
Windows Active Directory Application Mode (ADAM)

In document FileNet P8 Security (Page 179-184)

This topic describes FileNet P8's support for integrating with Windows Active Directory Application Mode (ADAM).

One instance of ADAM can have multiple application partitions, each of which can be mapped to a Content Engine (CE) realm. Therefore one instance of ADAM can be mapped to multiple CE realms.

For each realm, you must create an application server authentication provider and a DirectoryConfigurationADAM object, to establish a one-to-one relationship between Realm object and authentication provider, and also a one-to-one relationship between Realm object and DirectoryConfigurationADAM object. The initial set of these objects is created during CE installation.

For each DirectoryConfiguration object, FileNet P8 extracts the realm name from the specified UserBaseDN property value by comparing it with each application partition. For example, if the UserBaseDN for this DirectoryConfiguration object is "ou=people, o=isp ", and there are two application partitions, "o=isp" and "dc=filenet,dc=com", the realm name for this DirectoryConfiguration object is "o=isp".

The following graphic shows CE authenticating with ADAM:

The next graphic shows the optional configuration of CE authenticating with ADAM configured for proxy login and search to Active Directory. When a user logs in using an ID found in a userProxyFull object, ADAM redirects authentication to Active Directory.

You can optionally use the Synchronizer tool, a built-in feature of ADAM, to pull user account information from Active Directory. In this scenario, ADAM user accounts are represented by userProxyFull objects, which store the user ID while the account password remains in Active Directory. When properly configured, this provides a one-way data flow from Active Directory to ADAM. You can continue to provision ADAM-only accounts in ADAM, and both types of account can authenticate to a FileNet P8 application after the normal configuration of the CE classes' Default Instance Security tabs in Enterprise Manager. The application does not need to be aware of this Active Directory interaction.

Consult your ADAM documentation for how to use the userProxyFull object. Content Engine does not support ADAM's userProxy object.

NOTE FileNet highly recommends that you configure SSL between the application server that hosts CE and your ADAM servers. This includes changes to the authentication provider in the application server and to the DirectoryConfigurationADAM object that was created while running CE Setup. Consult your application server's documentation for instructions.

Support matrix

Use this support matrix as a quick lookup of supported directory features.

ADAM feature                                                   Supported by Content Engine
-------------------------------------------------------------  ---------------------------
One-way SSL                                                    Y
Two-way SSL                                                    N
Static groups / security groups                                Y
Nested groups                                                  Y
Dynamic groups                                                 n/a
Universal groups                                               n/a
Roles                                                          N   (see note 1)
Referrals for logon                                            N
Referrals for search (user and group retrieval)                N
Chaining                                                       N
Directory aliases                                              N
Native-mode Active Directory                                   n/a
Mixed-mode Active Directory                                    n/a
Support multiple realms                                        Y   (see note 2)
Restrict to single realm                                       Y   (see note 3)
Support domains across multiple forests                        n/a
Logon to any W2k domain in the forest (implies 2-way trust)    n/a
Logon to NT 1-way trust domains in the forest                  n/a
Configurable username for logon                                Y   (see note 4)
Configurable user display name                                 Y
Configurable group display name                                Y
Configurable group name for persisting                         Y   (see note 5)
Support ADAM users (for logon and search)                      Y
Support use of userProxyFull class (for logon and search)      Y   (see note 6)
Support Windows (domain and local) users (logon and search)    N
Users in application partitions                                Y
Users in Configuration and Schema partitions                   N   (see note 7)

Notes:

1. Roles are not used by FileNet P8 services and are not part of the LDAP standard. Do not confuse this "Roles" with the ADAM "Roles" container, which is just a container of groups.

2. Each realm corresponds to one ADAM application partition. P8 4.0.x support for multiple realms depends on the application server. As of the 4.0.x release, multiple realm support is available for WebLogic, JBoss, and WebSphere 6.1 (by way of federated user repositories), but not for WebSphere 6.0 or 5.1. See Configure multiple realms.

3. Restrict CE to a single realm by configuring just one authentication provider and one directory configuration.

4. The short or common name does not contain realm information. Short names must be unique across all of your configured application partitions and realms.

5. Group names are not persisted in the CE database, even though they are persisted in stored searches and workflow definitions.

6. You can create a special user proxy object in ADAM that maps to a regular Active Directory user account. The user proxy does not have an actual password stored in the ADAM object itself. When the application performs its normal bind operation, ADAM checks the ID locally but checks the password against Active Directory. Content Engine requires the use of the ADAM userProxyFull class rather than userProxy.

7. There is a patch from Microsoft that allows ADAM users to reside in the Configuration partition. However, FileNet P8 does not support this.

Directory Configuration Properties

The following is an alphabetic list of the properties in the DirectoryConfigurationADAM class with default values. Use Enterprise Manager to view all properties and modify editable properties. See FileNet P8 domain properties (Directory config tab) for information.

Property name                  Editable?  Description
-----------------------------  ---------  ------------------------------------------------------------------
ClassDescription               N          A ClassDescription object containing the fixed description of the class from which a given object is instantiated.
DirectoryServerHost            Y          The name of the host that is running the directory server product.
DirectoryServerPassword        Y          The password used to authenticate (bind) to the directory server.
DirectoryServerPort            Y          The port number of the directory server. Defaults to 389 for all supported directory server types.
DirectoryServerProviderClass   Y          The directory server provider class name: com.filenet.engine.security.AdamDirectoryProvider
DirectoryServerType            N          The type of directory server: ADAM
DirectoryServerUserName        Y          The user name for authenticating to the directory server. Example: cn=ceadmin,ou=people,o=isp
DisplayName                    Y          The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class.
GroupBaseDN                    Y          The base DN for searching for groups in the directory server. Example: ou=people,o=isp
GroupDisplayNameAttribute      Y          The attribute used as the display name of a Group object generated by the authentication provider: cn
GroupMembershipSearchFilter    Y          The search filter for group membership queries: (&(objectClass=group)(member={0}))
GroupNameAttribute             Y          The directory server attribute used as the short name for a group: cn
GroupSearchFilter              Y          The search filter for groups. Example: (&(objectclass=group)(cn={0}))
Id                             N          The object's globally unique ID (GUID).
IsSSLEnabled                   Y          Whether Secure Sockets Layer (SSL) is enabled for this DirectoryConfiguration object. The default is false (SSL disabled).
UserBaseDN                     Y          The base DN for searching for users in the directory server. Example: ou=people,o=isp
UserDisplayNameAttribute       Y          The attribute used as the display name of a User object generated by the authentication provider: cn
UserNameAttribute              Y          The directory server attribute used as the short name for a user: cn
UserSearchFilter               Y          The search filter for users: (&(objectClass=person)(cn={0})). This filter finds both native ADAM accounts and Active Directory accounts referenced by userProxyFull objects.

NOTE With the defaults (DirectoryServerPort 389 and IsSSLEnabled false), the bind that carries DirectoryServerUserName and DirectoryServerPassword, and every user and group lookup CE performs, cross the network in cleartext. When you enable SSL, also set DirectoryServerPort to the port on which ADAM accepts SSL connections (636 is the conventional LDAPS port) and make sure the application server trusts the ADAM server certificate; the earlier NOTE covers the application-server side of this change.
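The {0} placeholder in UserSearchFilter, GroupSearchFilter and GroupMembershipSearchFilter is filled with a value that, for the user filter, originates from whatever name the user typed at logon. The following is an added example, not FileNet P8 code, and the page does not say how CE itself performs the substitution; it contrasts naive substitution with RFC 4515 escaping of the assertion value, which is what any code that builds these filters from user input has to do. The filter templates are the documented defaults; the login names and DN are constructed sample input.

```python
"""Filling the {0} placeholder in CE-style search filters (added example, not FileNet code).

Assumption: the substituted value is an LDAP assertion value and must be escaped
per RFC 4515 section 3 before it is spliced into the filter template.
"""

# Documented default templates from the DirectoryConfigurationADAM properties.
USER_SEARCH_FILTER = "(&(objectClass=person)(cn={0}))"
GROUP_SEARCH_FILTER = "(&(objectclass=group)(cn={0}))"
GROUP_MEMBERSHIP_SEARCH_FILTER = "(&(objectClass=group)(member={0}))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape value so the directory treats it as a literal string, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(template, value):
    """Plain substitution, kept only to demonstrate the injection it allows."""
    return template.replace("{0}", value)


def build_filter(template, value):
    """Substitute {0} with the escaped value; reject templates without the placeholder."""
    if "{0}" not in template:
        raise ValueError("filter template has no {0} placeholder: %r" % template)
    return template.replace("{0}", escape_filter_value(value))


def user_filter(login_name):
    """Filter issued under UserBaseDN to find the account that is logging on."""
    return build_filter(USER_SEARCH_FILTER, login_name)


def group_filter(group_name):
    """Filter issued under GroupBaseDN to find a group by short name."""
    return build_filter(GROUP_SEARCH_FILTER, group_name)


def group_membership_filter(user_dn):
    """Filter issued under GroupBaseDN to find the groups a user's DN belongs to.

    The DN is an assertion value here too: a DN containing parentheses or
    backslashes must be escaped exactly like a login name.
    """
    return build_filter(GROUP_MEMBERSHIP_SEARCH_FILTER, user_dn)


if __name__ == "__main__":
    hostile = "*)(objectClass=*"                               # constructed hostile login name
    print(build_filter_unsafe(USER_SEARCH_FILTER, hostile))   # now matches every person object
    print(user_filter(hostile))                               # matches only that literal cn
    print(group_membership_filter("cn=alice (contractor),ou=people,o=isp"))
```

The unsafe variant turns the documented user filter into an AND of three clauses in which the attacker-supplied (objectClass=*) and the wildcard cn match every person under UserBaseDN; the escaped variant can only match an account whose cn is literally the string typed. Because CE's short names must be unique across realms, a filter that matches more than one entry is a failure condition in its own right, independent of the injection.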

