ServerType
|
None |
Optional. The type of LDAP server you are connecting to:
- sunone5 -- SunOne 5.x or iPlanet 5.x
- msad2k -- Microsoft Active Directory, Windows 2000
- nsds4 -- Netscape Directory Server 4.x
- openldap -- OpenLDAP Directory Server 2.x
The value you choose establishes default values for these other authentication properties:
- RoleFilter
- UserRoleMembershipAttributes
- RoleMemberAttributes
- AuthenticationFilter
- DigestMD5AuthenticationFormat
- UseUserAccountControlAttribute
|
ProviderURL
|
ldap://localhost:389
|
The URL used to connect to the LDAP server. Without this URL configured, Unwired Server cannot contact your server. Use the default value only if the server is:
- Located on the same machine as your product that is enabled with the common security infrastructure.
- Configured to use the default port (389).
Otherwise, use this syntax for setting the value:
ldap://<hostname>:<port>
For an SSL-protected connection, point the URL at the server's LDAPS port (636 by default) and set SecurityProtocol to ssl; do not change the scheme to ldaps://.
|
DefaultSearchBase
|
None |
The LDAP search base that is used if no other search base is specified for authentication, roles, attribution and self registration. Typical forms are:
- dc=<domainname>,dc=<tld>
  For example, a machine in the sybase.com domain would have a search base of dc=sybase,dc=com.
- o=<company name>,c=<country code>
  For example, o=Sybase,c=us for a machine within the Sybase organization.
|
SecurityProtocol
|
None |
The protocol to be used when connecting to the LDAP server. To use an encrypted connection, set this property to "ssl"; keep the ldap:// scheme in ProviderURL rather than changing it to ldaps://.
Note: Active Directory requires the SSL protocol when setting the value for the password attribute. This occurs when creating a user or updating the password of an existing user.
|
AuthenticationMethod
|
simple |
The authentication method to use for all authentication requests into LDAP. Legal values are generally the same as those of the java.naming.security.authentication JNDI property. Choose one of:
- simple -- Clear-text password authentication. The password crosses the network unprotected unless SecurityProtocol is set to ssl, so use simple only over an SSL connection.
- DIGEST-MD5 -- Challenge-response authentication in which the password itself is not sent over the wire. This method requires that the server store passwords in plain text and only works with JRE 1.4 or later.
|
AuthenticationFilter
|
For most LDAP servers:
(&(uid={uid})(objectclass=person))
For Active Directory e-mail lookups:
(&(userPrincipalName={uid})(objectclass=user))
For Active Directory Windows user name lookups:
(&(sAMAccountName={uid})(objectclass=user))
Note: Observe these restrictions when using this property to authenticate Sybase Control Center administration use cases only:
- Do not use special characters (for example , = : ' " * ? &) in user names identified with this property.
- Do not use Chinese or Japanese characters in the user name or passwords of this property.
|
The filter to use when looking up the user. When performing a username-based lookup, this filter is used to determine the LDAP entry that matches the supplied username. The string "{uid}" in the filter is replaced with the supplied username. Because the name is substituted into the filter, characters that have a special meaning in LDAP filter syntax (such as *, parentheses and &) can change what the filter matches rather than being treated as part of the name.
|
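The following is an added example, not Unwired Platform code, showing the "{uid}" substitution described above with the three filter templates from the table, and why a user name containing filter metacharacters is a problem. The escaping follows RFC 4515 section 3; whether Unwired Server escapes the value the same way is an assumption, not something the table states. The `structure_preserved` check and the sample user names are constructed for this example.

```python
"""Substitute a user name into an AuthenticationFilter template.

Added example, not Unwired Platform code. It mirrors the documented "{uid}"
substitution and shows why the property table forbids filter metacharacters
in user names. Escaping follows RFC 4515 section 3; whether Unwired Server
escapes the value the same way is an assumption.
"""
import re

# Filter templates exactly as listed in the property table.
FILTER_GENERIC = "(&(uid={uid})(objectclass=person))"
FILTER_AD_UPN = "(&(userPrincipalName={uid})(objectclass=user))"
FILTER_AD_SAM = "(&(sAMAccountName={uid})(objectclass=user))"

# RFC 4515: characters that must be hex-escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Matches an RFC 4515 escape sequence such as \2a.
_ESCAPE_SEQ = re.compile(r"\\[0-9a-fA-F]{2}")


def escape_filter_value(value):
    """Escape a string so it is treated purely as an assertion value."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username, escape=True):
    """Replace {uid} with the user name, escaped unless escape=False."""
    value = escape_filter_value(username) if escape else username
    return template.replace("{uid}", value)


def metachar_counts(ldap_filter):
    """Count the unescaped '(', ')' and '*' in a filter string."""
    stripped = _ESCAPE_SEQ.sub("", ldap_filter)
    return stripped.count("("), stripped.count(")"), stripped.count("*")


def structure_preserved(template, username, escape=True):
    """True if the user name only filled in a value and did not add
    operators, parentheses or wildcards to the filter."""
    built = build_filter(template, username, escape)
    return metachar_counts(built) == metachar_counts(template)


if __name__ == "__main__":
    # Constructed user names: one ordinary, one wildcard, one carrying filter syntax.
    for name in ("jdoe", "*", "*)(objectclass=*"):
        for escape in (False, True):
            built = build_filter(FILTER_GENERIC, name, escape)
            ok = structure_preserved(FILTER_GENERIC, name, escape)
            print(f"{name!r:22} escape={escape!s:5} -> {built}  structure_ok={ok}")
```

Run without escaping, the name `*` turns the filter into one that matches every person entry, and `*)(objectclass=*` adds a clause of its own; with escaping, both stay ordinary values and the filter keeps the same number of operators and parentheses as the template.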
AuthenticationScope
|
onelevel |
The authentication search scope. The supported values are onelevel (search only the entries directly under the search base) and subtree (search the base and everything below it). If you do not specify a value or if you specify an invalid value, the default value is used.
|
AuthenticationSearchBase
|
none |
The search base used to authenticate users. If this property is not configured, the value for DefaultSearchBase is used. |
BindDN
|
none |
The user DN to bind against when building the initial LDAP connection. In many cases, this user needs read permissions on all user records. If you do not set a value, anonymous binding is used. Anonymous binding works on most servers without additional configuration. Where a bind DN is needed, use a dedicated service account that has only the read permissions the provider requires, not a directory administrator account.
However, the LDAP attributer may also use this DN to create users in the LDAP server. When the self-registration feature is used, this user may also need the requisite permissions to create a user record. This behavior occurs if you do not set useUserCredentialsToBind to true; in that case, the LDAP attributer uses this DN to update the user attributes.
|
BindPassword
|
none |
BindPassword is the password for BindDN; together they identify the account that Unwired Server uses for its initial connection to the LDAP server, before it searches for and authenticates the end user. The AuthenticationMethod property determines the bind method used for this initial connection.
Sybase recommends encrypting passwords and provides a password encryption utility for the purpose. If you encrypt BindPassword, include encrypted="true" in the line that sets the option. For example:
<options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>
If you do not encrypt BindPassword, the password sits in clear text in the configuration file and the option might look like this:
<options name="BindPassword" value="s3cr3T"/>
|
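As an added example (not part of Unwired Platform), the script below reads a login-module configuration in the `<options name=... value=... encrypted=.../>` shape shown for BindPassword and flags the weak settings this table warns about: a clear-text BindPassword, AuthenticationMethod simple without SecurityProtocol ssl, and an ldaps:// scheme used in ProviderURL instead of the ssl protocol setting. The enclosing `<authenticationProvider>` element and both sample configurations are constructed for this example.

```python
"""Flag the weak LDAP login-module settings this property table warns about.

Added example, not Unwired Platform code. The <options name=... value=...
encrypted=.../> element shape comes from the BindPassword entry above; the
enclosing <authenticationProvider> element and both sample configurations
are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed: the table's defaults used carelessly.
WEAK_CONFIG = """
<authenticationProvider>
  <options name="ProviderURL" value="ldap://ldap.example.com:389"/>
  <options name="AuthenticationMethod" value="simple"/>
  <options name="BindDN" value="cn=svc-unwired,ou=Service,dc=example,dc=com"/>
  <options name="BindPassword" value="s3cr3T"/>
</authenticationProvider>
"""

# Constructed: the same provider with the documented corrections applied.
HARDENED_CONFIG = """
<authenticationProvider>
  <options name="ProviderURL" value="ldap://ldap.example.com:636"/>
  <options name="SecurityProtocol" value="ssl"/>
  <options name="AuthenticationMethod" value="simple"/>
  <options name="BindDN" value="cn=svc-unwired,ou=Service,dc=example,dc=com"/>
  <options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>
</authenticationProvider>
"""


def load_options(xml_text):
    """Return {name: (value, encrypted)} for every <options> element."""
    opts = {}
    for el in ET.fromstring(xml_text.strip()).iter("options"):
        encrypted = el.get("encrypted", "false").lower() == "true"
        opts[el.get("name")] = (el.get("value", ""), encrypted)
    return opts


def audit(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = load_options(xml_text)
    findings = []
    url = opts.get("ProviderURL", ("ldap://localhost:389", False))[0]  # table default
    protocol = opts.get("SecurityProtocol", ("", False))[0].lower()
    method = opts.get("AuthenticationMethod", ("simple", False))[0].lower()  # table default

    # The table says to select SSL through SecurityProtocol, not the URL scheme.
    if url.lower().startswith("ldaps://"):
        findings.append("ProviderURL uses ldaps://; keep ldap:// and set SecurityProtocol to ssl")

    # simple sends the bind and user passwords in clear text unless SSL is on.
    if method == "simple" and protocol != "ssl":
        findings.append("AuthenticationMethod simple without SecurityProtocol ssl: clear-text passwords on the wire")

    # BindPassword belongs in encrypted form, produced by the password encryption utility.
    value, encrypted = opts.get("BindPassword", ("", False))
    if value and not encrypted:
        findings.append('BindPassword stored in clear text; encrypt it and add encrypted="true"')

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit(cfg) or ["no findings"])
```

The checks only apply defaults that the table itself documents (ProviderURL ldap://localhost:389, AuthenticationMethod simple), so a configuration that omits those options is judged as the server would treat it.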
RoleSearchBase
|
none |
The search base used to retrieve lists of roles. If this property is not configured, the value for DefaultSearchBase is used. |
RoleFilter
|
For SunONE/iPlanet:
(&(objectclass=ldapsubentry)(objectclass=nsroledefinition))
For Netscape Directory Server:
(|(objectclass=groupofnames)(objectclass=groupofuniquenames))
For Active Directory:
(|(objectclass=groupofnames)(objectclass=group))
|
The role search filter. This filter should, when combined with the role search base and role scope, return a complete list of roles within the LDAP server. There are several default values depending on the chosen server type. If the server type is not chosen and this property is not initialized, no roles are available.
|
RoleMemberAttributes
|
For Netscape Directory Server and OpenLDAP Server: member,uniquemember |
A comma-separated list of role attributes from which LDAP derives the DNs of users who have this role. These values are cross-referenced with the active user to determine the user's role list. One example of the use of this property is when using LDAP groups as placeholders for roles. This property has a default value only when the Netscape or OpenLDAP server type is chosen.
|
RoleNameAttribute
|
cn |
The attribute of the role entry used as the role name in Unwired Platform. This is the role name displayed in the role list or granted to the authenticated user. |
RoleScope
|
onelevel |
The role search scope. The supported values are onelevel (search only the entries directly under the role search base) and subtree (search the base and everything below it). If you do not specify a value or if you specify an invalid value, the default value is used.
|
SkipRoleLookup |
false |
Set this property to true to grant the roles looked up using the attributes specified by the UserRoleMembershipAttributes property without cross-referencing them with the roles looked up using RoleSearchBase and RoleFilter. With this setting, every DN found in the user's membership attributes is treated as a role, whether or not the role search would have returned it. |
UserRoleMembershipAttributes
|
For iPlanet/SunONE: nsRoleDN
For ActiveDirectory: memberOf
For all others: none
|
The user's role membership attributes property names an attribute of the user entry that contains the DNs of all the roles the user is a member of. The property accepts a comma-delimited list of attribute names. The DNs found in those attributes are then cross-referenced with the roles retrieved using the role search base and role search filter to produce the list of the user's roles.
Note: If the SkipRoleLookup property is set to true, these DNs are not cross-referenced with the roles retrieved using the role search base and role search filter. See Skipping LDAP Role Lookups (SkipRoleLookup).
Note: If you use nested groups with Active Directory, you must set this property to "tokenGroups". See Using LDAP Nested Groups and Roles.
|
UserFreeformRoleMembershipAttributes
|
None |
The "freeform" role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted the roles whose names equal the attribute values. For example, if the value of this property is "department" and the user's LDAP record has the values { "sales", "consulting" } for the department attribute, the user is granted the roles named "sales" and "consulting". Because the attribute values map directly to granted roles, choose only attributes that users cannot modify themselves. |
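The role properties above (RoleSearchBase, RoleFilter, RoleMemberAttributes, RoleNameAttribute, UserRoleMembershipAttributes, SkipRoleLookup and UserFreeformRoleMembershipAttributes) describe one resolution procedure. The script below is an added example, not Unwired Platform code, that walks through that procedure against a constructed in-memory directory shaped like an Active Directory tree. The RoleFilter evaluation is reduced to objectclass matching so the example runs offline (the real provider has the LDAP server evaluate the filter), and deriving a role name from the first RDN of a membership DN when SkipRoleLookup is true is an assumption of this example, as are the sample entries and the property values chosen for them.

```python
"""Resolve a user's role list the way the RoleSearchBase, RoleFilter,
RoleMemberAttributes, RoleNameAttribute, UserRoleMembershipAttributes,
SkipRoleLookup and UserFreeformRoleMembershipAttributes entries describe.

Added example, not Unwired Platform code. DIRECTORY is a constructed, in-memory
stand-in for an Active Directory tree (DN -> attribute value lists). RoleFilter
is reduced to objectclass matching so the example runs offline. Naming a role
from the first RDN of its DN when SkipRoleLookup is true is an assumption.
"""
import re

# Constructed directory. "Everyone" sits outside the role search base on purpose.
DIRECTORY = {
    "cn=Admins,ou=Roles,dc=example,dc=com": {
        "objectclass": ["top", "group"], "cn": ["Admins"],
        "member": ["cn=alice,ou=Users,dc=example,dc=com"]},
    "cn=Developers,ou=Roles,dc=example,dc=com": {
        "objectclass": ["top", "group"], "cn": ["Developers"],
        "member": ["cn=alice,ou=Users,dc=example,dc=com",
                   "cn=bob,ou=Users,dc=example,dc=com"]},
    "cn=Everyone,ou=Distribution,dc=example,dc=com": {
        "objectclass": ["top", "group"], "cn": ["Everyone"],
        "member": ["cn=bob,ou=Users,dc=example,dc=com"]},
    "cn=alice,ou=Users,dc=example,dc=com": {
        "objectclass": ["top", "person", "user"], "sAMAccountName": ["alice"],
        "memberOf": ["cn=Admins,ou=Roles,dc=example,dc=com",
                     "cn=Developers,ou=Roles,dc=example,dc=com"]},
    "cn=bob,ou=Users,dc=example,dc=com": {
        "objectclass": ["top", "person", "user"], "sAMAccountName": ["bob"],
        "memberOf": ["cn=Developers,ou=Roles,dc=example,dc=com",
                     "cn=Everyone,ou=Distribution,dc=example,dc=com"],
        "department": ["consulting", "sales"]},
}

# Property values for an Active Directory layout (table defaults where it gives one).
AD_CONFIG = {
    "RoleSearchBase": "ou=Roles,dc=example,dc=com",
    "RoleScope": "onelevel",
    "RoleFilter": "(|(objectclass=groupofnames)(objectclass=group))",
    "RoleMemberAttributes": "member",
    "RoleNameAttribute": "cn",
    "UserRoleMembershipAttributes": "memberOf",
    "UserFreeformRoleMembershipAttributes": "",
    "SkipRoleLookup": "false",
}


def in_scope(dn, base, scope):
    """True if dn lies within base under the given search scope."""
    dn_l, base_l = dn.lower(), base.lower()
    if not dn_l.endswith("," + base_l):
        return False
    if scope == "subtree":
        return True
    # onelevel: exactly one RDN between the entry and the base.
    return "," not in dn_l[: -len(base_l) - 1]


def matches_role_filter(entry, role_filter):
    """Simplified RoleFilter: (&...) needs every objectclass, (|...) any one."""
    wanted = [c.lower() for c in re.findall(r"objectclass=([^)]+)", role_filter, re.I)]
    have = {c.lower() for c in entry.get("objectclass", [])}
    combine = all if role_filter.startswith("(&") else any
    return combine(c in have for c in wanted)


def find_roles(directory, cfg):
    """Map lower-cased role DN -> role name for entries RoleSearchBase/RoleFilter select."""
    roles = {}
    for dn, entry in directory.items():
        if in_scope(dn, cfg["RoleSearchBase"], cfg["RoleScope"]) and \
                matches_role_filter(entry, cfg["RoleFilter"]):
            roles[dn.lower()] = entry[cfg["RoleNameAttribute"]][0]
    return roles


def split_attrs(value):
    """Split a comma-delimited attribute list property into names."""
    return [a.strip() for a in value.split(",") if a.strip()]


def resolve_roles(directory, user_dn, cfg):
    """Return the sorted role names granted to user_dn."""
    user, roles, granted = directory[user_dn], find_roles(directory, cfg), set()
    # Role -> user: a role entry lists the user's DN in one of RoleMemberAttributes.
    for dn, entry in directory.items():
        if dn.lower() in roles:
            for attr in split_attrs(cfg["RoleMemberAttributes"]):
                if user_dn.lower() in (m.lower() for m in entry.get(attr, [])):
                    granted.add(roles[dn.lower()])
    # User -> role: the user entry lists role DNs (memberOf, nsRoleDN, ...).
    skip = cfg["SkipRoleLookup"].lower() == "true"
    for attr in split_attrs(cfg["UserRoleMembershipAttributes"]):
        for role_dn in user.get(attr, []):
            if role_dn.lower() in roles:
                granted.add(roles[role_dn.lower()])
            elif skip:  # no cross-reference: any listed DN becomes a role
                granted.add(role_dn.split(",")[0].split("=", 1)[1])
    # Freeform: the attribute values themselves are role names.
    for attr in split_attrs(cfg["UserFreeformRoleMembershipAttributes"]):
        granted.update(user.get(attr, []))
    return sorted(granted)
```

With the default SkipRoleLookup of false, bob receives only Developers because the Everyone group lies outside RoleSearchBase and so never enters the role list; setting SkipRoleLookup to true grants Everyone as well, and adding department to UserFreeformRoleMembershipAttributes grants consulting and sales directly from the attribute values, which is why that attribute must not be user-writable.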
Referral
|
ignore |
The behavior when a referral
is encountered. The valid values are those dictated by
LdapContext, for example, "follow", "ignore", "throw". |
DigestMD5AuthenticationFormat
|
DN (for OpenLDAP: Username)
|
The DIGEST-MD5 bind authentication identity format. |
UseUserAccountControlAttribute
|
For ActiveDirectory: true
|
When this property is set to true, the UserAccountControl attribute is used for detecting disabled user accounts, account expirations, password expirations and so on. Active Directory also uses this attribute to store the above information. |
controlFlag
|
optional |
When you configure multiple authentication providers, use controlFlag for each provider to control how the providers are used in the login sequence.
Note: For more information, see controlFlag Attribute Values.
Note: controlFlag is a generic login module option rather than an LDAP configuration property.
|
EnableLDAPConnectionTrace |
None |
Enables LDAP connection tracing. The output is
logged to a file in temp directory. The location of the file is
logged to the server log. |