In order to connect an LDAP server to CMS Fiona, please first
configure the required connectors by specifying their configuration file in the
configuration file. Make sure that the connector configuration file is
complete and its contents are correct. Please also read the Notes on Configuring LDAP.
Then check and adapt the connector script used. It is located in the
The LDAP integration can now be tested, for example by calling the Tcl
checking their results.
If the group names of the connected servers are not returned, enable logging using the following command:
CM -single % ::usermanager::type::handler::client::activateDebugging [level]
Here is an example:
% ::usermanager::live::ldap::client::activateDebugging
% ::usermanager::editorial::ldap::client::activateDebugging
Then execute the commands once more and check the logs again.
If no connection is established, please check the server names and name
resolution as well as the ports and other parameters relevant to the
network connection. If the users and groups returned or their access
permissions are not what you expected, check whether the LDAP parameters
set in the configuration file specified in the
userManagement.xml file correspond to the configuration of the
server (see also the next section).
An LDAP user login (DN = distinguished name) can be described like in the following example:
In the CMS system configuration this is specified using
userSearchBase. Groups have the following format:
groupIdColName is the first
members of a group are defined using
uniqueMember attributes, each of them
specifying a single user-DN. This means that
uniqueMember can occur more than once. From
version 6.5.0, the attribute used for specifying the group
membership of users can be configured by means of the
groupToUserRelationAttribute entry in the LDAP
configuration file (for example
Some user and group parameters in the Content Manager correspond to
attributes or entries in LDAP which are queried instead (for example,
realName in the Content Manager is
cn in LDAP).
The value of the
users parameter is queried using
uniqueMember*. This is done in the Content Manager’s interface to the user manager.
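The mapping described above (users found below the user search base, groups whose members are listed as one DN per occurrence of the membership attribute, realName taken from cn) is easy to get wrong when the attribute configured as groupToUserRelationAttribute does not match what the server actually stores, which is exactly the "users and groups returned are not what you expected" case from the troubleshooting notes. The following Python script is an added example, not part of CMS Fiona or its documentation: it parses a small, constructed LDIF snippet and resolves users and group memberships the way the page describes, reporting member DNs that point at no known user. The search-base strings and the sample directory content are assumptions made for the example; only the attribute names uniqueMember, cn, uid and the parameter name groupToUserRelationAttribute come from the page.

```python
"""Resolve user and group records from LDAP entries (added example, not CMS Fiona code).

The mapping follows the page: realName <- cn, group members <- one DN per
occurrence of the group-to-user relation attribute (uniqueMember by default).
"""
from collections import defaultdict

# Constructed sample directory content in LDIF form (not a real directory).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
cn: Bob Example

dn: cn=editors,ou=groups,dc=example,dc=org
objectClass: groupOfUniqueNames
cn: editors
uniqueMember: uid=alice,ou=people,dc=example,dc=org
uniqueMember: uid=bob,ou=people,dc=example,dc=org

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=alice,ou=people,dc=example,dc=org
uniqueMember: uid=ghost,ou=people,dc=example,dc=org
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into {dn: {attr: [values]}}.

    Attribute names are lowercased because LDAP attribute names are case-insensitive;
    repeated attributes such as uniqueMember accumulate into a list.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        current[attr].append(value)
    return entries


def in_base(dn, base):
    """True if dn lies directly or indirectly below the search base (case-insensitive)."""
    return dn.lower().endswith("," + base.lower())


def resolve(entries, user_search_base, group_search_base,
            group_to_user_relation_attribute="uniqueMember"):
    """Return (users, groups, dangling).

    users:    {user DN: {"login": uid, "realName": cn}}
    groups:   {group cn: [login, ...]} resolved through the configured relation attribute
    dangling: [(group cn, member DN)] for member DNs that match no user below the user base;
              a long dangling list usually means the search base or the relation attribute
              in the LDAP configuration does not match the server.
    """
    relation_attr = group_to_user_relation_attribute.lower()
    users = {}
    for dn, attrs in entries.items():
        if in_base(dn, user_search_base):
            users[dn] = {"login": attrs["uid"][0], "realName": attrs["cn"][0]}
    groups = {}
    dangling = []
    for dn, attrs in entries.items():
        if not in_base(dn, group_search_base):
            continue
        group_name = attrs["cn"][0]
        logins = []
        # .get() avoids creating an empty list in the defaultdict for missing attributes
        for member_dn in attrs.get(relation_attr, []):
            if member_dn in users:
                logins.append(users[member_dn]["login"])
            else:
                dangling.append((group_name, member_dn))
        groups[group_name] = logins
    return users, groups, dangling


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    users, groups, dangling = resolve(entries, "ou=people,dc=example,dc=org",
                                      "ou=groups,dc=example,dc=org")
    for dn, u in users.items():
        print("user", u["login"], "realName:", u["realName"])
    for name, members in groups.items():
        print("group", name, "members:", members)
    for name, dn in dangling:
        print("WARNING: group", name, "references unknown user", dn)
```

Running the script with a membership attribute the server does not use (for example `group_to_user_relation_attribute="member"` against the groupOfUniqueNames entries above) yields groups with empty member lists and no warnings, which is the silent symptom the troubleshooting notes describe; comparing the dangling list against the configured search bases is the quickest way to tell a wrong base from a wrong attribute.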
In this interface and in the LDAP server configuration, permissions and
their checking can easily be implemented (by using additional fields). In
the supplied version of the interface file no groups exist. The only user
configured is the
root user, who has the state of a superuser
and is thus granted all permissions.
For the editorial system the
internal connector is used,
none for the live server.
internal causes the
internal user manager of the Content Manager to be used, while
none ignores user data and thus returns nothing.
none must not be specified for the editorial system.