
Configuring LDAP integration for Content Manager

To use LDAP with Content Manager, configure the Content Manager Web site and its Web applications (the Content Manager, the WebUI and the Core Service) so that IIS no longer performs Windows authentication and users are instead authenticated against the LDAP server by the Tridion LDAP authentication module and the LDAP user name/password validator. This is the basic LDAP setup; its performance can be optimized separately.

Procedure

  1. On your Content Manager server machine, click the Server Manager button in the taskbar.
    The Server Manager window opens.
  2. Do one of the following:
    • On a Windows Server 2008 R2 machine, select Roles > Web Server (IIS) > Internet Information Services (IIS) Manager.
    • On a Windows Server 2012 machine, select Tools > Internet Information Services (IIS) Manager.
  3. In the IIS tree, open the node representing this machine, and select Sites, then select the SDL Tridion Web site.
  4. Double-click the Authentication icon on the right and change the settings that appear as follows:
    • Select the Anonymous Authentication row and click Enable in the Actions area on the right. IIS must let requests through anonymously so that the LdapAuthenticationHttpModule enabled in step 6 can authenticate them itself.
    • Select each of the other rows in turn and for each row, click Disable in the Actions area on the right. Windows Authentication in particular must be disabled, because the Web applications are configured below to stop requiring a Windows identity. (If necessary, you could choose to keep Digest Authentication and Forms Authentication enabled.)
  5. Close Server Manager.
  6. Open %TRIDION_HOME%\web\web.config for editing. The file contains comments indicating what to do to configure the site for LDAP integration. Do the following:
    1. In the system.webServer/modules section, uncomment the following line:
      <add name="LdapAuthenticationHttpModule" type="Tridion.Security.Web.LdapAuthenticationHttpModule,
      Tridion.Security, Version=7.1.0.52, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" />
    2. Uncomment the behaviors section under system.serviceModel.
    3. Save and close this web.config file.
  7. Open %TRIDION_HOME%\web\WebUI\WebRoot\web.config for editing and do the following:
    1. In the system.serviceModel/bindings/webHttpBinding section, find the binding section with its name attribute set to Tridion.Web.UI.ContentManager.WebServices.WebHttpBindingConfig and set the clientCredentialType attribute of the transport element to the value None rather than the default value Windows. With anonymous authentication enabled in IIS there is no Windows identity on the request, so the binding must not require one; the identity is supplied instead by the authorization policies enabled in the next sub-step.
    2. In the system.serviceModel/behaviors/serviceBehaviors section, find the behavior section with its name attribute set to Tridion.Web.UI.ContentManager.WebServices.DeveloperBehavior. In this section, find a commented-out section named serviceAuthorization and remove the comment delimiters:
      <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
          <add policyType="Tridion.Web.ServiceModel.HttpIdentityPolicy, Tridion.Web.ServiceModel"/>
          <add policyType="Tridion.Web.ServiceModel.HttpPrincipalPolicy, Tridion.Web.ServiceModel"/>
        </authorizationPolicies>
      </serviceAuthorization>
    3. Save and close this web.config file.
  8. Open %TRIDION_HOME%\webservices\web.config for editing, which contains comments indicating what to do to configure the Core Service for LDAP integration, and do the following:
    1. In the <system.serviceModel> section, confirm the presence of a serviceHostingEnvironment element with an aspNetCompatibilityEnabled attribute set to true.
    2. In the system.serviceModel/bindings/basicHttpBinding section, find the two binding sections, one with its name attribute set to CoreService_basicHttpBinding and another one with its name attribute set to StreamDownload_basicHttpBinding. In each section, set the clientCredentialType attribute of the transport element to the value None rather than the default value Windows.
    3. In the system.serviceModel/bindings/wsHttpBinding section, in the binding section with its name attribute set to CoreService_wsHttpBinding, set the mode attribute of the child element security to the value TransportWithMessageCredential, not Message. Inside this security element, set the clientCredentialType attribute of the message element to the value UserName, not Windows. In this mode the client sends its LDAP user name and password inside the SOAP message and relies on the transport to protect them, so the Core Service endpoint that uses this binding must be exposed over HTTPS; WCF refuses to start a TransportWithMessageCredential endpoint on a plain HTTP address, and the password would otherwise travel in clear text.
    4. Locate the behaviors/serviceBehaviors section, and inside the behavior element with its name attribute set to Tridion.ContentManager.ServiceHost.IISHost.CoreServiceBehavior, uncomment the following element:
      <serviceCredentials type="Tridion.Security.IdentityModel.LdapSecurityTokenCredentials, Tridion.Security,
        Version=7.1.0.52, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b">
        <userNameAuthentication customUserNamePasswordValidatorType="Tridion.Security.IdentityModel.LdapUserNamePasswordValidator,
          Tridion.Security, Version=7.1.0.52, Culture=neutral, PublicKeyToken=ddfc895746e5ee6b" userNamePasswordValidationMode="Custom" />
      </serviceCredentials>
    5. Save and close this web.config file.
  9. Restart IIS (for example, run iisreset from an elevated command prompt) so that the modified web.config files are reloaded.
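Step 8 changes several attributes spread across three sections of the Core Service web.config, and a single one left at its default (for example one basicHttpBinding still at clientCredentialType="Windows") silently keeps that endpoint on Windows authentication. The following script is an added verification example, not part of SDL Tridion: it parses a web.config with the standard library and reports which of the step 8 settings are still missing. The two embedded configuration fragments are constructed stand-ins for the file before and after the edits; they contain only the elements the procedure touches, and the assembly-qualified type names are shortened, so the checks compare the type name prefix only.

```python
"""Audit a Core Service web.config for the LDAP settings described in step 8.

Added verification example; not SDL Tridion code. Checks the attributes the
procedure tells you to change and reports the ones still at their defaults.
"""
import xml.etree.ElementTree as ET

CORE_SERVICE_BEHAVIOR = "Tridion.ContentManager.ServiceHost.IISHost.CoreServiceBehavior"
LDAP_CREDENTIALS_TYPE = "Tridion.Security.IdentityModel.LdapSecurityTokenCredentials"
LDAP_VALIDATOR_TYPE = "Tridion.Security.IdentityModel.LdapUserNamePasswordValidator"

# Constructed, minimal stand-in for %TRIDION_HOME%\webservices\web.config.
# Only the elements that step 8 touches are present; the real file has more.
TEMPLATE = """<configuration>
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
      <basicHttpBinding>
        <binding name="CoreService_basicHttpBinding">
          <security><transport clientCredentialType="{transport}" /></security>
        </binding>
        <binding name="StreamDownload_basicHttpBinding">
          <security><transport clientCredentialType="{transport}" /></security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="CoreService_wsHttpBinding">
          <security mode="{mode}"><message clientCredentialType="{message}" /></security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="Tridion.ContentManager.ServiceHost.IISHost.CoreServiceBehavior">
          {credentials}
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""

# Uncommented serviceCredentials element (assembly version details shortened).
LDAP_CREDENTIALS = (
    '<serviceCredentials type="' + LDAP_CREDENTIALS_TYPE + ', Tridion.Security">'
    '<userNameAuthentication customUserNamePasswordValidatorType="'
    + LDAP_VALIDATOR_TYPE + ', Tridion.Security" '
    'userNamePasswordValidationMode="Custom" /></serviceCredentials>'
)

# Before the edits: Windows credentials everywhere, serviceCredentials commented out.
DEFAULT_CONFIG = TEMPLATE.format(
    transport="Windows", mode="Message", message="Windows",
    credentials="<!-- serviceCredentials still commented out -->")
# After steps 8.2 to 8.4.
LDAP_CONFIG = TEMPLATE.format(
    transport="None", mode="TransportWithMessageCredential", message="UserName",
    credentials=LDAP_CREDENTIALS)


def audit_core_service_config(xml_text):
    """Return {check name: True/False} for each setting step 8 requires."""
    sm = ET.fromstring(xml_text).find("system.serviceModel")
    if sm is None:
        raise ValueError("no system.serviceModel section found")

    def attr(path, name):
        # Attribute value at an ElementTree path, or None if the element is absent.
        el = sm.find(path)
        return el.get(name) if el is not None else None

    checks = {"aspNetCompatibilityEnabled":
              attr("serviceHostingEnvironment", "aspNetCompatibilityEnabled") == "true"}
    # Step 8.2: both basicHttpBindings must stop demanding Windows transport credentials.
    for binding in ("CoreService_basicHttpBinding", "StreamDownload_basicHttpBinding"):
        path = "bindings/basicHttpBinding/binding[@name='%s']/security/transport" % binding
        checks[binding + "/transport"] = attr(path, "clientCredentialType") == "None"
    # Step 8.3: wsHttpBinding carries a UserName token protected by the transport (HTTPS).
    ws = "bindings/wsHttpBinding/binding[@name='CoreService_wsHttpBinding']/security"
    checks["CoreService_wsHttpBinding/mode"] = attr(ws, "mode") == "TransportWithMessageCredential"
    checks["CoreService_wsHttpBinding/message"] = attr(ws + "/message", "clientCredentialType") == "UserName"
    # Step 8.4: the LDAP credentials and custom password validator must be uncommented.
    cred = "behaviors/serviceBehaviors/behavior[@name='%s']/serviceCredentials" % CORE_SERVICE_BEHAVIOR
    checks["serviceCredentials"] = (attr(cred, "type") or "").startswith(LDAP_CREDENTIALS_TYPE)
    una = cred + "/userNameAuthentication"
    checks["userNameAuthentication"] = (
        attr(una, "userNamePasswordValidationMode") == "Custom"
        and (attr(una, "customUserNamePasswordValidatorType") or "").startswith(LDAP_VALIDATOR_TYPE))
    return checks


def failed_checks(xml_text):
    """Names of the step 8 settings that are not yet in the LDAP state, sorted."""
    return sorted(name for name, ok in audit_core_service_config(xml_text).items() if not ok)


if __name__ == "__main__":
    print("default config, still missing:", failed_checks(DEFAULT_CONFIG))
    print("LDAP config, still missing:   ", failed_checks(LDAP_CONFIG))
```

To audit a real server, pass the contents of %TRIDION_HOME%\webservices\web.config to failed_checks; an empty list means all six step 8 settings are in place. The script only inspects the file, so it cannot confirm the one thing TransportWithMessageCredential additionally needs, an HTTPS site binding in IIS; check that in IIS Manager before restarting.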

Results

You have configured LDAP integration in IIS: the Content Manager Web site passes requests through anonymously, and the Content Manager, WebUI and Core Service applications authenticate users against the LDAP server instead of relying on Windows authentication.