Integrate UCM (ECM/Content Server) with Microsoft Active Directory as LDAP Provider

    Posted by "" in "AD, UCM" on 2010-06-01


Content Server is a key component of Oracle Enterprise Content Management (ECM), or Universal Content Management (UCM). More on UCM's architecture here.

If you are new to security in UCM, check Groups and Accounts here.

In this post I'll show you how to configure UCM with Active Directory as an LDAP Provider for external security. (Note: this integration process, Active Directory as LDAP Provider, is different from direct AD integration.)

    Things good to know for UCM integration with External Security

1. Content Server provides the following security options:
a) Internal Security – the default configuration, where you set up users and assign roles and accounts using the User Admin application.

b) External Security – you can configure Content Server against external LDAP servers (MS-AD, OID, iPlanet, ...) so that user login, password and permissions are derived from an external user base:

i) Active Directory: user information is stored in Active Directory.
ii) LDAP: user information is stored in an LDAP-compliant directory server (OID, iPlanet, IBM Tivoli DS, ...).
iii) Active Directory with LDAP: user information is stored in Active Directory, but Content Server accesses it through an LDAP provider (this is the integration covered in this post).

2. The first time an external user (a user from the external source) logs in, they are added to the Content Server database.

3. The files required for UCM integration with Active Directory via the LDAP Provider (option iii above) are available in $CONTENT_SERVER_INSTALL_DIR/custom/ActiveDirectoryLDAPComponent.

4. In Content Server you can combine authentication methods, i.e. allow some users to log in with their Microsoft domain identity while others use an LDAP Provider. You can also configure multiple LDAP Providers for authentication.

    Integration of UCM with Microsoft Active Directory LDAP Provider

1. Create an LDAP Provider for Active Directory (change the Provider Class to ldap.ActiveDirectoryLdapProvider)
1.1 Log in to Content Server as sysadmin at http://server:port/idc (sysadmin/idc)
1.2 Click Administration -> Provider
1.3 Click "Add" under "ldapuser"

In the above case Active Directory is
– running on machine win01.onlineappsdba.co.uk on port 389
– users are stored in ou=UK,ou=myUsers,dc=onlineappsdba,dc=co,dc=uk
Change the Provider Class to ldap.ActiveDirectoryLdapProvider

The Domain Controller for Active Directory is onlineappsdba and administrator is the super user.

1.4 Restart Content Server
1.5 Verify the connection status of the LDAP provider configured above

1.6 Log in to Content Server with a user from Active Directory (you should now be able to log in with an AD user in IDC)

1.7 Check the table db_admin.users (db_admin is the schema name for Content Server);
the DUSERAUTHTYPE column should be set to external
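Before typing the provider settings into the form, it helps to sanity-check them, because the provider status page only reports a failure after a restart. The script below is an added example and is not part of this post or of Content Server: it validates the values from steps 1.1-1.3 (host, port, users base DN, provider class) and checks that the component directory named in item 3 of the previous section exists under $CONTENT_SERVER_INSTALL_DIR. The provider-class and component checks correspond to the "Unable to load provider class" errors reported in the comments below, one of which was raised with a different class name (ldap.ActiveDirectoryLdapUserProvider). The DN parser is a deliberately small constructed one (no support for escaped commas or multi-valued RDNs), and the config key names are hypothetical, chosen for this example.

```python
"""Pre-flight checks for a Content Server LDAP provider pointing at Active Directory.

Added example; not part of the original post or of the Content Server product.
Config key names (host, port, users_base_dn, provider_class) are hypothetical.
"""
import os
import socket

# Provider class the post says to use for "Active Directory with LDAP".
EXPECTED_PROVIDER_CLASS = "ldap.ActiveDirectoryLdapProvider"
# Location of the required component files, relative to $CONTENT_SERVER_INSTALL_DIR.
COMPONENT_SUBDIR = os.path.join("custom", "ActiveDirectoryLDAPComponent")


def parse_dn(dn):
    """Split 'ou=UK,ou=myUsers,dc=onlineappsdba, dc=co,dc=uk' into (type, value) pairs.

    Simplified parser: no escaped commas and no multi-valued RDNs.
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if not attr or not value:
            raise ValueError("empty attribute or value in RDN: %r" % part)
        rdns.append((attr, value))
    return rdns


def normalize_dn(dn):
    """Canonical form: lower-cased attribute types, no stray spaces around commas."""
    return ",".join("%s=%s" % (a, v) for a, v in parse_dn(dn))


def check_provider_config(cfg, install_dir=None):
    """Return a list of problems; an empty list means the settings look sane.

    install_dir is $CONTENT_SERVER_INSTALL_DIR; when given, the component
    directory from the post is checked as well.
    """
    problems = []
    if not cfg.get("host"):
        problems.append("host is empty")
    port = cfg.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer 1-65535, got %r" % (port,))
    elif port not in (389, 636):
        problems.append("port %d is not the default AD LDAP (389) or LDAPS (636) port" % port)
    try:
        rdns = parse_dn(cfg.get("users_base_dn", ""))
        if not any(a == "dc" for a, _ in rdns):
            problems.append("users base DN has no dc= component; AD DNs end in the domain's dc= parts")
    except ValueError as exc:
        problems.append("users base DN: %s" % exc)
    if cfg.get("provider_class") != EXPECTED_PROVIDER_CLASS:
        problems.append("provider class %r is not %s"
                        % (cfg.get("provider_class"), EXPECTED_PROVIDER_CLASS))
    if install_dir is not None:
        comp = os.path.join(install_dir, COMPONENT_SUBDIR)
        if not os.path.isdir(comp):
            problems.append("component directory missing: %s" % comp)
    return problems


def ldap_port_reachable(host, port, timeout=3.0):
    """TCP-level reachability only; the provider's own status page still needs checking."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Values taken from the walkthrough above (the install dir is a placeholder).
    cfg = {
        "host": "win01.onlineappsdba.co.uk",
        "port": 389,
        "users_base_dn": "ou=UK,ou=myUsers,dc=onlineappsdba, dc=co,dc=uk",
        "provider_class": "ldap.ActiveDirectoryLdapProvider",
    }
    for p in check_provider_config(cfg, install_dir=os.environ.get("CONTENT_SERVER_INSTALL_DIR")):
        print("PROBLEM:", p)
    print("base DN:", normalize_dn(cfg["users_base_dn"]))
    print("port reachable:", ldap_port_reachable(cfg["host"], cfg["port"]))
```

Run it with CONTENT_SERVER_INSTALL_DIR exported to get the component check; without it, only the form values are validated. A port other than 389 or 636 is flagged as a warning rather than rejected, since a domain controller can be configured on other ports.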


    References

    24 Responses to “Integrate UCM (ECM/Content Server) with Microsoft Active Directory as LDAP Provider”

    1. billycripe says:

      Great article.
      Is this for the 10g UCM or the soon to be announced 11g? 11g has a different security model than 10g because of the new WLS layer.

      Either way, you should also check out our Advanced User Security Mapping tool which provides the kind of integration you outlined here with a web based admin UI and the ability to connect and map to AD, LDAP, OID etc.

      http://bit.ly/9Y9oGF

      let me know what you think!

    2. Atul Kumar says:

      @ billycripe,
      Thanks a lot for AUSM link (though I need to check demo)

This is for 10g UCM, I am waiting on 11g UCM (I think it's releasing in the next 2 weeks).

    3. ashok says:

      Dear Atul

      We need to integrate EBS 12.1.1 with UCM. We have no roadmap to do this except standard oracle document which is not very comprehensive. Can you guide us or share docs/case studies?

      Ashok

    4. Prachi Mishra says:

      Hi

      I was configuring LDAP provider for Active Directory.

      I am getting the following error :

      Unable to load provider class for activeDirectory. Unable to instantiate java class code for ‘ldap.ActiveDirectoryLdapProvider’ at location ‘ldap.ActiveDirectoryLdapProvider’.

    5. Muhammed says:

      Hi,

      how can we configure ldap in ucm 11g using providers in weblogic.

    6. Muhammed says:

      Hi Atul,

I have configured the Novell provider in WebLogic Server and I can see the list of users and groups from eDirectory in Users and Groups. But when I try to log in with any user from eDirectory, it fails. What could be the cause of it? Do I need to map groups from eDirectory to some role(s) in WebLogic to make it work? Please guide me in this regard on how to make this integration work.

    7. Atul Kumar says:

What application are you using and as what role?

      Yes, you would need user to group/role mapping for any application URL (update application name and version i.e. 10g or 11g)

    8. Muhammed says:

      Hi Atul,

The application is Universal Content Management - Content Server 11g, and when I look at the roles for this application in the admin console it shows no roles.

Next scenario: let's say I have two groups in eDirectory, IT and Finance, and some users that have different permissions for these groups. Now, do I have to map these groups to some roles in WebLogic and also in Content Server?

    9. Charles says:

      Hi Atul,

      I would like to connect the ldap server using secure port 636. What are all the prerequisites for this?
      Do we have to install the same secure cert in both ldap server and ucm server? Please let me know.

    10. Atul Kumar says:

      @ Charles,
      Is this UCM 10g or 11g ?

      I am assuming ldap is configured with one way ssl (and not two way ssl) which means ldap server will show certificate where as clients (ucm in this case) are not required to show certificates.

      Depending on UCM 10g or 11g you provide ldap ssl port and tell UCM that this is ldaps (ssl) port.

    11. Charles says:

Thanks for your reply Atul.
      I am using UCM 10g.

      I have gone through the following article about installing secure cert in Domain controllers
      http://support.microsoft.com/?kbid=321051

To establish the trusted connection to a DC, we need to export the cert from the DC, install it in the UCM and configure the provider to use port 636. Am I correct?

    12. Atul Kumar says:

@ Charles, AD by default runs on non-SSL port 389 and SSL port 636.

First use 389 and that should work.

If that works, then create another provider with port 636 and see if that works (I don't think any cert is required at the UCM side, as AD by default is not configured for two-way SSL).
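To make the one-way SSL point in this exchange concrete: the DC presents a certificate and the client sends none, but the client still has to hold the CA that issued the DC's certificate in its trust store (the export-and-install step Charles describes), otherwise the handshake is rejected. The script below is an added example and is not from the post, its comments, or the UCM product; it shows that client-side verification with Python's ssl module standing in for the UCM JVM. Host names are placeholders, and the CA file path is whatever PEM was exported from the DC.

```python
"""Client-side TLS trust check for an AD domain controller on port 636.

Added example; not part of the original post or of Content Server. It models
one-way SSL: verify the server's chain and host name, present no client cert.
"""
import socket
import ssl


def build_trust_context(ca_file=None):
    """Context that verifies the server chain and host name; no client cert is loaded.

    ca_file is the PEM of the CA that issued the DC certificate (exported from
    the DC); None falls back to the platform's default trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # one-way TLS: the server must prove its identity
    ctx.check_hostname = True             # the name on the cert must match the host we dialed
    return ctx


def probe_ldaps(host, port=636, ca_file=None, timeout=5.0):
    """Return (ok, detail); ok is True only if the chain verifies and the name matches."""
    ctx = build_trust_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(x[0] for x in cert.get("subject", ()))
                return True, "verified %s, subject CN=%s" % (tls.version(), subject.get("commonName"))
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted or name mismatch: the DC cert's issuer is missing from ca_file.
        return False, "chain or hostname verification failed: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    # Placeholder host from the walkthrough; the CA file is whatever was exported from the DC.
    ok, detail = probe_ldaps("win01.onlineappsdba.co.uk", ca_file="dc-issuing-ca.pem")
    print("LDAPS trust check:", "OK" if ok else "FAILED", "-", detail)
```

If this fails with a verification error but a plain socket to port 636 connects, the missing piece is the trust anchor on the client side, not a client certificate; for the UCM JVM that means importing the issuing CA into the JVM's trust store rather than generating a certificate for UCM.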

    13. john says:

      Hi Atul,

      I want to integrate UCM,SES and ActiveDirectory together.
Can you give me a hint on how to do this?

      Now I have a problem, because when I add new security provider into Weblogic server (ECM) I got error in SES when I run crawler.
      Error:
      Thread-2 EQP-60303: Exiting saxthread due to errors
      Thread-2 EQP-80330: Unrecognized QName :Envelope oracle.search.sdk.crawler.PluginException oracle.search.plugin.rss.SAXThread:checkNamespace:200 oracle.search.plugin.rss.SAXThread:startElement:218 oracle.xml.parser.v2.NonValidatingParser:parseElement:1296 oracle.xml.parser.v2.NonValidatingParser:parseRootElement:340 oracle.xml.parser.v2.NonValidatingParser:parseDocument:307 oracle.xml.parser.v2.XMLParser:parse:212 oracle.xml.jaxp.JXSAXParser:parse:292 oracle.search.plugin.rss.SAXThread:run:159 java.lang.Thread:run:595

      Thanks …

    14. Atul Kumar says:

      @ john,
      What is version of UCM and SES ?

      Do you have an option to put OID (Oracle Internet Directory – LDAP server from Oracle) between UCM/SES and AD ?

    15. john says:

      Sorry, I forgot it …
      UCM – 11.1.1.5.0
      SES – 11.1.2.0.0

      Active Directory – Microsoft Windows Server 2003
      On SES – Identity management Setup: Active Directory
      – Source: Oracle Content Server
      on ECM – component: SESCrawlerExport
      – WebLogic – Security Realms – Security Provider – to Active directory

      With this configuration I got error (see above).

      Thanks, John

    16. kek says:

We have followed all the steps shown above, but we get the following error:

      Connection State: N/A
      Connection Error: Unable to load provider class for AD_LDAP. Unable to instantiate java class code for ‘ldap.ActiveDirectoryLdapUserProvider’ at location ‘ldap.ActiveDirectoryLdapUserProvider’.
      Last Activity Date: None

    17. Selvam says:

      Hi Atul,

      You have mentioned the below statement in your article.
      “This integration process i.e. Active Directory as LDAP Provider is different from direct AD integration”

I think in my application it is done through direct AD integration. But I don't know how they have done it. Is there any article or documentation on how to configure it directly?

      Please help.

      Thanks,
      Selvam S.

    18. Atul Kumar says:

      @Selvam,

Did you look at the link mentioned under the Reference section in the above post?

    19. Ramesh says:

      Hi Atul,

Can we integrate UCM 11g with AD in a similar way as you have mentioned here? We don't need to create a WebLogic provider. We can just create a Content Server LDAP provider, that should be OK, right?

      Regards,
      Ramesh

    20. Atul Kumar says:

      @ Ramesh,
I don't think that will be a supported/certified solution.

You should create an authentication provider in WebLogic for AD. That is quite a simple solution.

      Step to add provider is http://download.oracle.com/docs/cd/E21764_01/doc.1111/e15483/idm_integration.htm#BABCHCED

      Change from OID to AD (ignore OAM10g/11g steps)

    21. Abdul Haleem says:

      Hi Atul

I'm getting the below error while starting UCM after changing the configuration as per the above document.

      Please help me to sort out this issue

      <general exception
      intradoc.data.DataException: !csProviderClassLoadError,RCA_AD
      at intradoc.provider.Provider.createClass(Provider.java:126)
      at intradoc.provider.Provider.init(Provider.java:68)
      at intradoc.server.IdcSystemLoader.loadProviders(IdcSystemLoader.java:2369)
