Learn how to set up the ldap-config.xml file in the CMS
Table of Contents
Introduction 3
File Details 3
File Structure 3
    <options> 3
    <schedule> 5
    <policies> 5
        user-policy 5
        Additional User Policy Option 7
        ad-security-group-policy 9
Running the LDAP Migrator 11
    Automatic Migration 11
    Manual Migration 11
    Updating the Configuration File 11
LDAP Configuration – Understanding and implementing LDAP/AD for CMS managers
INTRODUCTION
This integration is two-fold. The LDAP migration tool allows the integrator to set up and
automate:
1. Migration of users and groups from an LDAP installation into the CMS
2. Real-time authentication of users brought in from the LDAP installation
FILE DETAILS
A sample LDAP configuration file is provided with the default install. This sample file
can be found at
%INSTALL_DIR%/server/default/deploy/program.ear/ldap/ldap-config.xml
To be recognized by the CMS, the file must be placed in the base directory. This is the
same directory into which the License.dat file must also be placed.
FILE STRUCTURE
The file itself must be valid XML. The root element is
<ldap-synchronization-configuration>, which itself has three sub-elements:
• <options>
• <schedule>
• <policies>
<options>
<user-requirements>
<email-required>true</email-required>
<full-name-required>true</full-name-required>
</user-requirements>
Using the policies described below, the migration tool pulls individual users
out of the LDAP installation. For each user, three values can be read from the
LDAP installation: 1) username, 2) email address, and 3) full name. The
user-requirements element lets the integrator specify whether the email and
full name fields must be present for a user to be imported; setting an element
to false makes that field optional. The default for both items is true.
<automatic-synchronization>no</automatic-synchronization>
This element specifies whether the LDAP tool should start automatically on the
schedule specified below.
<orphaned-ldap-users>remove</orphaned-ldap-users>
For any users in the content management system that are not part of the LDAP
install, the system may take one of the following actions:
• ignore – does nothing
• remove – deletes the user from the system
• deactivate – leaves the user intact, but that user cannot log in
<server>
<ldap-version>3</ldap-version>
<hostname>server</hostname>
<port>389</port>
<security>
<username>CN=Administrator, DC=hannonhill,DC=com</username>
<password>12345</password>
</security>
<auth-type>simple</auth-type>
</server>
• hostname
The TCP/IP hostname of the server on which the LDAP
installation is running.
• port
The TCP/IP port of the server on which the LDAP
installation is running. Will typically be 389.
• security
Contains username and password elements that are necessary
to bind to the server so that the migration tool is able to
query the directory.
• auth-type
For users that a policy (below) specifies should actively authenticate
against the LDAP installation, the auth-type element specifies what kind
of authentication should be performed.
<report>
<generate-report>yes</generate-report>
<send-to-email>info@site.com</send-to-email>
</report>
</options>
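Added example, not the CMS's own code: a small Python lint for the <options> fragments above. It checks the value sets given in this section and flags two settings a reviewer would want confirmed before automatic synchronization is switched on: simple authentication on port 389, where passwords cross the network in clear text unless TLS protects the connection, and a bind password kept verbatim in ldap-config.xml, which calls for restricted read access to the file. The sample XML is assembled from the fragments shown; the yes/no value set for automatic-synchronization is taken from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample, assembled from the <options> fragments shown in this section.
OPTIONS_XML = """<options>
  <automatic-synchronization>no</automatic-synchronization>
  <orphaned-ldap-users>remove</orphaned-ldap-users>
  <server>
    <ldap-version>3</ldap-version>
    <hostname>server</hostname>
    <port>389</port>
    <security>
      <username>CN=Administrator,DC=hannonhill,DC=com</username>
      <password>12345</password>
    </security>
    <auth-type>simple</auth-type>
  </server>
</options>"""

ORPHAN_ACTIONS = {"ignore", "remove", "deactivate"}

def lint_options(options):
    """Return findings for an <options> element; an empty list means clean."""
    findings = []
    auto = options.findtext("automatic-synchronization", "").strip()
    if auto not in {"yes", "no"}:
        findings.append("automatic-synchronization must be yes or no, got %r" % auto)
    orphan = options.findtext("orphaned-ldap-users", "").strip()
    if orphan not in ORPHAN_ACTIONS:
        findings.append("orphaned-ldap-users must be ignore, remove or deactivate, got %r" % orphan)
    elif orphan == "remove":
        findings.append("orphaned-ldap-users=remove deletes CMS users not found in LDAP; "
                        "confirm the policies with a manual migration and a report first")
    server = options.find("server")
    if server is None:
        return findings + ["server element is missing"]
    port = server.findtext("port", "").strip()
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("port must be a TCP port number, got %r" % port)
    # Simple authentication without TLS sends passwords in clear text on the wire.
    if server.findtext("auth-type", "").strip() == "simple" and port == "389":
        findings.append("simple authentication on port 389: passwords cross the network in clear text unless TLS is used")
    # The file holds the bind password verbatim, so its read permissions matter.
    if server.findtext("security/password", "").strip():
        findings.append("bind password stored in clear text in ldap-config.xml; restrict read access to the file")
    return findings

def lint_file_text(xml_text):
    """Parse an <options> fragment and lint it."""
    return lint_options(ET.fromstring(xml_text))
```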
<schedule>
<repeat-every>1</repeat-every>
<repeat-time-unit>hours</repeat-time-unit>
</schedule>
<policies>
The policies element contains individual policy elements that are one of the following:
• user-policy
• ad-security-group-policy
user-policy
This is the most common type of policy. It is not implementation specific, and
only requires an LDAP-compliant directory. It queries a container, iterating over
that container's child objects and determining which objects are user objects to be
imported into the CMS.
<object-attribute-filter>
<name>objectCategory</name>
<value>CN=Person,CN=Schema,CN=Configuration,DC=hannonhill,DC=com</value>
</object-attribute-filter>
<username-attribute>sAMAccountName</username-attribute>
<email-attribute>mail</email-attribute>
<full-name-attribute>displayName</full-name-attribute>
These are the names of the attributes for each user that
contain the username, email, and full name of the user,
respectively.
<authenticate-against-ldap-server>yes</authenticate-against-ldap-server>
<enable-new-users>yes</enable-new-users>
<system-groups remove-from-other-groups="yes">
<group>
<name>analysts</name>
</group>
<group>
<name>development</name>
<create-if-does-not-exist>
<role>Administrator</role>
<role>Publisher</role>
</create-if-does-not-exist>
</group>
</system-groups>
<system-roles remove-from-other-roles="yes">
<role>Administrator</role>
<role>Publisher</role>
</system-roles>
</user-policy>
Additional User Policy Option
For each user object matched by a user-policy, the migration tool gathers:
1. email address
2. full name
3. username
4. fully qualified distinguished name (FQDN), for example
CN=FirstName LastName,OU=Employees,DC=company,DC=com
<user-dn>
<!-- required -->
<attribute-name>fullName</attribute-name>
</user-dn>
If the user-dn element is not specified, the user-policy defaults to the
standard method of reading the distinguishedName attribute to obtain the
FQDN for that particular user. If it is specified, the tool instead reads
the value of the attribute named in attribute-name when migrating the user,
and that value becomes the basis of the new FQDN for the user.
fullName=FirstName LastName
fullName=FirstName LastName,OU=Employees,DC=company,DC=com
To enable a user policy to select user objects located inside a base container on an
LDAP installation:
<object-attribute-filter>
<name>objectclass</name>
<value>person</value>
</object-attribute-filter>
<object-attribute-filter>
<name>department</name>
<value>Marketing</value>
</object-attribute-filter>
For the base container of this user-policy, these two object attribute filters have
this effect:
"Select all objects under the base container that have the attribute value pairs
objectclass=person and department=Marketing."
This method is meant for less complex LDAP installations. For those requiring more
complex queries and wildcard filtering, a single <freeform-filter> element may be
specified in place of the object-attribute-filter elements:
<freeform-filter>
(&amp;(objectclass=person)(department=Mark*))
</freeform-filter>
This would match all objects under the base container that have the attribute
objectclass=person and any department that starts with Mark (Marketing, Marker
Production, etc.).
***You may not have both a freeform-filter and any object-attribute-filter element.
***The '&' symbol that denotes a logical "AND" must be written as "&amp;" because
the configuration file is XML.
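As an added example (not part of the original document), this Python code derives the LDAP search filter that a policy's object-attribute-filter elements express, escapes characters reserved in filter values, rejects a policy that mixes both filter forms, and shows how a filter is serialized into a freeform-filter element with the ampersand escaped. The user-policy wrapper and sample XML are constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two filters from the text inside a user-policy wrapper.
POLICY_XML = """<user-policy>
  <object-attribute-filter><name>objectclass</name><value>person</value></object-attribute-filter>
  <object-attribute-filter><name>department</name><value>Marketing</value></object-attribute-filter>
</user-policy>"""

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in a filter value. '*' is escaped
    too: an object-attribute-filter is an exact match, so a literal '*' in the
    configured value must not become a wildcard."""
    escapes = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(escapes.get(ch, ch) for ch in value)

def policy_filter(policy):
    """Return the LDAP search filter a policy's filter elements express.
    A policy carries either object-attribute-filter elements or one
    freeform-filter, never both."""
    attr_filters = policy.findall("object-attribute-filter")
    freeform = policy.findall("freeform-filter")
    if attr_filters and freeform:
        raise ValueError("policy mixes freeform-filter and object-attribute-filter")
    if len(freeform) > 1:
        raise ValueError("only one freeform-filter element is allowed")
    if freeform:
        return (freeform[0].text or "").strip()  # already an LDAP filter string
    terms = []
    for f in attr_filters:
        name = f.findtext("name", "").strip()
        value = f.findtext("value", "").strip()
        if not name or not value:
            raise ValueError("object-attribute-filter needs both name and value")
        terms.append("(%s=%s)" % (name, escape_filter_value(value)))
    if not terms:
        raise ValueError("policy has no filter")
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"

def filter_from_xml(xml_text):
    """Parse a policy fragment and return its search filter."""
    return policy_filter(ET.fromstring(xml_text))

def as_freeform_element(ldap_filter):
    """Serialize a filter as a freeform-filter element; ElementTree writes the
    '&' of a logical AND as '&amp;', which is what the XML file must contain."""
    el = ET.Element("freeform-filter")
    el.text = ldap_filter
    return ET.tostring(el, encoding="unicode")
```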
ad-security-group-policy
This is only applicable to Active Directory installs. It queries a Security Group
object in the directory and, from that Security Group's attributes, determines the
DNs of the members of that Security Group. Each of those users is then queried
and brought into the CMS.
<group-member-attribute-id>member</group-member-attribute-id>
<username-attribute>sAMAccountName</username-attribute>
<email-attribute>mail</email-attribute>
<full-name-attribute>displayName</full-name-attribute>
<authenticate-against-ldap-server>yes</authenticate-against-ldap-server>
<enable-new-users>yes</enable-new-users>
<system-groups remove-from-other-groups="yes">
<group>
<name>groupA</name>
<create-if-does-not-exist>
<role>Administrator</role>
<role>Publisher</role>
</create-if-does-not-exist>
</group>
<group>
<name>groupB</name>
<create-if-does-not-exist>
<role>Administrator</role>
<role>Publisher</role>
</create-if-does-not-exist>
</group>
<group>
<name>groupC</name>
<create-if-does-not-exist>
<role>Administrator</role>
<role>Publisher</role>
</create-if-does-not-exist>
</group>
</system-groups>
<system-roles remove-from-other-roles="yes">
<role>Administrator</role>
<role>Publisher</role>
</system-roles>
</ad-security-group-policy>
RUNNING THE LDAP MIGRATOR
Automatic Migration
Automatic migration must be set up through the LDAP configuration file and be followed
by a server restart to invoke the LDAP scheduler. In this configuration it is highly
recommended that the configuration specify a report to be generated and emailed to the
integrator.
Manual Migration
Once logged into the CMS as a user with an Administrator role, the LDAP migrator may
be invoked simply by navigating in the menu:
This is the recommended way to migrate users when initially setting up the tool, as errors
in the configuration file are reported directly back to the user interface.
Updating the Configuration File
There is no need to restart the CMS for minor changes to the configuration file.
Generally, when changing the automatic-synchronization flag it is highly recommended
to restart the CMS, but otherwise the configuration file will be re-read upon the next
invocation of the LDAP migration tool.