In the rdaccountsystem.xml configuration file, you can make settings for assigned LDAP directory services. The user-defined entries in rdaccountsystem.xml are applied to the imported users when the user accounts are imported. This gives you the chance to make more sophisticated settings and assignments for the imported users than you can in the Import User Accounts dialog window. For example, in the dialog window, you can only assign all imported users the same language interface or the same projects. You can use the user-defined entries in rdaccountsystem.xml to define exactly which users are to be assigned which language interface and which projects.
If you add a new LDAP directory service in Server Manager, an entry with default values is created in the rdaccountsystem.xml file, unless an entry with the same name (name of directory service) already exists. If an entry with the same name already exists, all necessary attributes that are not already available are added to it. If you delete an LDAP directory service in Server Manager, the corresponding entry in the rdaccountsystem.xml file is deleted.
The settings from the OPTIONS, PROJECTS, and GROUPS sections in the XML file are only taken into consideration when the user accounts are imported if the check box Define import settings has been cleared in the Import User Accounts dialog window. If the check box is selected, the settings in the dialog window are applied to the imported users. The entries in the ATTRIBUTES and LDAPGROUP sections are taken into account every time user accounts are imported.
The settings in all sections are only ever added to users, never removed. This means that a later import of user accounts cannot remove an existing project assignment or group assignment.
The exception is the module assignment (LEVEL section). The level is always set to the configured value, so the SmartTree or SmartEdit modules are assigned to the user, or an existing assignment is revoked, on every import.
In the XML file, you can create one section for each directory service. This section controls the import of user accounts.
Administering Users and Groups: Directory Services
Server Manager, 05/2009
Example:
<CMS>
<ACS name="myaccountsystem1" >
...
</ACS>
<ACS name="myaccountsystem2" >
...
</ACS>
...
</CMS>
Additional subsections within an ACS section control a variety of functions.
ATTRIBUTES Section
In the ATTRIBUTES section, you map LDAP attributes to fields in Management Server.
The value of name corresponds to a field in the Management Server database.
For every ATTRIBUTE entry, key names the LDAP attribute that is read or, in the case of objectclass, checked.
Example:
<ACS name="" >
<ATTRIBUTES>
<ATTRIBUTE name="" key="" />
...
</ATTRIBUTES>
</ACS>
You have the following options:
objectclass
Using this entry, you determine which classes of objects are to be imported. key names an LDAP attribute, and check gives one or more values (separated by semicolons) that the LDAP node must have in order to be recognized as a user.
Example:
<ATTRIBUTE name="objectclass" key="objectclass" check="person" />
<ATTRIBUTE name="objectclass" key="objectclass" check="person;inetorgperson" />
uniqueidentifier
Using this entry, you can determine the unique LDAP attribute for identifying the user, other than name. An attribute such as a GUID or a personnel number is often used, as this does not change even if the user's name changes (for example, through marriage).
The content of the unique attribute named by key is used to match imported users against the directory service on subsequent imports. The LDAP attribute can be a text attribute or a binary attribute.
Example:
<ATTRIBUTE name="uniqueidentifier" key="objectGUID" />
uid
With this entry, you determine the user's logon name.
Example:
<ATTRIBUTE name="uid" key="uid" /> (Open LDAP)
<ATTRIBUTE name="uid" key="sAMAccountName" /> (NT domain)
givenname
With this entry, you determine the user's first name.
Example:
<ATTRIBUTE name="givenname" key="givenname" />
sn
With this entry, you determine the user's last name.
Example:
<ATTRIBUTE name="sn" key="sn" />
mail
With this entry, you determine the user's e-mail address.
Example:
<ATTRIBUTE name="mail" key="mail" />
description
With this entry, you determine the description of the user.
Example:
<ATTRIBUTE name="description" key="title" />
Example of an ATTRIBUTES section:
<ATTRIBUTES>
<ATTRIBUTE name="objectclass" key="objectclass" check="person" />
<ATTRIBUTE name="uniqueidentifier" key="objectGUID" />
<ATTRIBUTE name="uid" key="sAMAccountName" />
<ATTRIBUTE name="givenname" key="givenname" />
<ATTRIBUTE name="sn" key="sn" />
<ATTRIBUTE name="mail" key="mail" />
<ATTRIBUTE name="description" key="title" />
</ATTRIBUTES>
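The following is an added example and is not part of the Server Manager documentation or of Management Server itself. It applies the ATTRIBUTES section shown above to LDAP search results: the objectclass check (including the semicolon-separated form) decides whether a node is imported at all, and the remaining entries map LDAP attributes to Management Server fields. It assumes entries arrive as dicts of attribute name to list of values, as an LDAP client library would return them, that LDAP attribute names and objectClass values compare case-insensitively, and that a binary objectGUID is best stored in its textual GUID form so it compares stably between imports; the sample entries are constructed.

```python
"""Apply the ATTRIBUTES mapping of an rdaccountsystem.xml ACS section to LDAP entries.

Added example, not part of the Server Manager documentation or product code.
LDAP entries are dicts of attribute name -> list of values (constructed below).
"""
import uuid
import xml.etree.ElementTree as ET

# The ATTRIBUTES section exactly as shown in the documentation example.
ATTRIBUTES_XML = """
<ATTRIBUTES>
  <ATTRIBUTE name="objectclass" key="objectclass" check="person" />
  <ATTRIBUTE name="uniqueidentifier" key="objectGUID" />
  <ATTRIBUTE name="uid" key="sAMAccountName" />
  <ATTRIBUTE name="givenname" key="givenname" />
  <ATTRIBUTE name="sn" key="sn" />
  <ATTRIBUTE name="mail" key="mail" />
  <ATTRIBUTE name="description" key="title" />
</ATTRIBUTES>
"""


def parse_attributes(xml_text):
    """Return a list of (name, key, check) tuples from an ATTRIBUTES section."""
    root = ET.fromstring(xml_text)
    return [(a.get("name"), a.get("key"), a.get("check"))
            for a in root.iter("ATTRIBUTE")]


def _get(entry, key):
    """Look up an LDAP attribute ignoring case (assumption: LDAP attribute
    names are case-insensitive, so 'objectclass' matches 'objectClass')."""
    for k, v in entry.items():
        if k.lower() == key.lower():
            return v
    return []


def is_user(mapping, entry):
    """objectclass rule: the node must carry at least one of the ';'-separated
    check values. Value comparison is case-insensitive (assumption)."""
    for name, key, check in mapping:
        if name != "objectclass":
            continue
        wanted = {c.strip().lower() for c in check.split(";")}
        present = {str(v).lower() for v in _get(entry, key)}
        if not wanted & present:
            return False
    return True


def map_user(mapping, entry):
    """Build the Management Server user record; a binary uniqueidentifier
    (objectGUID) is normalised to GUID text so it compares stably."""
    user = {}
    for name, key, check in mapping:
        if name == "objectclass":
            continue
        values = _get(entry, key)
        value = values[0] if values else None
        if name == "uniqueidentifier" and isinstance(value, (bytes, bytearray)):
            value = str(uuid.UUID(bytes_le=bytes(value)))
        user[name] = value
    return user


def import_users(xml_text, entries):
    """Return the mapped records of all entries that pass the objectclass check."""
    mapping = parse_attributes(xml_text)
    return [map_user(mapping, e) for e in entries if is_user(mapping, e)]


# Constructed sample entries: one person and one group (the group must be skipped).
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectGUID": [uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le],
     "sAMAccountName": ["adam.meyer"], "givenName": ["Adam"], "sn": ["Meyer"],
     "mail": ["adam.meyer@example.com"], "title": ["Editor"]},
    {"objectClass": ["top", "group"], "sAMAccountName": ["editors"],
     "member": ["CN=Adam Meyer,OU=Users,DC=example,DC=com"]},
]

if __name__ == "__main__":
    for user in import_users(ATTRIBUTES_XML, SAMPLE_ENTRIES):
        print(user)
```

Running the block imports only the person entry; the group node fails the objectclass check even though it has an sAMAccountName, which is the behaviour the check attribute is there to guarantee.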
LDAPGROUP Section
The settings in this section are evaluated if you have selected the option Group in the Add Directory Service dialog window for the directory service. In this case, the Group DN points to an LDAP node whose attribute values contain references (DNs) to users. The references are resolved, and the corresponding users are imported.
Example:
<ACS name="..." >
...
<LDAPGROUP>
<ATTRIBUTE name="" key="" check="" />
...
</LDAPGROUP>
</ACS>
You have the following options:
objectclass
With this entry, you can determine which classes of objects are to be recognized as a group. key refers to the name of an LDAP attribute and check to one or more values that the LDAP node must have for the node to be recognized as a group.
Example:
<ATTRIBUTE name="objectclass" key="objectclass" check="group" />
member
The references (DNs) to the users are read from the LDAP attribute named by key.
Example:
<ATTRIBUTE name="member" key="member" />
isads
The ADS directory service behaves differently when multivalued attributes are queried: the values of a multivalued attribute are returned in pages (ranges) of, for example, at most 1000 entries. If a group's member attribute has more than 1000 values, the attribute must be queried range by range (range=0-999, range=1000-1999, and so on). You switch this on with the attribute isads and give the range size as its value. If the attribute is missing or its value is 0, range retrieval is not used and the result set can be incomplete under ADS.
Example:
<ATTRIBUTE name="isads" value="1000" />
Example of a complete LDAPGROUP section:
<LDAPGROUP>
<ATTRIBUTE name="objectclass" key="objectclass" check="group" />
<ATTRIBUTE name="member" key="member" />
<ATTRIBUTE name="isads" value="1000" />
</LDAPGROUP>
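The following is an added example and is not part of the Server Manager documentation or of Management Server itself. It shows why the isads entry matters: a constructed in-memory stand-in for an ADS group returns at most one page of member values per request and tags the last page with the range=low-* marker, as Active Directory does; a plain read gets only the first page, while the range walk that isads enables collects all members. The FakeAdsGroup class, the function names and the 2500-member group are assumptions made for the example.

```python
"""Simulate the ADS range retrieval that the isads entry switches on.

Added example, not part of the Server Manager documentation or product code.
FakeAdsGroup is a constructed stand-in for an AD group node: it answers a
request for an attribute with at most `page` values, tagged
'attribute;range=low-high', and marks the final page 'attribute;range=low-*'.
"""

PAGE = 1000  # the value given in <ATTRIBUTE name="isads" value="1000" />


class FakeAdsGroup:
    """Stand-in for an AD group node with a large multivalued member attribute."""

    def __init__(self, members, page=PAGE):
        self.members = members
        self.page = page

    def read(self, attribute_request):
        """Return {returned_attribute_name: values} for one request.

        'member'            -> first page only (what a plain read gets back)
        'member;range=L-H'  -> values L..H, capped at one page
        """
        name, _, rng = attribute_request.partition(";range=")
        low = int(rng.split("-")[0]) if rng else 0
        high = low + self.page - 1
        chunk = self.members[low:high + 1]
        if low + len(chunk) >= len(self.members):
            tag = f"{name};range={low}-*"          # final page marker
        else:
            tag = f"{name};range={low}-{high}"
        return {tag: chunk}


def read_multivalued(node, attribute, isads=0):
    """Read all values of a multivalued attribute from an ADS node.

    isads == 0 mirrors a missing or zero isads entry: one plain read, which
    under ADS is silently truncated to the server's page size.
    isads > 0 walks range=0-(isads-1), range=isads-(2*isads-1), ... until the
    server answers with the '*' marker, so no member is missed.
    """
    if not isads:
        result = node.read(attribute)
        return next(iter(result.values()))
    values = []
    low = 0
    while True:
        result = node.read(f"{attribute};range={low}-{low + isads - 1}")
        (tag, chunk), = result.items()
        values.extend(chunk)
        if tag.endswith("-*") or not chunk:
            return values
        low += isads


# Constructed group with 2500 members, so three pages are needed.
MEMBERS = [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(2500)]
GROUP = FakeAdsGroup(MEMBERS)

if __name__ == "__main__":
    print("without isads:", len(read_multivalued(GROUP, "member")))
    print("with isads=1000:", len(read_multivalued(GROUP, "member", isads=1000)))
```

The first call returns 1000 members and the second returns all 2500, which is the incomplete result set the text warns about versus the complete one.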
Section for Further Options
You can specify further options for importing user accounts. These are the same options that you can select for each user in the Edit User Data dialog window in Server Manager (except for NOIMPORT and PREFIX). There are three ways to assign an option; only one of them may be used for a given option element.
Fixed assignment
All imported users are assigned the option.
Example:
<OPTION value="" />
Reading an LDAP attribute
The LDAP attribute key is read, and the value of the attribute is assigned to the imported user. If no value can be determined from the LDAP attribute, the default value is assigned.
Example:
<OPTION key="" default="" />
Conditional assignment
The LDAP attribute key is read. If the LDAP attribute has the value check, the imported user is assigned value. You can add multiple conditions. If none of the conditions matches, the default value is assigned.
Example:
<OPTION default="" >
<CONDITION value="" key="" check="" />
...
</OPTION>
You have the following options:
NOIMPORT
Value range:
1: User is not imported
All other values: User is imported
USERLANGUAGE
You can enter the usual abbreviation for the user's interface language (DEU, ENG, etc.).
LEVEL
Value range:
1: The user becomes the administrator in all projects assigned (SmartTree and SmartEdit modules)
3: The user becomes an editor in all projects assigned (SmartEdit module)
5: The user becomes a visitor in all projects assigned
USERLIMITS
You can define which settings users are not allowed to change in their own user profile.
The settings are assigned using flag values. If several settings are to be assigned, the flag values are added. The following flag values are possible:
1 = Full name/Description
2 = E-mail address
4 = Connected to directory service
8 = Password
16 = Language of user interface/Locale
64 = Preferred text editor
128 = DirectEdit
The flag values are combined bitwise: add up the values of the individual flags to get the total flag value.
Example:
The user is not allowed to change the following items of the user's own user profile data:
E-mail address, password, and the preferred text editor.
This means that the flag values 2, 8, and 64 are used and added. The resulting flag value is 74.
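The following is an added example and is not part of the Server Manager documentation or of Management Server itself. It composes a USERLIMITS value from the flag names listed above and decodes an existing value back into the settings it locks, which is what you need when reviewing which profile fields imported users can still change. Only the flag values the text lists are known to it; any other bit (for example 32, which the list does not document) is reported separately rather than silently ignored. The function names are assumptions made for the example.

```python
"""Compose and decode USERLIMITS flag values.

Added example, not part of the Server Manager documentation or product code.
Only the flag values listed in the documentation are known; undocumented bits
are reported instead of being dropped.
"""

USERLIMITS_FLAGS = {
    1: "Full name/Description",
    2: "E-mail address",
    4: "Connected to directory service",
    8: "Password",
    16: "Language of user interface/Locale",
    64: "Preferred text editor",
    128: "DirectEdit",
}


def userlimits_value(*names):
    """Combine the flag values of the named settings (bitwise OR, so naming a
    setting twice does not count it twice)."""
    by_name = {label: bit for bit, label in USERLIMITS_FLAGS.items()}
    value = 0
    for name in names:
        value |= by_name[name]  # KeyError for a setting the documentation does not list
    return value


def decode_userlimits(value):
    """Return (locked_settings, undocumented_bits) for a USERLIMITS value."""
    locked = [label for bit, label in USERLIMITS_FLAGS.items() if value & bit]
    known = sum(USERLIMITS_FLAGS)           # bitmask of all documented flags
    undocumented = value & ~known
    return locked, undocumented


if __name__ == "__main__":
    total = userlimits_value("E-mail address", "Password", "Preferred text editor")
    print(total, decode_userlimits(total))
```

For the example in the text (e-mail address, password, and preferred text editor) the block yields 74, and decoding 74 returns exactly those three settings with no undocumented bits.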
SSO
Value range:
1: IIS authentication is activated
All other values: IIS authentication is not activated
PREFIX
All imported users get a prefix in front of their user names. For example, the prefix mydomain\<loginname> would give the user adam.meyer the new user name mydomain\adam.meyer.
Value range: any string
Examples for setting the USERLANGUAGE option:
All imported users are assigned the English language interface:
<ACS name="">
...
<USERLANGUAGE value="ENG" />
...
</ACS>
The language interface is determined by the LDAP attribute cmslanguage. This attribute must contain exactly the value that can be processed by Management Server, for example, DEU or ENG. If the attribute contains no value, English is assigned.
<ACS name="">
...
<USERLANGUAGE key="cmslanguage" default="ENG" />
...
</ACS>
An imported user is assigned a language interface depending on the co attribute. If none of the conditions matches, English is assigned:
<ACS name="">
...
<USERLANGUAGE default="ENG">
<CONDITION value="DEU" key="co" check="Germany" />
<CONDITION value="ENG" key="co" check="..." />
</USERLANGUAGE>
...
</ACS>
Examples for setting the LEVEL option:
All imported users are assigned the SmartEdit module:
<ACS name="">
...
<LEVEL value="3" />
...
</ACS>
The level is determined by the LDAP attribute cmslevel. This attribute must contain exactly the value that can be processed by Management Server, for example, 1, 3 or 5. If the attribute contains no value, 5 is assigned.
<ACS name="">
...
<LEVEL key="cmslevel" default="5" />
...
</ACS>
An imported user is assigned a level depending on the title attribute. If none of the conditions matches, Visitor is assigned:
<ACS name="">
...
<LEVEL default="5">
<CONDITION value="1" key="title" check="Administrator" />
<CONDITION value="3" key="title" check="Editor" />
<CONDITION value="5" key="title" check="Visitor" />
</LEVEL>
...
</ACS>
The other options follow the same pattern.
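The following is an added example and is not part of the Server Manager documentation or of Management Server itself. It implements the three assignment modes described in the Section for Further Options (fixed value; LDAP attribute with default; CONDITION list with default), rejects an element that mixes them, and runs the resolver over the conditional USERLANGUAGE and LEVEL examples given above. It assumes LDAP entries are dicts of attribute name to list of values, that attribute names and check values compare case-insensitively, and that a key-mode option uses the first value of a multivalued attribute; the function names and the sample entries are constructed.

```python
"""Resolve the options of an rdaccountsystem.xml ACS section for one user.

Added example, not part of the Server Manager documentation or product code.
LDAP entries are constructed dicts of attribute name -> list of values.
"""
import xml.etree.ElementTree as ET


def _lookup(entry, key):
    """Case-insensitive LDAP attribute lookup (assumption)."""
    for k, v in entry.items():
        if k.lower() == key.lower():
            return v
    return []


def resolve_option(option, entry):
    """Return the value one option element assigns to the user.

    Exactly one of the three modes may be used per element; an element that
    combines 'value' with 'key' or with CONDITIONs is rejected.
    """
    conditions = option.findall("CONDITION")
    modes = sum([option.get("value") is not None,
                 option.get("key") is not None,
                 bool(conditions)])
    if modes != 1:
        raise ValueError(f"<{option.tag}>: exactly one assignment mode is required")

    if option.get("value") is not None:            # fixed assignment
        return option.get("value")

    if option.get("key") is not None:              # reading an LDAP attribute
        values = _lookup(entry, option.get("key"))
        return str(values[0]) if values else option.get("default")

    for cond in conditions:                        # conditional assignment
        wanted = cond.get("check").lower()
        found = [str(v).lower() for v in _lookup(entry, cond.get("key"))]
        if wanted in found:
            return cond.get("value")
    return option.get("default")


def resolve_acs(acs_xml, entry, option_tags=("USERLANGUAGE", "LEVEL")):
    """Resolve the listed option elements of one ACS section for one user."""
    acs = ET.fromstring(acs_xml)
    return {tag: resolve_option(el, entry)
            for tag in option_tags
            for el in acs.findall(tag)}


# ACS section combining the conditional USERLANGUAGE and LEVEL examples.
ACS_XML = """
<ACS name="myaccountsystem1">
  <USERLANGUAGE default="ENG">
    <CONDITION value="DEU" key="co" check="Germany" />
  </USERLANGUAGE>
  <LEVEL default="5">
    <CONDITION value="1" key="title" check="Administrator" />
    <CONDITION value="3" key="title" check="Editor" />
    <CONDITION value="5" key="title" check="Visitor" />
  </LEVEL>
</ACS>
"""

# Constructed LDAP entries.
GERMAN_EDITOR = {"co": ["Germany"], "title": ["Editor"]}
UNKNOWN_USER = {"co": ["France"]}     # matches no condition -> defaults apply

if __name__ == "__main__":
    print(resolve_acs(ACS_XML, GERMAN_EDITOR))   # DEU, level 3
    print(resolve_acs(ACS_XML, UNKNOWN_USER))    # ENG, level 5
```

The second user shows the default path: neither the co nor the title attribute matches a CONDITION, so the user receives the English interface and level 5 (Visitor), exactly as the documented examples state.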
PROJECTS Section
You can assign as many projects as you want to the imported users. The project must already exist in Management Server and can be specified by name or GUID.
Example:
<ACS name="">
...
<PROJECTS>
<PROJECT name="" guid="" value="" key="" />
...
</PROJECTS>
...
</ACS>
As in the Section for Further Options, there are three ways to make the assignment, but no default values are available:
Fixed assignment
All imported users are assigned the specified project.
Example:
<PROJECT name="myproject" />
<PROJECT guid="..." />
Reading an LDAP attribute
The project name or the project GUID is read from an LDAP attribute.
Example:
<PROJECT key="myldapattribute" />
Conditional assignment
An imported user is assigned the project depending on the LDAP attribute key. If the attribute named by key does not have the value given in value, the project is not assigned.
Example:
<PROJECT name="myproject" key="myldapattribute" value="..." />
<PROJECT guid="..." key="myldapattribute" value="..." />
GROUPS Section
Any number of groups can be assigned to the imported users. Note that the groups in Management Server always relate to a project, and an assignment to a group only makes sense if you have also assigned the corresponding project to the user. The assignment is carried out in the same way that projects are assigned. The groups must already exist in Management Server and can be specified by name or GUID.
Example:
<ACS name="">
...
<GROUPS>
<GROUP name="" guid="" value="" key="" />
...
</GROUPS>
...
</ACS>