LDAP Configuration Properties

(Not applicable to Online Data Proxy) Use these properties to configure the LDAP provider used to authenticate SCC administration logins or to configure the LDAP provider used to authenticate device application logins. If you are creating a provider for device application logins, then Unwired Platform administrators use Sybase Control Center to write these properties to the <UnwiredPlatform_InstallDir>\Servers\UnwiredServer\Repository\CSI\default.xml file.Use these properties to configure the LDAP provider used to authenticate SCC administration logins or to configure the LDAP provider used to authenticate device application logins. If you are creating a provider for device application logins, then Unwired Platform administrators use Sybase Control Center to write these properties to the <UnwiredPlatform_InstallDir>\Servers\UnwiredServer\Repository\CSI\default.xml file.

Unwired Server implements a Java LDAP provider through a common security interface used by other Sybase products like Sybase Control Center.

The Java LDAP provider consists of three provider modules, each of which is in the com.sybase.security.ldap Java package. This is why the syntax used between Sybase Control Center provider and Unwired Server varies.
  • LDAPLoginModule– provides authentication services. Through appropriate configuration, you can enable certificate authentication in LDAPLoginModule.
  • (Optional)LDAPAuthorizer or RoleCheckAuthorizer – provide authorization services for LDAPLoginModule. LDAPLoginModule works with either authorizer. In most production deployments, you must always configure your own authorizer. However, if you are authenticating against a service other than LDAP, but want to perform authorization against LDAP, you can use the LDAPAuthorizer.

    The RoleCheckAuthorizer is used with every security configuration but does not appear in Sybase Control Center.

    Use LDAPAuthorizer only when LDAPLoginModule is not used to perform authentication, but roles are still required to perform authorization checks against the LDAP data store. If you use LDAPAuthorizer, always explicitly configure properties; for it cannot share the configuration options specified for the LDAPLoginModule.

Use this table to help you configure properties for one or more of the supported LDAP providers. When configuring modules or general server properties in Sybase Control Center, note that properties and values can vary, depending on which module or server type you configure.

Property Default Value Description
ServerType None
Optional. The type of LDAP server you are connecting to:
  • sunone5 -- SunOne 5.x OR iPlanet 5.x
  • msad2k -- Microsoft ActiveDirectory, Windows 2000
  • nsds4 -- Netscape Directory Server 4.x
  • openldap -- OpenLDAP Directory Server 2.x
The value you choose establishes default values for these other authentication properties:
  • RoleFilter
  • UserRoleMembership
  • RoleMemberAttributes
  • AuthenticationFilter
  • DigestMD5Authentication
  • UseUserAccountControl
ProviderURL ldap://localhost:389 The URL used to connect to the LDAP server. Without this URL configured, Unwired Server cannot contact your server. Use the default value if the server is:
  • Located on the same machine as your product that is enabled with the common security infrastructure.
  • Configured to use the default port (389).

Otherwise, use this syntax for setting the value:

ldap://<hostname>:<port>

DefaultSearchBase None The LDAP search base that is used if no other search base is specified for authentication, roles, attribution and self registration:
  1. dc=<domainname>,dc=<tld>

    For example, a machine in sybase.com domain would have a search base of dc=sybase,dc=com.

  2. o=<company name>,c=<country code>

    For example, this might be o=Sybase,c=us for a machine within the Sybase organization.

SecurityProtocol None The protocol to be used when connecting to the LDAP server.
To use an encrypted protocol, use "ssl" instead of "ldaps" in the url.
Note: ActiveDirectory requires the SSL protocol when setting the value for the password attribute. This occurs when creating a user or updating the password of an existing user.
AuthenticationMethod simple The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of:
  • simple — For clear-text password authentication.
  • DIGEST-MD5 — For more secure hashed password authentication. This method requires that the server use plain text password storage and only works with JRE 1.4 or later.
AuthenticationFilter For most LDAP servers: (&amp;(uid={uid})(objectclass=person))

or

For Active Directory email lookups: (&amp;(userPrincipalName={uid}) (objectclass=user)) [ActiveDirectory]

For Active Directory Windows username lookups: (&amp;(sAMAccountName={uid})(objectclass=user))

Note: Please note these restrictions when using this property to authenticate Sybase Control Center administration use cases only:
  • Do not use special characters (for example, , = : ' " * ? &) in user names identified with this property.
  • Do not use Chinese or Japanese characters in the user name or passwords of this property.
 The filter to use when looking up the user.

When performing a username based lookup, this filter is used to determine the LDAP entry that matches the supplied username.

The string "{uid}" in the filter is replaced with the supplied username.

AuthenticationScope onelevel The authentication search scope. The supported values for this are:
  • onelevel
  • subtree

If you do not specify a value or if you specify an invalid value, the default value is used.

AuthenticationSearchBase none The search base used to authenticate users. If this property is not configured, the value for DefaultSearchBase is used.
BindDN none

The user DN to bind against when building the initial LDAP connection.

In many cases, this user may need read permissions on all user records. If you do not set a value, anonymous binding is used. Anonymous binding works on most servers without additional configuration.

However, the LDAP attributer may also use this DN to create the users in the LDAP server. When the self-registration feature is used, this user may also need the requisite permissions to create a user record. This behavior can occur if you do not set useUserCredentialsToBind to true. In this case, the LDAP attributer uses this DN to update the user attributes.

BindPassword none

BindPassword is the password for BindDN, which is used to authenticate any user. BindDN and BindPassword are used to separate the LDAP connection into units.

The AuthenticationMethod property determines the bind method used for this initial connection.

Sybase recommends encrypting passwords and provides a password encryption utility for the purpose. If you encrypt BindPassword, include encrypted=true in the line that sets the option. For example: 
<options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>
If you do not encrypt BindPassword, the option might look like this: 
<options name="BindPassword" value="s3cr3T"/>
RoleSearchBase none The search base used to retrieve lists of roles. If this property is not configured, the value for DefaultSearchBase is used.
RoleFilter For SunONE/iPlanet: (&amp;(objectclass=ldapsubentry) (objectclass=nsroledefinition))

For Netscape Directory Server: (|(objectclass=groupofnames) (objectclass=groupofuniquenames))

For ActiveDirectory: (|(objectclass=groupofnames) (objectclass=group))

The role search filter. This filter should, when combined with the role search base and role scope, return a complete list of roles within the LDAP server. There are several default values depending on the chosen server type. If the server type is not chosen and this property is not initialized, no roles are available.
RoleMemberAttributes For Netscape Directory Server and OpenLDAP Server: member,uniquemember A comma-separated list of role attributes from which LDAP derives the DNs of users who have this role.

These values are cross referenced with the active user to determine the user's role list. One example of the use of this property is when using LDAP groups as placeholders for roles. This property only has a default value when the Netscape server type is chosen.
RoleNameAttribute cn The attribute of the role entry used as the role name in Unwired Platform. This is the role name displayed in the role list or granted to the authenticated user.
RoleScope onelevel The role search scope. The supported values for this are:
  • onelevel
  • subtree

If you do not specify a value or if you specify an invalid value, the default value is used.

SkipRoleLookup false Set this property to true to grant the roles looked up using the attributes specified by the property UserRoleMembershipAttributes without cross-referencing them with the roles looked up using the RoleSearchBase and RoleFilter.
UserRoleMembershipAttributes For iPlanet/SunONE: nsRoleDN

For ActiveDirectory: memberOf

For all others: none

 The user's role membership attributes property is used to define an attribute that a user has that contains the DN's of all of the roles as user is a member of.

These comma-delimited values are then cross-referenced with the roles retrieved in the role search base and search filter to come up with a list of user's roles.

Note: If SkipRoleSearch property is set to true, then these comma-delimited values will not be cross-referenced with the roles retrieved in the role search base and role search filter. See Skipping LDAP Role Lookups (SkipRoleLookup).
Note: If you use nested groups with ActiveDirectory, you must set this property to "tokenGroups". See Using LDAP Nested Groups and Roles.
UserFreeformRoleMembershipAttributes None The "freeform" role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles whose names are equal to the attribute value. For example, if the value of this property is "department" and user's LDAP record has the following values for the department attribute, { "sales", "consulting" }, then the user will be granted roles whose names are "sales" and "consulting".
Referral ignore The behavior when a referral is encountered. The valid values are those dictated by LdapContext, for example, "follow", "ignore", "throw".
DigestMD5AuthenticationFormat DN

For OpenLDAP: Username

 The DIGEST-MD5 bind authentication identity format.
UseUserAccountControlAttribute

For ActiveDirectory: true

 When this property is set to true, the UserAccountControl attribute is used for detecting disabled user accounts, account expirations, password expirations and so on. ActiveDirectory also uses this attribute to store the above information.
controlFlag optional When you configure multiple Authentication providers, use controlFlag for each provider to control how the authentication providers are used in the login sequence.
Note: controlFlag is a generic login module option rather than an LDAP configuration property.
EnableLDAPConnectionTrace None Enables LDAP connection tracing. The output is logged to a file in temp directory. The location of the file is logged to the server log.
Parent topic: Security Provider Configuration Properties
Related concepts
LDAP Security Provider
Related tasks
Adding a Production-Grade Provider
Stacking Providers and Combining Authentication Results