section, you must create the following two DirectoryConfigurationIBM objects, one for each data naming context.
DirectoryConfigurationIBM object 1:
DirectoryConfigurationIBM object 2:
Authentication: FileNet P8 can authenticate any user by uid under:
Realm set: Two realms (i.e., all the data naming contexts):
User/group retrieval: FileNet P8 can retrieve any user or group under:
FileNet P8 can retrieve any group under:
Group membership: FileNet P8 can search group memberships:
Iterate through all realms. For each realm:
If more than one user/group is found, Content Engine will log an error and return the first user found.
The IBM Tivoli provider does not support these methods.
Iterate through all realms. For each realm: