Configuring Directory Services
To enable the Content Manager server to correctly identify any number of LDAP servers and perform the required queries, configure the Directory Services settings in the Tridion.ContentManager.config file.
Procedure
- On the Content Manager server, go to the config\ subfolder of %TRIDION_HOME%.
- Open Tridion.ContentManager.config for editing.
- Find the tridion.security section.
- If this is the first Directory Service you are configuring in this file, create a subelement within tridion.security called directoryServices.
- Within the directoryServices element, create a new subelement called add, and give it the following attributes:

| Attribute | Description of value |
| --- | --- |
| name | The name that Content Manager uses to identify a set of configuration values that represent an LDAP server and its contents. This name identifies the location of the users and forms part of the information needed to configure a mapping between an LDAP group and a Content Manager User Group. |
| ldapServers | The DNS (host) name or IP address of the LDAP server. If you wish to use LDAP over SSL, this must be a fully qualified name. |
| portNumber | The port number (typically 389 for LDAP, 636 for LDAPS). |
| useSSL | Give this attribute the value true if you want a secure connection to the LDAP server, false otherwise. Note that this requires ldapServers to be set to the fully qualified name of the LDAP server. |
| searchAccount | The DN of the LDAP administration user. |
| searchAccountPassword | The LDAP administration user's password. |
| userBaseDN | The base of the subtree search that should be performed for users. |
| usernameAttribute | The attribute of a user's entry in the LDAP server that holds the identity the user provides when logging in (for example, on an iPlanet server this would be uid). |
| userFullNameAttribute | The attribute on the LDAP server that you want to use as the description on the Content Manager server. This is only relevant if you use group sync; however, a value must appear in this field. |
| groupBaseDN | The base of the subtree search that should be performed for groups. |
| groupMemberAttribute | The multivalued attribute of the group entry in LDAP that contains the distinguished names of the users who are members of that group. For example, on iPlanet this attribute is uniqueMember. |
| additionalAttributes | Use this optional property to specify additional claim set properties of a user. This setting is for future use, possibly by add-on products. Content Manager ignores this setting for now. |
| domainSeparator | The character used by this directory service as the domain separator (':' is a typical value). This character cannot be an uppercase or lowercase letter, a digit, or a tab (\t), carriage return (\r) or newline (\n) character. |
| userFilter | Use this optional property to filter out non-physical 'users' such as printers or computers by setting it to a value such as (sAMAccountType=805306368). |

For example, your add element could end up looking like this:

```xml
<directoryServices>
  <add name="MYCOMPANY"
       ldapServers="example.mycompany.corp"
       portNumber="389"
       useSSL="false"
       searchAccount="global\mtsuser"
       searchAccountPassword="EXAMPLEPASSWORD"
       userBaseDN="ou=employees,OU=Kinshasa,DC=example,DC=mycompany,DC=corp"
       usernameAttribute="ExampleAccountName"
       userFullNameAttribute="cn"
       groupBaseDN="OU=Groups,OU=Kinshasa,DC=example,DC=mycompany,DC=corp"
       groupMemberAttribute="member"
       additionalAttributes="(ExampleAccountType=805306368)"
       domainSeparator="\"
       userFilter="(ExampleAccountType=805306368)" />
</directoryServices>
```

- Optional: To enable the deprecated Group Synchronization option for Content Manager user groups, configure the allowAutomaticUserCreation setting. Note: This parameter applies only if you are configuring the Content Manager user interface (Classic) for LDAP using the deprecated, direct configuration method. If you are configuring the user interface for LDAP using Access Management, group synchronization is defined through a group mapping process that does not use this setting.
  - Find the section called tridion.contentmanager.security.
  - Locate the allowAutomaticUserCreation parameter. If the parameter is not present, add it.
  - Set the value to true.
- Save and close Tridion.ContentManager.config.
- Restart IIS and COM+ to apply these new settings.
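As an added example (not part of the original documentation and not Tridion's own tooling), the following Python script parses a constructed fragment of Tridion.ContentManager.config and checks each directoryServices/add element against the constraints the procedure states: the mandatory attributes are present and non-empty, useSSL="true" is paired with a fully qualified ldapServers name rather than an IP address, portNumber is consistent with useSSL, domainSeparator is a single character that is not a letter, digit or whitespace, and userFilter is a balanced LDAP filter. The element and attribute names are taken from the page; the two sample services, their values and the helper function names are assumptions constructed for this example.

```python
"""Sanity-check the <directoryServices> section of Tridion.ContentManager.config
against the constraints stated in the configuration procedure (added example)."""
from __future__ import annotations

import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample fragment of Tridion.ContentManager.config; not a real deployment.
# MYCOMPANY is configured correctly, BADEXAMPLE violates several documented rules.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <tridion.security>
    <directoryServices>
      <add name="MYCOMPANY" ldapServers="example.mycompany.corp" portNumber="636" useSSL="true"
           searchAccount="cn=svc-ldap,ou=Service Accounts,dc=example,dc=mycompany,dc=corp"
           searchAccountPassword="EXAMPLEPASSWORD"
           userBaseDN="ou=employees,dc=example,dc=mycompany,dc=corp"
           usernameAttribute="sAMAccountName" userFullNameAttribute="cn"
           groupBaseDN="ou=Groups,dc=example,dc=mycompany,dc=corp"
           groupMemberAttribute="member" domainSeparator=":"
           userFilter="(sAMAccountType=805306368)" />
      <add name="BADEXAMPLE" ldapServers="10.0.0.5" portNumber="389" useSSL="true"
           searchAccount="cn=admin,dc=example,dc=corp" searchAccountPassword=""
           userBaseDN="dc=example,dc=corp" usernameAttribute="uid"
           groupBaseDN="dc=example,dc=corp" groupMemberAttribute="uniqueMember"
           domainSeparator="a" />
    </directoryServices>
  </tridion.security>
</configuration>
"""

# Attributes the procedure describes as mandatory; additionalAttributes and
# userFilter are optional and are only checked when present.
REQUIRED_ATTRIBUTES = (
    "name", "ldapServers", "portNumber", "useSSL", "searchAccount",
    "searchAccountPassword", "userBaseDN", "usernameAttribute",
    "userFullNameAttribute", "groupBaseDN", "groupMemberAttribute", "domainSeparator",
)


def is_fqdn(host: str) -> bool:
    """True for a dotted host name; False for an IP literal or a bare short name."""
    try:
        ipaddress.ip_address(host)
        return False  # an IP address is not acceptable when useSSL="true"
    except ValueError:
        pass
    return bool(re.fullmatch(r"(?=.{1,253}$)([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+", host))


def is_balanced_filter(flt: str) -> bool:
    """Cheap structural check for an LDAP filter such as (sAMAccountType=805306368)."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and flt.startswith("(") and flt.endswith(")")


def check_directory_service(add: ET.Element) -> list[str]:
    """Return the findings for one <add> element; an empty list means it passes."""
    name = add.get("name") or "<unnamed>"
    findings: list[str] = []
    for attr in REQUIRED_ATTRIBUTES:
        if not add.get(attr):  # missing attribute or empty string
            findings.append(f"{name}: required attribute '{attr}' is missing or empty")

    use_ssl = (add.get("useSSL") or "").lower()
    if use_ssl not in ("true", "false"):
        findings.append(f"{name}: useSSL must be 'true' or 'false', got '{use_ssl}'")

    host = add.get("ldapServers") or ""
    if use_ssl == "true" and host and not is_fqdn(host):
        findings.append(f"{name}: useSSL='true' requires ldapServers to be a fully qualified name, got '{host}'")

    port_text = add.get("portNumber") or ""
    if port_text.isdigit() and 1 <= int(port_text) <= 65535:
        port = int(port_text)
        if use_ssl == "true" and port == 389:
            findings.append(f"{name}: useSSL='true' but portNumber is 389, the plaintext LDAP default (LDAPS is typically 636)")
        if use_ssl == "false" and port == 636:
            findings.append(f"{name}: useSSL='false' but portNumber is 636, the LDAPS default")
    elif port_text:
        findings.append(f"{name}: portNumber '{port_text}' is not a valid TCP port")

    sep = add.get("domainSeparator") or ""
    if sep and (len(sep) != 1 or sep.isalnum() or sep in "\t\r\n"):
        findings.append(f"{name}: domainSeparator '{sep}' must be a single character that is not a letter, digit, tab, CR or LF")

    flt = add.get("userFilter")
    if flt is not None and not is_balanced_filter(flt):
        findings.append(f"{name}: userFilter '{flt}' is not a well-formed LDAP filter")
    return findings


def validate_config(xml_text: str) -> dict[str, list[str]]:
    """Map every directory service name in the config to its list of findings."""
    root = ET.fromstring(xml_text)
    results: dict[str, list[str]] = {}
    for security in root.iter("tridion.security"):
        for services in security.findall("directoryServices"):
            for add in services.findall("add"):
                name = add.get("name") or "<unnamed>"
                findings = check_directory_service(add)
                if name in results:
                    findings.append(f"{name}: duplicate directory service name")
                results[name] = results.get(name, []) + findings
    return results


if __name__ == "__main__":
    for service, issues in validate_config(SAMPLE_CONFIG).items():
        print(f"{service}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against the real file before restarting IIS and COM+, so that a mismatch such as useSSL="true" with an IP address in ldapServers is caught before the service fails to bind. Because searchAccountPassword sits in clear text in this file, treat Tridion.ContentManager.config as a secret: restrict read access to the service identity and administrators, and keep copies out of widely readable backups or version control.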