Configuring Directory Services

You can configure directory services in the tridion.security section of the Content Manager configuration file, Tridion.ContentManager.config. This enables the Content Manager to identify any number of LDAP servers and perform the required queries against them.

Procedure

  1. On the Content Manager server, go to the config\ subfolder of %TRIDION_HOME%.
  2. Open Tridion.ContentManager.config for editing.
  3. Find the tridion.security section.
  4. If this is the first Directory Service you are configuring in this file, create a subelement within tridion.security called directoryServices.
  5. Within the directoryServices element, create a new subelement called add, and give it the following attributes:
    Attribute | Description of value
    --------- | --------------------
    name | The name that Content Manager uses to identify a set of configuration values that represent an LDAP server and its contents. This name identifies the location of the users and forms part of the information needed to configure a mapping between an LDAP group and a Content Manager User Group.
    ldapServers | The DNS (host) name or IP address of the LDAP server. If you wish to use LDAP over SSL, this must be a fully qualified name.
    portNumber | The port number (typically 389 for LDAP, 636 for LDAPS).
    useSSL | Give this attribute the value true if you want a secure connection to the LDAP server, false otherwise. Note that this requires ldapServers to be set to the fully qualified name of the LDAP server.
    searchAccount | The DN of the LDAP administration user.
    searchAccountPassword | The password of the LDAP administration user.
    userBaseDN | The base DN of the subtree in which users are searched for.
    usernameAttribute | The attribute of a user's entry in the LDAP server that holds the identity the user provides when logging in (for example, on an iPlanet server this would be uid).
    userFullNameAttribute | The attribute on the LDAP server that you want to use as the description on the Content Manager server. This is only relevant if you use group synchronization; however, a value must be given.
    groupBaseDN | The base DN of the subtree in which groups are searched for.
    groupMemberAttribute | The multivalued attribute of the group entry in LDAP that contains the distinguished names of the users who are members of that group. For example, on iPlanet this attribute is uniqueMember.
    additionalAttributes | Use this optional property to specify additional claim set properties of a user. This setting is reserved for future use, possibly by add-on products. Content Manager currently ignores it.
    domainSeparator | The character used by this directory service as the domain separator (':' is a typical value). This character cannot be any uppercase or lowercase letter, any digit, nor a tab (\t), carriage return (\r) or newline (\n) character.
    userFilter | Use this optional property to filter out non-physical 'users' such as printers or computers by setting it to a value such as (sAMAccountType=805306368).
    For example, your add element could end up looking like this:

    <directoryServices>
      <add name="MYCOMPANY" ldapServers="example.mycompany.corp" portNumber="389"
           useSSL="false" searchAccount="global\mtsuser" searchAccountPassword="EXAMPLEPASSWORD"
           userBaseDN="ou=employees,OU=Kinshasa,DC=example,DC=mycompany,DC=corp"
           usernameAttribute="ExampleAccountName" userFullNameAttribute="cn"
           groupBaseDN="OU=Groups,OU=Kinshasa,DC=example,DC=mycompany,DC=corp"
           groupMemberAttribute="member" additionalAttributes="(ExampleAccountType=805306368)"
           domainSeparator="\" userFilter="(ExampleAccountType=805306368)" />
    </directoryServices>

  6. If you want to enable group synchronization, find the section called tridion.contentmanager.security in the same file and ensure that it contains an allowAutomaticUserCreation setting with the value true.
  7. Save and close Tridion.ContentManager.config.
  8. Restart IIS and COM+ to apply these new settings.
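Because a mistake in this section (for instance useSSL="true" with an IP address in ldapServers, or an invalid domainSeparator) only shows up at login time, it helps to check the file before restarting IIS. The following script is an added example and is not part of the product or its documentation: it parses the directoryServices element with Python's standard library and applies the rules from the attribute table above. The sample configuration embedded in it is constructed for the example (the second entry deliberately contains several mistakes); the file path, entry names and LDAP values are assumptions.

```python
"""Lint the <directoryServices> entries of a Tridion.ContentManager.config.

Added example, not product code. The rules come from the attribute table above:
required attributes, useSSL needing a fully qualified ldapServers value,
the usual port per transport, and the domainSeparator character restrictions.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Attributes the table does not mark optional (additionalAttributes, userFilter are optional).
REQUIRED = (
    "name", "ldapServers", "portNumber", "useSSL", "searchAccount",
    "searchAccountPassword", "userBaseDN", "usernameAttribute",
    "userFullNameAttribute", "groupBaseDN", "groupMemberAttribute", "domainSeparator",
)

# Constructed sample: first entry mirrors the documentation example, second entry is wrong on purpose.
SAMPLE_CONFIG = """<configuration>
  <tridion.security>
    <directoryServices>
      <add name="MYCOMPANY" ldapServers="example.mycompany.corp" portNumber="389"
           useSSL="false" searchAccount="global\\mtsuser" searchAccountPassword="EXAMPLEPASSWORD"
           userBaseDN="ou=employees,OU=Kinshasa,DC=example,DC=mycompany,DC=corp"
           usernameAttribute="ExampleAccountName" userFullNameAttribute="cn"
           groupBaseDN="OU=Groups,OU=Kinshasa,DC=example,DC=mycompany,DC=corp"
           groupMemberAttribute="member" domainSeparator="\\"
           userFilter="(ExampleAccountType=805306368)" />
      <add name="PARTNER" ldapServers="10.0.0.5" portNumber="636"
           useSSL="true" searchAccount="cn=svc,dc=partner,dc=example" searchAccountPassword="x"
           userBaseDN="ou=people,dc=partner,dc=example" usernameAttribute="uid"
           userFullNameAttribute="cn" groupBaseDN="ou=groups,dc=partner,dc=example"
           groupMemberAttribute="uniqueMember" domainSeparator="a" userFilter="uid=*" />
    </directoryServices>
  </tridion.security>
</configuration>
"""


def is_fqdn(host):
    """True for a dotted host name; False for an IP literal or a bare short name."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.split(".")
    return len(labels) >= 2 and all(labels)


def check_entry(add):
    """Return the list of findings for one <add> element (empty list means clean)."""
    a = add.attrib
    findings = []
    for attr in REQUIRED:
        if not a.get(attr):
            findings.append(f"missing required attribute '{attr}'")
    use_ssl = a.get("useSSL", "").lower() == "true"
    host = a.get("ldapServers", "")
    if not use_ssl:
        findings.append("useSSL is false: bind credentials and directory data cross the network unencrypted")
    elif host and not is_fqdn(host):
        findings.append("useSSL is true but ldapServers is not a fully qualified name")
    port = a.get("portNumber", "")
    if port.isdigit():
        expected = "636" if use_ssl else "389"
        if port != expected:
            findings.append(f"portNumber {port} is unusual for useSSL={str(use_ssl).lower()} (typically {expected})")
    else:
        findings.append("portNumber is not numeric")
    sep = a.get("domainSeparator", "")
    if len(sep) != 1 or sep.isalnum() or sep in "\t\r\n":
        findings.append("domainSeparator must be one character that is not a letter, digit, tab, CR or LF")
    user_filter = a.get("userFilter")
    if user_filter is not None and not (user_filter.startswith("(") and user_filter.endswith(")")):
        findings.append("userFilter should be a parenthesised LDAP filter such as (sAMAccountType=805306368)")
    if a.get("searchAccountPassword"):
        findings.append("searchAccountPassword is stored in clear text: restrict the file's ACL")
    return findings


def lint_config(xml_text):
    """Map each directory service name to its findings."""
    root = ET.fromstring(xml_text)
    return {add.get("name", "<unnamed>"): check_entry(add)
            for add in root.findall(".//directoryServices/add")}


if __name__ == "__main__":
    # Pass a path to lint a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, findings in lint_config(text).items():
        print(f"[{name}] {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The script is read-only and does not contact any LDAP server; it only reports what the table's rules imply for each entry, so the clear-text password finding is informational and will appear for every entry.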