LDAP Configuration Properties

The LDAP security provider supplies authentication, authorization, and attribution services.

Important properties

The following properties are required when configuring an LDAP login provider:

Property: ServerType
Default value: None
Description: The type of LDAP server you are connecting to:
  • sunone5 -- SunOne 5.x or iPlanet 5.x
  • msad2k -- Microsoft Active Directory, Windows 2000
  • nsds4 -- Netscape Directory Server 4.x
  • openldap -- OpenLDAP Directory Server 2.x
The value you choose helps establish default values for these other authentication properties:
  • RoleFilter
  • UserRoleMembership
  • Attributes
  • RoleMemberAttributes
  • AuthenticationFilter
  • DigestMD5Authentication
  • Format
  • UseUserAccountControl
  • Attribute

For the description of these properties, see the Javadoc for the LDAP provider installed with your Sybase product.

Property: ProviderURL
Default value: ldap://localhost:389
Description: The URL used to connect to the LDAP server. A production installation does not include OpenDS, so you must configure this URL; without it, Unwired Server cannot contact your LDAP server.

Use this syntax for setting the value:

ldap://<hostname>:<port>

Use the default value if the server is:
  • Located on the same machine as your product that is enabled with the common security infrastructure.
  • Configured to use the default port (389). Note that development editions of Unwired Platform include an OpenDS LDAP server that runs on the non-standard port 10389, whereas most LDAP servers use the standard port 389.
Property: DefaultSearchBase
Default value: None
Description: The LDAP search base to use for general operations. If you do not specify separate search bases for authentication, role, and self-registration operations, this search base is used for those purposes as well.

Use this syntax for setting the value:

dc=<domain name>,dc=com

For example, a machine in the sybase.com domain has a search base of dc=sybase,dc=com.

You can also include organization and country codes if required:

o=<company name>,c=<country code>

Using Sybase as an example, you could set this value to o=Sybase,c=us for a machine within the Sybase organization.

Other important properties

These properties are used less frequently than those listed above, but they may still be important for authentication and role evaluation.

Property: AuthenticationMethod
Default value: simple
Description: The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of:
  • simple -- use this for clear-text password authentication.
  • DIGEST-MD5 -- use this for more secure hashed password authentication. This method requires that the server use plain-text password storage, and it only works with JRE 1.4 or later. See the Java Sun Web site for more information.

Property: AuthenticationSearchBase
Default value: None
Description: The search base used to authenticate users. If this value is not specified, the LDAP DefaultSearchBase is used.

Property: AuthenticationScope
Default value: onelevel
Description: The authentication search scope. The supported values for this are:
  • onelevel
  • subtree

If you do not specify a value or if you specify an invalid value, the default value is used.

Property: BindDN
Default value: None
Description: The user DN to bind as when establishing the initial LDAP connection.

In many cases, this user may need read permission on all user records. If you do not set a value, anonymous binding is used; anonymous binding works on most servers without additional configuration.

However, the LDAP attributer may also use this DN to create users in the LDAP server. When the self-registration feature is used, this user may also need the permissions required to create a user record. This occurs if you do not set useUserCredentialsToBind to true; in that case, the LDAP attributer uses this DN to update the user attributes.

Property: BindPassword
Default value: None
Description: The password for BindDN, which is used to authenticate any user. BindDN and BindPassword are used to separate the LDAP connection into units.

The AuthenticationMethod property determines the bind method used for this initial connection.

Property: RoleSearchBase
Default value: None
Description: The search base used to retrieve lists of roles. If this value is not specified, the LDAP DefaultSearchBase is used.

Property: RoleScope
Default value: onelevel
Description: The role search scope. The supported values for this are:
  • onelevel
  • subtree

If you do not specify a value or if you specify an invalid value, the default value is used.

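As an added illustration, not part of the Sybase documentation or product, the following Python function applies the defaults and fallback rules described in these two tables to a property set and reports the settings a security reviewer would want flagged (anonymous bind, clear-text simple authentication, silently corrected scopes). The property names are the documented ones; the sample values in the usage are constructed.

```python
import re

# Legal values and defaults as documented for the Unwired Server LDAP provider.
SERVER_TYPES = {"sunone5", "msad2k", "nsds4", "openldap"}
SCOPES = {"onelevel", "subtree"}
AUTH_METHODS = {"simple", "DIGEST-MD5"}
DEFAULTS = {"ProviderURL": "ldap://localhost:389", "AuthenticationMethod": "simple",
            "AuthenticationScope": "onelevel", "RoleScope": "onelevel"}
URL_RE = re.compile(r"^ldap://[A-Za-z0-9.-]+:\d{1,5}$")        # ldap://<hostname>:<port>
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)*$")  # dc=sybase,dc=com or o=Sybase,c=us


def resolve(props):
    """Apply the documented defaults and fallbacks; return (effective config, [(severity, message)])."""
    findings = []
    eff = dict(DEFAULTS)
    eff.update({k: v for k, v in props.items() if v not in (None, "")})
    # Required properties have no default: without them the provider cannot be built.
    for key in ("ServerType", "DefaultSearchBase"):
        if key not in eff:
            findings.append(("error", f"{key} is required and has no default"))
    if "ServerType" in eff and eff["ServerType"] not in SERVER_TYPES:
        findings.append(("error", f"ServerType {eff['ServerType']!r} is not a supported server type"))
    if not URL_RE.match(eff["ProviderURL"]):
        findings.append(("error", "ProviderURL must have the form ldap://<hostname>:<port>"))
    if "DefaultSearchBase" in eff and not DN_RE.match(eff["DefaultSearchBase"]):
        findings.append(("error", "DefaultSearchBase is not a DN such as dc=sybase,dc=com"))
    if eff["AuthenticationMethod"] not in AUTH_METHODS:
        findings.append(("error", f"AuthenticationMethod {eff['AuthenticationMethod']!r} is not simple or DIGEST-MD5"))
    # A missing or invalid scope silently falls back to onelevel; report it instead of hiding it.
    for key in ("AuthenticationScope", "RoleScope"):
        if eff[key] not in SCOPES:
            findings.append(("warning", f"{key} {eff[key]!r} is invalid; the default 'onelevel' is used"))
            eff[key] = "onelevel"
    # Unset authentication and role search bases inherit DefaultSearchBase.
    for key in ("AuthenticationSearchBase", "RoleSearchBase"):
        if key not in eff and "DefaultSearchBase" in eff:
            eff[key] = eff["DefaultSearchBase"]
    # No BindDN means an anonymous initial bind; a BindDN without BindPassword is a likely mistake.
    if "BindDN" not in eff:
        findings.append(("info", "No BindDN: the initial connection uses anonymous binding"))
    elif "BindPassword" not in eff:
        findings.append(("warning", "BindDN is set but BindPassword is not"))
    if eff["AuthenticationMethod"] == "simple":
        findings.append(("warning", "AuthenticationMethod simple sends passwords in clear text"))
    elif eff["AuthenticationMethod"] == "DIGEST-MD5":
        findings.append(("info", "DIGEST-MD5 requires plain-text password storage on the LDAP server"))
    return eff, findings
```

Calling resolve() on a development-style property set such as {"ServerType": "openldap", "ProviderURL": "ldap://localhost:10389", "DefaultSearchBase": "dc=sybase,dc=com"} (constructed values) returns the effective configuration with both search bases filled in, plus an info finding for the anonymous bind and a warning for clear-text simple authentication.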

Created September 17, 2009. Send feedback on this help topic to Sybase Technical Publications: pubs@sybase.com