LDAP (Lightweight Directory Access Protocol) authentication support

The Lightweight Directory Access Protocol (LDAP) is an open industry standard that has evolved to share information between distributed applications on the same network, organize information in a clear and consistent manner, and prevent unauthorized modification or disclosure of private information. In recent years, LDAP has gained wide acceptance as the directory access method of the Internet, and it is becoming strategic within corporate intranets.

You can use LDAP to manage basic login authentication directly on the server, in other words, you no longer need to use the user security exit.

Requirements

The following LDAP servers are supported:
  • Novell eDirectory Version 8.8 SP2
  • Sun Java System Directory Server Enterprise Edition 6.3
  • IBM® Tivoli® Directory server (TDS)
  • Microsoft Active Directory Application Mode (ADAM) server
  • Microsoft Active Directory (AD)

How Content Manager OnDemand works with LDAP

The following diagram illustrates how Content Manager OnDemand works with LDAP:
Figure 1. How OnDemand works with LDAP

If LDAP authentication is enabled on the server, then when a Content Manager OnDemand client makes a login request, the Content Manager OnDemand server makes an authentication request to the LDAP server through either an anonymous or a credentialed bind.

This initial call searches the LDAP server for the user and finds the user's distinguished name (DN). If the user's DN is found, the Content Manager OnDemand server makes another call to the LDAP server, binding with that DN, to confirm that the password that was given by the user is correct. If the password is correct, the LDAP server returns the value of the mapped LDAP attribute, which is usually the Content Manager OnDemand user ID. The Content Manager OnDemand server takes that value and proceeds with its login.

Enabling LDAP authentication

To enable LDAP authentication, in the Content Manager OnDemand Administrator client, right-click your Content Manager OnDemand server, and select System Parameters. In the System Parameters window, under LDAP Authentication, select the Enable check box. Under Login Processing, select the Password Case Sensitive check box.

To disable LDAP authentication, clear the Enable check box.

You must also add information about the LDAP server and the LDAP attributes that are used for authentication to the ARS.CFG file for the instance. Then, after enabling LDAP support, you must stop and restart the Content Manager OnDemand server for the changes to take effect.

Other considerations

  • OS400 security integration is not supported when you are using LDAP. When LDAP is enabled, you should disable OS400 security integration by editing the ARS.INI file. For the instance that is using LDAP, change SRVR_FLAGS_SECURITY_EXIT=1 to SRVR_FLAGS_SECURITY_EXIT=0.
  • After you disable OS400 security integration, the password for the administrative user QONDADM is blank. It is recommended that you immediately change the password for QONDADM. Do not delete QONDADM from the instance.
  • After you disable OS400 security integration, it is recommended that you change the system parameters of the instance to set a minimum password length. To do this, log on to the Content Manager OnDemand Administrator client, right-click the instance with LDAP enabled, select System Parameters, and then set the Minimum Password Length.
  • After you disable OS400 security integration, you must specify a password when you add a user to Content Manager OnDemand.
  • If you enable LDAP on an existing instance, all existing users will have a blank password. Use the Content Manager OnDemand Administrator client to set a password for each user.
  • Even when you are using LDAP, you must still add your users to the Content Manager OnDemand instance. The Content Manager OnDemand user ID must match the value that is returned by the LDAP server in the field that is mapped to ARS_LDAP_MAPPED_ATTRIBUTE in your ARS.CFG file.
  • If the LDAP authentication fails, Content Manager OnDemand will attempt its normal logon process by using the user ID and password that were entered. This permits users who are not in the LDAP directory to access Content Manager OnDemand.
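The two-call flow described under "How Content Manager OnDemand works with LDAP", together with the fallback to the normal logon from the last bullet above, as an added example that is not IBM's code. It runs against a constructed in-memory stand-in for the directory; the DNs, the attribute names (uid, odUserId), the service account and all passwords are assumptions made for the example.

```python
# Added example, not IBM's code: models the login flow the page describes
# against a constructed in-memory stand-in for an LDAP directory.
# Constructed sample entries: DN -> attributes (userPassword included).
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com":
        {"userPassword": "s3cret!", "uid": "jdoe", "odUserId": "JDOE"},
    "uid=nomap,ou=people,dc=example,dc=com":
        {"userPassword": "pw", "uid": "nomap"},          # no mapped attribute
    "cn=odsvc,ou=services,dc=example,dc=com":
        {"userPassword": "svc-pw", "cn": "odsvc"},       # credentialed-bind account
}
# Constructed OnDemand user definitions: user ID -> local password
# (None means the user has no usable local password and must come via LDAP).
ONDEMAND_USERS = {"JDOE": None, "QONDADM": "ChangeMe1", "LOCALONLY": "lp"}


def ldap_bind(dn, password):
    """Simple bind: True on success. An empty password is refused outright,
    because a real server treats it as an unauthenticated (anonymous) bind
    that 'succeeds' without proving the caller knows the DN's password."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def ldap_search(base, attr, value):
    """Return the DN under base whose attr equals value, or None."""
    for dn, entry in DIRECTORY.items():
        if dn.endswith("," + base) and entry.get(attr) == value:
            return dn
    return None


def ldap_authenticate(login, password, base="ou=people,dc=example,dc=com",
                      bind_attr="uid", mapped_attr="odUserId",
                      service_dn=None, service_pw=None):
    """The page's two calls: (1) bind anonymously or as service_dn and search
    for the user's DN; (2) bind as that DN with the user's password. On success
    return the mapped attribute (what ARS_LDAP_MAPPED_ATTRIBUTE names), which
    must equal an OnDemand user ID; None on any failure."""
    if service_dn is not None and not ldap_bind(service_dn, service_pw):
        return None                     # service credentials wrong
    dn = ldap_search(base, bind_attr, login)
    if dn is None or not ldap_bind(dn, password):
        return None                     # unknown user or bad password
    return DIRECTORY[dn].get(mapped_attr)


def ondemand_login(login, password):
    """LDAP first; if that yields no defined user ID, fall back to the
    normal OnDemand logon with the same user ID and password."""
    user_id = ldap_authenticate(login, password)
    if user_id in ONDEMAND_USERS:       # mapped value must be a defined user
        return user_id, "ldap"
    local_pw = ONDEMAND_USERS.get(login)
    if local_pw is not None and local_pw == password:
        return login, "local"
    return None, "denied"
```

The "nomap" entry shows why the mapped attribute must be populated: a correct password alone is not enough, and the request drops through to the local logon, which also fails for that ID.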