This topic alphabetically lists the properties that apply to the DirectoryConfigurationAD class.
If the value of this property is false, the Active Directory security provider parses login user names (principal names) to determine if the name is in UPN format, meaning that it contains an @ character followed by at least one dot character (for example, jsmith@mydomain.com). If the principal name is in UPN format, it is assumed to take the form name@domain, where name is the user name and domain is the name of an Active Directory domain configured in Administration Console for Content Platform Engine. This special handling can be useful in some large Active Directory forest and domain setups, but prevents email addresses and certain UPNs from being used as the user short name.
If the value of this property is true, the Active Directory security provider does not parse the principal name, which allows email addresses and UPNs to be used as the user short name. Setting this property to true implies that ReturnNameAsDN is also set to true.
This property has a global effect. Therefore, it must be set the same (either all true or all false) for all Active Directory configurations defined for a Content Engine. If this property is not set the same for all configurations, the property value is implicitly false.
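The parsing rule and the global-effect rule described above, as an added Python example that is not IBM's code: it lists logins that would be split into a domain that is not configured. The function names, the last-`@` split, and the case-insensitive domain comparison are assumptions; the sample logins are constructed, apart from the page's jsmith@mydomain.com.

```python
def effective_setting(values):
    """The property is global: unless every Active Directory configuration
    sets it to true, the value is implicitly false."""
    values = list(values)
    return bool(values) and all(values)

def is_upn_format(principal):
    """UPN format here means an '@' followed, somewhere later, by a dot."""
    at = principal.find("@")
    return at != -1 and "." in principal[at + 1:]

def interpret_login(principal, property_values):
    """Return (user_name, domain); domain is None when the name is not parsed."""
    if effective_setting(property_values) or not is_upn_format(principal):
        return principal, None
    # Assumption: the split happens at the last '@'; the page does not say.
    name, _, domain = principal.rpartition("@")
    return name, domain

def unresolvable_logins(logins, configured_domains, property_values):
    """Logins that would be parsed into a domain that is not configured."""
    known = {d.lower() for d in configured_domains}  # assumption: case-insensitive
    flagged = []
    for login in logins:
        name, domain = interpret_login(login, property_values)
        if domain is not None and domain.lower() not in known:
            flagged.append((login, name, domain))
    return flagged

# Constructed sample data; only jsmith@mydomain.com comes from the page.
SAMPLE_LOGINS = ["jsmith@mydomain.com", "ann@mail.example.org", "svc@corp", "jsmith"]
CONFIGURED_DOMAINS = ["mydomain.com"]
```

Pass one boolean per Active Directory configuration as `property_values`; a mixed list such as `[True, False]` behaves as false.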
ClassDescription object containing the fixed description (immutable metadata) of the class from which this object is instantiated.
When getting back a collection of domain controllers for a given domain, use this property in an LDAP connection request to determine if a given domain controller in the domain is up and running. If a timeout exception occurs in the specified time, assume the domain controller is not running and try the next one.
The value of this property can be any one of the following:
The benefit of using multiple IP addresses for failover is that you do not need to modify a failover list when you change the host name, or when you decommission a domain controller or Tivoli Directory Server. In addition, this option is useful when the Active Directory domain contains remote domain controllers but you want to connect only to local DCs (as opposed to using the "Domain name" option below). The DC connection attempts are done in parallel. The first successful connection is the DC used.
Format the failover list in the following manner:
Hostname1:Port1 Hostname2:Port2 Hostname3:Port3 ... HostnameN:PortN
Separate the host name and port number pairs with one space character. In the following example, the first pair specifies LaurelTree as the machine name and 389 as the port number:
LaurelTree:389 OliveTree:636 FigTree:389
Content Engine makes connection attempts to directory servers based on the order of the pairs in the list. The connection attempts stop when Content Engine either successfully connects to a directory server or exhausts the list. The connection attempts resume at the beginning of the list when Content Engine loses a previously established directory server connection.
For instance, given the example list, Content Engine first attempts to connect to the directory server on the LaurelTree machine on port 389. If that attempt fails, it attempts to connect to the directory server on the OliveTree machine on port 636. If that attempt succeeds, the connection attempts stop. If, later on, Content Engine loses the connection to the directory server on OliveTree, the connection attempts start over again with LaurelTree.
Content Engine ignores this property when the value of the DirectoryServerHost property is a failover list. For information about failover lists, see the DirectoryServerHost property.
Name property of the object's class.
For CmAuditProcessingBookmark and AuditDefinition objects, this property is intended to identify client applications that process the audit log.
For CmAuditProcessingBookmark objects, this property, in support of the audit disposition feature, identifies the client that created the object.
For AuditDefinition objects, this property identifies a set of audit definitions for a given client or client functionality.
For CmAuditProcessingBookmark and AuditDefinition objects, it is recommended that you set this property. Specify a unique value to distinguish one client application from another. Note, however, that the server does not prevent identical display names across multiple CmAuditProcessingBookmark or AuditDefinition objects. Therefore, the client application is responsible for enforcing uniqueness.
The value of this property can be any one of the following:
null, Content Engine uses an internal mechanism to find a GC.
Failover list format
Format the failover list in the following manner:
Hostname1:Port1 Hostname2:Port2 Hostname3:Port3 ... HostnameN:PortN
Separate the host name and port number pairs with one space character. In the following example, the first pair specifies LaurelTree as the machine name and 3268 as the port number.
LaurelTree:3268 OliveTree:3269 FigTree:3268
Content Engine makes connection attempts to GCs based on the order of the pairs in the list. The connection attempts stop when Content Engine either successfully connects to a GC or exhausts the list. The connection attempts resume at the beginning of the list when Content Engine loses a previously established GC connection.
For instance, given the example list, Content Engine first attempts to connect to the GC on the LaurelTree machine on port 3268. If that attempt fails, it attempts to connect to the GC on the OliveTree machine on port 3269. If that attempt succeeds, the connection attempts stop. If, later on, Content Engine loses the connection to the GC on OliveTree, the connection attempts start over again with LaurelTree.
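The failover-list format and connection order described for DirectoryServerHost earlier and for GCHost here, as an added Python example that is not IBM's code: it validates a list, walks it in order, and flags entries on the standard non-TLS LDAP ports. The function names and the injected `probe` callable are assumptions, and the 389/3268 versus 636/3269 port convention is general LDAP knowledge rather than something this page states.

```python
import socket

# Standard port assignments (general LDAP knowledge, not stated on this page):
# 389 and 3268 carry LDAP/GC without implicit TLS; 636 and 3269 are the TLS ports.
NON_TLS_PORTS = {389, 3268}

def parse_failover_list(value):
    """Parse 'Host1:Port1 Host2:Port2 ...' into an ordered list of (host, port)."""
    pairs = []
    for item in value.split(" "):        # exactly one space between pairs
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"not a Hostname:Port pair: {item!r}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        pairs.append((host, int(port)))
    return pairs

def non_tls_entries(pairs):
    """Entries a reviewer should check for StartTLS or move to a TLS port."""
    return [p for p in pairs if p[1] in NON_TLS_PORTS]

def tcp_probe(host, port, timeout):
    """Default probe: succeeds if a TCP connection opens within the timeout."""
    with socket.create_connection((host, port), timeout=timeout):
        return True

def connect_in_order(pairs, probe=tcp_probe, timeout=2.0):
    """Try each pair in list order; stop at the first success or when exhausted.
    Call again after a lost connection: the walk restarts at the first pair."""
    for host, port in pairs:
        try:
            if probe(host, port, timeout):
                return host, port
        except OSError:                  # refused, unreachable, DNS failure, timeout
            continue
    return None

# The page's two example lists.
DIRECTORY_SERVERS = parse_failover_list("LaurelTree:389 OliveTree:636 FigTree:389")
GLOBAL_CATALOGS = parse_failover_list("LaurelTree:3268 OliveTree:3269 FigTree:3268")
```

A doubled space or a missing port raises `ValueError`, which catches the most common formatting mistakes before the value is saved.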
Content Engine ignores this property when the value of the GCHost property is null or is a failover list. For information about failover lists, see the GCHost property.
The following table shows the default value of this property for each of the supported service providers. Note that you can use a lookup attribute for some providers. If you specify an attribute, make sure to include the angle brackets (<attribute>).
Provider | Search filter | Provider attribute |
---|---|---|
Active Directory | N/A | Default: null. Do not change this value. The provider uses its memberOf attribute to look up group membership. |
ADAM or AD LDS | N/A | Default: `<memberOf>`. CPE 5.2.1.2-P8CPE-FP002 or later is required. |
IBM Tivoli | Default: `(\|(&(objectclass=groupOfNames)(member={0}))(&(objectclass=groupOfUniqueNames)(uniqueMember={0})))` | `<ibm-allGroups>`. CPE 5.2.1.2-P8CPE-FP002 or later is required. Check the IBM Tivoli documentation to determine if your version supports this attribute. |
Novell eDirectory | Default: `(&(objectClass=groupOfNames)(member={0}))` | `<groupMembership>`. CPE 5.2.1.2-P8CPE-FP002 or later is required. Check the Novell eDirectory documentation to determine if your version supports this attribute. |
Oracle Internet Directory (OID) | Default: `(\|(&(member={0})(objectClass=groupOfNames))(&(uniqueMember={0})(objectClass=groupOfUniqueNames)))` | N/A |
Oracle Directory Server Enterprise Edition OR Sun Directory Server Enterprise Edition OR SunOne | Default: `(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))` | N/A |
Computer Associates eTrust | Default: `(&(cn={0})(objectClass=person))` | N/A |
samAccountName for the Active Directory service provider and cn for all other supported directory service providers.
"(&(objectClass=user_defined_class)(an_attribute={0}))", where user_defined_class is the object class you want (for example, user) and an_attribute is the LDAP server-specific attribute (for example, samAccountName, cn, or uid).
The default value of this property is unique to the directory service provider, as follows:
Group.Id property. The default property value is dependent on the directory server type and is specified by the authentication provider's configuration. See What are access rights? for a list of the default SID attributes for the supported authentication providers.
For User and Group classes, the Id property takes the value of the Security Identifier (SID) rather than the 128-bit GUID. The string representation of the SID is in this example format: S-1-5-21-1559522492-2815155736-3711640725-55269.
When Active Directory is used as the directory service for IBM FileNet P8, calls to User.get_Id() and Group.get_Id() always return the current SID for the principal, even if this user or group has only historical SIDs populating the Active Directory server.
For a given property representation, the Id property has the following characteristics:
PropertyDescription.get_Id() is equal to PropertyTemplate.get_Id(), which is equal to PropertyDefinition.get_PrimaryId().
PropertyDefinition.get_Id() is not equal to PropertyDefinition.get_PrimaryId().
PropertyDefinition.get_Id() is not equal to PropertyDescription.get_Id().
For a newly created document object, you can override the Id property of its associated VersionSeries object before you save or check in the document for the first time.
true) or disabled (false) for communication to the SMTP server.
A user can be in a configured realm but belong to a group in an unconfigured realm. By default (that is, when the property value is false), the server automatically searches cross-realm group membership (also called cross-domain group membership in Active Directory). If it reaches a realm that is not configured in Administration Console, the server returns a Realm not found error and group membership search processing stops. However, if the property value is true when this situation occurs, the server logs an informational message to the server error log and the group membership search continues.
NOTE This property is not supported for the Windows Active Directory Application Mode (ADAM) directory service provider. This is because ADAM does not support cross-realm group memberships (cross-partition memberships, in ADAM terminology).
true, the service provider returns the names in DN format, which is consistent with other types of directory service providers.
false. To enable cross-forest group membership searches, set this property to true.
samAccountName
uid
cn
cn
cn
cn
"(&(objectClass=user_defined_class)(an_attribute={0}))", where user_defined_class is the object class you want (for example, user or person) and an_attribute is the LDAP server-specific attribute (for example, samAccountName, cn, or uid).
The default value of this property is unique to the directory service provider, as follows:
User.Id property. The default property value is dependent on the directory server type and is specified by the authentication provider's configuration. See What are access rights? for a list of the default SID attributes for the supported authentication providers.