NOTE Microsoft has changed the name of Active Directory Application Mode (ADAM) to Active Directory Lightweight Directory Services (AD LDS). You may still find references in documentation to "ADAM".
This topic describes FileNet P8's support for integrating with Windows Active Directory Lightweight Directory Services (AD LDS).
One instance of AD LDS can have multiple application partitions, each of which can be mapped to a Content Engine (CE) realm. Therefore one instance of AD LDS can be mapped to multiple CE realms.
For each realm, you must create an application server authentication provider and a DirectoryConfigurationADAM object, so that each Realm object has a one-to-one relationship with an authentication provider and a one-to-one relationship with a DirectoryConfigurationADAM object. The initial set of these objects is created during CE configuration.
For each DirectoryConfiguration object, FileNet P8 extracts the realm name from the specified UserBaseDN property value by comparing it with each application partition. For example, if the UserBaseDN for this DirectoryConfiguration object is "ou=people,o=isp", and there are two application partitions, "o=isp" and "dc=filenet,dc=com", the realm name for this DirectoryConfiguration object is "o=isp".
The following graphic shows CE authenticating with AD LDS:
The next graphic shows the optional configuration of CE authenticating with AD LDS configured for proxy login and search to Active Directory. When a user logs in using an ID found in the AD LDS object, AD LDS redirects authentication to Active Directory.
You can optionally use the Synchronizer tool, a built-in feature of AD LDS, to pull user account information from Active Directory. In this scenario, AD LDS user accounts are proxy users. P8 provides support for native and proxy users in AD LDS as follows:
When properly configured, this provides a one-way data flow from Active Directory to AD LDS. You can continue to provision AD LDS-only accounts in AD LDS, and both types of accounts can authenticate to a FileNet P8 application, following normal configuration of the CE classes' Default Instance Security tabs in Enterprise Manager. The application does not need to be aware of this Active Directory interaction.
Consult your AD LDS documentation for how to use the userProxyFull object and the msds-bindableObject auxiliary class. See especially http://technet2.microsoft.com/windowsserver/en/library/7b6c4b5c-58be-4b4c-90e9-f464dd1a09311033.mspx?mfr=true.
NOTE It is an IBM best practice to configure SSL between your application server that hosts CE and your AD LDS servers. This will include making changes in the application server to the authentication provider's DirectoryConfigurationADAM object that was created while running Configuration Manager. Consult your application server's documentation for instructions.
Use this support matrix as a quick lookup of supported directory features.
AD LDS Features | Supported By |
---|---|
One way SSL | Y |
Two way SSL | N |
Static Groups / Security Groups | Y |
Nested Groups | Y |
Dynamic Groups | n/a |
Universal Groups | n/a |
Roles | N. Roles are not used by FileNet P8 services and are not part of the LDAP standard. Do not confuse this “Roles” with the AD LDS “Roles” container, which is just a container of groups. |
Referrals for Logon | N |
Referrals for Search (for User and Group retrieval) | N |
Chaining | N |
Directory aliases | N |
Native Mode Active Directory | n/a |
Mixed Mode Active Directory | n/a |
Support multiple realms | Y. Each realm corresponds to one AD LDS application partition. |
Restrict to single realm | Y, by configuring just one authentication provider and one directory configuration. |
Support domains across multiple forests | n/a |
Logon to any W2k domain in the forest (implies 2-way trust) | n/a |
Logon to NT 1 way trust domains in the forest | n/a |
Configurable username for logon | Y. The short or common name does not contain realm information. Short names must be unique across all of your configured application partitions and realms. |
Configurable user display name | Y |
Configurable group display name | Y |
Configurable group name for persisting | Y. Group names are not persisted in the CE database, even though they are persisted in stored searches and workflow definitions. |
Support AD LDS users (for logon and Search) | Y |
Support use for logon and search of userProxyFull class and objects such as the organizationalPerson class, with a static auxiliary class of msds-bindableObject | Y |
Support Windows (domain & local) users (logon and Search) | N |
Users in Application Partitions | Y |
Users in Configuration and Schema partitions | N. There is a patch from Microsoft that allows AD LDS users to reside in the Configuration partition. However, FileNet P8 does not support this. |
The following is an alphabetic list of the properties in the DirectoryConfigurationADAM class with default values. Use Enterprise Manager to view all properties and modify editable properties. See FileNet P8 domain properties (Directory config tab) for information.
Property Name | Editable? | Description |
---|---|---|
ClassDescription | N | A ClassDescription object containing the fixed description of the class from which a given object is instantiated. |
DirectoryServerHost | Y | Specifies the name of the host that is running the directory server product. |
DirectoryServerPassword | Y | Specifies the user password used to authenticate to a given directory server. |
DirectoryServerPort | Y | Specifies the port number of the directory server. The value of this property defaults to port 389 for all supported directory server types. |
DirectoryServerProviderClass | Y | Specifies the directory server provider class name: com.filenet.engine.security.AdamDirectoryProvider |
DirectoryServerType | N | Specifies the type of directory server: AD LDS |
DirectoryServerUserName | Y | Specifies the username for authenticating to the directory server. Example: cn=ceadmin,ou=people,o=isp |
DisplayName | Y | The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class. |
GroupBaseDN | Y | The base DN for searching for groups in the directory server. Example: ou=people,o=isp |
GroupDisplayNameAttribute | Y | Specifies the display name for a |
GroupMembershipSearchFilter | Y | The search filter for group membership queries: (&(objectClass=group)(member={0})) |
GroupNameAttribute | Y | Defines the directory server attribute to be used as the short name for a group: cn |
GroupSearchFilter | Y | Specifies the search filter for groups. Example: (&(objectclass=group)(cn={0})) |
Id | N | An object's globally unique ID (GUID). |
IsSSLEnabled | Y | Defines whether or not the Secure Sockets Layer (SSL) protocol is enabled for a given DirectoryConfiguration object. The default value is false, indicating that SSL is disabled. |
RestrictMembershipToConfiguredRealms | Y | Restricts group lookups to configured realms only. A user can be in a configured realm but belong to a group in an unconfigured realm. If set to Yes, that user cannot log on because the system cannot look up all the user's group memberships. If set to No, group memberships in unconfigured realms are ignored. This property has no effect for ADAM because ADAM does not support cross-domain group membership. |
UserBaseDN | Y | The base DN for searching for users in the directory server. Example: ou=people,o=isp |
UserDisplayNameAttribute | Y | Specifies the display name for a User object generated by the authentication provider: cn |
UserNameAttribute | Y | Defines the directory server attribute to be used as the short name for a user: cn |
UserSearchFilter | Y | Specifies the search filter for users: (&(objectClass=person)(cn={0})). This filter finds both native AD LDS accounts and Active Directory accounts referenced by the userProxyFull object or objects configured with msDS-bindableObject as a static auxiliary class. |
This section shows Realm configuration instructions for WebLogic server. After the authentication providers are configured, you need to restart WebLogic server.
When configuring WebLogic authentication providers, the LDAP attributes used for fields “User Name Attribute” and “User From Name Filter” must be the same. This rule also applies to group configuration. Here is an example which uses cn:
By default, the User From Name Filter takes the form: (&(objectclass=person)(cn=%u)). This supports both native AD LDS users and AD LDS proxy users that have the static auxiliary class msDS-bindableObject. If you have only native AD LDS users, you can safely change the User From Name Filter to: (&(objectclass=user)(cn=%u)). This rule applies to both the Java™ 2 Enterprise Edition (J2EE) application server authenticator and the GCD configurations described below.
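The two rules above, realm extraction from UserBaseDN (the "ou=people,o=isp" example earlier on this page) and the requirement that the name attribute and the attribute compared in the name filter agree, as an added Python model. This is example code, not FileNet P8 or WebLogic code; the RFC 4515 escaping of the substituted value is this example's own choice and is not something the page describes.

```python
# Added example (not FileNet P8 or WebLogic product code). Models two rules from this
# page: (1) the realm of a DirectoryConfigurationADAM object is the application
# partition its UserBaseDN sits under; (2) the attribute a search filter compares
# ({0} for CE filters, %u/%g/%M for WebLogic filters) must be the configured name attribute.
import re

def normalize_dn(dn):
    # 'ou=people, o=isp ' -> 'ou=people,o=isp' (whitespace around RDNs is not significant)
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def realm_for_user_base_dn(user_base_dn, partitions):
    """Return the application partition (realm name) that UserBaseDN lies under."""
    base = normalize_dn(user_base_dn)
    hits = [p for p in partitions
            if base == normalize_dn(p) or base.endswith("," + normalize_dn(p))]
    if len(hits) != 1:
        raise ValueError(f"{user_base_dn!r} matches {len(hits)} partitions, expected 1")
    return hits[0]

def escape_filter_value(value):
    """RFC 4515 escaping so the substituted name cannot change the filter's structure
    (an assumption of this example; the page does not describe how CE escapes)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def render_filter(template, value):
    """Fill the {0} placeholder of a CE search filter with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))

# Matches '(attr=<placeholder>)' and captures attr; tolerates '( cn =%u)' spacing.
PLACEHOLDER = re.compile(r"\(\s*([A-Za-z][\w-]*)\s*=\s*(?:\{0\}|%u|%g|%M)\s*\)")

def filter_attribute(template):
    """Attribute compared against the placeholder, e.g. 'cn' in (&(objectClass=person)(cn={0}))."""
    m = PLACEHOLDER.search(template)
    if m is None:
        raise ValueError(f"no placeholder in filter {template!r}")
    return m.group(1).lower()

def name_attribute_matches(name_attribute, template):
    """True when the configured name attribute and the filter's compared attribute agree."""
    return filter_attribute(template) == name_attribute.lower()

if __name__ == "__main__":
    parts = ["o=isp", "dc=filenet,dc=com"]
    print(realm_for_user_base_dn("ou=people, o=isp ", parts))              # o=isp
    print(render_filter("(&(objectClass=person)(cn={0}))", "ceadmin"))
    print(name_attribute_matches("cn", "(&(uid=%u)(objectclass=user))"))  # False
```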
For each AD LDS directory server, determine how many application partitions it has. Each application partition corresponds to one data naming context. For each application partition, create a WebLogic authentication provider by performing the following steps. Since WebLogic doesn't have an AD LDS Authenticator template built in, you will modify its OpenLdap Authenticator in the following examples:
Example: Assume an AD LDS server has the following two application partitions:
You would need to create two WebLogic authentication providers for this configuration.
Provider Name | Tab | Field Name | Field Value |
---|---|---|---|
AD LDS1 | General | Control Flag | Sufficient |
| AD LDS LDAP | Host | <AD LDS-host> |
| | Port | 389 |
| | Principal | cn=ceadmin,ou=people,o=isp |
| | Credential | <password> |
| Users | User Base Attribute | cn |
| | User Base DN | ou=people,o=isp |
| | User From Name Filter | (&(objectClass=person)(cn=%u)) |
| Groups | Group Base DN | ou=people,o=isp |
| | Group From Name Filter | (&(objectClass=group)(cn=%g)) |
| | Static Group Name Attribute | cn |
| Membership | Static Group DNs from Member DN Filter | (&(objectClass=group)(member=%M)) |
AD LDS2 | General | Control Flag | Sufficient |
| AD LDS LDAP | Host | <AD LDS-host> |
| | Port | 389 |
| | Principal | cn=ceadmin,ou=users,dc=mycompany,dc=com |
| | Credential | <password> |
| Users | User Base Attribute | cn |
| | User Base DN | ou=users,dc=mycompany,dc=com |
| | User From Name Filter | (&(uid=%u)(objectclass=user)) |
| Groups | Group Base DN | ou=users,dc=mycompany,dc=com |
| | Group From Name Filter | (&(objectClass=group)(cn=%g)) |
| | Static Group Name Attribute | cn |
| Membership | Static Group DNs from Member DN Filter | (&(objectClass=group)(member=%M)) |
For the example in the previous section, you must now create two DirectoryConfigurationAdam objects, one object for each data naming context. See Administer directory configurations for information.
DirectoryConfigurationAdam object 1:
DirectoryConfigurationAdam object 2:
Authentication: FileNet P8 can authenticate any user by cn under:
Realm set: Two realms (that is, all the data naming contexts):
User/Group retrieval: FileNet P8 can retrieve any user under:
FileNet P8 can retrieve any group under:
Here are the steps for configuring the SSL connection between WebLogic server and AD LDS directory server.
At the same time, make the following changes for your DirectoryConfigurationAdam objects.
Restart your application server. Now the SSL connections between your application server and your AD LDS servers are established.
Iterate through all realms. For each realm:
If more than one user/group is found, Content Engine will log an error and return the first user found.
AD LDS provider does not support these methods.
Iterate through all realms. For each realm: