If you have been working with Documentum, then you probably already created/configured an LDAP/LDAPs Server Config Object (or several) so that your users can be globally managed in your organization. There are several compatible LDAP Servers so I will just take one (Sun One/Netscpae/iPlanet Directory Server). To create this LDAP/LDAPs Server Config Object, you probably used Documentum Administrator because it’s simple and quick to setup, however that’s not enough for automation. In this blog, I will show and explain the steps needed to configure the same but without any need for DA.
The problem with DA is that it usually does some magic and you cannot always do exactly the same without it. Here, this also applies but to a smaller extent since it is only the SSL part (LDAPs) that needs specific steps. For this, there is a KB created by EMC some years ago (migrated to OpenText): KB6321243.
Before starting, let’s setup some parameters that will be used in this blog:
[dmadmin@content-server-0 ~]$ repo="repo01" [dmadmin@content-server-0 ~]$ dm_location_name="ldap_chain" [dmadmin@content-server-0 ~]$ file_path="$DOCUMENTUM/dba/secure/ldapdb/${dm_location_name}.pem" [dmadmin@content-server-0 ~]$ ldap_server_name="Internal_LDAP" [dmadmin@content-server-0 ~]$ ldap_host="ldap.domain.com" [dmadmin@content-server-0 ~]$ ldap_ssl=1 #0 for LDAP, 1 for LDAPs [dmadmin@content-server-0 ~]$ ldap_port=636 [dmadmin@content-server-0 ~]$ location=`if ((${ldap_ssl} == 1)); then echo ${dm_location_name}; else echo "ldapcertdb_loc"; fi` [dmadmin@content-server-0 ~]$ ldap_principal="ou=APP,ou=applications,ou=intranet,dc=dbi services,dc=com" [dmadmin@content-server-0 ~]$ ldap_pwd="T3stP4ssw0rd" [dmadmin@content-server-0 ~]$ ldap_user_filter="objectclass=person" [dmadmin@content-server-0 ~]$ ldap_user_class="person" [dmadmin@content-server-0 ~]$ ldap_group_filter="objectclass=groupofuniquenames" [dmadmin@content-server-0 ~]$ ldap_group_class="groupofuniquenames"
1. Preparation steps for LDAPs
The steps in this section are only needed in case you need to configure SSL communications between your LDAP Server and Documentum. It can be done upfront without any issues. So let’s start with setting up the environment. Without the use of DA, the only way you have to import/trust SSL Certificate for the LDAPs connection is by adding an environment variable named “DM_LDAP_CERT_FILE” and setting it to “1”. This will allow Documentum to use certificate files for the trust chain instead of doing what DA is doing (the magic part) that we cannot replicate.
It is a little bit out of scope for this blog but a second variable is often needed “DM_LDAP_IGNORE_HOSTNAME_CHECK” which drives the validation of the hostname. Setting this to “1” will disable the hostname check and therefore allow you to use an LDAP Server that is behind a Proxy or a Load Balancer. This would also be needed with a LDAP (non-secure).
[dmadmin@content-server-0 ~]$ grep DM_LDAP ~/.bash_profile [dmadmin@content-server-0 ~]$ echo $DM_LDAP_CERT_FILE -- $DM_LDAP_IGNORE_HOSTNAME_CHECK -- [dmadmin@content-server-0 ~]$ [dmadmin@content-server-0 ~]$ echo "export DM_LDAP_CERT_FILE=1" >> ~/.bash_profile [dmadmin@content-server-0 ~]$ echo "export DM_LDAP_IGNORE_HOSTNAME_CHECK=1" >> ~/.bash_profile [dmadmin@content-server-0 ~]$ [dmadmin@content-server-0 ~]$ grep DM_LDAP ~/.bash_profile export DM_LDAP_CERT_FILE=1 export DM_LDAP_IGNORE_HOSTNAME_CHECK=1 [dmadmin@content-server-0 ~]$ [dmadmin@content-server-0 ~]$ source ~/.bash_profile [dmadmin@content-server-0 ~]$ echo $DM_LDAP_CERT_FILE -- $DM_LDAP_IGNORE_HOSTNAME_CHECK 1 -- 1 [dmadmin@content-server-0 ~]$
For the variables to take effect, you will need to restart the Repositories. I usually set everything up (LDAPs specific pieces + LDAP steps) and only then restart the repositories so it’s done once at the very end of the setup.
The next step is then to create/prepare the Trust Chain. In DA, you can import the Trust Chain one certificate at a time, the Root first and then the Intermediate one. While using “DM_LDAP_CERT_FILE=1” (so without DA), you can unfortunately use only one file per LDAP and therefore this file will need to contain the full Trust Chain. To do that, simply put in a file the content of both Root and Intermediate SSL Certificates one after the other. So in the end, you file should contain something like that:
[dmadmin@content-server-0 ~]$ vi ${dm_location_name}.pem [dmadmin@content-server-0 ~]$ cat ${dm_location_name}.pem -----BEGIN CERTIFICATE----- <<<content_of_root_ca>>> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <<<content_of_intermediate_ca>>> -----END CERTIFICATE----- [dmadmin@content-server-0 ~]$ [dmadmin@content-server-0 ~]$ mv ${dm_location_name}.pem ${file_path} [dmadmin@content-server-0 ~]$
Once you have the file, you can put it wherever you want with the name that you want but it absolutely needs to be a “.pem” extension. You can check this blog, which explains what happens if this isn’t the case and what needs to be done to fix it. As you can see above, I choose to put the file where DA is putting them as well.
The last step for this SSL specific part is then to create a “dm_location” Object that will reference the file that has been created so that the LDAP Server Config Object can use it and trust the target LDAP Server. Contrary to the LDAP Certificate Database Management in DA, which is global to all Repositories (so it needs to be done only one), here you will need to create the “dm_location” Object in all the Repositories that are going to use the LDAP Server. This can be done very easily via iAPI:
[dmadmin@content-server-0 ~]$ iapi ${repo} -U${USER} -Pxxx << EOF create,c,dm_location set,c,l,object_name ${dm_location_name} set,c,l,path_type file set,c,l,file_system_path ${file_path} save,c,l exit EOF OpenText Documentum iapi - Interactive API interface Copyright (c) 2018. OpenText Corporation All rights reserved. Client Library Release 16.4.0110.0058 Connecting to Server using docbase repo01 [DM_SESSION_I_SESSION_START]info: "Session 0112d6878000111b started for user dmadmin." Connected to OpenText Documentum Server running Release 16.4.0110.0167 Linux64.Oracle Session id is s0 API> ... 3a12d68780002522 API> SET> ... OK API> SET> ... OK API> SET> ... OK API> ... OK API> Bye [dmadmin@content-server-0 ~]$
The name of the “dm_location” Object doesn’t have to be the same as the name of the Trust Chain file. I’m just using the same here so it’s simpler to see the relation between both. These are the only steps that are specific to SSL communications between your LDAP Server and Documentum.
2. Global steps for LDAP
This section applies to all cases. Whether you are trying to setup an LDAP or LDAPs Server, then you will need to create the “dm_ldap_config” Object and everything else described below. As mentioned previously, I’m using one type of LDAP Server for this example (value of “dm_ldap_config.a_application_type“). If you aren’t very familiar with the settings inside the Repository, then the simplest thing to do to find out which parameters you would need (and the associated values) is simply to create one LDAP Config Object using DA. Once done, just dump it and you can re-use that same configuration in the future.
So let’s start with creating a sample LDAP Server Config Object:
[dmadmin@content-server-0 ~]$ iapi ${repo} -U${USER} -Pxxx << EOF create,c,dm_ldap_config set,c,l,object_name ${ldap_server_name} set,c,l,map_attr[0] user_name set,c,l,map_attr[1] user_login_name set,c,l,map_attr[2] user_address set,c,l,map_attr[3] group_name set,c,l,map_attr[4] client_capability set,c,l,map_attr[5] user_xprivileges set,c,l,map_attr[6] default_folder set,c,l,map_attr[7] workflow_disabled set,c,l,map_val[0] displayName set,c,l,map_val[1] uid set,c,l,map_val[2] mail set,c,l,map_val[3] cn set,c,l,map_val[4] 2 set,c,l,map_val[5] 32 set,c,l,map_val[6] /Home/${displayName} set,c,l,map_val[7] false set,c,l,map_attr_type[0] dm_user set,c,l,map_attr_type[1] dm_user set,c,l,map_attr_type[2] dm_user set,c,l,map_attr_type[3] dm_group set,c,l,map_attr_type[4] dm_user set,c,l,map_attr_type[5] dm_user set,c,l,map_attr_type[6] dm_user set,c,l,map_attr_type[7] dm_user set,c,l,map_val_type[0] A set,c,l,map_val_type[1] A set,c,l,map_val_type[2] A set,c,l,map_val_type[3] A set,c,l,map_val_type[4] V set,c,l,map_val_type[5] V set,c,l,map_val_type[6] E set,c,l,map_val_type[7] V set,c,l,ldap_host ${ldap_host} set,c,l,port_number ${ldap_port} set,c,l,person_obj_class ${ldap_user_class} set,c,l,group_obj_class ${ldap_group_class} set,c,l,per_search_base ${ldap_principal} set,c,l,grp_search_base ${ldap_principal} set,c,l,per_search_filter ${ldap_user_filter} set,c,l,grp_search_filter ${ldap_group_filter} set,c,l,bind_dn ${ldap_principal} set,c,l,user_subtype dm_user set,c,l,deactivate_user_option T set,c,l,import_mode groups set,c,l,bind_type bind_by_dn set,c,l,ssl_mode ${ldap_ssl} set,c,l,ssl_port ${ldap_port} set,c,l,certdb_location ${location} set,c,l,map_rejection[0] 2 set,c,l,map_rejection[1] 2 set,c,l,map_rejection[2] 0 set,c,l,map_rejection[3] 2 set,c,l,map_rejection[4] 0 set,c,l,map_rejection[5] 0 set,c,l,map_rejection[6] 2 set,c,l,map_rejection[7] 0 set,c,l,retry_count 3 set,c,l,retry_interval 3 set,c,l,failover_use_interval 300 set,c,l,r_is_public F set,c,l,a_application_type netscape set,c,l,a_full_text T save,c,l exit EOF OpenText Documentum iapi - Interactive API interface Copyright (c) 2018. OpenText Corporation All rights reserved. Client Library Release 16.4.0110.0058 Connecting to Server using docbase repo01 [DM_SESSION_I_SESSION_START]info: "Session 0112d68780001123 started for user dmadmin." Connected to OpenText Documentum Server running Release 16.4.0110.0167 Linux64.Oracle Session id is s0 API> ... 0812d6878000252c API> SET> ... OK ... ... ... [dmadmin@content-server-0 ~]$
Once the LDAP Server Config Object has been created, you can register it in the “dm_server_config” Objects. In our silent scripts, we have using the r_object_id of the object just created so that we are sure it is the correct value but below, for simplification, I’m using a select to retrieve the r_object_id based on the LDAP Object Name (so make sure it’s unique if you use the below):
[dmadmin@content-server-0 ~]$ iapi ${repo} -U${USER} -Pxxx << EOF ?,c,update dm_server_config object set ldap_config_id=(select r_object_id from dm_ldap_config where object_name='${ldap_server_name}') exit EOF OpenText Documentum iapi - Interactive API interface Copyright (c) 2018. OpenText Corporation All rights reserved. Client Library Release 16.4.0110.0058 Connecting to Server using docbase repo01 [DM_SESSION_I_SESSION_START]info: "Session 0112d6878000112f started for user dmadmin." Connected to OpenText Documentum Server running Release 16.4.0110.0167 Linux64.Oracle Session id is s0 API> objects_updated --------------- 1 (1 row affected) [DM_QUERY_I_NUM_UPDATE]info: "1 objects were affected by your UPDATE statement." API> Bye [dmadmin@content-server-0 ~]$
Then, it is time to encrypt the password of the LDAP Account used that is used for the “bind_dn” (${ldap_principal} above):
[dmadmin@content-server-0 ~]$ crypto_docbase=`grep ^dfc.crypto $DOCUMENTUM_SHARED/config/dfc.properties | tail -1 | sed 's,.*=[[:space:]]*,,'` [dmadmin@content-server-0 ~]$ [dmadmin@content-server-0 ~]$ iapi ${crypto_docbase} -U${USER} -Pxxx << EOF encrypttext,c,${ldap_pwd} exit EOF OpenText Documentum iapi - Interactive API interface Copyright (c) 2018. OpenText Corporation All rights reserved. Client Library Release 16.4.0110.0058 Connecting to Server using docbase gr_repo [DM_SESSION_I_SESSION_START]info: "Session 0112d68880001135 started for user dmadmin." Connected to OpenText Documentum Server running Release 16.4.0110.0167 Linux64.Oracle Session id is s0 API> ... DM_ENCR_TEXT_V2=AAAAEHQfx8vF52wIC1Lg8KoxAflW/I7ZnbHwEDJCciKx/thqFZxAvIFNtpsBl6JSGmI4XKYCCuUl/NMY7BTsCa2GeIdUebL2LYfA/nJivzuikqOt::gr_repo API> Bye [dmadmin@content-server-0 ~]$
Finally, the only thing left is to create the file “$DOCUMENTUM/dba/config/${repo}/ldap_${dm_ldap_config_id}.cnt” and put in it the content of the encrypted password (the whole line “DM_ENCR_TEXT_V2=…::gr_repo“). As mentioned previously, after a small restart of the Repository, you should then be able to run your dm_LDAPSynchronization job. You might want to configure the job with some specific properties but that’s up to you.
With all the commands above, you have already a very good basis to automate the creation/setup of your LDAP/LDAPs Server without issue. In our automation, instead of printing the result of the iAPI commands to the console, we are usually putting that in a log file. With that, we can automatically retrieve the result of the previous commands and continue the execution based on the outcome so there is no need for any human interaction. In the scope of this blog, it was much more human friendly to display it directly.
Maybe one final note: the above steps are for a Primary Content Server. In case you are trying to do the same thing on a Remote Content Server (RCS/CFS), then some steps aren’t needed. For example, you will need to put the Trust Chain to the correct location but you won’t need to create the “dm_location” or “dm_ldap_config” Objects since they are inside the Repository and therefore already present.