| ServerType | None | Optional. The type of LDAP server you are connecting to:
- sunone5 -- SunOne 5.x or iPlanet 5.x
- msad2k -- Microsoft ActiveDirectory, Windows 2000
- nsds4 -- Netscape Directory Server 4.x
- openldap -- OpenLDAP Directory Server 2.x
The value you choose establishes default values for these other authentication properties:
- RoleFilter
- UserRoleMembership
- RoleMemberAttributes
- AuthenticationFilter
- DigestMD5Authentication
- UseUserAccountControl |
| ProviderURL | ldap://localhost:389 | The URL used to connect to the LDAP server. Use the default value if the server is:
- Located on the same machine as your product that is enabled with the common security infrastructure.
- Configured to use the default port (389).
Otherwise, use this syntax for setting the value: ldap://<hostname>:<port> |
| DefaultSearchBase | None | The LDAP search base that is used if no other search base is specified for authentication, roles, attribution and self registration:
- dc=<domainname>,dc=<tld> For example, a machine in the sybase.com domain would have a search base of dc=sybase,dc=com.
- o=<company name>,c=<country code> For example, this might be o=Sybase,c=us for a machine within the Sybase organization. |
| SecurityProtocol | None | The protocol to be used when connecting to the LDAP server. To use an encrypted protocol, use "ssl" instead of "ldaps" in the URL.
Note: ActiveDirectory requires the SSL protocol when setting the value for the password attribute. This occurs when creating a user or updating the password of an existing user.
                                 | 
| AuthenticationMethod | simple | The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of:
- simple — For clear-text password authentication.
- DIGEST-MD5 — For more secure hashed password authentication. This method requires that the server use plain text password storage and only works with JRE 1.4 or later. |
| AuthenticationFilter | For most LDAP servers: (&(uid={uid})(objectclass=person))
or
For Active Directory email lookups: (&(userPrincipalName={uid})(objectclass=user)) [ActiveDirectory]
For Active Directory Windows username lookups: (&(sAMAccountName={uid})(objectclass=user))
Note: These restrictions apply only when using this property to authenticate Sybase Control Center administration use cases:
- Do not use special characters (for example, , = : ' " * ? &) in user names identified with this property.
- Do not use Chinese or Japanese characters in the user name or passwords of this property.
| The filter to use when looking up the user. When performing a username based lookup, this filter is used to determine the LDAP entry that matches the supplied username. The string "{uid}" in the filter is replaced with the supplied username. |
| AuthenticationScope | onelevel | The authentication search scope. The supported values for this are:
If you do not specify a value or if you specify an invalid value, the default value is used. |
| AuthenticationSearchBase | none | The search base used to authenticate users. If this property is not configured, the value for DefaultSearchBase is used. |
| BindDN | none | The user DN to bind against when building the initial LDAP connection. In many cases, this user may need read permissions on all user records. If you do not set a value, anonymous binding is used. Anonymous binding works on most servers without additional configuration.
However, the LDAP attributer may also use this DN to create the users in the LDAP server. When the self-registration feature is used, this user may also need the requisite permissions to create a user record. This behavior can occur if you do not set useUserCredentialsToBind to true. In this case, the LDAP attributer uses this DN to update the user attributes. |
| BindPassword | none | BindPassword is the password for BindDN, which is used to authenticate any user. BindDN and BindPassword are used to separate the LDAP connection into units.
The AuthenticationMethod property determines the bind method used for this initial connection.
Sybase recommends encrypting passwords and provides a password encryption utility for the purpose. If you encrypt BindPassword, include encrypted=true in the line that sets the option. For example:
<options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>
If you do not encrypt BindPassword, the option might look like this:
<options name="BindPassword" value="s3cr3T"/> |
| RoleSearchBase | none | The search base used to retrieve lists of roles. If this property is not configured, the value for DefaultSearchBase is used. |
| RoleFilter | For SunONE/iPlanet: (&(objectclass=ldapsubentry)(objectclass=nsroledefinition))
For Netscape Directory Server: (|(objectclass=groupofnames)(objectclass=groupofuniquenames))
For ActiveDirectory: (|(objectclass=groupofnames)(objectclass=group))
| The role search filter. This filter should, when combined with the role search base and role scope, return a complete list of roles within the LDAP server. There are several default values depending on the chosen server type. If the server type is not chosen and this property is not initialized, no roles are available. |
| RoleMemberAttributes | For Netscape Directory Server and OpenLDAP Server: member,uniquemember | A comma-separated list of role attributes from which LDAP derives the DNs of users who have this role. These values are cross referenced with the active user to determine the user's role list. One example of the use of this property is when using LDAP groups as placeholders for roles. This property only has a default value when the Netscape server type is chosen. |
| RoleNameAttribute | cn | The attribute of the role entry used as the role name in Unwired Platform. This is the role name displayed in the role list or granted to the authenticated user. |
| RoleScope | onelevel | The role search scope. The supported values for this are:
If you do not specify a value or if you specify an invalid value, the default value is used. |
| SkipRoleLookup | false | Set this property to true to grant the roles looked up using the attributes specified by the property UserRoleMembershipAttributes without cross-referencing them with the roles looked up using the RoleSearchBase and RoleFilter. |
| UserRoleMembershipAttributes | For iPlanet/SunONE: nsRoleDN; for ActiveDirectory: memberOf; for all others: none | The user's role membership attributes property is used to define an attribute that a user has that contains the DNs of all of the roles a user is a member of. These comma-delimited values are then cross-referenced with the roles retrieved in the role search base and search filter to come up with a list of the user's roles.
Note: If SkipRoleSearch property is set to true, then these comma-delimited values will not be cross-referenced with the roles retrieved in the role search base and role search filter. See Skipping LDAP Role Lookups (SkipRoleLookup).
Note: If you use nested groups with ActiveDirectory, you must set this property to "tokenGroups". See Using LDAP Nested Groups and Roles. |
| UserFreeformRoleMembershipAttributes | None | The "freeform" role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles whose names are equal to the attribute value. For example, if the value of this property is "department" and user's LDAP record has the following values for the department attribute, { "sales", "consulting" }, then the user will be granted roles whose names are "sales" and "consulting". |
| Referral | ignore | The behavior when a referral is encountered. The valid values are those dictated by LdapContext, for example, "follow", "ignore", "throw". |
| DigestMD5AuthenticationFormat | DN. For OpenLDAP: Username | The DIGEST-MD5 bind authentication identity format. |
| UseUserAccountControlAttribute | For ActiveDirectory: true | When this property is set to true, the UserAccountControl attribute is used for detecting disabled user accounts, account expirations, password expirations and so on. ActiveDirectory also uses this attribute to store the above information. |
| controlFlag | optional | When you configure multiple Authentication providers, use controlFlag for each provider to control how the authentication providers are used in the login sequence.
Note: For more information, see controlFlag Attribute Values.
Note: controlFlag is a generic login module option rather than an LDAP configuration property. |
| EnableLDAPConnectionTrace | None | Enables LDAP connection tracing. The output is logged to a file in the temp directory. The location of the file is logged to the server log. |
| ConnectTimeout | 0 | Controls how an LDAP connection is obtained by the configured LDAP server within the LDAP provider classes. The property sets the connection timeout interval in milliseconds. The property value sets the JNDI "com.sun.jndi.ldap.connect.timeout" property, when attempting to establish a connection to a configured LDAP server. If the LDAP provider cannot establish a connection within the configured interval, it aborts the connection attempt. An integer less than or equal to zero results in the use of the network protocol's timeout value. |
| ReadTimeout | 0 | Controls how long the client waits for the server to respond to a read attempt after the initial connection to the server has been established. The property sets the read timeout interval in milliseconds. The property value sets the JNDI "com.sun.jndi.ldap.read.timeout" property, when attempting to establish a connection to a configured LDAP server. If the LDAP provider cannot get an LDAP response within the configured interval, it aborts the read attempt. The read timeout applies to the LDAP response from the server after the initial connection is established with the server. An integer less than or equal to zero means no read timeout is specified. |
| LDAPPoolMaxActive | 8 | Caps the number of concurrent LDAP connections to the LDAP server. A negative value indicates no limit. If multiple LDAP providers are configured with this configuration option set, the value set by the first LDAP provider to be loaded takes precedence over all the others. |
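
A configuration check built from the BindPassword, BindDN, AuthenticationMethod, SecurityProtocol and timeout rows above. This is an added example, not Sybase code. The `<provider>` wrapper element, the host name, port 636, the timeout values and the encrypted-value placeholder are assumptions; only the `<options name=... value=.../>` line format comes from the table.

```python
import xml.etree.ElementTree as ET

# Defaults as listed in the property table.
DEFAULTS = {"AuthenticationMethod": "simple", "ConnectTimeout": "0", "ReadTimeout": "0"}

# Constructed sample; the <provider> wrapper element is hypothetical.
WEAK = """<provider>
  <options name="ServerType" value="msad2k"/>
  <options name="ProviderURL" value="ldap://ldap.example.com:389"/>
  <options name="BindDN" value="cn=svc-ldap,dc=example,dc=com"/>
  <options name="BindPassword" value="s3cr3T"/>
</provider>"""

# Constructed sample with corrected settings. The URL keeps the ldap:// scheme
# because the table says to select SSL through SecurityProtocol; port 636 and
# the encrypted value are placeholders chosen for this example.
HARDENED = """<provider>
  <options name="ServerType" value="msad2k"/>
  <options name="ProviderURL" value="ldap://ldap.example.com:636"/>
  <options name="SecurityProtocol" value="ssl"/>
  <options name="BindDN" value="cn=svc-ldap,dc=example,dc=com"/>
  <options name="BindPassword" encrypted="true" value="ENCRYPTED-VALUE-PLACEHOLDER"/>
  <options name="ConnectTimeout" value="5000"/>
  <options name="ReadTimeout" value="10000"/>
</provider>"""


def load_options(xml_text):
    """Map each option name to (value, encrypted flag)."""
    opts = {}
    for el in ET.fromstring(xml_text).iter("options"):
        encrypted = el.get("encrypted", "false").lower() == "true"
        opts[el.get("name")] = (el.get("value", "").strip(), encrypted)
    return opts


def _as_int(raw):
    try:
        return int(raw)
    except ValueError:
        return 0  # unparsable values are treated like "no timeout"


def audit(xml_text):
    """Return (property, finding) pairs for the weaker settings the table describes."""
    opts = load_options(xml_text)
    value = lambda name: opts.get(name, (DEFAULTS.get(name, ""), False))[0]
    ssl = value("SecurityProtocol").lower() == "ssl"
    findings = []
    if "BindPassword" in opts and not opts["BindPassword"][1]:
        findings.append(("BindPassword", 'stored without encrypted="true"'))
    if not value("BindDN"):
        findings.append(("BindDN", "not set, so the initial connection binds anonymously"))
    if value("AuthenticationMethod").lower() == "simple" and not ssl:
        findings.append(("AuthenticationMethod", "clear-text password bind without SecurityProtocol=ssl"))
    if value("ServerType") == "msad2k" and not ssl:
        findings.append(("SecurityProtocol", "ActiveDirectory requires SSL to set the password attribute"))
    for name, effect in (("ConnectTimeout", "the network protocol's timeout applies"),
                         ("ReadTimeout", "no read timeout is specified")):
        if _as_int(value(name)) <= 0:
            findings.append((name, "value <= 0 or invalid: " + effect))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(doc))
```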
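
The AuthenticationFilter row says "{uid}" is replaced with the supplied username and restricts certain characters in user names. The table does not say whether the product escapes the name before substitution, so this added example (not Sybase code) shows the substitution with RFC 4515 escaping applied, plus a pre-check for the listed restrictions. The function names and the Unicode ranges used for "Chinese or Japanese characters" are assumptions.

```python
# RFC 4515 section 3: characters that must be written as \XX inside a filter value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters the table lists as restricted for Sybase Control Center administration logins.
SCC_RESTRICTED = set(",=:'\"*?&")


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Replace {uid} in an AuthenticationFilter template with the escaped user name."""
    return template.replace("{uid}", escape_filter_value(username))


def _is_cjk(ch):
    # Approximation (assumption): Hiragana/Katakana and CJK Unified Ideographs blocks.
    return 0x3040 <= ord(ch) <= 0x30FF or 0x4E00 <= ord(ch) <= 0x9FFF


def scc_violations(username):
    """Return the sorted characters in username that the table's restrictions forbid."""
    return sorted({ch for ch in username if ch in SCC_RESTRICTED or _is_cjk(ch)})


if __name__ == "__main__":
    template = "(&(sAMAccountName={uid})(objectclass=user))"
    # Constructed inputs. Unescaped, "j*" would act as a wildcard and could match
    # more than one entry; escaped, it is compared as a literal asterisk.
    for name in ("jsmith", "j*", "ops(eu)", "o'brien,j"):
        print(repr(name), build_filter(template, name), scc_violations(name))
```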