Integrating Contribute Publishing Services with LDAP

User Directory Settings

The default user directory for CPS is file based. File-based user directories are good for testing purposes or for a small, fixed group of users. To begin the LDAP integration, you must manually change the directory type to LDAP/Active Directory. Log on to the CPS Administrator (typically https://localhost:8900/contribute/admin/server.cfm) and open the User Directory screen (click the User Directory link under Service Settings in the left navigation section). Change the directory type to LDAP/Active Directory and click OK on the warning message about changing the directory type. The display changes to a four-tab interface: Settings, User Search, Group Search, and Test.

Use the Settings tab to configure connection and bind information for your LDAP server. The URL field provides the LDAP connection. The proper syntax for this field is:

ldap://<servername or IP address>:<port number>

For example, to connect to my LDAP server I would enter ldap://ldap.macromedia.com:389. This provides an unencrypted (non-secure) LDAP connection, so bind credentials and query results travel in clear text. To configure a secure LDAP connection, see Configuring Contribute Publishing Services to use LDAPS (TechNote 54f01608).

LDAP servers require an authenticated connection before they will allow queries (searches). This authenticated connection is called a bind. Most LDAP servers allow an anonymous bind, where no username or password is submitted; others restrict searches to their members and require an authenticated username and password. If your LDAP server requires authenticated access for read-only searches, enter a bind DN and bind password in the Access username and password fields (respectively) on the Settings tab. The syntax for the bind DN depends on the LDAP server itself: some will take <domain name>\<username> (macromedia\ssargent), or cn=username (cn=ssargent), or a simple username (ssargent). Your LDAP administrator should provide this information.

The syntax for the bind DN is also important for the Authentication method. The authentication method determines how users enter their username when Contribute challenges them for authentication. If you choose LDAP bind (default), then you must configure the Prefix and Suffix fields. The bind syntax for this method is: prefix + <username> + suffix. Using my DN (uid=sarge,ou=Employees,dc=macromedia,dc=com) as an example, the prefix is the part of the bind DN before the username value (uid=), and the suffix is the remainder of the DN (,ou=Employees,dc=macromedia,dc=com). It is important to include the comma (,) in the suffix or the authentication will fail.

You should only use the default LDAP bind if you have a simple DIT (directory information tree), meaning all of your users are stored in one node. Choose LDAP bind (auto-find user DN) if you have users in multiple branches. This method uses the provided username to perform a query that retrieves the authenticating user's DN; it then uses the retrieved DN (and the provided password) to perform the bind. This provides greater flexibility but may increase response time, since every login costs a search plus a bind.

The Password in directory authentication method simply requires a username for the bind DN. CPS uses filtering to perform the authentication. Typically used with Active Directory, the Windows domain authentication type uses the user’s Windows domain login ID for the bind in the format: <domain name>/<username>. The user must provide their correct Windows domain login ID and password for a successful bind.
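The following is an added example, not code from the TechNote or from CPS itself. It models the two LDAP bind strategies described above against a constructed in-memory directory so it runs offline: the default LDAP bind, which concatenates prefix + username + suffix (and fails when the leading comma is missing from the suffix or the user lives in another branch), and the auto-find method, which searches for the user's DN first and then binds with it. The directory contents, the attribute name uid, and the helper names are all assumptions made for the example; the filter escaping follows RFC 4515, which is the check a practitioner would want on any search built from a user-supplied username, because an unescaped wildcard would let the search match an unintended entry.

```python
"""Added example (not part of the original TechNote or of CPS):
a model of the LDAP bind and LDAP bind (auto-find user DN) methods
against a constructed in-memory directory."""
import re

# Constructed sample directory: DN -> attributes. The two users live in
# different OUs, which is exactly the case the auto-find method exists for.
DIRECTORY = {
    "uid=sarge,ou=Employees,dc=macromedia,dc=com":
        {"uid": "sarge", "userPassword": "s3cret"},
    "uid=contractor1,ou=Contractors,dc=macromedia,dc=com":
        {"uid": "contractor1", "userPassword": "hunter2"},
}


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: the DN must exist and the password match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def build_bind_dn(prefix: str, username: str, suffix: str) -> str:
    """Default 'LDAP bind' method: prefix + <username> + suffix, exactly as typed."""
    return f"{prefix}{username}{suffix}"


def auth_ldap_bind(prefix: str, username: str, suffix: str, password: str) -> bool:
    return simple_bind(build_bind_dn(prefix, username, suffix), password)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def build_filter(attr: str, username: str) -> str:
    """The search filter the auto-find step would send, with the username escaped."""
    return f"({attr}={escape_filter_value(username)})"


def _unescape(piece: str) -> str:
    # Turn \XX hex escapes back into the literal character they stand for.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def evaluate_filter(filt: str) -> list:
    """Tiny evaluator for a single (attr=value) filter; an unescaped '*' is a wildcard."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    attr, value = m.group(1), m.group(2)
    # Split on raw wildcards only; an escaped \2a survives the split as a literal.
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return [dn for dn, a in DIRECTORY.items() if re.fullmatch(pattern, a.get(attr, ""))]


def auth_auto_find(attr: str, username: str, password: str) -> bool:
    """'LDAP bind (auto-find user DN)': search for the DN, then bind with it."""
    matches = evaluate_filter(build_filter(attr, username))
    if len(matches) != 1:
        return False  # no such user, or an ambiguous result: refuse to bind
    return simple_bind(matches[0], password)


if __name__ == "__main__":
    suffix = ",ou=Employees,dc=macromedia,dc=com"
    print(auth_ldap_bind("uid=", "sarge", suffix, "s3cret"))          # True
    print(auth_ldap_bind("uid=", "sarge", suffix[1:], "s3cret"))      # False: comma missing
    print(auth_ldap_bind("uid=", "contractor1", suffix, "hunter2"))   # False: other branch
    print(auth_auto_find("uid", "contractor1", "hunter2"))            # True: DN found first
    print(auth_auto_find("uid", "*", "hunter2"))                      # False: escaped, no match
```

The last two calls show why the auto-find method is the one to pick for a multi-branch DIT, and why the username must be escaped before it is placed in the filter: evaluate_filter("(uid=*)") would match every entry, but build_filter turns the same input into (uid=\2a), which matches nobody.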

Figure 2. Choosing the authentication method on the CPS 1.1 Settings tab

The final fields on the Settings tab, which I skipped, are the Max search results and Connection timeout. The Max search results is the number of results to display for the test search on the Test tab. The Connection timeout is the maximum number of seconds to wait for a search result. The default value is zero (0), which means no timeout.

Now that the connection is configured, I will turn to setting up the filters for our searches.