Add a custom SPI

For information about creating a custom SPI, see “Developing SPIs for AEM forms” in Programming with AEM forms. To make a newly deployed custom SPI available for association with the domain, restart the server.

  1. In administration console, click Settings > User Management > Domain Management.
  2. Click New Enterprise Domain or select an existing enterprise domain.
  3. Click Add Directory.
  4. Type a name in the Profile Name box, select Custom SPI Provider, and then click Next.
  5. Select a custom user provider from the list and click Next.
  6. Select a custom group provider from the list and click Finish.

Edit a directory

You can edit the details of a directory that you previously configured.

  1. In administration console, click Settings > User Management > Domain Management.
  2. Click the appropriate domain in the list and, on the page that appears, select the appropriate directory from the list.
  3. Configure the directory, user, and group settings as required. (See Directory settings.)
  4. Click OK.

Delete a directory

When you synchronize your domains after deleting a directory, all users and groups in that directory are marked obsolete in the database. They will not be returned in any search from Administration Console.

NOTE
Enterprise domains require at least one authentication provider and directory provider.
  1. In administration console, click Settings > User Management > Domain Management.
  2. Click the appropriate domain in the list.
  3. Select the check box for the appropriate directory and click Delete.
  4. Click OK on the confirmation page that appears and click OK again.

Directory settings

When you add a directory to a domain, specify the following directory settings.

Server: (Mandatory) Fully qualified domain name (FQDN) of the directory server. For example, for a computer called x on the adobe.com network, the FQDN is x.adobe.com. An IP address can be used in place of the FQDN server name.

Port: (Mandatory) The port that the directory server uses. Typically 389, or 636 if the Secure Sockets Layer (SSL) protocol is used for sending authentication information over the network.

SSL: (Mandatory) Specifies whether the directory server uses SSL when sending data over the network. The default is No. When set to Yes, the corresponding LDAP server certificate must be trusted by the Java™ runtime environment (JRE) of the application server.

Binding (Mandatory) Specifies how to access the directory.

Anonymous: No user name or password is required. An anonymous user may be able to fetch only a limited amount of data. This option may be useful for initial testing.

User: Authentication is required. In the Name box, specify the name of the user record that can access the directory. It is best to enter the full distinguished name (DN) of the user account, such as cn=Jane Doe, ou=user, dc=can, dc=com. In the Password box, specify the associated password. These settings are required when you select User as the Binding option.

Name: Name that can be used to connect to the LDAP database when anonymous access is not enabled. For Active Directory 2003, specify [domain name]\[userid]. For Sun™ One, eDirectory or IBM Tivoli Directory Server, specify the fully qualified name of the user, such as uid=lcuser,ou=it,o=company.com.

Password: Password that corresponds with the name you specified to connect to the LDAP database when anonymous access is not enabled.

Populate Page With: When selected, populates attributes on the User and Group settings pages with corresponding default LDAP values.

Retrieve Base DNs: Retrieves the base DNs and displays them in the drop-down list. This setting is useful when you have multiple base DNs and need to select a value.

Enable referral: This setting is applicable when your organization uses multiple Active Directory domains organized in a hierarchical structure and you have specified directory settings for only the parent domain. In this situation, when you select this option, User Management can access user and group details from the child domains.

NOTE
Click Test to verify that a connection can be made to the LDAP server. To determine the root cause of any failures, review the exception in the Application Server log file.

User settings

Unique Identifier: (Mandatory) A unique and constant attribute used to identify users. Use a non-DN attribute as the unique identifier because a user’s DN may change if they move to another part of the organization. This setting depends on the directory server. The value is objectGUID for Active Directory 2003, nsuniqueID for Sun™ One, and guid for eDirectory.

NOTE
Ensure that you enter an attribute that is guaranteed to be unique in your organization. Entering an incorrect value can cause serious system problems.

Base DN: Set as the starting point for synchronizing users and groups from the LDAP hierarchy. It is best to specify a base DN at the lowest level of the hierarchy that encompasses all users and groups that need to be synchronized for services.

If you selected the Enable referral option in the Directory settings, set the Base DN option to the dc part of the DN. For the referral to work, the search span must include both parent and child domains.

NOTE
Do not include the user’s DN in this setting. To synchronize a particular user, use the Search Filter setting.

Although Base DN is a mandatory setting in administration console, some directory servers such as IBM Domino Enterprise Server may require an empty BaseDN. To specify an empty Base DN, export the config.xml file, edit the setting in the config.xml file, and then reimport it. (See Importing and exporting the configuration file.)

Search Filter: (Mandatory) The search filter to use to find the record that is associated with the user. You can perform a one-level search or a sub-level search. (See Search Filter Syntax or RFC 2254.) Additional information for the Microsoft AD schema, see Active Directory Schema.

Description: Schema attribute for the description of the user

Full Name: (Mandatory) Schema attribute for the full name of the user

Login ID: (Mandatory) Schema attribute for the user’s login ID

Last Name: (Mandatory) Schema attribute for the user’s last name

Given Name: (Mandatory) Schema attribute for the user’s first name

Initials: Schema attribute for the user’s initials

Business Calendar: Enables you to map a business calendar to a user, based on the value for this setting (the business calendar key). Business calendars define business and non-business days. AEM forms can use business calendars when calculating future dates and times for events such as reminders, deadlines, and escalations. The way you assign business calendar keys to users depends on whether you are using an enterprise, local, or hybrid domain. (See Configuring Business Calendars.)

If you are using an enterprise domain, you can map the Business Calendar setting to a field in the LDAP directory. For example, if each user record in your directory contains a country field, and you want to assign business calendars based on the country where the user is located, specify the country field name as the value for the Business Calendar setting. You can then map the business calendar keys (the values defined for the country field in the LDAP directory) to business calendars in forms workflow.

The amount of space used to display the name of the business calendar key in the forms workflow pages is limited. Limit the name of the business calendar key to fewer than 53 characters to avoid having it truncated on those pages.

Modify Timestamp: To enable delta directory synchronization, set this value to modify TimeStamp. (See Enable delta directory synchronization.)

Organization: Schema attribute for the name of the organization to which the user belongs.

Primary Email: Schema attribute for the primary email address of the user.

Secondary Email: Schema attribute for the secondary email address of the user.

Telephone: Schema attribute for the user’s telephone number.

Postal Address: Schema attribute for the user’s mailing address.

Locale: Schema attribute that contains the ISO locale information. The value is a two-letter language code or a language and country code.

Time Zone: Schema attribute that contains the time zone where the user is located. The value is a string such as City/Country.

Enable Virtual List View (VLV) Control: An LDAP control that enables AEM forms to retrieve data in batches from the directory server. If you are using Sun One as your LDAP directory and the directory contains many users, enabling VLV creates an index that User Management can use when searching users. This feature is useful when using a normal user account that can synchronize only a limited amount of data. You can also enable VLV for groups. If you select Enable Virtual List View (VLV) Control, specify a name in the Sort Field box.

NOTE
To enable VLV, configure Sun One. See Configure User Management to use Virtual List View (VLV).

Sort Field: If you selected Enable Virtual List View (VLV) Control, specify the attribute name used to sort the index. This attribute name (such as uid) is the one you specified when you created an index for VLV on the directory server.

Group settings

Unique Identifier: (Mandatory) A unique and constant attribute used to identify groups. Use a non-DN attribute as the unique identifier. This setting depends on the directory server. The value is objectGUID for Active Directory 2003, nsuniqueID for Sun One, and guid for eDirectory.

NOTE
Ensure that you enter an attribute that is guaranteed to be unique in your organization. Entering an incorrect value can cause serious system problems.

Base DN: (Mandatory) Base distinguished name of the directory.

Although Base DN is a mandatory setting in administration console, some directory servers such as IBM Domino Enterprise Server require an empty BaseDN. To specify an empty Base DN, export the config.xml file, edit the setting in the config.xml file, and then reimport it. (See Importing and exporting the configuration file.)

Search Filter: (Mandatory) The search filter to use to find the record that is associated with the group. You can perform a one-level search or a sub-level search.

Description: Schema attribute for the description of the group

Full Name: (Mandatory) Schema attribute for the full name of the group

Member DN: (Mandatory) Schema attribute for the distinguished name of members within a group

Member Unique Identifier: Unique identifier for a user or group that is a member of the selected group. This value depends on the directory server. The value is objectSID for AD2003, nsuniqueID for Sun One, and guid for eDirectory.

If Member DN is specified with a non-DN attribute, User Management uses Member Unique Identifier to query LDAP to collect the user’s DN as it corresponds to a unique identifier value.

If DN is specified as a unique identifier, you do not need to configure Member Unique Identifier.

Organization: Schema attribute for the name of the organization to which the group belongs

Primary Email: Schema attribute for the primary email address of the group

Secondary Email: Schema attribute for the secondary email address of the group

Modify Timestamp: To enable delta directory synchronization, set this value to modify TimeStamp. (See Enable delta directory synchronization.)

Enable Virtual List View (VLV) Control: An LDAP control that enables AEM forms to retrieve data in batches from the directory server. If you are using Sun One as your LDAP directory and the directory contains many groups, enabling VLV creates an index that User Management can use when searching groups. This feature is useful when using a normal user account that can synchronize only a limited amount of data. You can also enable VLV for users. If you select Enable Virtual List View (VLV) Control, specify a Sort Field Name.

NOTE
To enable VLV, configure Sun One. See Configure User Management to use Virtual List View (VLV).

Sort Field Name: If you selected Enable Virtual List View (VLV) Control, specify the attribute name used to sort the index. This attribute name is the one you specified when you created an index for VLV on the directory server.

NOTE
Click Test to verify that the user and group settings are collected based on the base DN and search criteria.

If users and groups are returned, the results show the values that are assigned to each field as per the attribute set.

NOTE
User Management does not support duplicate user IDs within a domain; only one user with the user ID is synchronized.

Configure User Management to use Virtual List View (VLV)

Directory synchronization is an important requirement for User Management. The users and groups are synchronized from an enterprise directory to the AEM forms database for assigning roles and permissions. The number of users varies from 100 to 100000+ depending on the requirements, and it poses an engineering challenge to synchronize data efficiently.

The LDAP protocol provides a mechanism to query large data sets in a paginated way by using request controls. When using Microsoft Active Directory, LDAP to AEM forms database synchronization uses PagedResultsControl for retrieving data in batches of a particular size. The Sun ONE Directory Server does not support this control. To complete a paginated query against the Sun ONE Directory Server, use the Virtual List View (VLV) control. This control involves both directory server-side configuration and client-side implementation.

NOTE
This section describes using the VLV control for the Sun ONE Directory Server. However, you can use this control for any directory server that supports VLV control.
  1. When configuring the directory, select Enable Virtual List View (VLV) Control on both the User Settings page and the Group Settings page. When you select the check box, you must also specify a sort name in the Sort Field box. The default value is uid. (See Adding directories or custom SPIs or Edit a directory.)
  2. Use Sun ONE administration console or a command-line script to create the LDAP VLV entries for users and groups. If you use a command-line script, you can use the sample users and groups LDIF files. (See Configuring the Sun ONE Directory Server for VLV.)
  3. Stop the server and create the required index. (See Create the Directory Server Index for VLV.)