ServerType
Default: None
Optional. The type of LDAP server you are connecting to:
- sunone5 -- SunOne 5.x or iPlanet 5.x
- msad2k -- Microsoft Active Directory, Windows 2000
- nsds4 -- Netscape Directory Server 4.x
- openldap -- OpenLDAP Directory Server 2.x
The value you choose establishes default values for these other authentication properties:
- RoleFilter
- UserRoleMembership
- RoleMemberAttributes
- AuthenticationFilter
- DigestMD5Authentication
- UseUserAccountControl

ProviderURL
Default: ldap://localhost:389
The URL used to connect to the LDAP server. Use the default value if the server is:
- Located on the same machine as your product that is enabled with the common security infrastructure.
- Configured to use the default port (389).
Otherwise, use this syntax for setting the value: ldap://<hostname>:<port>

DefaultSearchBase
Default: None
The LDAP search base that is used if no other search base is specified for authentication, roles, attribution and self-registration:
- dc=<domainname>,dc=<tld> -- For example, a machine in the sybase.com domain would have a search base of dc=sybase,dc=com.
- o=<company name>,c=<country code> -- For example, this might be o=Sybase,c=us for a machine within the Sybase organization.

SecurityProtocol
Default: None
The protocol to be used when connecting to the LDAP server. To use an encrypted protocol, use "ssl" instead of "ldaps" in the URL.
Note: Active Directory requires the SSL protocol when setting the value for the password attribute. This occurs when creating a user or updating the password of an existing user.

AuthenticationMethod
Default: simple
The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of:
- simple -- For clear-text password authentication.
- DIGEST-MD5 -- For more secure hashed password authentication. This method requires that the server store passwords in plain text, and it only works with JRE 1.4 or later.

AuthenticationFilter
Default:
- For most LDAP servers: (&(uid={uid})(objectclass=person))
- For Active Directory e-mail lookups: (&(userPrincipalName={uid})(objectclass=user))
- For Active Directory Windows username lookups: (&(sAMAccountName={uid})(objectclass=user))
The filter to use when looking up the user. When performing a username-based lookup, this filter is used to determine the LDAP entry that matches the supplied username. The string "{uid}" in the filter is replaced with the supplied username.
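Because "{uid}" is replaced with whatever username the caller supplies, the value must be escaped before it goes into the filter or filter syntax in the username changes what the search matches. The following is an added example (not code from the Sybase product) that expands the three default filter templates above with RFC 4515 escaping and checks that the expanded filter keeps the template's shape; the dictionary keys and function names are assumptions for this example.

```python
# Added example (not from the Sybase documentation): expand an AuthenticationFilter
# template by substituting {uid} with an RFC 4515-escaped username, then check that
# the expanded filter still has the template's shape.

# RFC 4515 escapes for the characters that would otherwise change a filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The three default AuthenticationFilter values from the table; the dict keys are ours.
AUTH_FILTERS = {
    "generic": "(&(uid={uid})(objectclass=person))",
    "ad_email": "(&(userPrincipalName={uid})(objectclass=user))",
    "ad_windows": "(&(sAMAccountName={uid})(objectclass=user))",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template: str, username: str) -> str:
    """Replace every {uid} in the template with the escaped username."""
    return template.replace("{uid}", escape_filter_value(username))


def same_shape(template: str, expanded: str) -> bool:
    """True when substitution added no filter syntax: the expanded filter has exactly
    the template's number of parentheses and wildcards."""
    return all(template.count(c) == expanded.count(c) for c in "()*")
```

A username containing "*" or parentheses is still looked up, but as a literal value, so the filter continues to match at most the one entry the template was written for.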

AuthenticationScope
Default: onelevel
The authentication search scope. The supported values for this are:
If you do not specify a value or if you specify an invalid value, the default value is used.

AuthenticationSearchBase
Default: none
The search base used to authenticate users. If this value is not specified, the LDAP DefaultSearchBase is used.

BindDN
Default: none
The user DN to bind against when building the initial LDAP connection. In many cases, this user may need read permissions on all user records. If you do not set a value, anonymous binding is used. Anonymous binding works on most servers without additional configuration.
However, the LDAP attributer may also use this DN to create users in the LDAP server. When the self-registration feature is used, this user may also need the requisite permissions to create a user record. This behavior can occur if you do not set useUserCredentialsToBind to true; in that case, the LDAP attributer uses this DN to update the user attributes.

BindPassword
Default: none
BindPassword is the password for BindDN, which is used to authenticate any user. BindDN and BindPassword are used to separate the LDAP connection into units. The AuthenticationMethod property determines the bind method used for this initial connection.
Sybase recommends encrypting passwords and provides a password encryption utility for the purpose. If you encrypt BindPassword, include encrypted="true" in the line that sets the option. For example:
<options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>
If you do not encrypt BindPassword, the option might look like this:
<options name="BindPassword" value="s3cr3T"/>
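A review of these options can be automated. The following is an added example, not part of the Sybase product, that parses the <options .../> lines and reports the two conditions the table itself documents: a BindPassword stored without encrypted="true", and simple (clear-text) authentication over an unencrypted ldap:// URL to a host other than the local machine. The <config> root element, the sample values and the function names are constructed for this example.

```python
# Added example (not part of the Sybase documentation): audit the <options .../>
# lines of the LDAP login module. The <config> root and sample values are constructed;
# the option names are the ones the property table documents.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_OPTIONS = """<config>
  <options name="ProviderURL" value="ldap://dir.example.test:389"/>
  <options name="AuthenticationMethod" value="simple"/>
  <options name="BindDN" value="cn=csi-bind,ou=services,dc=example,dc=test"/>
  <options name="BindPassword" value="s3cr3T"/>
</config>"""


def load_options(xml_text: str) -> dict:
    """Return {name: (value, encrypted)} for every <options> element."""
    opts = {}
    for el in ET.fromstring(xml_text).iter("options"):
        opts[el.get("name")] = (el.get("value", ""), el.get("encrypted", "false").lower() == "true")
    return opts


def audit_options(opts: dict) -> list:
    """Findings a reviewer would raise, using only what the property table states."""
    findings = []
    value, encrypted = opts.get("BindPassword", ("", False))
    if value and not encrypted:
        findings.append('BindPassword is stored in clear text; use the encryption utility and encrypted="true"')
    # ProviderURL defaults to the local server; AuthenticationMethod defaults to simple.
    url = urlsplit(opts.get("ProviderURL", ("ldap://localhost:389", False))[0])
    local = url.hostname in ("localhost", "127.0.0.1", "::1")
    method = opts.get("AuthenticationMethod", ("simple", False))[0].lower()
    if url.scheme == "ldap" and not local and method == "simple":
        findings.append("simple authentication sends clear-text passwords over an unencrypted ldap:// connection to a remote host")
    return findings
```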

RoleSearchBase
Default: none
The search base used to retrieve lists of roles. If this value is not specified, the LDAP DefaultSearchBase is used.

RoleFilter
Default:
- For SunONE/iPlanet: (&(objectclass=ldapsubentry)(objectclass=nsroledefinition))
- For Netscape Directory Server: (|(objectclass=groupofnames)(objectclass=groupofuniquenames))
- For Active Directory: (|(objectclass=groupofnames)(objectclass=group))
The role search filter. This filter, when combined with the role search base and role scope, should return a complete list of roles within the LDAP server. There are several default values depending on the chosen server type. If the server type is not chosen or this property is not initialized, no roles are available.

RoleMemberAttributes
Default: For Netscape Directory Server: member,uniquemember
A comma-delimited list of attributes that roles may have, each holding a list of DNs of the people who are in the role. These values are cross-referenced with the active user to determine the user's role list. One example of the use of this property is when using LDAP groups as placeholders for roles. This property only has a default value when the Netscape server type is chosen.

RoleNameAttribute
Default: cn
The attribute of a retrieved role that is the common name of the role. If this value is "dn", it is interpreted specially: the entire DN of the role is used as the role name.

RoleScope
Default: onelevel
The role search scope. The supported values for this are:
If you do not specify a value or if you specify an invalid value, the default value is used.

UserRoleMembershipAttributes
Default:
- For iPlanet/SunONE: nsRoleDN
- For Active Directory: memberOf
- For all others: none
Defines an attribute of the user that contains the DNs of all of the roles the user is a member of. These comma-delimited values are then cross-referenced with the roles retrieved in the role search base and search filter to produce the list of the user's roles.

UserFreeformRoleMembershipAttributes
Default: None
The "freeform" role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles whose names are equal to the attribute values. For example, if the value of this property is "department" and the user's LDAP record has the values { "sales", "consulting" } for the department attribute, then the user is granted the roles named "sales" and "consulting".
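The three mechanisms above (RoleMemberAttributes on the role entries, UserRoleMembershipAttributes on the user entry, and the freeform attributes) are combined when the user's role list is built. The following is an added example, not the product's own code, that models that combination over a small constructed directory: the entries, the configuration values, and the use of an objectclass set in place of a real RoleFilter are assumptions for this example, and only the default onelevel RoleScope is modelled.

```python
# Added example (not from the Sybase documentation): how the three role-membership
# mechanisms in the table combine into a user's role list. Directory entries and
# configuration values are constructed; the property names are the table's.
USER_DN = "uid=jsmith,ou=people,dc=example,dc=test"
ROLES = "ou=roles,dc=example,dc=test"
DIRECTORY = {  # DN -> attributes (lower-cased names, list values)
    USER_DN: {"memberof": ["cn=admins," + ROLES], "department": ["sales", "consulting"]},
    "cn=admins," + ROLES: {"objectclass": ["groupofnames"], "cn": ["admins"], "member": [USER_DN]},
    "cn=auditors," + ROLES: {"objectclass": ["groupofuniquenames"], "cn": ["auditors"], "uniquemember": [USER_DN]},
    "cn=ops," + ROLES: {"objectclass": ["groupofnames"], "cn": ["ops"], "member": ["uid=other,ou=people,dc=example,dc=test"]},
}
ROLE_CONFIG = {
    "RoleSearchBase": ROLES,          # RoleScope onelevel (the default) is the only scope modelled
    "RoleFilter": {"groupofnames", "groupofuniquenames"},  # objectclass set standing in for the filter
    "RoleMemberAttributes": "member,uniquemember",
    "RoleNameAttribute": "cn",
    "UserRoleMembershipAttributes": "memberOf",
    "UserFreeformRoleMembershipAttributes": "department",
}

def _attrs(csv: str) -> list:
    """Split a comma-delimited attribute list as the table describes it."""
    return [a.strip().lower() for a in csv.split(",") if a.strip()]

def search_roles(cfg: dict) -> dict:
    """Role entries one level under RoleSearchBase whose objectclass matches RoleFilter."""
    base = cfg["RoleSearchBase"].lower()
    return {dn: a for dn, a in DIRECTORY.items()
            if dn.lower().split(",", 1)[1] == base and set(a.get("objectclass", [])) & cfg["RoleFilter"]}

def role_name(dn: str, attrs: dict, cfg: dict) -> str:
    """Apply RoleNameAttribute; "dn" means the role's whole DN is the role name."""
    name_attr = cfg["RoleNameAttribute"].lower()
    return dn if name_attr == "dn" else attrs[name_attr][0]

def user_roles(user_dn: str, cfg: dict) -> list:
    user, roles, names = DIRECTORY[user_dn], search_roles(cfg), set()
    # 1. RoleMemberAttributes: roles whose member lists contain the user's DN.
    for dn, attrs in roles.items():
        if any(user_dn in attrs.get(a, []) for a in _attrs(cfg["RoleMemberAttributes"])):
            names.add(role_name(dn, attrs, cfg))
    # 2. UserRoleMembershipAttributes: role DNs held on the user, cross-referenced with the search.
    for a in _attrs(cfg["UserRoleMembershipAttributes"]):
        names.update(role_name(dn, roles[dn], cfg) for dn in user.get(a, []) if dn in roles)
    # 3. Freeform attributes: each value is used directly as a role name.
    for a in _attrs(cfg["UserFreeformRoleMembershipAttributes"]):
        names.update(user.get(a, []))
    return sorted(names)
```

Note that a freeform attribute grants roles from values the user's own record carries, so who can write that attribute in the directory determines who can grant those roles.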

Referral
Default: ignore
The behavior when a referral is encountered. The valid values are those dictated by LdapContext, for example, "follow", "ignore", "throw".

DigestMD5AuthenticationFormat
Default: DN. For OpenLDAP: Username
The DIGEST-MD5 bind authentication identity format.

UseUserAccountControlAttribute
Default: For most LDAP servers: false. For Active Directory: true
Whether to use the UserAccountControl attribute to detect disabled user accounts, account expirations, password expirations and so on. Active Directory also uses this attribute to store the above information.

controlFlag
Default: optional
Indicates whether authentication with this login module is sufficient to allow the user to log in, or whether the user must also be authenticated with another login module. Rarely set to anything other than "sufficient" for any login module.
Note: controlFlag is a generic login module option rather than an LDAP configuration property.