Integrating an LDAP Server

In order to connect an LDAP server to CMS Fiona, please first configure the required connectors by specifying their configuration file in the userManagement.xml configuration file. Make sure that the connector configuration file is complete and its contents are correct. Please also read the Notes on Configuring LDAP.

Then check and adapt the connector script used. It is located in the share/script/cm/serverCmds/userman/handler/ directory.

The LDAP integration can now be tested, for example by calling the Tcl commands listGroups and listSecondaryGroups and checking their results.

If the group names of the connected servers are not returned, enable logging using the following command:

CM -single
% ::usermanager::type::handler::client::activateDebugging [level]

Here is an example:

% ::usermanager::live::ldap::client::activateDebugging
% ::usermanager::editorial::ldap::client::activateDebugging

Then execute the commands once more and check the logs again.

If no connection is established, please check the server names and name resolution as well as the ports and other parameters relevant to the network connection. If the users and groups returned or their access permissions are not what you expected, check whether the LDAP parameters set in the configuration file specified in the userManagement.xml file correspond to the configuration of the server (see also the next section).

Notes on Configuring LDAP

An LDAP user login (DN = distinguished name) can be described like in the following example:

uid="larry",ou=people,o=company.com

In the CMS system configuration this is specified using uid for userIdColName and ou=people,o=company.com for userSearchBase. Groups have the following format:

cn="admins",cn=groups,o=company.com

Thus, groupIdColName is the first occurrence of cn, and groupSearchBase is groups. The members of a group are defined using uniqueMember attributes, each of them specifying a single user-DN. This means that uniqueMember can occur more than once. From version 6.5.0, the attribute used for specifying the group membership of users can be configured by means of the groupToUserRelationAttribute entry in the LDAP configuration file (for example um_ldap.xml).
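The mapping just described, as an added example that is not part of the CMS Fiona documentation or product code: the first RDN of a DN yields the *IdColName entry and the remaining RDNs the *SearchBase entry (assumed here to be the full remaining DN), and group membership is resolved by matching the user's DN against each group's uniqueMember values (the attribute name is a parameter, mirroring groupToUserRelationAttribute). The group entries are constructed stand-ins for LDAP search results.

```python
from typing import Dict, List, Tuple

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs.

    Attribute types are case-insensitive in LDAP, so they are lower-cased;
    the quotes around values in the page's examples are stripped.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().strip('"')))
    return pairs

def normalise_dn(dn: str) -> str:
    """Canonical string form used for comparisons (no quotes, no stray spaces)."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn))

def id_attr_and_base(dn: str) -> Tuple[str, str]:
    """First RDN's attribute -> *IdColName; remaining RDNs -> *SearchBase.
    Assumption: the search base is the full remaining DN."""
    pairs = split_dn(dn)
    return pairs[0][0], ",".join(f"{a}={v}" for a, v in pairs[1:])

# Constructed group entries standing in for LDAP search results.
GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=admins,cn=groups,o=company.com": {
        "cn": ["admins"],
        "uniqueMember": ["uid=larry,ou=people,o=company.com",
                         "uid=moe,ou=people,o=company.com"],
    },
    "cn=editors,cn=groups,o=company.com": {
        "cn": ["editors"],
        "uniqueMember": ["uid=larry,ou=people,o=company.com"],
    },
}

def groups_of_user(user_dn: str, groups=GROUPS,
                   relation_attr: str = "uniqueMember") -> List[str]:
    """Names of groups whose membership attribute (uniqueMember by default,
    the value configured as groupToUserRelationAttribute) lists user_dn."""
    wanted = normalise_dn(user_dn)
    names = []
    for entry in groups.values():
        members = {normalise_dn(m) for m in entry.get(relation_attr, [])}
        if wanted in members:
            names.append(entry["cn"][0])
    return sorted(names)
```

Comparing normalised DNs rather than raw strings matters: a member value that differs only in quoting, spacing or attribute case still denotes the same user, and a naive string comparison would silently drop that user from the group.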

Some user and group parameters in the Content Manager correspond to attributes or entries in LDAP which are queried instead (for example, realName in the Content Manager is cn in LDAP). The value of the users parameter is queried using uniqueMember*. This is done in the Content Manager's interface to the user manager. In this interface and in the LDAP server configuration, permissions and their checking can easily be implemented (by using additional fields). In the supplied version of the interface file no groups exist. The only user configured is the root user, who has the state of a superuser and is thus granted all permissions.

The editorial system uses the internal connector, the live server uses none. internal causes the internal user manager of the Content Manager to be used, while none ignores user data and thus returns nothing. none must not be specified for the editorial system.