Novell eDirectory

This topic describes FileNet P8's support for integrating with the Novell eDirectory directory server.

General

One instance of Novell eDirectory directory server can have multiple contexts. Because each context immediately under the ROOT DSE (tree Object) is mapped to a Content Engine realm, one eDirectory server can be mapped to multiple Content Engine realms.

For each realm, you must create an application server authentication provider and a DirectoryConfigurationNovell object, so that each Realm object has exactly one authentication provider and exactly one DirectoryConfigurationNovell object (a one-to-one relationship in both cases).

For example:

For each DirectoryConfigurationNovell object, FileNet P8 uses the specified UserBaseDN property value to look up the context.

NOTE  FileNet highly recommends that you configure SSL between the application server that hosts Content Engine and your Novell eDirectory servers. This involves changes in the application server to the authentication provider and to the DirectoryConfigurationNovell object that was created while running Configuration Manager. Consult your application server's documentation for instructions.


Support matrix

Use this support matrix as a quick lookup of supported directory features.

Novell eDirectory Features | Supported By Content Engine
One-way Secure Sockets Layer (SSL) | Y
Two-way SSL | N
Transport Layer Security (TLS) | N
Container types supported | Country (C), Organization (O), Organizational Unit (OU), Domain (DC)
Static Groups | Y
Nested Groups | N (eDirectory does not support nested groups; a group cannot have siblings or grandparents)
Dynamic Groups | N
Supported User type (objectClass) | Person
Supported Static Group types (objectClass) | groupOfNames
Roles | N
Follow referrals for Search (e.g. User/Group retrieval) | N
Support multiple realms | Y
Chaining | Y
Directory aliases | N
Restrict to single realm | Y - Just configure one realm in the application server
Configurable user short name attribute | Y - Because the short name does not contain realm information, short names must be unique across all your configured domains and realms.
Configurable user display name attribute | Y
Configurable group display name attribute | Y
Configurable group name attribute for persisting | Y
Multiple authenticating attributes support | Y - See Configure multiple authenticating attributes for details.
Sorting | Y - Returns users/groups in sorted order (ascending only)
Paging/Continuation | Y - Returns users/groups page by page. Page continuation happens automatically in the back end.
Typeful and typeless name display | Typeful name display only


Directory Configuration Properties

The following is an alphabetical list of the properties in the DirectoryConfigurationNovell class. Use Enterprise Manager to view all properties and to modify the editable ones.

Name | Editable? | Description
ClassDescription | N | A ClassDescription object containing the fixed description of the class from which a given object is instantiated.
DirectoryServerHost | Y | Specifies the name of the host that is running the directory server product.
DirectoryServerPassword | Y | Specifies the user password used to authenticate to a given directory server.
DirectoryServerPort | Y | Specifies the port number of the directory server. The value of this property defaults to port 389 for all supported directory server types.
DirectoryServerProviderClass | Y | Specifies the directory server provider class name: com.filenet.engine.security.EDirectoryProvider
DirectoryServerType | N | Specifies the type of directory server: Novell
DirectoryServerUserName | Y | Specifies the username for authenticating to the directory server.
DisplayName | Y | The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class.
GroupBaseDN | Y | The base DN for searching for groups in the directory server.
GroupDisplayNameAttribute | Y | Specifies the display name for a Group object generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration.
GroupMembershipSearchFilter | Y | The search filter for group membership queries.
GroupNameAttribute | Y | Defines the directory server attribute to be used as the short name for a group.
GroupSearchFilter | Y | Specifies the search filter for groups. Example: "(&(objectclass=group)(samAccountName={0}))", where samAccountName serves as the short name.
Id | N | An object's globally unique ID (GUID).
IsSSLEnabled | Y | Defines whether the Secure Sockets Layer (SSL) protocol is enabled for a given DirectoryConfiguration object. The default value is false, indicating that SSL is disabled.
RestrictMembershipToConfiguredRealms | Y | Restricts group lookups to configured realms only. A user can be in a configured realm but belong to a group in an unconfigured realm. If set to Yes, that user cannot log on because the system cannot look up all of the user's group memberships. If set to No, group memberships in unconfigured realms are ignored.
UserBaseDN | Y | The base DN for searching for users in the directory server.
UserDisplayNameAttribute | Y | Specifies the display name for a User object generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration.
UserNameAttribute | Y | Defines the directory server attribute to be used as the short name for a user.
UserSearchFilter | Y | Specifies the search filter for users. Example: "(&(objectclass=user)(samAccountName={0}))", where samAccountName serves as the short name.


Realm Configuration (WebLogic)

Authentication Provider Configuration

This section shows realm configuration instructions for WebLogic. After the authentication provider is configured, you must restart the WebLogic server.

When configuring WebLogic authentication providers, the LDAP attribute used for the "User Name Attribute" field and the one used in the "User from Name Filter" field must be the same. The same applies to the group configuration. For example:

For each Novell eDirectory directory server, check the contexts immediately under its root DSE to find out how many contexts it has. For each context, create a WebLogic authentication provider by doing the following:

Example: Assume the Novell eDirectory directory server has the following two contexts.

You must create two WebLogic authentication providers, configured as shown in this table.

Provider Name | Tab | Field Name | Field Value
eng_uid | General | Control Flag | Sufficient
eng_uid | Novell LDAP | Host | Ed-host
eng_uid | Novell LDAP | Port | 389
eng_uid | Novell LDAP | Principal | cn=principal1
eng_uid | Novell LDAP | Credential | <password>
eng_uid | Users | User Name Attribute | cn
eng_uid | Users | User Base DN | ou=people, o=cempdev1
eng_uid | Users | User From Name Filter | (&(cn=%u)(objectclass=person))
eng_uid | Groups | Group Base DN | ou=groups, o=cempdev1
eng_uid | Groups | Group From Name Filter | (&(cn=%g)(objectclass=groupOfNames))
eng_uid | Groups | Static Group Name Attribute | cn
eng_uid | Membership | Static Group DNs from Member DN Filter | (&(member=%M)(objectclass=groupOfNames))
MyCompany_uid | General | Control Flag | Sufficient
MyCompany_uid | Novell LDAP | Host | Ed-host
MyCompany_uid | Novell LDAP | Port | 389
MyCompany_uid | Novell LDAP | Principal | cn=principal2
MyCompany_uid | Novell LDAP | Credential | <password>
MyCompany_uid | Users | User Name Attribute | cn
MyCompany_uid | Users | User Base DN | ou=users,dc=filenet.com
MyCompany_uid | Users | User From Name Filter | (&(cn=%u)(objectclass=person))
MyCompany_uid | Groups | Group Base DN | ou=Mygroups, dc=filenet.com
MyCompany_uid | Groups | Group From Name Filter | (&(cn=%g)(objectclass=groupOfNames))
MyCompany_uid | Groups | Static Group Name Attribute | cn
MyCompany_uid | Membership | Static Group DNs from Member DN Filter | (&(member=%M)(objectclass=groupOfNames))


GCD Configuration

For the example in the previous section, you need to create the following two DirectoryConfigurationNovell objects, one for each data naming context.

DirectoryConfigurationNovell object 1:

DirectoryConfigurationNovell object 2:

Configuration Result

Authentication

FileNet P8 can authenticate any user by cn under:

  • ou=people, o=cempdev1
  • ou=users,dc=filenet.com

Realm set

Two realms (i.e., all the data naming contexts):

  • o=cempdev1
  • dc=filenet.com

User/group retrieval

FileNet P8 can retrieve any user under:

  • ou=people, o=cempdev1
  • ou=users, dc=filenet.com

FileNet P8 can retrieve any group under:

  • ou=groups, o=cempdev1
  • ou=Mygroups, dc=filenet.com

Group membership

FileNet P8 can search group memberships:

  • Within a realm
  • Across realms


Operation

Get User or Group by Short Name

Iterate through all realms. For each realm:

  1. Connect to corresponding host.
  2. Search for the user/group by short name.
  3. If found, return.

If more than one user/group is found, Content Engine logs an error and returns the first user found.

Get User or Group by DN

  1. Resolve the realm name from the DN.
  2. Connect to corresponding host.
  3. Search for the user/group by DN.

NOTE  eDirectory does not support nested groups.

Get User or Group by UPN

The eDirectory provider does not support these methods.

Get User or Group by SID

Iterate through all realms. For each realm:

  1. Connect to corresponding host.
  2. Search for the user/group by SID.
  3. If found, return.

Search Users or Groups in a Given Realm

  1. Connect to the host corresponding to the specified realm.
  2. Search for the users or groups by the search criteria.
