This topic describes FileNet P8's support for integrating with Sun Java System Directory Server.
One instance of Sun Java™ System Directory Server can have multiple data naming contexts. Because each Sun data naming context is mapped to a Content Engine realm, one Sun Java System Directory Server can be mapped to multiple Content Engine realms.
For each realm, you need to create an application server authentication provider and a DirectoryConfigurationSunOne object, so that there is a one-to-one relationship between Realm object and authentication provider, and also a one-to-one relationship between Realm object and DirectoryConfigurationSunOne object.
For each DirectoryConfiguration object, FileNet P8 derives the realm name from the specified UserBaseDN property value by comparing it with each data naming context and selecting the one that the UserBaseDN falls under. For example, if the UserBaseDN for this DirectoryConfiguration object is "ou=people,o=isp", and there are two data naming contexts, "o=isp" and "dc=filenet,dc=com", then the realm name for this DirectoryConfiguration object is "o=isp".
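As an added example (not FileNet's own code), the realm lookup described above carried out in Python: the UserBaseDN is normalised and matched against each data naming context on an RDN boundary, using the page's values "ou=people, o=isp", "o=isp" and "dc=filenet,dc=com"; the whitespace handling, the longest-match rule and the non-matching input are assumptions about edge cases the text does not spell out.

```python
# Added example, not FileNet code: derive the Content Engine realm for a
# DirectoryConfigurationSunOne object from its UserBaseDN by finding the
# data naming context (from the rootDSE namingContexts attribute) it ends with.
from typing import List, Optional


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, trimming whitespace around ',' and '=' and
    lower-casing, so 'ou=people, o=isp ' and 'ou=people,o=isp' compare equal.
    Assumption: no escaped commas inside values (true for the DNs on this page)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def realm_for_base_dn(user_base_dn: str, naming_contexts: List[str]) -> Optional[str]:
    """Return the naming context that is a suffix of user_base_dn on an RDN
    boundary, so 'o=isp' matches 'ou=people,o=isp' but not 'ou=people,o=notisp'.
    When several contexts match (nested suffixes) the longest one wins.
    None means the base DN lies outside every configured naming context."""
    base = normalize_dn(user_base_dn)
    best: Optional[str] = None
    best_len = 0
    for ctx in naming_contexts:
        ctx_rdns = normalize_dn(ctx)
        n = len(ctx_rdns)
        if n and n <= len(base) and base[-n:] == ctx_rdns and n > best_len:
            best, best_len = ctx, n
    return best


# Constructed inputs: the two data naming contexts from the text above.
CONTEXTS = ["o=isp", "dc=filenet,dc=com"]

if __name__ == "__main__":
    print(realm_for_base_dn("ou=people, o=isp ", CONTEXTS))          # o=isp
    print(realm_for_base_dn("ou=users,dc=filenet,dc=com", CONTEXTS))  # dc=filenet,dc=com
    print(realm_for_base_dn("ou=people,o=notisp", CONTEXTS))          # None
```

A None result is the case to alarm on: a DirectoryConfigurationSunOne object whose UserBaseDN is outside every naming context cannot be mapped to a realm.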
NOTE: FileNet highly recommends that you configure SSL between the application server that hosts Content Engine and your Sun Java System Directory Server. This includes making changes in the application server to the authentication provider's DirectoryConfigurationSunOne object that was created while running Configuration Manager. Consult your application server's documentation for instructions.
Use this support matrix as a quick lookup of supported directory features.
SunONE Features | Supported By Content Engine |
---|---|
One-way SSL | Y |
Two-way SSL | N |
Transport Layer Security (TLS) | N |
Static Groups | Y |
Nested Groups | Y |
Dynamic Groups | N |
Universal Groups | N |
Supported User type (objectClass) | inetOrgPerson |
Supported Static Group types (objectClass) | groupOfUniqueNames |
Follow referrals for Search (e.g. User/Group retrieval) | N |
Support multiple realms | Y |
Chaining | Y |
Roles | N |
Directory aliases | N |
Restrict to single realm | Y - Just configure one realm in the application server |
Configurable user short name attribute | Y - Because the short name does not contain realm information, short names must be unique across all your configured domains and realms. |
Configurable group short name attribute | Y |
Configurable user display name attribute | Y |
Configurable group display name attribute | Y |
Multiple authenticating attributes support | Y - Can authenticate against the same SunONE server with multiple attributes, such as uid or distinguishedName. See Configure multiple authenticating attributes. |
Sorting | Y - Return users/groups in sorted order, either ascending or descending. |
Paging/Continuation | Y - Return users/groups page by page. Page continuation happens automatically in the back end. |
The following is an alphabetic list of the properties in the DirectoryConfigurationSunOne class. Use Enterprise Manager to view all properties and modify editable properties.
Property Name | Editable? | Description |
---|---|---|
ClassDescription | N | A ClassDescription object containing the fixed description of the class from which a given object is instantiated. |
DirectoryServerHost | Y | Specifies the name of the host that is running the directory server product. |
DirectoryServerPassword | Y | Specifies the user password used to authenticate to a given directory server. |
DirectoryServerPort | Y | Specifies the port number of the directory server. The value of this property defaults to port 389 for all supported directory server types. |
DirectoryServerProviderClass | Y | Specifies the directory server provider class name: com.filenet.engine.security.SunOneProvider |
DirectoryServerType | N | Specifies the type of directory server: SunOne |
DirectoryServerUserName | Y | Specifies the username for authenticating to the directory server. Example: "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" |
DisplayName | Y | The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class. |
GroupBaseDN | Y | The base DN for searching for groups in the directory server. |
GroupDisplayNameAttribute | Y | Specifies the display name for a |
GroupMembershipSearchFilter | Y | The search filter for group membership queries. |
GroupNameAttribute | Y | Defines the directory server attribute to be used as the short name for a group. |
GroupSearchFilter | Y | Specifies the search filter for groups. Example: (&(objectclass=group)(samAccountName={0})), where samAccountName serves as the short name. |
Id | N | An object's globally unique ID (GUID). |
IsSSLEnabled | Y | Defines whether or not the Secure Sockets Layer (SSL) protocol is enabled for a given DirectoryConfiguration object. The default value is false, indicating that SSL is disabled. |
RestrictMembershipToConfiguredRealms | Y | Restricts group lookups to configured realms only. A user can be in a configured realm but belong to a group in an unconfigured realm. If set to Yes, that user cannot log on because the system cannot look up all the user's group memberships. If set to No, group memberships in unconfigured realms are ignored. |
UserBaseDN | Y | The base DN for searching for users in the directory server. |
UserDisplayNameAttribute | Y | Specifies the display name for a User object generated by the authentication provider. The default property value is dependent on the authentication provider and is specified by the provider's configuration. |
UserNameAttribute | Y | Defines the directory server attribute to be used as the short name for a user. |
UserSearchFilter | Y | Specifies the search filter for users. Example: (&(objectclass=user)(samAccountName={0})), where samAccountName serves as the short name. |
This section provides realm configuration instructions for WebLogic. After the authentication providers are configured, you must restart WebLogic.
Content Engine can create at most two authentication providers for each Sun Java System Directory Server data naming context (that is, a realm). These two providers are used to authenticate by short name and distinguished name. Content Engine cannot create an authentication provider for UPN since Sun does not have an LDAP attribute to hold the user name in UPN format.
In the following configuration example, short name is mapped to uid:
DefaultAuthenticator
DefaultIdentityAsserter
SunOne_By_uid (short name)
SunOne_By_entrydn (DN)
When configuring WebLogic authentication providers, the LDAP attribute used for the fields "User Name Attribute" and "User From Name Filter" must be the same. The same applies to the group configuration. The following example uses uid:
For each Sun Java System Directory Server, check the attribute namingContexts in its rootDSE. Then find out how many data naming contexts it has. For each data naming context, create a WebLogic authentication provider by doing the following:
Example: Assume a Sun Java System Directory Server has the following two data naming contexts:
You must create two WebLogic authentication providers for it.
Provider Name | Tab | Field Name | Field Value |
---|---|---|---|
isp_uid | General | Control Flag | Sufficient |
 | iPlanet LDAP | Host | sunOne-host |
 | | Port | 389 |
 | | Principal | uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot |
 | | Credential | <password> |
 | Users | User Name Attribute | uid |
 | | User Base DN | ou=people,o=isp |
 | | User From Name Filter | (&(objectClass=person)(uid=%u)) |
 | Groups | Group Base DN | ou=groups,o=isp |
 | | Group From Name Filter | (&(objectClass=groupOfUniqueNames)(cn=%g)) |
 | | Static Group Name Attribute | cn |
 | Membership | Static Group DNs from Member DN Filter | (&(objectClass=groupOfUniqueNames)(uniqueMember=%M)) |
MyCompany_uid | General | Control Flag | Sufficient |
 | iPlanet LDAP | Host | sunOne-host |
 | | Port | 389 |
 | | Principal | uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot |
 | | Credential | <password> |
 | Users | User Name Attribute | uid |
 | | User Base DN | ou=users,dc=mycompany,dc=com |
 | | User From Name Filter | (&(uid=%u)(objectclass=person)) |
 | Groups | Group Base DN | ou=users,dc=mycompany,dc=com |
 | | Group From Name Filter | (&(objectClass=groupOfUniqueNames)(cn=%g)) |
 | | Static Group Name Attribute | cn |
 | Membership | Static Group DNs from Member DN Filter | (&(objectClass=groupOfUniqueNames)(uniqueMember=%M)) |
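As an added example, not WebLogic's or FileNet's code, the following Python takes the provider filters from the table above, renders a WebLogic placeholder (%u, %g or %M) with the substituted value escaped per RFC 4515, and checks the rule stated earlier that the attribute carrying %u must be the same as the "User Name Attribute"; the function names and the sample short names are constructed for illustration.

```python
# Added example, not WebLogic or FileNet code. Two defender-side checks on the
# "User From Name Filter" style templates used by the providers above:
#  1. the value substituted for %u/%g/%M is escaped so that filter
#     metacharacters in a short name or DN cannot alter the filter's meaning;
#  2. the attribute that carries %u matches the configured User Name Attribute.
import re
from typing import Optional

# RFC 4515 escape table for LDAP filter assertion values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, token: str, value: str) -> str:
    """Substitute one WebLogic placeholder (%u, %g or %M) with an escaped value."""
    return template.replace(token, escape_filter_value(value))


def attribute_for_token(template: str, token: str) -> Optional[str]:
    """Return the attribute whose whole assertion value is the placeholder,
    e.g. 'uid' for (&(objectClass=person)(uid=%u)); None if the token is
    missing or only part of a value (such as (uid=%u*))."""
    m = re.search(r"\(([A-Za-z][\w-]*)=" + re.escape(token) + r"\)", template)
    return m.group(1) if m else None


def check_user_config(user_name_attribute: str, user_from_name_filter: str) -> bool:
    """The rule from the text: both fields must name the same LDAP attribute.
    LDAP attribute names are case-insensitive, so compare accordingly."""
    attr = attribute_for_token(user_from_name_filter, "%u")
    return attr is not None and attr.lower() == user_name_attribute.lower()


# Constructed inputs: the filters of the isp_uid provider in the table above.
USER_FILTER = "(&(objectClass=person)(uid=%u))"
GROUP_FILTER = "(&(objectClass=groupOfUniqueNames)(cn=%g))"
MEMBER_FILTER = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%M))"

if __name__ == "__main__":
    print(check_user_config("uid", USER_FILTER))   # True
    print(check_user_config("cn", USER_FILTER))    # False: fields disagree
    print(render_filter(USER_FILTER, "%u", "j*"))  # wildcard is neutralised
    print(render_filter(MEMBER_FILTER, "%M", "uid=jdoe,ou=people,o=isp"))
```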
For the example in the previous section, you must create the following two DirectoryConfigurationSunOne objects, one for each data naming context.
DirectoryConfigurationSunOne object 1:
DirectoryConfigurationSunOne object 2:
Authentication | FileNet P8 can authenticate any user by uid under: |
Realm set | Two realms (i.e., all the data naming contexts): |
User/group retrieval | FileNet P8 can retrieve any user under: FileNet P8 can retrieve any group under: |
Group membership | FileNet P8 can search group memberships within a realm. Note that Sun ONE does not support group membership across naming contexts in static groups. |
Iterate through all realms. For each realm:
If more than one user/group is found, Content Engine logs an error and returns the first user found.
The SunOne provider does not support these methods.
Iterate through all realms. For each realm: