In order to connect an LDAP server to CMS Fiona, first configure the required connectors by specifying their configuration file in the userManagement.xml configuration file. Make sure that the connector configuration file is complete and its contents are correct. Please also read the Notes on Configuring LDAP. Then check and adapt the connector script used. It is located in the share/script/cm/serverCmds/userman/handler/ directory.

The LDAP integration can now be tested, for example by calling the Tcl commands listGroups and listSecondaryGroups and checking their results. If the group names of the connected servers are not returned, enable logging using the following command in the CM -single shell (% denotes the Tcl prompt):

CM -single
% ::usermanager::type::handler::client::activateDebugging [level]

Here is an example:

% ::usermanager::live::ldap::client::activateDebugging
% ::usermanager::editorial::ldap::client::activateDebugging

Then execute the commands once more and check the logs again. If no connection is established, check the server names and name resolution as well as the ports and other parameters relevant to the network connection. If the users and groups returned or their access permissions are not what you expected, check whether the LDAP parameters set in the configuration file specified in the userManagement.xml file correspond to the configuration of the server (see also the next section).
An LDAP user login (DN = distinguished name) can be described as in the following example:

uid="larry",ou=people,o=company.com

In the CMS system configuration this is specified using uid for userIdColName and ou=people,o=company.com for userSearchBase. Groups have the following format:

cn="admins",cn=groups,o=company.com

Thus, groupIdColName is the first occurrence of cn, and groupSearchBase is groups. The members of a group are defined using uniqueMember attributes, each of them specifying a single user DN. This means that uniqueMember can occur more than once. From version 6.5.0, the attribute used for specifying the group membership of users can be configured by means of the groupToUserRelationAttribute entry in the LDAP configuration file (for example um_ldap.xml).
Some user and group parameters in the Content Manager correspond to attributes or entries in LDAP which are queried instead (for example, realName in the Content Manager is cn in LDAP). The value of the users parameter is queried using uniqueMember*. This is done in the Content Manager's interface to the user manager.
In this interface and in the LDAP server configuration, permissions and their checking can easily be implemented (by using additional fields). In the supplied version of the interface file no groups exist. The only user configured is the root user, who has the state of a superuser and is thus granted all permissions.

For the editorial system the internal connector is used, none for the live server. internal causes the internal user manager of the Content Manager to be used, while none is ignorant of user data and thus returns nothing. none must not be specified for the editorial system.