| Property | Default | Description |
|---|---|---|
| ServerType | None | Optional. The type of LDAP server you are connecting to: sunone5 (SunOne 5.x or iPlanet 5.x), msad2k (Microsoft Active Directory, Windows 2000), nsds4 (Netscape Directory Server 4.x), or openldap (OpenLDAP Directory Server 2.x). The value you choose establishes default values for these other authentication properties: RoleFilter, UserRoleMembership, RoleMemberAttributes, AuthenticationFilter, DigestMD5Authentication, and UseUserAccountControl. |
| ProviderURL | ldap://localhost:389 | The URL used to connect to the LDAP server. Use the default value if the server is located on the same machine as your product that is enabled with the common security infrastructure, and is configured to use the default port (389). Otherwise, set the value using this syntax: `ldap://<hostname>:<port>` |
| DefaultSearchBase | None | The LDAP search base that is used if no other search base is specified for authentication, roles, attribution, and self registration. Typical forms are `dc=<domainname>,dc=<tld>` (for example, a machine in the mycompany.com domain would have a search base of dc=mycompany,dc=com) and `o=<company name>,c=<country code>` (for example, o=mycompany,c=us for a machine within the Mycompany organization). Note: When you use this property to authenticate SCC, do not use special characters, as listed above, in common names or distinguished names in the value of this property, and do not use Chinese or Japanese characters in user names or passwords of this property. |
| SecurityProtocol | None | The protocol to be used when connecting to the LDAP server. To use an encrypted protocol, use ssl instead of ldaps in the URL. |
| AuthenticationMethod | simple | The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of: simple, for clear-text password authentication; or DIGEST-MD5, for more secure hashed password authentication (this method requires that the server use plain text password storage and only works with JRE 1.4 or later). |
| AuthenticationFilter | For most LDAP servers: `(&(uid={uid})(objectclass=person))`. For Active Directory e-mail lookups: `(&(userPrincipalName={uid})(objectclass=user))`. For Active Directory Windows user name lookups: `(&(sAMAccountName={uid})(objectclass=user))` | The filter to use when looking up the user. When performing a user-name-based lookup, this filter is used to determine the LDAP entry that matches the supplied user name. The string "{uid}" in the filter is replaced with the supplied user name. Note: When you use this property to authenticate SCC, do not use special characters, as listed above, in common names or distinguished names in the value of this property, and do not use Chinese or Japanese characters in user names or passwords of this property. |
| AuthenticationScope | onelevel | The authentication search scope. The supported values for this are: If you do not specify a value or if you specify an invalid value, the default value is used. |
| AuthenticationSearchBase | None | The search base used to authenticate users. If this property is not configured, the value for DefaultSearchBase is used. Note: When you use this property to authenticate SCC, do not use special characters, as listed above, in common names or distinguished names in the value of this property, and do not use Chinese or Japanese characters in user names or passwords of this property. |
| BindDN | None | The user DN to bind against when building the initial LDAP connection. In many cases, this user may need read permissions on all user records. If you do not set a value, anonymous binding is used; anonymous binding works on most servers without additional configuration. However, the LDAP attributer may use this DN to create users in the LDAP server: when the self-registration feature is used, this user may need permissions to create a user record. This behavior may occur if you do not set useUserCredentialsToBind to true, in which case the LDAP attributer uses this DN to update the user attributes. |
| BindPassword | None | The password for BindDN, which is used to authenticate any user. BindDN and BindPassword separate the LDAP connection into units. The AuthenticationMethod property determines the bind method used for this initial connection. SAP recommends that you encrypt passwords, and provides a password encryption utility. If you encrypt BindPassword, include encrypted=true in the line that sets the option, for example: `<options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>`. If you do not encrypt BindPassword, the option might look like this: `<options name="BindPassword" value="s3cr3T"/>` |
| RoleSearchBase | None | The search base used to retrieve lists of roles. If this property is not configured, LDAP uses the value for DefaultSearchBase. Note: When you use this property to authenticate SCC, do not use special characters, as listed above, in common names or distinguished names in the value of this property, and do not use Chinese or Japanese characters in user names or passwords of this property. |
| RoleFilter | For SunONE/iPlanet: `(&(objectclass=ldapsubentry)(objectclass=nsroledefinition))`. For Netscape Directory Server: `(\|(objectclass=groupofnames)(objectclass=groupofuniquenames))`. For ActiveDirectory: `(\|(objectclass=groupofnames)(objectclass=group))` | The role search filter. This filter should, when combined with the role search base and role scope, return a complete list of roles within the LDAP server. There are several default values, depending on the chosen server type. If the server type is not chosen and this property is not initialized, no roles are available. Note: When you use this property to authenticate SCC, do not use special characters, as listed above, in common names or distinguished names in the value of this property, and do not use Chinese or Japanese characters in user names or passwords of this property. |
| RoleMemberAttributes | For Netscape Directory Server and OpenLDAP Server: member,uniquemember | A comma-separated list of role attributes from which LDAP derives the DNs of users who have this role. These values are cross-referenced with the active user to determine the user's role list. One example of the use of this property is when using LDAP groups as placeholders for roles. This property has a default value only when the Netscape server type is chosen. |
| RoleNameAttribute | cn | The attribute of the role entry used as the role name. This is the role name displayed in the role list or granted to the authenticated user. |
| RoleScope | onelevel | The role search scope. Supported values include: If you do not specify a value or if you specify an invalid value, LDAP uses the default value. |
| SkipRoleLookup | false | Set this property to true to grant the roles looked up using the attributes specified by the UserRoleMembershipAttributes property without cross-referencing them with the roles looked up using RoleSearchBase and RoleFilter. LDAP configuration validation succeeds even when an error is encountered while listing all the available roles; the error is logged to the server log during validation but not reported in SCC, allowing the configuration to be saved. This has an impact when listing the physical roles for role mapping as well as in SCC. To successfully authenticate the user, set the SkipRoleLookup property to true. |
| UserRoleMembershipAttributes | For iPlanet/SunONE: nsRoleDN. For Active Directory: memberOf. For all others: none | Defines a user attribute that contains the DNs of all of the roles a user is a member of. These comma-delimited values are cross-referenced with the roles retrieved in the role search base and search filter to generate a list of the user's roles. If the SkipRoleSearch property is set to true, these comma-delimited values are not cross-referenced with the roles retrieved in the role search base and role search filter. See SkipRoleLookup. Note: If you use nested groups with Active Directory, you must set this property to tokenGroups. |
| UserFreeformRoleMembershipAttributes | None | The free-form role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles whose names are equal to the attribute value. For example, if the value of this property is department and the department attribute in the user's LDAP record has the values {sales, consulting}, the user is granted the roles sales and consulting. |
| Referral | ignore | The behavior when a referral is encountered. Valid values are dictated by LdapContext, but might include follow, ignore, or throw. |
| DigestMD5AuthenticationFormat | DN (for OpenLDAP: user name) | The DIGEST-MD5 bind authentication identity format. |
| UseUserAccountControlAttribute | For Active Directory: true | When this property is set to true, the UserAccountControl attribute is used to detect disabled user accounts, account expirations, password expirations, and so on. Active Directory also uses this attribute to store the above information. |
| EnableLDAPConnectionTrace | false | Enables LDAP connection tracing. The output is logged to a file in the temp directory; the location of the file is logged to the server log. |
| ConnectTimeout | 0 | Specifies the timeout, in milliseconds, for attempts to connect to the LDAP server. The property value sets the JNDI com.sun.jndi.ldap.connect.timeout property when attempting to establish a connection to a configured LDAP server. If the LDAP provider cannot establish a connection within the configured interval, it aborts the connection attempt. An integer value less than or equal to zero results in the use of the network protocol's timeout value. |
| ReadTimeout | 0 | Controls the length of time, in milliseconds, the client waits for the server to respond to a read attempt after the initial connection to the server has been established. The property value sets the JNDI com.sun.jndi.ldap.read.timeout property when attempting to establish a connection to a configured LDAP server. If the LDAP provider does not receive an LDAP response within the configured interval, it aborts the read attempt. The read timeout applies to the LDAP response from the server after the initial connection is established. An integer value less than or equal to zero indicates no read timeout is specified. |
| LDAPPoolMaxActive | 8 | Caps the number of concurrent LDAP connections to the LDAP server. A non-positive value indicates no limit. If this option is set for multiple LDAP providers, the value set by the first LDAP provider loaded takes precedence over all the others. When LDAPPoolMaxActive is reached, any further attempts by the LDAP provider classes to borrow LDAP connections from the pool are blocked indefinitely until a new or idle object becomes available in the pool. Connection pooling improves the LDAP provider's performance and resource utilization by managing the number of TCP connections established with configured LDAP servers. |
| controlFlag | optional | When you configure multiple authentication providers, use controlFlag for each provider to control how the authentication providers are used in the login sequence. controlFlag is a generic login module option rather than an LDAP configuration property. |
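As an added illustration (not SAP's or SCC's own code), the following Python shows how the properties above fit together: ServerType supplies the defaults quoted in this table, AuthenticationSearchBase and RoleSearchBase fall back to DefaultSearchBase, and the "{uid}" placeholder in AuthenticationFilter is filled with the supplied user name after RFC 4515 escaping, so that filter metacharacters in a login name cannot change the structure of the query. The property dictionary layout and the function names are assumptions of this example.

```python
# Added illustration, not SAP/SCC code: resolve ServerType defaults, the
# DefaultSearchBase fallback, and the {uid} placeholder with RFC 4515 escaping
# so a supplied user name cannot alter the structure of the search filter.
from typing import Dict

# Per-ServerType defaults as quoted in the property table (only those the table lists)
SERVER_TYPE_DEFAULTS: Dict[str, Dict[str, str]] = {
    "msad2k": {
        "AuthenticationFilter": "(&(sAMAccountName={uid})(objectclass=user))",
        "RoleFilter": "(|(objectclass=groupofnames)(objectclass=group))",
        "UserRoleMembershipAttributes": "memberOf",
        "UseUserAccountControlAttribute": "true",
    },
    "sunone5": {
        "AuthenticationFilter": "(&(uid={uid})(objectclass=person))",
        "RoleFilter": "(&(objectclass=ldapsubentry)(objectclass=nsroledefinition))",
        "UserRoleMembershipAttributes": "nsRoleDN",
    },
    "nsds4": {
        "AuthenticationFilter": "(&(uid={uid})(objectclass=person))",
        "RoleFilter": "(|(objectclass=groupofnames)(objectclass=groupofuniquenames))",
        "RoleMemberAttributes": "member,uniquemember",
    },
    "openldap": {
        "AuthenticationFilter": "(&(uid={uid})(objectclass=person))",
        "RoleMemberAttributes": "member,uniquemember",
    },
}


def effective_properties(props: Dict[str, str]) -> Dict[str, str]:
    """Explicit properties win over ServerType defaults; search bases fall back."""
    merged = dict(SERVER_TYPE_DEFAULTS.get(props.get("ServerType", ""), {}))
    merged.update({k: v for k, v in props.items() if v})
    for key in ("AuthenticationSearchBase", "RoleSearchBase"):
        merged.setdefault(key, merged.get("DefaultSearchBase", ""))
    return merged


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters as backslash-hex pairs (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_auth_filter(props: Dict[str, str], uid: str) -> str:
    """Substitute {uid} in the effective AuthenticationFilter with the escaped name."""
    template = effective_properties(props)["AuthenticationFilter"]
    return template.replace("{uid}", escape_filter_value(uid))
```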