Today, I wanted to configure Oracle Universal Content Management (UCM) 10gR3 to allow authentication via Active Directory. I am running UCM through an Apache web server. Everything is running on Windows Server 2003 R2.
Preparing Active Directory
The first step is to set up some user accounts in Active Directory. I created one called Ann Jacobs, with a username of ann.
UCM uses group membership to assign roles. We need to create a set of groups in Active Directory that match (exactly) the names of the roles in UCM. By adding the Active Directory user to the group, the role of the same name is assigned when they log on to UCM.
The UCM LDAP provider uses a prefix to filter which groups it will consider when assigning roles. There is not convenient way to create this structure in Active Directory using the standard management tools. Fortunately, Microsoft provide a utility that allows us to easily modify the LDAP structure. This utility is called ADSIEdit and is on the Windows 2003 Server install disk.
You can install it by running tools\suptools.msi. You will get a new program group on the Start Menu called Windows Support Tools. Go into this group and run the Command Shell, then type adsiedit.msc to start ADSIEdit.
This is what the ADSIEdit utility looks like when it starts up:
You can see that my LDAP Base Suffix for this Active Directory server is dc=webcenter,dc=au,dc=oracle,dc=com. We are going to create a container called cn=UCMRole that we can store our groups in. It is highlighted in the image above. To create it, you right click on the root (highlighted in blue in the image above) and select New, Object…
Select container as the type, then click on Next.
Enter UCMRole as the cn, and then click on Next and then Finish to create the object.
Now you will see your new cn=UCMRole object in the right hand pane, as shown in the earlier image.
Next, we create the groups to represent the roles in UCM.
Right click on your new container object and select New, Object… like you did earlier to create the container. Follow through the same process as before, this time choose group as the object type, set the cn to Guest, the sAMAccountName to ucmGuest, and the group type to 4. This will create a group that we can use to give users the “Guest” role in UCM. Repeat this process to create groups for each role in UCM.
When you are done, you should see something like this in ADSIEdit:
This completes the necessary set up of groups in Active Directory. Now, we can add our user Ann Jacobs to our Guest group, so that she can log on to UCM. Note that users who have no group mappings will be assigned no roles at all if they try to log on to UCM.
Back in the standard Active Directory Users and Computers management tool, navigate to Ann Jacobs and right click on her, and select Add to a group…
In the dialog box, type in Guest and click on the Check Names button.
Note that this name is very similar to one of the “out of the box” groups in Active Directory. make sure you select the correct one by checking the cn in the “In Folder” column.
Select the correct group and press OK, and the OK again. Ann is now in our group Guest.
Next, we need to configure UCM to allow authentication against Active Directory. This can be done two ways, by using the built-in Active Directory security capabilities (see the documentation) or by configuring Active Directory as an LDAP Provider, which is what we are going to do. The first method requires that UCM is running through Microsoft Internet Information Services. As I mentioned at the beginning, I am using Apache, so the second option is the one I can use.
Log on to the UCM web interface as a system administrator, sysadmin by default. Navigate to the Administration folder, and then into Providers.
Under Create a New Provider click on the Add action for the ldapuser provider type. This opens the configuration form for this new provider. You will need to fill it out as follows:
The fields are as follows, where I do not mention a field, you should accept the default value:
Provider Name. This can be any name you want to use for the provider. I called mine activeDirectory.
Provider Description. This is a description for the provider, again anything you like.
Provider Class. This tells UCM which class to use to talk to this provider. This one is important, we need to change the default value. The documentation has the wrong class name in it, intradoc.ActiveDirectoryLdapProvider. If you enter this, you will get a ClassNotFoundException in your startup log, and the provider will not start. The correct value to enter here is ldap.ActiveDirectoryLdapProvider as shown in the image.
Source Path. This is a unique name for this provider. I named mine sAMAccountName after the account name attribute in Active Directory, but you can call it whatever you like.
LDAP Server. This one should be fairly obvious, it is the host name for your Active Directory server.
LDAP Suffix. This is the suffix for your Active Directory LDAP server. You will have seen it earlier in ADSIEdit.
LDAP Port. This is the port that the Active Directory LDAP server is listening on. The default is 389.
Use Group Filtering. Turn this on. This causes UCM to map the Active Directory groups to UCM roles as we discussed earlier.
Role Prefix. This is used to tell the provider where to find the groups in Active Directory that should be mapped to UCM roles. It will only consider groups that have this prefix, plus the suffix above. You need to enter CN=UCMRole in this field. You can either type it directly into the text area, as shown, or enter it into the text box and then press the Add button.
When the mapping is performed, UCM will look for any groups that end with cn=UCMRole,dc=webcenter,dc=au,dc=oracle,dc=com, like the Guest group we created and assigned Ann to.
Account Prefix. This works similarly ot the role prefix, and tells the provider where to look in the LDAP tree for users. It also has the LDAP suffix appended to it, so you just specify the extra prefix, cn=Users.
The Attribute Map is optional, you can use it to map Active Directory attributes to UCM ones, as shown in the diagram.
LDAP Admin DN. This is the full DN for the administrative user in Active Directory. In my case this is the Administrator user on my Windows Server. So the full DN is:
LDAP Admin Password. This is the password for the administrative user.
Once you have entered all of this information, you can save your new provider. Notice that the provider list now includes your new provider, and indicates that a restart is necessary.
Restart the IDC Content Server service from the Services control panel.
Now you can navigate to the UCM login page in a new browser window. When you click on the login link, you can now log in using an Active Directory username and password.