If you plan to use IBM® Content Navigator to connect to IBM FileNet® P8 repositories, work with your administrator to gather the information that you need to connect to your Content Engine or Content Platform Engine LDAP server. The IBM Content Navigator Configuration and Deployment Tool requires that you enter values prepared in advance. The worksheet is a useful place to put these values.
Print this worksheet and enter values as you prepare your installation.
The IBM Content Navigator Configuration and Deployment Tool does not include every option that you can set when configuring your LDAP server connection. Work with your LDAP server administrator to determine whether there are any settings that you must configure that are not included in theIBM Content Navigator Configuration and Deployment Tool. If your LDAP server connection includes additional settings, you must manually update your LDAP server connection on your web application server after you run the task to configure the connection to your LDAP server.
Use the following table if you have a federated LDAP server and you are deploying IBM Content Navigator on WebSphere Application Server.
| Parameter | Description | Value |
|---|---|---|
| Directory service provider | Your directory service (LDAP) provider. The IBM Content
Navigator Configuration and Deployment Tool
supports the following directory service providers:
|
|
| LDAP repository type | Your LDAP repository type. The IBM Content
Navigator Configuration and Deployment
Tool. supports the following LDAP repository types:
|
Federated repositories |
| Directory service server host name | The short name, long name, or the IP address of the directory server host in a format that can be resolved from your web application server. | |
| Directory service server port number | The port number that is configured on the directory server host for communicating with the directory service. The default port is 389. If you use SSL to communicate with the directory service, the default port is 636. | |
| Directory service bind user name | The fully qualified distinguished name of the LDAP bind user. The application server uses this user account to bind to the LDAP repository to authenticate user credentials. This account name must be a unique user across all realms. | |
| Directory service bind user password | The password of the specified user. | |
| Base entry distinguished name (Repository) | The LDAP distinguished name (DN) of the base entry in the
repository. The base entry indicates the starting point for searches in the
LDAP directory server. This entry and its descendants are mapped to the subtree that is identified by this unique base name entry field. For example, a user with a DN of cn=John Doe,ou=Rochester,o=IBM,c=us, specify the LDAP base entry as any of the following options: ou=Rochester, o=IBM, or c=us. In most cases, this LDAP DN is the same as the distinguished name for the realm base entry. If this field is left blank, the subtree defaults to the root of the LDAP repository. Consult your LDAP administrator to determine whether your LDAP repository provides support to search from the root or create users and groups under the root without defining a suffix beforehand. |
|
| Login properties | The attribute that determines the type of information
that a user enters to log on to the LDAP repository. The attribute can be
any property on the LDAP user account, such as a serial ID, email address,
or user name. The default attribute is:
|
|
| Federated repository virtual realm name | The name of the WebSphere Application Server Federated Repositories virtual realm. The name is case-sensitive. The default name is WIMFileBasedRealm. | |
| Repository identifier | The unique identifier of the repository. This identifier uniquely identifies the repository within the cell. | |
| Base entry distinguished name (Realm) | The LDAP distinguished name (DN) that uniquely identifies
the repository in the realm. This base entry must uniquely identify the
external repository in the realm. If multiple repositories are included in the realm, use this field to define an additional distinguished name (DN) that uniquely identifies this set of entries within the realm. For example, repositories LDAP1 and LDAP2 might both use o=ibm,c=us as the base entry in the repository. Use the DN in this field to uniquely identify this set of entries in the realm. For example, o=ibm,c=us for LDAP1 and o=ibm2,c=us for LDAP2. The specified DN in this field maps to the LDAP DN of the base entry within the repository. |
|
| Administrative console user name | The appserver_console_user account is an LDAP account
that has WebSphere Application
Server administrative
privileges so that it can log in to the WebSphere Application
Server administrative console. For Federated repositories, you can enter the user account that is defined as your appserver_admin. If you specify a user other than your appserver_admin, the user account must be unique across all of the federated realms, including the WebSphere Application Server local file-based repository. |
|
| Set as current active user registry | You can set the LDAP repository as the active user
registry. When you select this option, the LDAP information that you provide
is used to configure the active user registry. Specify whether this option applies to your environment. |
|
| LDAP configuration script | The fully qualified path of the LDAP configuration
script, configureWSLDAPFederated.tcl.
It is recommended that you use the default value. |
|
| Temporary directory | The fully qualified path to a
temporary directory that the IBM Content
Navigator Configuration
and Deployment Tool can use to run the task. You must have read and
write access for the directory. The default directory is the \configure\tmp subdirectory of the IBM Content Navigator installation directory. It is recommended that you use the default value. |
|
| SSL enabled | If SSL security is enabled on your web application
server, you can enable and configure SSL communication between your LDAP
server and the web application server. Specify whether this option applies to your environment. |
Use the following table if you have a stand-alone LDAP server and you are deploying IBM Content Navigator on WebSphere Application Server.
| Parameter | Description | Value |
|---|---|---|
| Directory service provider | Your directory service (LDAP) provider. The IBM Content
Navigator Configuration and Deployment Tool
supports the following directory service providers:
|
|
| LDAP repository type | Your LDAP repository type. The IBM Content
Navigator Configuration and Deployment Tool
supports the following LDAP repository types:
|
Stand-alone LDAP registry |
| Directory service server host name | The short name, long name, or the IP address of the directory server host in a format that can be resolved from your web application server. | |
| Directory service server port number | The port number that is configured on the directory server host for communicating with the directory service. The default port is 389. If you use SSL to communicate with the directory service, the default port is 636. | |
| Directory service bind user name | The fully qualified distinguished name of the LDAP bind user. The application server uses this user account to bind to the LDAP repository to authenticate user credentials. This account name must be a unique user across all realms. | |
| Directory service bind user password | The password of the specified user. | |
| Base distinguished name | The LDAP distinguished name (DN) of the base entry in the
repository. The base entry indicates the starting point for searches in the
LDAP directory server. The base distinguished name and the user filter define the search criteria that are used to determine the set of eligible users. Tip: You can limit the set of eligible users by
specifying a directory subtree as the base distinguished name, for
example ou=FileNetUsers,DC=FNCE,
DC=Region1,DC=filenet,DC=com.
|
|
| User filter | The filter that is used by the bind user when searching
for users in the LDAP repository. The base distinguished name and the
user filter define the search criteria that are used to determine the set
of eligible users, for example:
The attribute that you enter for this property must match the attribute that you enter for the User ID map property |
|
| Group filter | The filter that is used by the bind user when searching
for groups in the LDAP repository. The base distinguished name and the
group filter define the search criteria that are used to determine the
set of eligible groups, for example:
The attribute that you enter for this property must match the attribute that you enter for the Group ID map property |
|
| User ID map | The attribute that determines the type of information
that a user enters to log on to the LDAP server. The attribute can be any
property on the LDAP user account, such as a serial ID, email address, or
user name. The default attribute is:
|
|
| Group ID map | The attribute in the LDAP server entry that identifies
the group. The default attribute is:
|
|
| Administrative console user name | The appserver_console_user account is an LDAP account
that has WebSphere Application
Server administrative
privileges so that it can log in to the WebSphere Application
Server administrative console. For Stand-alone LDAP registries, enter the credentials of a valid LDAP user account. When you run the task to connect to the LDAP server, this user is given WebSphere Application Server privileges. Alternatively, you can enter an LDAP account that already has administrative privileges. |
|
| Overwrite existing stand-along LDAP repository | You can overwrite any existing stand-alone LDAP
repository entries. For example, you might want to overwrite LDAP repository
entries if you want to modify the existing LDAP configuration to update the
current configuration. Specify whether this option applies to your environment. Tip: If you have an existing LDAP
configuration on your web application server or if you ran this task in
the IBM Content
Navigator Configuration and
Deployment Tool, you probably need to select this option.
|
|
| Set as current active user registry | You can set the LDAP repository as the active user
registry. When you select this option, the LDAP information that you provide
is used to configure the active user registry. Specify whether this option applies to your environment. |
|
| LDAP configuration script | The fully qualified path of the LDAP configuration
script, configureWSLDAP.tcl.
It is recommended that you use the default value. |
|
| Temporary directory | The fully qualified path to a
temporary directory that the IBM Content
Navigator Configuration
and Deployment Tool can use to run the task. You must have read and
write access for the directory. The default directory is the \configure\tmp subdirectory of the IBM Content Navigator installation directory. It is recommended that you use the default value. |
|
| SSL enabled | If SSL security is enabled on your web application
server, you can enable and configure SSL communication between your LDAP
server and the web application server. Specify whether this option applies to your environment. |
Use the following table if you are deploying IBM Content Navigator on Oracle WebLogic Server.
| Parameter | Description | Value |
|---|---|---|
| Directory service provider | Your directory service (LDAP) provider. The IBM Content
Navigator Configuration and Deployment Tool
supports the following directory service providers:
|
|
| Directory service display name | The name used to identify the authenticator or directory
service in a multi-realm environment. This name must be unique. See your web
application server documentation for more information. The default name
is:
|
|
| Directory service server host name | The short name, long name, or the IP address of the directory server host in a format that can be resolved from your web application server. | |
| Directory service server port number | The port number that is configured on the directory server host for communicating with the directory service. The default port is 389. If you use SSL to communicate with the directory service, the default port is 636. | |
| Directory service bind user name | The fully qualified distinguished name of the LDAP bind user. The application server uses this user account to bind to the LDAP repository to authenticate user credentials. This account name must be a unique user across all realms. | |
| Directory service bind user password | The password of the specified user. | |
| User base distingiushed name | The fully qualified distinguished name that is used as
the starting point for searches in the LDAP directory server. The user base distinguished name and the user filter define the search criteria that are used to determine the set of eligible users. Tip: You can limit the set of eligible users by specifying a directory
subtree as the user base distinguished name, for example
ou=FileNetUsers,DC=FNCE,DC=Region1,DC=filenet,DC=com.
|
|
| Group base distingiushed name | The fully qualified distinguished name that is used as
the starting point for searches for groups in the LDAP directory
server. The group base distinguished name and the group filter define the search criteria that are used to determine the set of eligible groups. Tip: You can limit the set of eligible groups by
specifying a directory subtree as the group base distinguished name, for
example cn=users,dc=mydomain.
|
|
| User from name filter | The filter that is used by the bind user when searching
for users in the LDAP repository. The user base distinguished name and
the user filter define the search criteria that are used to determine the
set of eligible users, for example:
The attribute that you enter for this property must match the attribute that you enter for the User name attribute property |
|
| Group from name filter | The filter that is used by the bind user when searching
for groups in the LDAP repository. The group base distinguished name and
the group filter define the search criteria that are used to determine
the set of eligible groups, for example:
The attribute that you enter for this property must match the attribute that you enter for the Static group name attribute property |
|
| User name attribute | The attribute that determines the type of information
that a user enters to log on to the LDAP repository. The attribute can be
any property on the LDAP user account, such as a serial ID, email address,
or user name. The default attribute is:
|
|
| Static group name attribute | The attribute that identifies the group. For example:
|
|
| LDAP configuration script | The fully qualified path of the LDAP configuration
script, configureWLLDAP.py.
It is recommended that you use the default value. |
|
| Temporary directory | The fully qualified path to a
temporary directory that the IBM Content
Navigator Configuration
and Deployment Tool can use to run the task. You must have read and
write access for the directory. The default directory is the \configure\tmp subdirectory of the IBM Content Navigator installation directory. It is recommended that you use the default value. |
|
| SSL enabled | If SSL security is enabled on your web application
server, you can enable and configure SSL communication between your LDAP
server and the web application server. Specify whether this option applies to your environment. |