IBM Tivoli Directory Server

This topic describes FileNet P8's support for integrating with IBM Tivoli Directory Server.

General

One instance of IBM Tivoli Directory Server can have multiple data naming contexts. Because each data naming context is mapped to a Content Engine realm, one IBM Tivoli Directory Server can be mapped to multiple Content Engine realms.

For each realm, you need to create an application server authentication provider and a DirectoryConfigurationIBM object, so that there is a one-to-one relationship between Realm object and authentication provider, and also a one-to-one relationship between Realm object and DirectoryConfigurationIBM object.

For each authentication provider, FileNet P8 extracts the realm name from the configured User Base DN value by comparing it with each data naming context. For example, if the authentication provider's user base DN is “ou=people,o=isp” and the server has two data naming contexts, “o=isp” and “dc=filenet,dc=com”, then the realm name for this authentication provider is “o=isp”.

NOTE  FileNet highly recommends that you configure SSL between the application server that hosts Content Engine and your directory servers. This includes making changes, in the application server, to the authentication provider and to the DirectoryConfigurationIBM object that was created while running Configuration Manager. Consult your application server's documentation for instructions.

Support matrix

Use this support matrix as a quick lookup of supported directory features.

IBM Tivoli Directory Server Features                      Supported By Content Engine
One-way Secure Sockets Layer (SSL)                        Y
Two-way SSL                                               N
Transport Layer Security (TLS)                            N
Static Groups                                             Y
Dynamic Groups                                            N
Nested Groups                                             Y
Supported User type (objectClass)                         inetOrgPerson
Supported Static Group types (objectClass)                groupOfUniqueNames, groupOfNames
Roles                                                     N
Follow referrals for Search (e.g. User/Group retrieval)   N
Support multiple realms                                   Y
Chaining                                                  Y
Directory aliases                                         N
Restrict to single realm                                  Y - Configure only one realm in the application server.
Configurable user short name attribute                    Y - Because the short name does not contain realm information, short names must be unique across all your configured domains and realms.
Configurable group short name attribute                   Y
Configurable user display name attribute                  Y
Configurable group display name attribute                 Y
Multiple authenticating attributes support                Y - See Configure multiple authenticating attributes.
Sorting                                                   Y - Users/groups are returned in sorted order, either ascending or descending.
Paging/Continuation                                       Y - Users/groups are returned page by page; page continuation happens automatically in the back end.

Directory Configuration Properties

The following is an alphabetic list of the properties in the DirectoryConfigurationIBM class. Use Enterprise Manager to view all properties and modify editable properties.

Property Name                          Editable?  Description
ClassDescription                       N          A ClassDescription object containing the fixed description of the class from which a given object is instantiated.
DirectoryServerHost                    Y          Specifies the name of the host that is running the directory server product.
DirectoryServerPassword                Y          Specifies the user password used to authenticate to a given directory server.
DirectoryServerPort                    Y          Specifies the port number of the directory server. The value of this property defaults to port 389 for all supported directory server types.
DirectoryServerProviderClass           Y          Specifies the directory server provider class name: com.filenet.engine.security.IBMTivoliProvider
DirectoryServerType                    N          Specifies the type of directory server: IBM
DirectoryServerUserName                Y          Specifies the username for authenticating to the directory server.
DisplayName                            Y          The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class.
GroupBaseDN                            Y          The base DN for searching for groups in the directory server.
GroupDisplayNameAttribute              Y          Specifies the display name for a Group object generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration.
GroupMembershipSearchFilter            Y          The search filter for group membership queries.
GroupNameAttribute                     Y          Defines the directory server attribute to be used as the short name for a group.
GroupSearchFilter                      Y          Specifies the search filter for groups. Example: “(&(objectclass=group)(samAccountName={0}))”, where samAccountName serves as the short name.
Id                                     N          An object's globally unique ID (GUID).
IsSSLEnabled                           Y          Defines whether the Secure Sockets Layer (SSL) protocol is enabled for a given DirectoryConfiguration object. The default value is false, indicating that SSL is disabled.
RestrictMembershipToConfiguredRealms   Y          Restricts group lookups to configured realms only. A user can be in a configured realm but belong to a group in an unconfigured realm. If set to Yes, that user cannot log on because the system cannot look up all of the user's group memberships. If set to No, group memberships in unconfigured realms are ignored.
UserBaseDN                             Y          The base DN for searching for users in the directory server.
UserDisplayNameAttribute               Y          Specifies the display name for a User object generated by the authentication provider. The default property value depends on the authentication provider and is specified by the provider's configuration.
UserNameAttribute                      Y          Defines the directory server attribute to be used as the short name for a user.
UserSearchFilter                       Y          Specifies the search filter for users. Example: “(&(objectclass=user)(samAccountName={0}))”, where samAccountName serves as the short name.

Realm Configuration (WebLogic)

This section gives realm configuration instructions for WebLogic. After the authentication providers are configured, you must restart the WebLogic server.

When configuring WebLogic authentication providers, the LDAP attribute used for the "User Name Attribute" field and in the "User From Name Filter" must be the same. The same applies to the group configuration. The example below uses cn for both.

For each IBM Tivoli Directory Server, check the namingContexts attribute of its root entry to find out how many data naming contexts it has. For each data naming context, create a WebLogic authentication provider as follows:

Authentication Provider Configuration, using WebLogic

Assume an IBM Tivoli Directory Server has the following two data naming contexts:

  • o=isp
  • dc=mycompany,dc=com

You need to create two WebLogic authentication providers for it, one per data naming context.

Provider Name   Tab          Field Name                                Field Value
isp_cn          General      Control Flag                              Sufficient
                Open LDAP    Host                                      MyHost1
                             Port                                      389
                             Principal                                 cn=root
                             Credential                                <password>
                Users        User Name Attribute                       cn
                             User Base DN                              ou=people,o=isp
                             User From Name Filter                     (&(objectClass=person)(cn=%u))
                Groups       Group Base DN                             ou=groups,o=isp
                             Group From Name Filter                    (&(cn=%g)(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))
                             Static Group Name Attribute               cn
                Membership   Static Group DNs from Member DN Filter    (|(&(objectclass=groupOfNames)(member=%M))(&(objectclass=groupOfUniqueNames)(uniqueMember=%M)))
MyCompany_cn    General      Control Flag                              Sufficient
                Open LDAP    Host                                      MyHost1
                             Port                                      389
                             Principal                                 cn=root
                             Credential                                <password>
                Users        User Name Attribute                       cn
                             User Base DN                              ou=users,dc=mycompany,dc=com
                             User From Name Filter                     (&(objectClass=person)(cn=%u))
                Groups       Group Base DN                             ou=users,dc=mycompany,dc=com
                             Group From Name Filter                    (&(cn=%g)(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))
                             Static Group Name Attribute               cn
                Membership   Static Group DNs from Member DN Filter    (|(&(objectclass=groupOfNames)(member=%M))(&(objectclass=groupOfUniqueNames)(uniqueMember=%M)))
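
As an added example (not WebLogic or FileNet code), the %u, %g and %M placeholders of the filters above expanded in Python. The RFC 4515 escaping of the substituted value is an addition of this example, not something the page describes, and keeps a short name or DN from altering the filter's structure; the function names are constructed.

```python
# Filters exactly as they appear in the provider table on this page.
USER_FROM_NAME = "(&(objectClass=person)(cn=%u))"
GROUP_FROM_NAME = ("(&(cn=%g)(|(objectClass=groupOfNames)"
                   "(objectClass=groupOfUniqueNames)))")
STATIC_GROUPS_FROM_MEMBER = ("(|(&(objectclass=groupOfNames)(member=%M))"
                             "(&(objectclass=groupOfUniqueNames)(uniqueMember=%M)))")

# RFC 4515 escapes for characters that are special inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape one value so it can only match literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand(template, **values):
    """Substitute %u, %g, %M (keyword u=, g=, M=) with escaped values.
    Placeholders that get no value are left in place so a misconfigured
    template is visible rather than silently matching nothing."""
    out = template
    for key, raw in values.items():
        out = out.replace("%" + key, escape_filter_value(raw))
    return out

def user_filter(short_name):
    """Filter the isp_cn provider sends for a logon by short name."""
    return expand(USER_FROM_NAME, u=short_name)

def member_filter(user_dn):
    """Filter that lists the static groups a user DN belongs to (%M is the DN)."""
    return expand(STATIC_GROUPS_FROM_MEMBER, M=user_dn)
```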

GCD Configuration

For the example in the previous section, you must create the following two DirectoryConfigurationIBM objects - one for each data naming context.

DirectoryConfigurationIBM object 1:

DirectoryConfigurationIBM object 2:

Configuration Result

Authentication

FileNet P8 can authenticate any user by uid under:

  • ou=people,o=isp
  • ou=users,dc=mycompany,dc=com

Realm set

Two realms (i.e., all the data naming contexts):

  • o=isp
  • dc=mycompany,dc=com

User/group retrieval

FileNet P8 can retrieve any user under:

  • ou=people,o=isp
  • ou=users,dc=mycompany,dc=com

FileNet P8 can retrieve any group under:

  • ou=groups,o=isp
  • ou=users,dc=mycompany,dc=com

Group membership

FileNet P8 can search group memberships:

  • Within a realm
  • Across realms

Operation

Get User or Group by Short Name

Iterate through all realms. For each realm:

  1. Connect to the corresponding host.
  2. Search for the user/group by short name.
  3. If found, return it.

If more than one user/group is found, Content Engine logs an error and returns the first one found.

Get User or Group by DN

  1. Resolve the realm name from the DN.
  2. Connect to the corresponding host.
  3. Search for the user/group by DN.

Get User or Group by UPN

The IBM Tivoli provider does not support these methods.

Get User or Group by SID

Iterate through all realms. For each realm:

  1. Connect to the corresponding host.
  2. Search for the user/group by SID.
  3. If found, return it.

Search Users or Groups in a Given Realm

  1. Connect to the host corresponding to the specified realm.
  2. Search for the users or groups by the search criteria.
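
The lookups in this section, together with the realm extraction described under General and the RestrictMembershipToConfiguredRealms property, modelled in Python as an added example; this is not Content Engine code. The directory contents, the extra unconfigured naming context o=other and the function names are constructed for illustration.

```python
import logging
# Constructed sample modelled on this page's example: the two configured realms
# (naming contexts with a GCD object) plus "o=other", which has no GCD object.
CONFIGURED_REALMS = ["o=isp", "dc=mycompany,dc=com"]
# In-memory stand-in for the directory: DN -> attributes (constructed data).
DIRECTORY = {
    "cn=alice,ou=people,o=isp": {"cn": "alice", "objectClass": "person"},
    "cn=alice,ou=users,dc=mycompany,dc=com": {"cn": "alice", "objectClass": "person"},
    "cn=staff,ou=groups,o=isp": {"cn": "staff", "objectClass": "groupOfNames",
                                 "member": ["cn=alice,ou=people,o=isp"]},
    "cn=ext,ou=groups,o=other": {"cn": "ext", "objectClass": "groupOfNames",
                                 "member": ["cn=alice,ou=people,o=isp"]},
}

def rdns(dn):
    """Split a DN into normalised RDN components (trimmed, lower-cased)."""
    return [p.strip().lower() for p in dn.split(",")]

def resolve_realm(dn, naming_contexts=CONFIGURED_REALMS):
    """Longest naming context that is an RDN-wise suffix of dn, else None."""
    parts, best = rdns(dn), None
    for ctx in naming_contexts:
        cp = rdns(ctx)  # compared component-wise: "o=isp" does not match "o=xisp"
        if parts[-len(cp):] == cp and (best is None or len(cp) > len(rdns(best))):
            best = ctx
    return best

def get_by_dn(dn):
    """Get by DN: the realm is resolved first; a DN in no realm is not searched."""
    return DIRECTORY.get(dn) if resolve_realm(dn) else None

def get_by_short_name(short_name):
    """Get by short name: search every realm; >1 hit logs an error, first wins."""
    hits = [dn for dn, e in DIRECTORY.items() if e["objectClass"] == "person"
            and e["cn"] == short_name and resolve_realm(dn)]
    if len(hits) > 1:
        logging.error("short name %r found %d times across realms", short_name, len(hits))
    return hits[0] if hits else None

def group_dns_for_user(user_dn, restrict_to_configured_realms):
    """RestrictMembershipToConfiguredRealms: True refuses the logon, False skips."""
    groups = []
    for dn, e in DIRECTORY.items():
        if user_dn in e.get("member", []):
            if resolve_realm(dn) is None:  # group lives in an unconfigured realm
                if restrict_to_configured_realms:
                    raise PermissionError(f"{dn} is outside the configured realms")
                continue
            groups.append(dn)
    return groups
```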