Content Server Manual / Version 2307
Table Of Contents
The Active Directory LDAP schema has some redundancy. User names can be derived from various attributes,
like sAMAccountName
, userPrincipalName
or mail
. User domains can be derived
from userPrincipalName
or from the distinguished name. In a default Active Directory
setup all that data is consistent, but in principle it may be ambiguous. In the latter case, you must decide which
attributes are appropriate to reflect your users in CoreMedia Content Cloud.
CoreMedia Content Cloud provides two UserProviders for Active Directory to start over with:
The
SimpleActiveDirectoryUserProvider
derives users' names from thesAMAccountName
and domains from theDC
components of the distinguished names. This is suitable for most Active Directory setups, Windows Server as well as Azure Domain Services. If you have no particular requirements with regards to user names and domains, you should start over with theSimpleActiveDirectoryUserProvider
.The
ActiveDirectoryUserProvider
derives both, users' names and domains, from theuserPrincipalName
attribute, whose value has the format "name@domain".
Simple User Name Attributes
The user name attribute determines which UserProvider you should extend in order to implement your
customizations. If you use sAMAccountName
(which is recommended), you can simply start over with
the SimpleActiveDirectoryUserProvider
. If you want to use another attribute that contains
exactly the user's name, for example givenName
, you can also use the
SimpleActiveDirectoryUserProvider
and configure the attribute name:
cap.server.userproviders[0].ldap.user.filter=(&(objectClass=user)(givenName=*)) cap.server.userproviders[0].ldap.user.name-attribute=givenName
The UserProviders fetch only the LDAP attributes they need. If you use additional attributes,
like givenName
, you must
configure them as cap.server.userproviders[0].ldap.user.attributes
.
cap.server.userproviders[0].ldap.user.attributes[0]=givenName
Combined Name@Domain Attributes
If you prefer the userPrincipalName
, you should start with the
ActiveDirectoryUserProvider
, which supports the attribute format "name@domain".
The domain from the attribute may differ from the domain of the distinguished name. In order
to resolve this ambiguity, you must specify the
UserProvider's domains explicitly to override the automatic computation from the configured
base distinguished names:
cap.server.userproviders[0].ldap.domains[0]=example.org cap.server.userproviders[0].ldap.domains[1]=other.domain.org ...
Include all user domains that may occur in userPrincipalName
attributes, and all
groups' domains. The latter still correspond to the distinguished names and must thus be consistent
with the base distinguished names.
For another attribute of the same format (like mail
) configure the attribute name:
cap.server.userproviders[0].ldap.user.filter=(&(objectClass=user)(mail=*)) cap.server.userproviders[0].ldap.user.name-attribute=mail cap.server.userproviders[0].ldap.user.domain-attribute=mail cap.server.userproviders[0].ldap.user.attributes[0]=mail