Defines authentication and attribution properties for the 'admin' security configuration. The file is located in SMP_HOME\Servers\UnwiredServer\Repository\CSI\conf.
<config:authenticationProvider name="<authProviderName>" controlFlag="<myValue>" />
See the controlFlag Attribute Values reference topic for possible configuration values. The default is required.
<config:options name="<propertyName>" value="<myValue>" />
For an LDAP security provider, properties can include:
Property | Default | Description |
---|---|---|
ServerType | None | The LDAP server type. For example, msad2k, sunone5, nsds4, or openldap. |
ProviderURL | ldap://<host-name>:389 | The URL to connect to the LDAP server. For example, ldap://localhost:389. For SSL, use the SSL port (ldap://localhost:636) together with SecurityProtocol set to ssl; the port alone does not turn on SSL. |
SecurityProtocol | None | The protocol used to connect to the LDAP server. SAP recommends that you set this to SSL. An SSL connection is required for ActiveDirectory when you set the password attribute. |
InitialContextFactory | None | The factory class used to obtain initial directory context. |
Referral | ignore | The behavior when a referral is encountered. The valid values are those dictated by LdapContext, for example, ignore, follow, or throw. |
DefaultSearchBase | None | The default search base to use when performing general operations. |
AuthenticationSearchBase | None | The search base to use when performing authentication operations. If you do not set this value, the default search base is used. |
SelfRegistrationSearchBase | None | The search base to use when creating a new user as part of self-registration. If you do not set this value, the authentication search base is used for self-update operations and the default search base is used for all other operations. |
AuthenticationScope | ONELEVEL | Options include ONELEVEL or SUBTREE. |
AuthenticationFilter | For most LDAP servers: (&(uid={uid})(objectclass=person)). For Active Directory e-mail lookups: (&(userPrincipalName={uid})(objectclass=user)). For Active Directory Windows user name lookups: (&(sAMAccountName={uid})(objectclass=user)) | The user name and password authentication search filter. This must be a legal LDAP search filter, as defined in RFC 2254. The filter may contain the special string "{uid}", which is replaced with the user name of the user attempting to authenticate. |
CertificateAuthenticationFilter | For Active Directory: (&({certattr}={0})(objectclass=user)). For most other LDAP server types: (&({certattr}={0})(objectclass=person)) | The certificate authentication search filter. The filter may contain the special string "{certattr}", which is replaced with the certificate attribute or the mapped LDAP attribute (if a mapping between certificate attributes and LDAP attributes is defined). The value "{0}" is set to the encoded certificate or to an attribute value taken from the certificate. |
AuthenticationMethod | simple | The authentication method to use for all binding. Supported values are DIGEST-MD5 or simple. |
Attributes | None | Defines an attribute mapping from a CSI attribute to an LDAP attribute, including: |
BindDN | None | The DN to bind as when building the initial LDAP connection. This identity must have read permission on all user records (and on the role entries) that the login module searches; a dedicated read-only service account is sufficient, so do not bind as a directory administrator. |
BindPassword | None | The password to bind with for the initial LDAP connection. For example, <config:options name="BindPassword" encrypted="true" value="1-AAAAEgQQyyYzC2+njB4K4QGPcMB1pM6XErTqZ1InyYrW/s56J69VfW5iBdFZehDrY66+6g9u1+a5VAqBiv/v5q08B3f59YMB1EQx9k93VgVTSC0w8q0="/>. |
RoleSearchBase | None | The search base used to retrieve lists of roles. If you do not set this value, the default search base is used. |
RoleFilter | For SunONE/iPlanet: (&(objectclass=ldapsubentry)(objectclass=nsroledefinition)). For Netscape Directory Server: (|(objectclass=groupofnames)(objectclass=groupofuniquenames)). For ActiveDirectory: (|(objectclass=groupofnames)(objectclass=group)) | When combined with the role search base and role scope, returns a complete list of roles within the LDAP server. |
RoleScope | ONELEVEL | The role search scope. Options include ONELEVEL or SUBTREE. |
RoleNameAttribute | cn | The attribute for retrieved roles that is the common name of the role. |
UserFreeformRoleMembershipAttributes | None | The "freeform" role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles that have names that are the same as the attribute value. |
UserRoleMembershipAttributes | Depends on the chosen server type | Defines the attributes that contain the DNs of all of the roles the user is a member of. These comma-delimited values are then cross-referenced with the roles retrieved from the role search base and search filter to create a list of user roles. |
RoleMemberAttributes | There is a default value only for Netscape 4.x server: "member,uniquemember" | A comma-delimited list of potential attributes for roles. This list defines the DNs of people who are granted the specified roles. These values are cross-referenced with the active user to determine the user's roles. |
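The two mechanisms the table describes, placeholder substitution in AuthenticationFilter / CertificateAuthenticationFilter and the cross-referencing of UserRoleMembershipAttributes, RoleMemberAttributes and UserFreeformRoleMembershipAttributes, are easier to see in code. The following is an added illustration written for this page; it is not SAP Mobile Platform code, and it assumes the placeholders are filled by plain string replacement. The directory entries, DNs and role names are constructed sample data; the filter templates are the defaults listed above. Because the login name is dropped into a search filter, the example escapes it per RFC 4515 (the successor of RFC 2254) before substitution, which is the check a practitioner would want at that point.

```python
"""Added illustration, not SAP Mobile Platform code: how the LDAP provider's
filter placeholders and role attributes from the table combine.
Directory entries, DNs and role names below are constructed sample data;
the filter templates are the per-ServerType defaults listed on the page."""
from __future__ import annotations

# RFC 4515 escaping (RFC 2254's successor) for a value inserted into a filter.
# The template comes from trusted configuration; the login name does not,
# so it must be escaped before it replaces {uid} or {0}.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


# Default AuthenticationFilter per ServerType, as given in the table.
AUTH_FILTERS = {
    "openldap": "(&(uid={uid})(objectclass=person))",
    "sunone5": "(&(uid={uid})(objectclass=person))",
    "nsds4": "(&(uid={uid})(objectclass=person))",
    "msad2k": "(&(sAMAccountName={uid})(objectclass=user))",
}
AD_UPN_FILTER = "(&(userPrincipalName={uid})(objectclass=user))"  # AD e-mail style logins


def build_auth_filter(server_type: str, username: str, upn_login: bool = False) -> str:
    """Fill {uid} with the escaped login name of the authenticating user."""
    template = AD_UPN_FILTER if (server_type == "msad2k" and upn_login) else AUTH_FILTERS[server_type]
    return template.replace("{uid}", escape_filter_value(username))


def build_cert_filter(server_type: str, cert_attr: str, cert_value: str) -> str:
    """Fill {certattr} and {0} of the default CertificateAuthenticationFilter."""
    objcls = "user" if server_type == "msad2k" else "person"
    template = "(&({certattr}={0})(objectclass=%s))" % objcls
    return template.replace("{certattr}", cert_attr).replace("{0}", escape_filter_value(cert_value))


def _csv(cfg: dict, key: str) -> list[str]:
    """Comma-delimited option value -> attribute names, as the config file writes them."""
    return [a.strip() for a in cfg.get(key, "").split(",") if a.strip()]


def resolve_roles(user: dict, roles: list[dict], cfg: dict) -> set[str]:
    """Cross-reference a user entry with the entries returned by RoleFilter.

    Entries are dicts of attribute -> list of values plus a 'dn' key.
    DN comparison is simplified here to case-insensitive string equality.
    """
    name_attr = cfg.get("RoleNameAttribute", "cn")
    granted: set[str] = set()
    # Role DNs stored on the user (UserRoleMembershipAttributes, e.g. memberOf).
    user_role_dns = {dn.lower() for a in _csv(cfg, "UserRoleMembershipAttributes") for dn in user.get(a, [])}
    for role in roles:
        # Member DNs stored on the role (RoleMemberAttributes, e.g. member,uniquemember).
        members = {dn.lower() for a in _csv(cfg, "RoleMemberAttributes") for dn in role.get(a, [])}
        if role["dn"].lower() in user_role_dns or user["dn"].lower() in members:
            granted.update(role.get(name_attr, []))
    # Freeform membership: each value of the listed user attributes is taken as a role name.
    for a in _csv(cfg, "UserFreeformRoleMembershipAttributes"):
        granted.update(user.get(a, []))
    return granted


# Constructed sample data (not taken from any real directory).
SAMPLE_CONFIG = {
    "RoleNameAttribute": "cn",
    "UserRoleMembershipAttributes": "memberOf",
    "RoleMemberAttributes": "member,uniquemember",
    "UserFreeformRoleMembershipAttributes": "department",
}
SAMPLE_ROLES = [
    {"dn": "cn=Admins,ou=Groups,dc=example,dc=com", "cn": ["Admins"],
     "member": ["cn=alice,ou=Users,dc=example,dc=com"]},
    {"dn": "cn=Auditors,ou=Groups,dc=example,dc=com", "cn": ["Auditors"], "member": []},
    {"dn": "cn=Operators,ou=Groups,dc=example,dc=com", "cn": ["Operators"],
     "member": ["cn=bob,ou=Users,dc=example,dc=com"]},
]
SAMPLE_USER = {
    "dn": "CN=alice,OU=Users,DC=example,DC=com",
    "memberOf": ["cn=Auditors,ou=Groups,dc=example,dc=com"],
    "department": ["Finance"],
}

if __name__ == "__main__":
    print(build_auth_filter("msad2k", "*)(objectclass=*"))
    print(sorted(resolve_roles(SAMPLE_USER, SAMPLE_ROLES, SAMPLE_CONFIG)))
```

Alice ends up with three roles for three different reasons: Admins because her DN appears in the role's member attribute (RoleMemberAttributes), Auditors because the role's DN appears in her memberOf attribute (UserRoleMembershipAttributes), and Finance because the freeform attribute department carries that value. The escaped AD example shows why the substitution step matters: a login name of `*)(objectclass=*` becomes a literal value rather than a filter that matches every user object.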
<config:provider name="<secProviderName>" type="<secType>" />
Security types include: authorizer, attributer, or roleMapper.