Setting up and managing domains

• When you are using a database provider other than DB2, the domain ID can contain up to 50 bytes. If you are using single-byte ASCII characters, the limit is 50 characters. If the domain identifier contains multibyte characters, this limit is reduced. For example, if you create a domain whose identifier contains 3-byte characters, the limit is 16 characters. In addition, you cannot create domains that contain 4-byte characters. If you create a domain ID that exceeds this limit, AEM forms will be in an unstable state. To recover from this unstable state, see the " Remove a domain that contains extended or multi-byte characters " on this page.

• The number of enterprise domains and local domains that can be created within AEM forms depends on the length of each of the domain IDs. When you add an enterprise or hybrid domain, User Management updates the configInstance string in the AuthProviders node of the AEM forms configuration file (config.xml). The configInstance string contains a colon-separated list of the absolute paths of all domains that are associated with the authorization provider. This string has a size limit of 8192 characters. When that limit is reached, you cannot create additional domains.

When using DB2 for your AEM forms database, the maximum permitted length of the domain ID depends on the type of characters used:

• 100 single-byte (ASCII) (for example, characters used in English, French, or German languages)

• 50 double-byte (for example, characters used in Chinese, Japanese, or Korean languages)

• 25 four-byte (for example, characters used in Traditional Chinese language)

When using MySQL as your AEM forms database, the following limitations apply:

• Use only single-byte (ASCII) characters for the domain ID and domain name. If you use extended ASCII characters, AEM forms will be in an unstable state and may throw an exception if you attempt to delete the domain. To recover from this unstable state, see the " Remove a domain that contains extended or multi-byte characters " topic on this page.

• You cannot create two domains that have the same name but differ in case. For example, attempting to create a domain named Adobe when a domain named adobe already exists results in an error.

• User Management cannot differentiate between two domain names that differ only in the use of extended characters. For example, if you create a domain named abcde and a domain named âbcdè , they are considered the same.

1. Export the configuration file, as described in Importing and exporting the configuration file .

2. Open the configuration file and under the Domains node, locate the node whose name attribute matches the name of the domain created with extended or multi-byte characters. Delete the entire node related to that domain.

3. In your database, search for the domain in the edcprincipaldomainentity table:

   • Select * from edcprincipaldomainentity.

   • Find the domain name that contains extended or multi-byte characters and set its status to OBSOLETE.

4. Import the updated configuration file, as described in Importing and exporting the configuration file .

If you are configuring authentication for an enterprise or hybrid domain and select LDAP authentication, you can choose to use the LDAP server specified in your directory configuration, or you can choose a different LDAP server to use for authentication. If you choose a different server, your users must exist on both LDAP servers.

To use the LDAP server specified in your directory configuration, select LDAP as the authentication provider and click OK.

To use a different LDAP server to perform authentication, select LDAP as the authentication provider, and select the Custom LDAP Authentication check box. The following configuration settings are displayed.

Server:

(Mandatory) Fully qualified domain name (FQDN) of the directory server. For example, for a computer called x on the corp.example.com network, the FQDN is x.corp.example.com . An IP address can be used in place of the FQDN server name.

Port:

(Mandatory) The port the directory server uses. Typically 389, or 636 if the Secure Sockets Layer (SSL) protocol is used for sending authentication information over the network.

SSL:

(Mandatory) Specifies whether the directory server uses SSL when sending data over the network. The default is No. When set to Yes, the corresponding LDAP server certificate must be trusted by the Java™ runtime environment (JRE) of the application server.

Binding

(Mandatory) Specifies how to access the directory.

Anonymous:

No user name or password is required.

User:

Authentication is required. In the Name box, specify the name of the user record that can access the directory. It is best to enter the full distinguished name (DN) of the user account, such as cn=Jane Doe, ou=user, dc=can, dc=com . In the Password box, specify the associated password. These settings are required when you select User as the Binding option.

Retrieve Base DNs:

(Not mandatory) Retrieves the base DNs and displays them in the drop-down list. This setting is useful when you have multiple base DNs and need to select a value.

Base DN:

(Mandatory) Used as the starting point for synchronizing users and groups from the LDAP hierarchy. It is best to specify a base DN at the lowest level of the hierarchy that encompasses all users and groups that need to be synchronized for services. Do not include the user’s DN in this setting. To synchronize a particular user, use the Search Filter setting.

Populate page with:

(Not mandatory) When selected, populates attributes on the User and Group settings pages with corresponding default LDAP values.

Search Filter:

(Mandatory) The search filter to use to find the record that is associated with the user. (See Search Filter Syntax .)

If you are configuring authentication for an enterprise or hybrid domain and select Kerberos authentication, the following settings are available.

DNS IP:

The DNS IP address of the server where AEM forms is running. On Windows, you can determine this IP address by running ipconfig /all at the command line.

KDC Host:

Fully qualified host name or IP address of the Active Directory server that is used for authentication.

Service User:

If you are using Active Directory 2003, this value is the mapping created for the service principal in the form HTTP/<server name>. If you are using Active Directory 2008, this value is the login ID of the service principal. For example, assume that the service principal is named um spnego , the user ID is spnegodemo , and the mapping is HTTP/example.corp.yourcompany.com . With Active Directory 2003, you set Service User to HTTP/example.corp.yourcompany.com . With Active Directory 2008, you set Service User to spnegodemo . (See Enable SSO using SPNEGO .)

Service Realm:

Domain name for Active Directory

Service Password:

Service user’s password

Enable SPNEGO:

Enables the use of SPNEGO for single sign-on (SSO). (See Enable SSO using SPNEGO .)

If you are configuring authentication for an enterprise or hybrid domain and select SAML authentication, the following settings are available. For information about additional SAML settings, see Configure SAML service provider settings .

Please select a SAML Identity Provider Metadata file to import:

Click Browse to select a SAML identity provider metadata file generated from your IDP and then click Import. Details from IDP are displayed.

Title:

Alias to the URL denoted by the EntityID. The title is also displayed on the login page for enterprise and local users.

Identity Provider Supports Client Basic Authentication:

Client Basic Authentication is used when the IDP uses a SAML Artifact Resolution profile. In this profile, User Management connects back to a web service running at the IDP to retrieve the actual SAML assertion. The IDP may require authentication. If the IDP does require authentication, select this option and specify a user name and password in the boxes provided.

Custom Properties:

Enables you to specify additional properties. The additional properties are name=value pairs separated by new lines.

The following custom properties are required if artifact binding is used.

• Add the following custom property to specify a username that represents the AEM forms Service Provider, which will be used to authenticate to the IDP Artifact Resolution service.

  saml.idp.resolve.username=<username>

• Add the following custom property to specify the password for the user specified in saml.idp.resolve.username .

  saml.idp.resolve.password=<password>

• Add the following custom property to allow the service provider to ignore the certificate validation while establishing the connection with the Artifact Resolution service over SSL.

  saml.idp.resolve.ignorecert=true

If you are configuring authentication for an enterprise or hybrid domain and select Custom authentication, select the name of the custom authentication provider.

1. Write a service container that implements the IdentityCreator and AssignmentProvider interfaces. (See Programming with AEM forms .)

2. Deploy the service container to the forms server.

3. In administration console, click Settings > User Management > Domain Management.

   Select an existing domain or click New Enterprise Domain.

4. To create a domain, click New Enterprise Domain or New Hybrid Domain. To edit an existing domain, click the name of the domain.

5. Select Enable Just In Time Provisioning.

   Note: If the Enable Just In Time Provisioning checkbox is missing, click Home > Settings > User Management> Configuration > Advanced System Attributes and then click Reload.

6. Add authentication providers. While adding authentication providers, on the New Authentication screen, select a registered Identity Creator and Assignment Provider. (See Configuring authentication providers .)

7. Save the domain.

1. In administration console, click Settings > User Management > Domain Management.

2. Click New Enterprise Domain or select an existing enterprise domain.

3. Click Add Directory.

4. In the Profile Name box, type a name to distinguish this directory and then click Next.

5. Configure the directory server settings. (See Directory settings .)

6. To verify that a connection can be made to the LDAP server, click Test. If the test fails, review the exception in the Application Server log file to determine the root cause of the failure. Click Close and then click Next.

7. Select User Settings and configure the settings as required. (See Directory settings .)

8. To verify that the base DN and other configured attributes collect the correct batch of users, click Test. LDAP attempts to retrieve the first 200 records by using the provided settings (such as the base DN, search filter, and all attributes).

   If users are returned, the results show the values that are assigned to each field as per the attribute set. If the test fails because of a non-existent server name, incorrect authorization information, or incorrect attributes, the following error message appears: "The search criteria specified did not return any result". To determine the root cause of the failure, review the exception in the Application Server log file. Click Close and then click Next.

9. Select Group Settings and configure the settings as required. (See Directory settings .)

10. To verify that the base DN and other configured attributes collect the correct batch of groups, click Test. If groups are returned, the results show the values that are assigned to each field as per the attribute set. Click Close.

For information about creating a custom SPI, see "Developing SPIs for AEM forms" in Programming with AEM forms . To make a newly deployed custom SPI available for association with the domain, restart the server.

1. In administration console, click Settings > User Management > Domain Management.

2. Click New Enterprise Domain or select an existing enterprise domain.

3. Click Add Directory.

4. Type a name in the Profile Name box, select Custom SPI Provider, and then click Next.

5. Select a custom user provider from the list and click Next.

6. Select a custom group provider from the list and click Finish.

Unique Identifier:

(Mandatory) A unique and constant attribute used to identify users. Use a non-DN attribute as the unique identifier because a user’s DN may change if they move to another part of the organization. This setting depends on the directory server. The value is objectGUID for Active Directory 2003, nsuniqueID for Sun™ One, and guid for eDirectory.

Important: Ensure that you enter an attribute that is guaranteed to be unique in your organization. Entering an incorrect value can cause serious system problems.

Base DN:

Set as the starting point for synchronizing users and groups from the LDAP hierarchy. It is best to specify a base DN at the lowest level of the hierarchy that encompasses all users and groups that need to be synchronized for services.

If you selected the Enable referral option in the Directory settings, set the Base DN option to the dc part of the DN. For the referral to work, the search span must include both parent and child domains.

Note: Do not include the user’s DN in this setting. To synchronize a particular user, use the Search Filter setting.

Although Base DN is a mandatory setting in administration console, some directory servers such as IBM Domino Enterprise Server may require an empty BaseDN. To specify an empty Base DN, export the config.xml file, edit the setting in the config.xml file, and then reimport it. (See Importing and exporting the configuration file .)

Search Filter:

(Mandatory) The search filter to use to find the record that is associated with the user. You can perform a one-level search or a sub-level search. (See Search Filter Syntax or RFC 2254.) Additional information for the Microsoft AD schema, see Active Directory Schema .

Description:

Schema attribute for the description of the user

Full Name:

(Mandatory) Schema attribute for the full name of the user

Login ID:

(Mandatory) Schema attribute for the user’s login ID

Last Name:

(Mandatory) Schema attribute for the user’s last name

Given Name:

(Mandatory) Schema attribute for the user’s first name

Initials:

Schema attribute for the user’s initials

Business Calendar:

Enables you to map a business calendar to a user, based on the value for this setting (the business calendar key ). Business calendars define business and non-business days. AEM forms can use business calendars when calculating future dates and times for events such as reminders, deadlines, and escalations. The way you assign business calendar keys to users depends on whether you are using an enterprise, local, or hybrid domain. (See Configuring Business Calendars .)

If you are using an enterprise domain, you can map the Business Calendar setting to a field in the LDAP directory. For example, if each user record in your directory contains a country field, and you want to assign business calendars based on the country where the user is located, specify the country field name as the value for the Business Calendar setting. You can then map the business calendar keys (the values defined for the country field in the LDAP directory) to business calendars in forms workflow.

The amount of space used to display the name of the business calendar key in the forms workflow pages is limited. Limit the name of the business calendar key to less than 53 characters to avoid having it truncated on those pages.

Modify Timestamp:

To enable delta directory synchronization, set this value to modify TimeStamp . (See Enable delta directory synchronization .)

Organization:

Schema attribute for the name of the organization to which the user belongs.

Primary Email:

Schema attribute for the primary email address of the user.

Secondary Email:

Schema attribute for the secondary email address of the user.

Telephone:

Schema attribute for the user’s telephone number.

Postal Address:

Schema attribute for the user’s mailing address.

Locale:

Schema attribute that contains the ISO locale information. The value is a two-letter language code or a language and country code.

Time Zone:

Schema attribute that contains the time zone where the user is located. The value is a string such as City/Country .

Enable Virtual List View (VLV) Control:

An LDAP control that enables AEM forms to retrieve data in batches from the directory server. If you are using Sun One as your LDAP directory and the directory contains many users, enabling VLV creates an index that User Management can use when searching users. This feature is useful when using a normal user account that can synchronize only a limited amount of data. You can also enable VLV for groups. If you select Enable Virtual List View (VLV) Control, specify a name in the Sort Field box.

Note: To enable VLV, configure Sun One. (See Configure User Management to use Virtual List View (VLV) .)

Sort Field:

If you selected Enable Virtual List View (VLV) Control, specify the attribute name used to sort the index. This attribute name (such as uid) is the one you specified when you created an index for VLV on the directory server.

Unique Identifier:

(Mandatory) A unique and constant attribute used to identify groups. Use a non-DN attribute as the unique identifier. This setting depends on the directory server. The value is objectGUID for Active Directory 2003, nsuniqueID for Sun One, and guid for eDirectory.

Important: Ensure that you enter an attribute that is guaranteed to be unique in your organization. Entering an incorrect value can cause serious system problems.

Base DN:

(Mandatory) Base distinguished name of the directory.

Although Base DN is a mandatory setting in administration console, some directory servers such as IBM Domino Enterprise Server require an empty BaseDN. To specify an empty Base DN, export the config.xml file, edit the setting in the config.xml file, and then reimport it. (See Importing and exporting the configuration file .)

Search Filter:

(Mandatory) The search filter to use to find the record that is associated with the group. You can perform a one-level search or a sub-level search.

Description:

Schema attribute for the description of the group

Full Name:

(Mandatory) Schema attribute for the full name of the group

Member DN:

(Mandatory) Schema attribute for the distinguished name of members within a group

Member Unique Identifier:

Unique identifier for a user or group that is a member of the selected group. This value depends on the directory server. The value is objectSID for AD2003, nsuniqueID for Sun One, and guid for eDirectory.

If Member DN is specified with a non-DN attribute, User Management uses Member Unique Identifier to query LDAP to collect the user’s DN as it corresponds to a unique identifier value.

If DN is specified as a unique identifier, you do not need to configure Member Unique Identifier.

Organization:

Schema attribute for the name of the organization to which the group belongs

Primary Email:

Schema attribute for the primary email address of the group

Secondary Email:

Schema attribute for the secondary email address of the group

Modify Timestamp:

To enable delta directory synchronization, set this value to modify TimeStamp . (See Enable delta directory synchronization .)

Enable Virtual List View (VLV) Control:

An LDAP control that enables AEM forms to retrieve data in batches from the directory server. If you are using Sun One as your LDAP directory and the directory contains many groups, enabling VLV creates an index that User Management can use when searching groups. This feature is useful when using a normal user account that can synchronize only a limited amount of data. You can also enable VLV for users. If you select Enable Virtual List View (VLV) Control, specify a Sort Field Name.

Note: To enable VLV, configure Sun One. (See Configure User Management to use Virtual List View (VLV) .)

Sort Field Name:

If you selected Enable Virtual List View (VLV) Control, specify the attribute name used to sort the index. This attribute name is the one you specified when you created an index for VLV on the directory server.

Note: Click Test to verify that the user and group settings are collected based on the base DN and search criteria. If users and groups are returned, the results show the values that are assigned to each field as per the attribute set.

Note: User Management does not support duplicate user IDs within a domain; only one user with the user ID is synchronized.

Creating a VLV requires a pair of entries that include the vlvSearch and vlvIndex object classes. The vlvSearch entry includes a search base and the vlvFilter attribute, which specifies the object class that contains the attributes you intend to sort. The vlvIndex object class includes the vlvSort attribute, which specifies one or more attributes to sort and the order to sort them in. (A minus sign (-) denotes reverse alphabetical order). Using VLV with AEM forms requires separate entries for users and groups.

Here is a sample script LDIF for VLV entry for users:

dn: cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config 
objectclass: top 
objectclass: vlvSearch 
cn: lcuser 
vlvBase: dc=corp,dc=adobe,dc=com 
vlvScope: 2 
vlvFilter: (&(objectclass=inetOrgPerson)) 
aci: (target="ldap:///cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config")(targetattr="*")(version 3.0; acl "Config" 
;allow(read,search,compare) userdn="ldap:///all"; ) 
dn: cn=lcuser,cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config 
cn: lcuser 
vlvSort: cn 
objectclass: top 
objectclass: vlvIndex

After configuring the directory settings and creating the LDAP VLV entries for users and groups, stop the server and create the required index.

1. After creating object entries, stop the Sun ONE Server.

2. Using the vlvindex tool, generate the index by typing the following text:

   directory server instance \vlvindex.bat -n userRoot -T lcuser

   The following output is generated:

   D:\tools\ldap\sun\shared\bin>..\..\slapd-chetanmeh-xp3\vlvindex.bat -n userRoot -T livecycle 
   [21/Nov/2007:16:47:26 +051800] - userRoot: Indexing VLV: livecycle 
   [21/Nov/2007:16:47:27 +051800] - userRoot: Indexed 1000 entries (5%). 
   [21/Nov/2007:16:47:27 +051800] - userRoot: Indexed 2000 entries (9%). 
   ... 
   [21/Nov/2007:16:47:29 +051800] - userRoot: Indexed 20000 entries (94%). 
   [21/Nov/2007:16:47:29 +051800] - userRoot: Indexed 21000 entries (99%). 
   [21/Nov/2007:16:47:29 +051800] - userRoot: Finished indexing.

   The vlvindex tool is present in the directory server instance directory. If the Sun ONE Server has two instances running server1 and server2, the vlvindex tool is located in Sun ONE server directory \server1 directory. The value for parameter -T is the value of the cn attribute of the vlvindex entry created previously in the sample LDIF. In this case, it is lcuser .

3. If VLV is also enabled for groups, create the corresponding index for the groups. Verify whether the indexes are created by running the following command:

   sun one server directory \shared\bin>ldapsearch -h hostname -p port no -s base -b "" objectclass=*

   Output such as the following sample data is generated:

   D:\tools\ldap\sun\shared\bin>ldapsearch.exe -h localhost -p 55850 -s base -b "" objectclass=* 
   ldapsearch.exe: started Tue Nov 27 16:34:20 2007 
   version: 1 
   dn: 
   objectClass: top 
   namingContexts: dc=corp,dc=adobe,dc=com 
   supportedExtension: 2.16.840.1.113730.3.5.7 
   ... 
   vlvsearch: cn=MCC ou=testdata dc=corp dc=adobe dc=com, cn=userRoot,cn=ldbm dat 
       abase,cn=plugins,cn=config 
   vlvsearch: cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config 
   vlvsearch: cn=Browsing ou=testdata,cn=userRoot,cn=ldbm database,cn=plugins,cn= 
       config 
   1 matches