Documentum Administrator - OpenLDAP Integration

rana

How can I integrate DA to authenticate against an OpenLDAP server?

OpenLDAP is not supported by Documentum, so how may I achieve this?

We are ready to implement any custom connector, if pointed to the correct tech papers.

Please help!!

regards,

Rana

Find more posts tagged with

Comments

bacham

The company I previously worked for also had an unsupported LDAP server. We wrote our own LDAP synchronisation job (dm_job in Java) to synchronise users and groups + we customised the dm_check_password program for authentication. For authentication, the right way to do it nowadays would be to implement an authentication plugin. This has to be a Windows DLL or Unix shared library depending on the Content Server platform, so you will write this usually in C/C++. This is all documented and samples are available under $DM_HOME\install\external_apps\authplugins.

Hicham

rana

Thanks for the info, Bacham.

Does the attached doc (Server Authentication, by Michael Roth) elaborate correctly?

I am still looking for a pure Java implementation.

Basically there are 3 parts to the problem:

1) Synchronization of users and roles into Documentum from LDAP

I assume we need to implement the dm_job program. The documentation explains how to do it in c++. Is there a java solution available?

2) Authentication against LDAP store

This may be achieved by customising the dm_checkpasswd program. I just wish that the customization was possible in java.

3) Single-Sign-On

Any idea on this? We have multiple applications running on a single Weblogic server domain with SSO configured. It was pretty easy since every application delegates authentication to the application container, and uses the same user principal. I have a OpenLDAP provider configured in the Weblogic security realm of the domain.

My Documentum DA, webtop and Web Publisher applications are running on a weblogic server instance running on a different machine.

regards,

Rana

bacham

Yes it does.

1) Correct, it would be a dm_job but not in C++ (unless you absolutely want to). I don't know what you are refering to when you say the documentation tells you to do it in C++. Typically, this is written in Java and running on the Java Method Server.

2) This authentication plugin has to run in the Content Server process space, so it has to be native code. Theoretically, you could write a standalone Java program as a subsitiution for the dm_check_password program but it would perform poorly (especially launchin a JVM for each connect is expensive).

3) You can configure you Webtop to use principal based authentication. Very easy.

Hicham

johan.philippe

We are also looking for a Java only integration and this is what we found out for the moment:

It is possible to 'manually create' the LDAP server entry using the EMC Documentum IAPI.
Since OpenLDAP is so similar to the supported 'Sun One/Netscape/iPlanet Directory Server' we configured it as such (setting a_application_type=netscape)
We got the standard job running, but not with satisfactory result. That's because the unique ID in OpenLDAP (uniqueid) is different from Sun One (nsuniqueid). So we end up with only a single user from the LDAP synchronisation.
We don't seem to need to customise dm_checkpasswd, since that part of the existing implementation seems compatible.
We do need to have a custom synch job.

FYI, here are the commands used to add the LDAP server:

API> create,s0,dm_ldap_config API> set,s0,last,object_name SET> ldap_development API> set,s0,last,ldap_host SET> ldap.host.name API> set,s0,last,port_number SET> 389 API> set,s0,last,bind_dn SET> cn=Manager,o=domain.com API> set,s0,last,bind_pwd SET> passwd API> set,s0,last,bind_type SET> bind_search_dn API> save,s0,last

API> set,s0,last,a_application_type SET> netscape API> save,s0,last

API> set,s0,last,map_attr[0] SET> user_name API> set,s0,last,map_val[0] SET> displayName API> set,s0,last,map_val_type[0] SET> A API> set,s0,last,map_attr_type[0] SET> dm_user API> save,s0,last

rana

Hi Bacham,

You can configure you Webtop to use principal based authentication. Very easy.

Can you elaborate on this one?

I tried running Webtop with various authentication method:

BASIC

CLIENT-CERT (after setting up cross-domain SSO)

but they did not work.

regards,

Rana

bacham

This is all documented in the WDK Developer's guide (search for "Principal Authentication"). Have a look at it.

Hicham

EJouvin

Just in case, I had to work on unsupported LDAP integration.

We achieve that wihout any JAVA code nor delegate authenticate program.

I wrote some page about LDAP and Documentum at that link: http://www.jouvinio.net/wiki/index.php/Documentum_Configuration_LDAP

Sorry, this is in French... but may help

Etienne Jouvin

www.amexio.fr

bacham2

Actually, in the meantime, I also had to configure a connexion to OpenLDAP for a Content Server 6.5 SP2 and it did work without any problems (just the authentication part; didn't try the sync job).

Just be aware that it's not supported. I would think twice before using this in production.

EJouvin

That's what I wrote in the post, the support is lost....

Anyway, configuring OpenLDAP on Content Server is not supported also

I am using it on production and it is working like a charm. I am just crossing fingers in case of.... But that's the funny part.

Creating the dm_ldap_config is not the worse part of the job... except using DA that I really do not like.. but this is my though.

Etienne Jouvin