ServerType
|
None |
Optional. The type of LDAP server you are connecting to: -
sunone5 -- SunOne 5.x OR iPlanet 5.x
-
msad2k -- Microsoft ActiveDirectory, Windows 2000
-
nsds4 -- Netscape Directory Server 4.x
-
openldap -- OpenLDAP Directory Server 2.x
The value you choose establishes default values for these other authentication properties: - RoleFilter
- UserRoleMembership
- RoleMemberAttributes
- AuthenticationFilter
- DigestMD5Authentication
- UseUserAccountControl
|
ProviderURL
|
ldap://localhost:389
|
The URL used to connect to the LDAP server. Without this URL configured, Unwired Server cannot contact your server. Use the default value if the server is:- Located on the same machine as your product that is enabled with the common security infrastructure.
- Configured to use the default port (389).
Otherwise, use this syntax for setting the value:
ldap://<hostname>:<port>
|
DefaultSearchBase
|
None
|
The LDAP search base that is used if no other search base is specified for authentication, roles, attribution and self registration:
-
dc=<domainname>,dc=<tld>
For example, a machine in sybase.com domain would have a search base of dc=sybase,dc=com.
-
o=<company name>,c=<country code>
For example, this might be o=Sybase,c=us for a machine within the Sybase organization.
|
SecurityProtocol
|
None |
The protocol to be used when connecting to the LDAP server. To use an encrypted protocol, use "ssl" instead "ldaps" in the url. Note: ActiveDirectory requires the SSL protocol when setting the value for the password attribute. This occurs when creating a user or updating the password of an existing user.
|
AuthenticationMethod
|
simple |
The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of:- simple — For clear-text password authentication.
- DIGEST-MD5 — For more secure hashed password authentication. This method requires that the server use plain text password storage and only works with JRE 1.4 or later.
|
AuthenticationFilter
|
For most LDAP servers: (&(uid={uid})(objectclass=person))
or
For Active Directory email lookups: (&(userPrincipalName={uid}) (objectclass=user))
[ActiveDirectory]
For Active Directory Windows username lookups: (&(sAMAccountName={uid})(objectclass=user))
|
The filter to use when looking up the user. When performing a username based lookup, this filter is used to determine the LDAP entry that matches the supplied username.
The string "{uid}" in the filter is replaced with the supplied username.
|
AuthenticationScope
|
onelevel |
The authentication search scope. The supported values for this are:
If you do not specify a value or if you specify an invalid value, the default value is used.
|
AuthenticationSearchBase
|
none |
The search base used to authenticate users. If this value is not specified, the LDAP DefaultSearchBase is used.
|
BindDN
|
none |
The user DN to bind against when building the initial LDAP connection.
In many cases, this user may need read permissions on all user records. If you do not set a value, anonymous binding is used. Anonymous binding works on most servers without additional configuration.
However, the LDAP attributer may also use this DN to create the users in the LDAP server. When the self-registration feature is used, this user may also need the requisite permissions to create a user record. This behavior can occur if you do not set useUserCredentialsToBind to true. In this case, the LDAP attributer uses this DN to update the user attributes.
|
BindPassword
|
none |
BindPassword is the password for BindDN, which is used to authenticate any user. BindDN and BindPassword are used to separate the LDAP connection into units.
The AuthenticationMethod property determines the bind method used for this initial connection.
If you use an encrypted the password using the CSI encryption utility, append .e to the property name. For example: CSI.loginModule.7.options.
BindPassword.e=1-AAAAEgQQOLL+LpX
JO8fO9T4SrQYRC9lRT1w5ePfdczQTDs
P8iACk9mDAbm3F3p5a1wXWKK8+NdJuk
nc7w2nw5aGJlyG3xQ==
|
RoleSearchBase
|
none |
The search base used to retrieve lists of roles. If this value is not specified, the LDAP DefaultSearchBase is used.
|
RoleFilter
|
For SunONE/iPlanet: (&(objectclass=ldapsubentry) (objectclass=nsroledefinition))
For Netscape Directory Server: (objectclass=groupofnames) (objectclass=groupofuniquenames))
For ActiveDirectory: (objectclass=groupofnames) (objectclass=group))
|
The role search filter. This filter should, when combined with the role search base and role scope, return a complete list of roles within the LDAP server. There are several default values depending on the chosen server type. If the server type is not chosen or this property is not initialized, no roles are available.
|
RoleMemberAttributes
|
For Netscape Directory Server: member,uniquemember
|
The role's member attributes defines a comma-delimited list of attributes that roles may have that define a list of DN's of people who are in the role. These values are cross referenced with the active user to determine the user's role list. One example of the use of this property is when using LDAP groups as placeholders for roles.
This property only has a default value when the Netscape server type is chosen.
|
RoleNameAttribute
|
cn |
The attribute for retrieved roles that is the common name of the role. If this value is "dn" it is interpreted specially as the entire dn of the role as the role name.
|
RoleScope
|
onelevel |
The role search scope. The supported values for this are:
If you do not specify a value or if you specify an invalid value, the default value is used.
|
UserRoleMembershipAttributes
|
For iPlanet/SunONE: nsRoleDN For ActiveDirectory:
memberOf
For all others: none
|
The user's role membership attributes property is used to define an attribute that a user has that contains the DN's of all of the roles as user is a member of. These comma-delimited values are then cross-referenced with the roles retrieved in the role search base and search filter to come up with a list of user's roles.
|
UserFreeformRoleMembershipAttributes
|
None |
The "freeform" role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles whose names are equal to the attribute value. For example, if the value of this property is "department" and user's LDAP record has the following values for the department attribute, { "sales", "consulting" }, then the user will be granted roles whose names are "sales" and "consulting". |
Referral
|
ignore |
The behavior when a referral is encountered. The valid values are those dictated by LdapContext, for example, "follow", "ignore", "throw". |
DigestMD5AuthenticationFormat
|
DN For OpenLDAP: Username
|
The DIGEST-MD5 bind authentication identity format. |
UseUserAccountControlAttribute
|
For most LDAP servers: false For ActiveDirectory: true
|
The UserAccountControl attribute to be used for detecting disabled user accounts, account expirations, password expirations and so on. ActiveDirectory also uses this attribute to store the above information. |
controlFlag
|
optional |
Indicates whether authentication with this login module is sufficient to allow the user to log in, or whether the user must also be authenticated with another login module. Rarely set to anything other than "sufficient" for any login module.
Note: controlFlag is a generic login module option rather than an LDAP configuration property.
|