LDAP

Posted by Sumeet on Apr 18, 2007 in Documentum

LDAP is the acronym for Lightweight Directory Access Protocol, a TCP/IP-based protocol for communication between a client (in this case, Content Server) and a directory server. Documentum supports several directory servers (refer to the Content Server Release Notes for a complete list). If you use a directory server, you have the following options:

• Authenticate against the directory server directly, using a secure or a non-secure connection
• Authenticate using an LDAP-enabled dm_check_password program

To authenticate an LDAP user, Content Server can perform the checking itself or invoke an external password checking program called dm_check_password. You can use the external password checking program provided by Documentum or create a custom program. If Content Server performs the checking, you can configure the LDAP server to use a secure connection with Content Server. (You cannot use a secure LDAP connection if you are using an external password checking program.) If a secure connection is in use, when Content Server connects to the directory server for the first time, the directory server identifies itself by returning its certificate to Content Server. Content Server verifies the certificate against a certificate database. This is called SSL server authentication. Documentum implements secure LDAP connections using the Netscape/iPlanet CSDK.

To use an LDAP directory server with a repository:
1. Install the LDAP directory server and add the user and group entries.
Refer to the documentation from the directory server’s vendor for instructions on installation and adding entries. Documentum does not support dynamic LDAP groups.
2. Define the LDAP set-up values for the repository.
Use the LDAP configuration facilities in Documentum Administrator to define the LDAP set-up values. (Refer to the Documentum Administrator online help for instructions on using the user interface.)
3. To use external password checking:
Note: This option is not supported if you are using a secure connection.
a. If the program will run on a UNIX platform, use the procedure in Building and Installing an LDAP-enabled Password Checking Program (UNIX only) to build and install an LDAP-enabled dm_check_password program.
b. Set the use_ext_auth_prog attribute in the LDAP config object.
c. Set user_validation_location in the server config object to the name of the location object pointing to the location of the dm_check_password program.
4. To use a secure connection:
Note: This option is not supported if you are using external password checking.
a. Configure the LDAP set-up values for a secure connection.
b. Download the certutil utility and the certificates of the issuing Certificate Authorities, all the way up to the self-signed root certificate.
c. Install the certificate database and Certificate Authorities.
d. Enable secure connections using SSL Server Authentication in the LDAP directory server.
Refer to the documentation accompanying the directory server for instructions on enabling secure connections for the server. You must enable the SSL server authentication option.
5. Activate the dm_LDAPSynchronization job in the repository after ensuring that the default schedule meets your needs.
The default schedule for the synchronization job is once a day at 4 a.m.

Benefits:
Using an LDAP server provides a single place where you can make additions and changes to users and groups. The changes from the directory server are automatically propagated (using a job) to all the repositories using the directory server. Additionally, you can map user object attributes to LDAP attributes or constant values. When the user is imported into the repository or updated from the directory server, the mapped attributes are set to the values of the LDAP attributes or the constant. The mappings are defined when you define the LDAP setup values. You can also change them later, adding additional mapped attributes, changing their mapping, or deleting mappings.

Note: Content Server requires three attributes to be defined for a user: user_name, user_login_name, and user_address. When you define an LDAP configuration object in Documentum Administrator, default mapped values are provided for these attributes. You can change the defaults or define values for the attributes for each LDAP user, but you must provide some value or mapping for these attributes. Users cannot be saved to the repository without values for these three attributes. Using an LDAP directory server to manage users and groups in the Documentum system ensures that:
• The users and groups defined in the directory server are in each repository using the directory server
• The values of the mapped attributes for the users are the same in each participating repository
Note: Documentum does not support the use of dynamic groups on an LDAP server.
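The following is an added illustration (not Documentum code) of two rules stated above: the external password checker and the secure connection are mutually exclusive (steps 3 and 4), and a user imported by the synchronization job must end up with user_name, user_login_name and user_address set, whether from a mapped LDAP attribute or from a constant. The config keys beyond use_ext_auth_prog and user_validation_location, the extra constant-mapped attribute and the sample directory entry are assumptions.

```python
# Models the LDAP config checks and attribute mapping described on this page.
# Hypothetical helper code; it does not call any Documentum API.
REQUIRED_USER_ATTRS = ("user_name", "user_login_name", "user_address")


class LdapConfigError(ValueError):
    pass


def validate_ldap_config(cfg):
    """Reject the combinations the page says are unsupported.
    'secure_connection' is an assumed key standing in for the secure-LDAP settings."""
    if cfg.get("use_ext_auth_prog") and cfg.get("secure_connection"):
        raise LdapConfigError("a secure LDAP connection cannot be used with dm_check_password")
    if cfg.get("use_ext_auth_prog") and not cfg.get("user_validation_location"):
        raise LdapConfigError("user_validation_location must name the dm_check_password location object")
    return True


def map_ldap_user(entry, mappings):
    """Build repository user attributes from one directory entry.
    mappings: {repo_attr: ("ldap", ldap_attr)} or {repo_attr: ("const", value)}."""
    user = {}
    for repo_attr, (kind, value) in mappings.items():
        if kind == "ldap":
            v = entry.get(value)
            # Directory attributes are multi-valued; take the first value if present.
            user[repo_attr] = v[0] if isinstance(v, list) and v else v
        elif kind == "const":
            user[repo_attr] = value
        else:
            raise LdapConfigError(f"unknown mapping kind {kind!r} for {repo_attr}")
    # Enforce the three attributes without which a user cannot be saved.
    missing = [a for a in REQUIRED_USER_ATTRS if not user.get(a)]
    if missing:
        raise LdapConfigError(f"cannot save user: no value for {missing}")
    return user


# Constructed sample entry and mapping (placeholder values, not from a real directory).
SAMPLE_ENTRY = {"cn": ["Jane Doe"], "uid": ["jdoe"], "mail": ["jdoe@example.com"]}
SAMPLE_MAPPINGS = {
    "user_name": ("ldap", "cn"),
    "user_login_name": ("ldap", "uid"),
    "user_address": ("ldap", "mail"),
    "user_os_domain": ("const", "CORP"),  # assumed extra attribute, mapped to a constant
}

if __name__ == "__main__":
    print(map_ldap_user(SAMPLE_ENTRY, SAMPLE_MAPPINGS))
```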

Constraint:
The Changepassword API method is not supported for users managed through an LDAP directory server.

posted @ 2010-10-14 11:11 吴东雷