LDAP Configuration Properties

The LDAP login provider provides authentication, authorization, and attribution services. Configure the LDAP provider by setting properties in the <installation directory>\EAServer\Repository\CSI\conf\default.xml file.

To share configuration properties among the authentication, authorization, and attributer providers of a single LDAP provider, set the properties only for the authorization provider. If you require more than one LDAP module, however, each LDAP provider must have its own configuration, because configuration cannot be shared among multiple LDAP providers. The LDAP attributer derives its configuration as appropriate from all active login module configurations.

The properties listed in the tables below are those most likely to be used in Service Container deployments; they are a subset of the comprehensive list of supported LDAP properties. For a definitive list, see the CSI 2.0.1 Java LDAP Provider technical note at http://www.sybase.com/techdocs.

Important properties

The following properties are required when configuring an LDAP login provider:

Property Default value Description
ServerType None
The type of LDAP server you are connecting to. LDAP servers might be one of:
  • sunone5 -- SunOne 5.x OR iPlanet 5.x
  • msad2k -- Microsoft ActiveDirectory, Windows 2000
  • nsds4 -- Netscape Directory Server 4.x
  • openldap -- OpenLDAP Directory Server 2.x
The value you choose helps to establish default values for these other authentication properties:
  • RoleFilter
  • UserRoleMembership
  • Attributes
  • RoleMemberAttributes
  • AuthenticationFilter
  • DigestMD5Authentication
  • Format
  • UseUserAccountControl
  • Attribute

For the description of these properties, see the Javadoc documentation for com.sybase.security.ldap.LDAPConst.

ProviderURL ldap://localhost:389 The URL used to connect to the LDAP server.

Use the following syntax for setting the value:

ldap://<hostname>:<port>

Use the default value if the server is:
  • Located on the same machine as the product that is enabled with the common security infrastructure.
  • Configured to use the default port (389).
DefaultSearchBase None The LDAP search base to use for general operations. If you do not specify unique search bases for authentication, role and self-registration, then this search base is used for those purposes as well.

Use the following syntax for setting the value:

dc=<domainname>,dc=com

For example, a machine in the sybase.com domain would have a search base of dc=sybase,dc=com.

You can also include organization and country codes if required: o=<company name>,c=<country code>.

Using Sybase as an example, you could set this information as o=Sybase,c=us for a machine within the Sybase organization.

Other important properties

While the following properties are not used as frequently as those listed above, they can still be important for authentication and role evaluation.

Property Default Value Description

AuthenticationMethod simple The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of:
  • simple -- use this for cleartext password authentication.
  • DIGEST-MD5 -- use this for more secure hashed password authentication. This method requires that the server use plaintext password storage and only works with JRE 1.4 or later. See the Java Sun website for more information.
AuthenticationSearchBase none The search base used to authenticate users. If this value is not specified, the LDAP DefaultSearchBase is used.
AuthenticationScope onelevel The authentication search scope. The supported values for this are:
  • onelevel
  • subtree

If you do not specify a value or if you specify an invalid value, the default value is used.

BindDN none

The user DN to bind against when building the initial LDAP connection.

In many cases, this user may need only read permissions on all user records. If you do not set a value, anonymous binding is used. Anonymous binding works on most servers without additional configuration.

However, the LDAP attributer may also use this DN to create users in the LDAP server. When the self-registration feature is used, this user may therefore also need the requisite permissions to create a user record. This occurs if you do not set useUserCredentialsToBind to true; in that case, the LDAP attributer also uses this DN to update the user attributes.

BindPassword none The user password to bind against when building the initial LDAP connection.

You only need to set this value if the BindDN property is set.

The AuthenticationMethod property determines the bind method used for this initial connection.

RoleSearchBase none The search base used to retrieve lists of roles. If this value is not specified, the LDAP DefaultSearchBase is used.
RoleScope onelevel The role search scope. The supported values for this are:
  • onelevel
  • subtree

If you do not specify a value or if you specify an invalid value, the default value is used.
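The rules in the two tables above (the ProviderURL syntax, the search base syntax, the scope values that silently fall back to their default, the anonymous bind that results from an empty BindDN, and the cleartext nature of the simple method) can be checked before a deployment goes live. The following Python script is an added example written for this page, not code from Sybase or from the CSI product: it lints a set of LDAP provider properties held in a plain dict. The sample property values, the DN regular expression and the dict-based representation of default.xml settings are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the LDAP provider properties a deployment might set in
# default.xml, as a plain dict. Property names are the ones documented above;
# the values are made up for this example.
SAMPLE_PROPERTIES = {
    "ServerType": "openldap",
    "ProviderURL": "ldap://ldap.example.com:389",
    "DefaultSearchBase": "dc=example,dc=com",
    "AuthenticationMethod": "simple",
    "AuthenticationScope": "sub-tree",   # invalid: the provider falls back to onelevel
    "BindDN": "",                        # empty: anonymous binding
    "BindPassword": "hunter2",           # set without a BindDN, so it is never used
}

KNOWN_SERVER_TYPES = {"sunone5", "msad2k", "nsds4", "openldap"}
VALID_SCOPES = {"onelevel", "subtree"}
DEFAULTS = {
    "ProviderURL": "ldap://localhost:389",
    "AuthenticationMethod": "simple",
    "AuthenticationScope": "onelevel",
    "RoleScope": "onelevel",
}
# Assumption for this example: a search base is a comma-separated list of
# attr=value pairs such as dc=sybase,dc=com or o=Sybase,c=us.
DN_RE = re.compile(r"^[a-z]+=[^,=]+(?:,[a-z]+=[^,=]+)*$", re.IGNORECASE)


def effective_value(props, name):
    """Return the value the provider will actually use: the configured value,
    or the documented default when the value is missing or, for the scope
    properties, invalid."""
    value = props.get(name, "")
    if name.endswith("Scope"):
        return value if value in VALID_SCOPES else DEFAULTS[name]
    return value or DEFAULTS.get(name)


def check_ldap_properties(props):
    """Lint LDAP provider properties. Returns a list of (level, message) pairs:
    'error' for settings that cannot work, 'warning' for settings that work
    but weaken security or are silently ignored."""
    findings = []

    server_type = props.get("ServerType")
    if server_type not in KNOWN_SERVER_TYPES:
        findings.append(("error", f"ServerType {server_type!r} is not one of "
                                  f"{sorted(KNOWN_SERVER_TYPES)}"))

    url = effective_value(props, "ProviderURL")
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        findings.append(("error", f"ProviderURL {url!r} is not of the form "
                                  "ldap://<hostname>:<port>"))
    try:
        parts.port  # urlsplit raises ValueError on a non-numeric port
    except ValueError:
        findings.append(("error", f"ProviderURL {url!r} has a non-numeric port"))

    base = props.get("DefaultSearchBase", "")
    if not base:
        findings.append(("error", "DefaultSearchBase is required and has no default"))
    elif not DN_RE.match(base):
        findings.append(("error", f"DefaultSearchBase {base!r} does not look like "
                                  "dc=<domainname>,dc=com or o=<company>,c=<cc>"))

    method = effective_value(props, "AuthenticationMethod")
    if method == "simple" and parts.scheme == "ldap":
        findings.append(("warning", "AuthenticationMethod 'simple' sends cleartext "
                                    "passwords over an unencrypted ldap:// connection"))

    for scope in ("AuthenticationScope", "RoleScope"):
        configured = props.get(scope)
        if configured and configured not in VALID_SCOPES:
            findings.append(("warning", f"{scope} {configured!r} is invalid; the provider "
                                        f"silently uses {DEFAULTS[scope]!r}"))

    if not props.get("BindDN"):
        findings.append(("warning", "BindDN not set: the initial connection uses anonymous binding"))
        if props.get("BindPassword"):
            findings.append(("warning", "BindPassword is set but ignored because BindDN is empty"))

    return findings


if __name__ == "__main__":
    for level, message in check_ldap_properties(SAMPLE_PROPERTIES):
        print(f"{level.upper():7} {message}")
```

Run against the constructed sample, the checker reports no errors but four warnings: the cleartext simple bind, the misspelled scope that falls back to onelevel, the anonymous bind, and the unused BindPassword. Replacing the dict with values parsed from your own default.xml turns this into a pre-deployment check for the properties described above.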
