Content Server Manual / Version 2207

3.12.6 Common Customizations

The Active Directory LDAP schema has some redundancy. User names can be derived from various attributes, like sAMAccountName, userPrincipalName or mail. User domains can be derived from userPrincipalName or from the distinguished name. In a default Active Directory setup all that data is consistent, but in principle it may be ambiguous. In the latter case, you must decide which attributes are appropriate to reflect your users in CoreMedia Content Cloud.

CoreMedia Content Cloud provides two UserProviders for Active Directory to start with:

  • The SimpleActiveDirectoryUserProvider derives users' names from the sAMAccountName and domains from the DC components of the distinguished names. This is suitable for most Active Directory setups, Windows Server as well as Azure Domain Services. If you have no particular requirements with regard to user names and domains, you should start with the SimpleActiveDirectoryUserProvider.

  • The ActiveDirectoryUserProvider derives both users' names and domains from the userPrincipalName attribute, whose value has the format "name@domain".

Simple User Name Attributes

The user name attribute determines which UserProvider you should extend in order to implement your customizations. If you use sAMAccountName (which is recommended), you can simply start with the SimpleActiveDirectoryUserProvider. If you want to use another attribute that contains exactly the user's name, for example givenName, you can also use the SimpleActiveDirectoryUserProvider and configure the attribute name:

cap.server.userproviders[0].ldap.user.filter=(&(objectClass=user)(givenName=*))
cap.server.userproviders[0].ldap.user.name-attribute=givenName

The UserProviders fetch only the LDAP attributes they need. If you use additional attributes, like givenName, you must configure them as cap.server.userproviders[0].ldap.user.attributes:

cap.server.userproviders[0].ldap.user.attributes[0]=givenName

Combined Name@Domain Attributes

If you prefer the userPrincipalName, you should start with the ActiveDirectoryUserProvider, which supports the attribute format "name@domain". The domain from the attribute may differ from the domain of the distinguished name. In order to resolve this ambiguity, you must specify the UserProvider's domains explicitly to override the automatic computation from the configured base distinguished names:

cap.server.userproviders[0].ldap.domains[0]=example.org
cap.server.userproviders[0].ldap.domains[1]=other.domain.org
...

Include all user domains that may occur in userPrincipalName attributes, and all groups' domains. The latter still correspond to the distinguished names and must thus be consistent with the base distinguished names.

For another attribute of the same format (like mail), configure the attribute name:

cap.server.userproviders[0].ldap.user.filter=(&(objectClass=user)(mail=*))
cap.server.userproviders[0].ldap.user.name-attribute=mail
cap.server.userproviders[0].ldap.user.domain-attribute=mail
cap.server.userproviders[0].ldap.user.attributes[0]=mail
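
The following is an added example, not CoreMedia code: a check over exported user entries that applies the two derivations described in this section (domain from the DC components of the distinguished name, and name and domain from a "name@domain" attribute) and reports where they disagree. The entry layout, the sample data and all function names are assumptions made for this illustration.

```python
import re

SAMPLE_USERS = [  # constructed sample entries, not from a real directory
    {"dn": "CN=Alice Smith,OU=Staff,DC=example,DC=org",
     "sAMAccountName": "alice", "userPrincipalName": "alice@example.org"},
    {"dn": "CN=Bob\\, Jr.,OU=Staff,DC=example,DC=org",
     "sAMAccountName": "bob", "userPrincipalName": "bob@other.domain.org"},
    {"dn": "CN=Carol,OU=Ext,DC=example,DC=org",
     "sAMAccountName": "carol", "userPrincipalName": ""},
]

def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    return re.findall(r"(?:\\.|[^,\\])+", dn)

def dn_domain(dn):
    """Domain from the DC components: DC=example,DC=org -> example.org."""
    dcs = [r.split("=", 1)[1].strip() for r in split_rdns(dn)
           if r.strip().upper().startswith("DC=")]
    return ".".join(dcs).lower()

def audit(users):
    """Return (mismatches, missing_upn, domains) for a list of user entries."""
    mismatches, missing, domains = [], [], set()
    for u in users:
        from_dn = dn_domain(u["dn"])
        domains.add(from_dn)  # groups' domains still follow the DNs
        name, sep, from_upn = (u.get("userPrincipalName") or "").lower().rpartition("@")
        if not sep or not name:
            missing.append(u["sAMAccountName"])  # no usable name@domain value
            continue
        domains.add(from_upn)
        if from_upn != from_dn:
            mismatches.append((u["sAMAccountName"], from_dn, from_upn))
    return mismatches, missing, sorted(domains)

def domain_properties(domains, provider=0):
    """Render an explicit domain list in the property format shown on this page."""
    return [f"cap.server.userproviders[{provider}].ldap.domains[{i}]={d}"
            for i, d in enumerate(domains)]

if __name__ == "__main__":
    mism, miss, doms = audit(SAMPLE_USERS)
    print(mism, miss, *domain_properties(doms), sep="\n")
```

Entries reported as mismatched are the ones for which the explicit domains list matters when the userPrincipalName is used; entries without a usable value would need attention before switching away from sAMAccountName.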
