The User Manager Interface

Very frequently, the Content Management Server (CM) needs to determine whether a particular user may access a CMS file in a particular way, or whether a user belongs to a particular user group. To answer such questions, the Content Management Server calls external (i.e. not built-in) Tcl procedures. These procedures constitute the User Manager API. By replacing the implementation of the procedures that make up this API, a user manager other than the built-in one can be queried to answer these questions.

Two user managers can be connected to the Content Management Server, one for the editorial system and one for the live system. Since implementations for the built-in user manager (the default) as well as for LDAP and ADS are supplied, it is normally sufficient to configure which implementation is to be used.

This is done by means of the userManagement system configuration entry and its editorial and live subentries. Each of them refers to a configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<userManagement>
  <editorial fileName="um_ldap_nis.xml"/>
  <live fileName="um_none.xml"/>
  ...
</userManagement>

A configuration file such as um_ldap_nis.xml above specifies the interface module (handler) to be used and its settings. For the LDAP handlers this file also holds the bind DN and bind password in clear text, so it must be readable only by the account the Content Management Server runs as, and the bind account should be given no more than the read permissions the queries require:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <handler>ldap_nis</handler>
  <config>
    <!-- Server settings -->
    <host>ldap.server</host>
    <!-- LDAP account with extensive read permissions for file queries
         (empty value: anonymous LDAP requests) -->
    <bindDn>cn=manager,dc=company,dc=de</bindDn>
    <bindPassword>password</bindPassword>
    <!-- The following server specifications are optional -->
    <port>389</port>
    <!--  LDAP protocol version (alternative: 2)  -->
    <protocolVersion>3</protocolVersion>
    <!-- connection type (default: not encrypted; further options: ssl, tls) -->
    <secureConnection>tls</secureConnection>

    <!-- Groups -->
    <groupSearchBase>ou=groups,dc=company,dc=de</groupSearchBase>
    <groupFilter>(objectclass=posixGroup)</groupFilter>
    <groupResolver>
      <name>simple</name>
      <properties>
        <dnFormat>cn=%s,ou=groups,dc=company,dc=de</dnFormat>
      </properties>
    </groupResolver>
    <!-- LDAP attributes providing the value of a usermanAPI key -->
    <groupAttributeMapping>
      <name>cn</name>
      <realName>description</realName>
    </groupAttributeMapping>

    <!-- The following specifications are not relevant for live user integration
         (we're dealing with the CM here, which does not have live users) -->
    <!-- Users -->
    <userSearchBase>ou=people,dc=company,dc=de</userSearchBase>
    <userFilter>(objectclass=posixAccount)</userFilter>
    <userResolver>
      ...
    </userResolver>
    <userAttributeMapping>
      ...
    </userAttributeMapping>

    <!-- Group membership -->
    <!-- From version 6.5.0: group membership attribute can be configured -->
    <groupToUserRelationAttribute>memberUid</groupToUserRelationAttribute>
    <!-- The relation attribute either contains the user's login name (true) or their DN (false; default) -->
    <memberValueIsLogin>true</memberValueIsLogin>

    <!-- Granting global permissions. The resolver referenced by name is loaded
         from cm/serverCmds/userman/lib/ldap/resolver/perm/<name>.tcl -->
    <globalPermissionResolver>
      <name>simple</name>
      <properties/>
    </globalPermissionResolver>

    <!-- Known superusers (a list of logins) -->
    <superUsers type="list">
      <login>root</login>
    </superUsers>
  </config>
</configuration>
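The following added example (not part of the CMS Fiona documentation or product) parses a configuration file in the format shown above with Python's standard library, reports the settings a reviewer would question (anonymous or placeholder bind credentials, missing secureConnection, LDAP protocol version 2, the size of the superUsers list) and shows how groupToUserRelationAttribute and memberValueIsLogin together decide whether a constructed group entry lists a given user. The element names are those of the page; the severities, the placeholder-password list and the simplified DN normalisation are this example's own assumptions.

```python
"""Audit a CMS Fiona user-manager configuration (um_*.xml).

Added example, not code from CMS Fiona or Infopark. Element names follow
the documented <configuration>/<handler>/<config> layout; severities,
messages and the placeholder-password list are this example's own.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on um_ldap_nis.xml, deliberately weakened:
# no secureConnection, LDAPv2, placeholder password, two superusers.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <handler>ldap_nis</handler>
  <config>
    <host>ldap.server</host>
    <bindDn>cn=manager,dc=company,dc=de</bindDn>
    <bindPassword>password</bindPassword>
    <port>389</port>
    <protocolVersion>2</protocolVersion>
    <groupToUserRelationAttribute>memberUid</groupToUserRelationAttribute>
    <memberValueIsLogin>true</memberValueIsLogin>
    <superUsers type="list">
      <login>root</login>
      <login>admin</login>
    </superUsers>
  </config>
</configuration>
"""

PLACEHOLDER_PASSWORDS = {"", "password", "secret", "changeme"}  # example's own list


def parse_um_config(xml_text):
    """Return (handler, settings) for a um_*.xml document.

    Leaf children of <config> map to their text; <superUsers> maps to the
    list of <login> values. Nested elements (resolvers, mappings) are skipped
    because this audit does not need them.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("root element must be <configuration>")
    config = root.find("config")
    if config is None:
        raise ValueError("missing <config> element")
    handler = (root.findtext("handler") or "").strip()
    settings = {}
    for el in config:
        if el.tag == "superUsers":
            settings["superUsers"] = [
                login.text.strip() for login in el.findall("login") if login.text
            ]
        elif len(el) == 0:
            settings[el.tag] = (el.text or "").strip()
    return handler, settings


def audit(settings):
    """Return a list of (severity, message) findings for the LDAP settings."""
    findings = []
    if not settings.get("bindDn"):
        findings.append(("warn", "empty bindDn: file queries use anonymous LDAP binds"))
    if settings.get("bindPassword", "") in PLACEHOLDER_PASSWORDS:
        findings.append(("high", "bindPassword is empty or a placeholder value"))
    if settings.get("secureConnection", "").lower() not in ("ssl", "tls"):
        findings.append(("high", "secureConnection is not ssl or tls: "
                                 "bind credentials and queries travel in clear text"))
    if settings.get("protocolVersion", "3") != "3":
        findings.append(("warn", "protocolVersion is not 3 (LDAPv2 is obsolete)"))
    supers = settings.get("superUsers", [])
    if len(supers) > 1:
        findings.append(("info", "%d superuser logins configured: %s"
                                 % (len(supers), ", ".join(supers))))
    return findings


def _norm_dn(dn):
    """Case-fold and strip spacing around RDNs (simplified; ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_group_member(settings, group_entry, login, user_dn):
    """Decide membership from a group entry the way the configuration implies.

    group_entry maps attribute names to value lists, as an LDAP search would
    return them. With memberValueIsLogin=true the relation attribute holds
    login names (posixGroup memberUid); otherwise (the default) it holds DNs.
    """
    attr = settings["groupToUserRelationAttribute"]
    values = group_entry.get(attr, [])
    if settings.get("memberValueIsLogin", "false").lower() == "true":
        return login in values
    return _norm_dn(user_dn) in {_norm_dn(v) for v in values}


if __name__ == "__main__":
    handler, cfg = parse_um_config(SAMPLE_CONFIG)
    print("handler:", handler)
    for severity, message in audit(cfg):
        print("[%s] %s" % (severity, message))
```

Run against the constructed sample, the audit reports two high findings (placeholder password, no TLS), one warning (LDAPv2) and one informational line; a file with secureConnection set to tls, protocolVersion 3, a real password and a single superuser produces no findings. The membership check only illustrates the two documented modes and does not replace the handler's own LDAP queries.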

The handler subelement references a connector Tcl script located in the instance-specific directory

/NPS/instance/instName/script/cm/serverCmds/userman/handler

or in the common directory

/NPS/share/script/cm/serverCmds/userman/handler

The task of the referenced script is to read the configuration parameters and to implement the required Tcl interface procedures. You can use the supplied script files as templates if you wish to create your own connectors. The corresponding interface is described in the section The User Manager API.

The following connection variants are supplied with Fiona:

  • Data source: internal user management
  • Dummy for no live user management (none)
  • Data source: ADS
  • Data source: LDAP, in
    • two full variants and
    • a simplified variant

An external user manager must meet certain general requirements before it can be attached to CMS Fiona. Please also note the requirements an LDAP server must meet.