LDAP Configuration Properties

Use these properties to configure the LDAP provider used to authenticate Sybase Control Center administration logins or to configure the LDAP provider used to authenticate device application logins. If you are configuring an LDAP provider for device application logins in Sybase Control Center, then Unwired Platform administrators use Sybase Control Center these properties are saved to the SUP_HOME\Servers\UnwiredServer\Repository\CSI\<security configuration name file.

The Java LDAP provider consists of three provider modules.

The LDAPLoginModule provides authentication services. Through appropriate configuration, you can enable certificate authentication in LDAPLoginModule.
(Optional) LDAPAuthorizer or RoleCheckAuthorizer provide authorization service in conjunction with LDAPLoginModule. LDAPLoginModule works with either authorizer.
The RoleCheckAuthorizer is part of every security configuration but does not appear in Sybase Control Center.

Use LDAPAuthorizer only when LDAPLoginModule is not used to perform authentication, but roles are still required to perform authorization checks against the LDAP data store. If you use LDAPAuthorizer, always explicitly configure properties; for it cannot share the configuration options specified for the LDAPLoginModule.
(Optional) LDAPAttributer is used to retrieve the list of roles from the LDAP repository. These roles are displayed in the role mapping screen in Sybase Control Center. The LDAP attributer is capable of sharing the configuration properties from the LDAPLoginModules. If no configuration properties are explicitly specified, then the attributer iterates through the configured LDAPLoginModules and retrieves the roles from all the LDAP repositories configured for the different LDAPLoginModules.

Use this table to help you configure properties for one or more of the supported LDAP providers. When configuring modules or general server properties in Sybase Control Center, note that properties and values can vary, depending on which module or server type you configure.

Property	Default Value	Description
ServerType	None	Optional. The type of LDAP server you are connecting to: `sunone5` -- SunOne 5.x OR iPlanet 5.x `msad2k` -- Microsoft Active Directory, Windows 2000 `nsds4` -- Netscape Directory Server 4.x `openldap` -- OpenLDAP Directory Server 2.x The value you choose establishes default values for these other authentication properties: RoleFilter UserRoleMembership RoleMemberAttributes AuthenticationFilter DigestMD5Authentication UseUserAccountControl
ProviderURL	ldap://localhost:389	The URL used to connect to the LDAP server. Without this URL configured, Unwired Server cannot contact your server. Use the default value if the server is: Located on the same machine as your product that is enabled with the common security infrastructure. Configured to use the default port (389). Otherwise, use this syntax for setting the value: `ldap://<hostname>:<port>`
DefaultSearchBase	None	The LDAP search base that is used if no other search base is specified for authentication, roles, attribution and self registration: `dc=<domainname>,dc=<tld>` For example, a machine in sybase.com domain would have a search base of dc=sybase,dc=com. `o=<company name>,c=<country code>` For example, this might be o=Sybase,c=us for a machine within the Sybase organization. Note: When you configure this property in the "admin" security configuration used to authenticate the administrator in Sybase Control Center, the property value should not contain any special characters, as listed above, in any of the common names or distinguished names.
SecurityProtocol	None	The protocol to be used when connecting to the LDAP server. The specified value overrides the environment property java.naming.security.protocol. To use an encrypted protocol, use SSL instead of ldaps in the URL.
AuthenticationMethod	Simple	The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of: simple — For clear-text password authentication. DIGEST-MD5 — For more secure hashed password authentication. This method requires that the server use plain text password storage and only works with JRE 1.4 or later.
AuthenticationFilter	For most LDAP servers: `(&(uid={uid})(objectclass=person))` or For Active Directory e-mail lookups: `(&(userPrincipalName={uid}) (objectclass=user)) [ActiveDirectory]` For Active Directory Windows user name lookups: `(&(sAMAccountName={uid})(objectclass=user))`	The filter to use when looking up the user. When performing a user name based lookup, this filter is used to determine the LDAP entry that matches the supplied user name. The string "{uid}" in the filter is replaced with the supplied user name. Note: When you use this property to authenticate a user in Sybase Control Center: The property value should not contain any special characters, as listed above, in any of the common names or distinguished names. Do not use Chinese or Japanese characters in user names or passwords of this property.
AuthenticationScope	onelevel	The authentication search scope. The supported values for this are: `onelevel` `subtree` If you do not specify a value or if you specify an invalid value, the default value is used.
AuthenticationSearchBase	None	The search base used to authenticate users. If this property is not configured, the value for DefaultSearchBase is used. Note: When you configure this property in the "admin" security configuration used to authenticate the administrator in Sybase Control Center, the property value should not contain any special characters, as listed above, in any of the common names or distinguished names.
BindDN	None	The user DN to bind against when building the initial LDAP connection. In many cases, this user may need read permissions on all user records. If you do not set a value, anonymous binding is used. Anonymous binding works on most servers without additional configuration.
BindPassword	None	The password for BindDN, which is used to authenticate any user. BindDN and BindPassword separate the LDAP connection into units. The AuthenticationMethod property determines the bind method used for this initial connection. Sybase recommends that you encrypt passwords, and provides a password encryption utility. If you encrypt BindPassword, include `encrypted=true` in the line that sets the option. For example: <options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/> If you do not encrypt BindPassword, the option might look like this: <options name="BindPassword" value="s3cr3T"/>
RoleSearchBase	None	The search base used to retrieve lists of roles. If this property is not configured, the value for DefaultSearchBase is used. Note: Setting the RoleSearchBase to the root in Active Directory (for example "DC=example,DC=com") results in a PartialResultsException error when validating the configuration or authenticating a user. To confirm, verify that example.com:389 is reachable. The DNS lookup may successfully resolve example.com to an IP address but port 389 may not be open with an Active Directory server listening on that port. In this case, adding an entry to the systemroot\system32\drivers\etc\hosts (typically, C:\WINDOWS\system32\drivers\etc\hosts) file on the machine where Sybase Unwired Platform is installed resolves any communication error. Note: When you configure this property in the "admin" security configuration used to authenticate the administrator in Sybase Control Center, the property value should not contain any special characters, as listed above, in any of the common names or distinguished names.
RoleFilter	For SunONE/iPlanet: `(&(objectclass=ldapsubentry) (objectclass=nsroledefinition))` For Netscape Directory Server: `(\|(objectclass=groupofnames) (objectclass=groupofuniquenames))` For ActiveDirectory: `(\|(objectclass=groupofnames) (objectclass=group))`	The role search filter. This filter should, when combined with the role search base and role scope, return a complete list of roles within the LDAP server. There are several default values, depending on the chosen server type. If the server type is not chosen and this property is not initialized, no roles are available. Note: When you use this property to authenticate a user in Sybase Control Center: The property value should not contain any special characters, as listed above, in any of the common names or distinguished names. Do not use Chinese or Japanese characters in user names or passwords of this property.
RoleMemberAttributes	For Netscape Directory Server and OpenLDAP Server: member,uniquemember	A comma-separated list of role attributes from which LDAP derives the DNs of users who have this role. These values are cross-referenced with the active user to determine the user's role list. One example of the use of this property is when using LDAP groups as placeholders for roles. This property has a default value only when the Netscape server type is chosen.
RoleNameAttribute	cn	The attribute of the role entry used as the role name in Unwired Platform. This is the role name displayed in the role list or granted to the authenticated user.
RoleScope	onelevel	The role search scope. Supported values include: `onelevel` `subtree` If you do not specify a value or if you specify an invalid value, the default value is used.
SkipRoleLookup	false	Set this property to true to grant the roles looked up using the attributes specified by the property UserRoleMembershipAttributes without cross-referencing them with the roles looked up using the RoleSearchBase and RoleFilter. LDAP configuration validation succeeds even when an error is encountered when listing all the available roles. The error is logged to the server log during validation but not reported in Sybase Control Center, allowing the configuration to be saved. This has an impact when listing the physical roles for role mapping as well as in Sybase Control Center. To successfully authenticate the user, set the SkipRoleLookup property to true.
UserRoleMembershipAttributes	For iPlanet/SunONE: nsRoleDN For Active Directory: memberOf For all others: none	Defines a user attribute that contains the DNs of all of the roles a user is a member of. These comma-delimited values are cross-referenced with the roles retrieved in the role search base and search filter to generate a list of user's roles. If SkipRoleSearch property is set to true, these comma-delimited values are not cross-referenced with the roles retrieved in the role search base and role search filter. See Skipping LDAP Role Lookups (SkipRoleLookup). Note: If you use nested groups with Active Directory, you must set this property to tokenGroups. See LDAP Nested Groups and Roles in LDAP.
UserFreeformRoleMembershipAttributes	None	The freeform role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles whose names are equal to the attribute value. For example, if the value of this property is department and user's LDAP record has the following values for the department attribute, { sales, consulting }, then the user will be granted roles whose names are sales and consulting.
Referral	ignore	The behavior when a referral is encountered. Valid values are dictated by LdapContext, for example, follow, ignore, throw.
DigestMD5AuthenticationFormat	DN For OpenLDAP: User name	The DIGEST-MD5 bind authentication identity format.
UseUserAccountControlAttribute	For Active Directory: true	When this property is set to true, the UserAccountControl attribute is used to detect if a user account is disabled, if the account has expired, if the password associated with the account has expired, and so on. Active Directory uses this attribute to store this information.
controlFlag	optional	When you configure multiple authentication providers, use controlFlag for each provider to control how the authentication providers are used in the login sequence. controlFlag is a generic login module option rather than an LDAP configuration property. For more information, see controlFlag Attribute Values.