Content Server Manual / Version 2404
CoreMedia CMS ships with a com.coremedia.ldap.UserProvider implementation for accessing Microsoft's Active Directory Server: com.coremedia.ldap.ad.SimpleActiveDirectoryUserProvider. To use it, configure the following.
Note

If you are migrating from an earlier version of CoreMedia Content Cloud, you will have noticed that the SimpleActiveDirectoryUserProvider is new. The ActiveDirectoryUserProvider is still available, no action is required for existing projects, and the following configuration steps are the same for both UserProviders.

The ActiveDirectoryUserProvider works only with Windows Server Active Directory, while the SimpleActiveDirectoryUserProvider is also suitable for Azure Domain Services. The two UserProviders are compatible if the userPrincipalName attribute is equivalent to the sAMAccountName and to the distinguished name of users. While this is the case in Windows Server Active Directory with default configuration, it does not hold for Azure Domain Services. Therefore, CoreMedia introduces the new sAMAccountName-based SimpleActiveDirectoryUserProvider, because the userPrincipalName in Azure Domain Services is not suitable for this purpose.

Our recommendation is to use the SimpleActiveDirectoryUserProvider in new projects, and to use the ActiveDirectoryUserProvider:
- in existing projects (in order to avoid any risk), and
- if you definitely favor the userPrincipalName over the sAMAccountName.
Tell the Content Server to use an Active Directory Server for authentication by configuring the following properties. (If you configure multiple UserProviders, take care to use the correct index numbers in the property keys; a trailing backslash continues a property value on the next line.)

1. Select the UserProvider implementation:

   cap.server.userproviders[0].provider-class=\
     com.coremedia.ldap.ad.SimpleActiveDirectoryUserProvider

2. Set the environment-specific Active Directory Server properties as follows:

   a. Set your Active Directory Server's host (and port, if it deviates from the standard ports: 389 for LDAP, 636 for LDAPS):

      cap.server.userproviders[0].ldap.host=<your-active-directory-server-host>

   b. Set the distinguished name and password of the account the Content Server binds with, for example your Administrator's:

      cap.server.userproviders[0].java.naming.security.principal=\
        CN=Administrator,CN=Users,DC=your,DC=domain
      cap.server.userproviders[0].java.naming.security.credentials=<password>

      The Content Server only needs to read users and groups, so a dedicated, low-privileged service account is preferable to the domain Administrator. The password is stored in clear text in the properties file, so restrict read access to that file.

   c. Define the base distinguished names where the UserProvider may find users and groups. You can define more than one base distinguished name by entries of increasing index for base-distinguished-names (see also Section 3.12.3, “LdapUserProvider”):

      cap.server.userproviders[0].ldap.base-distinguished-names[0]=\
        CN=Users,DC=your,DC=domain

3. Activate the hox.corem.login.LdapLoginModule in properties/corem/jaas.conf: at the end of the file you will find a section defining the needed login module. Activate it by removing the comment markers. Set the host and port of your Active Directory Server in the corresponding attributes of the login module, and set the domain beneath which your user accounts are stored, that is, the domain you chose in step 2.c above.
Note

The above description applies to Windows Server 2008 and newer. If you use Azure Domain Services instead, the default location of users and groups is OU=AADDC Users rather than CN=Users. This affects steps 2.b and 2.c.
If you are using an Azure Domain Service or if your Windows Server Active Directory is restricted to LDAPS, proceed with the next section, "Connecting LDAP Over SSL".
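The steps above collected into one complete property set, as an added example that is not part of the CoreMedia documentation. The host name ad.your.domain, the service account CN=cms-ldap-reader and the second base DN OU=Editors are assumed placeholders, not values from the manual. The Azure Domain Services variant at the end follows the note above (OU=AADDC Users instead of CN=Users) and is commented out so that only one of the two settings is active at a time.

```properties
# Added example, not from the CoreMedia manual: one SimpleActiveDirectoryUserProvider
# bound against a Windows Server Active Directory. A trailing backslash continues the
# value on the next line; Java's properties format drops the leading whitespace of the
# continuation line.
cap.server.userproviders[0].provider-class=\
  com.coremedia.ldap.ad.SimpleActiveDirectoryUserProvider

# Host of the directory server (placeholder). Add the port only if it deviates from
# 389 (LDAP) or 636 (LDAPS).
cap.server.userproviders[0].ldap.host=ad.your.domain

# Bind account. "cms-ldap-reader" is an assumed, read-only service account used instead
# of the domain Administrator shown in the manual; the password is stored in clear text
# here, so keep this file readable only by the Content Server's user.
cap.server.userproviders[0].java.naming.security.principal=\
  CN=cms-ldap-reader,CN=Users,DC=your,DC=domain
cap.server.userproviders[0].java.naming.security.credentials=<password>

# Base DNs searched for users and groups; entries use increasing indexes.
# OU=Editors is an assumed second search base.
cap.server.userproviders[0].ldap.base-distinguished-names[0]=\
  CN=Users,DC=your,DC=domain
cap.server.userproviders[0].ldap.base-distinguished-names[1]=\
  OU=Editors,DC=your,DC=domain

# Azure Domain Services variant (steps 2.b and 2.c change): users and groups live under
# OU=AADDC Users rather than CN=Users. Uncomment these two properties and comment out the
# matching ones above; the other properties stay the same.
#cap.server.userproviders[0].java.naming.security.principal=\
#  CN=cms-ldap-reader,OU=AADDC Users,DC=your,DC=domain
#cap.server.userproviders[0].ldap.base-distinguished-names[0]=\
#  OU=AADDC Users,DC=your,DC=domain
```

With Azure Domain Services, or with a Windows Server Active Directory that only accepts LDAPS, this property set alone is not enough: the simple bind sends the password in clear text over port 389, so the TLS configuration from the next section is required as well.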
Before you can use your Active Directory accounts within your CoreMedia CMS, you have to define rules for all the groups your CMS users may be members of. You have to do this as the user admin. Remember that none of the CoreMedia system users are administered within Active Directory or any other LDAP server; they exist only inside the CoreMedia system itself. Thus, you must not choose any domain when logging into the CoreMedia CMS as user admin.