LDAP Authentication
The LDAP Authentication resource template represents an LDAP server providing authentication services.
General
LDAP authentication is done in one of the following ways:
- Bind mode — The bind mode authenticates (binds) each user's Distinguished Name (DN) and password to the LDAP server. In this case, you can use the DN Template field to so that users do not have to provide their whole DN. For example, a DN Template of uid={0},OU=Department,DC=company,DC=com allows users to type in only their uid and the RI will use the template to create the DN.
- Search mode — In the search mode, a connection binds as the administrative user. It then searches for the given users and authenticates their found DNs and passwords with the LDAP server. In this case, you need to provide the credentials of such an administrative user by checking Log in as Administrator.
Property | Required? | Editable? | Accepts SVars? | Description |
---|---|---|---|---|
Server URLs | Y | Y | Y | A space-separated list of URLs for an LDAP server. To achieve fault tolerance, you can specify URLs. For example, ldap://server1.example.com:686 ldap://server2.example.com:1686.
Default: ldap://localhost:389. |
User Attribute with User Name | N | Y | Y | The name of the LDAP attribute from which the user display name can be obtained. Always specify an Attribute Name even though this field is labeled optional.
You must use an attribute that is part of the LDAP schema. Otherwise, any attribute not defined by the schema can result in an error. Default: None |
Search Entire Subtree Starting at Base DN | N | N | N | Determines whether the authentication should search sub-branches of the LDAP directory. Always check Yes.
Default: Checked |
Log in as Administrator | Y | N | N | If you check "Log in as Administrator", you must provide the DN of the administrative user to connect to the LDAP server. If checked, the following fields display:
If unchecked, the User DN Template field displays. Default: Unchecked |
User DN Template | Y | Y | Y | The template by which the User DN, used to bind to the LDAP server, is generated. Because the full DN is always supplied, the template should always contain {0} which gets replaced with the actual username.
Default: {0} |
User Search Base DN | Y | Y | Y | Base distinguished name from which the search starts.
Example: ou=department, dc=company, dc=com. |
User Search Expression | N | Y | Y | The expression used for searching a user. An example for this expression is (CN={0}). '{0}' is replaced by the username being searched for. You can define any complex filter like (&(cn={0})(objectClass=account)).
Default: &(objectClass=person)(uid={0}) |
Login Credentials | Y | Y | N | Method to identify the administrative user:
Default: Username + Password |
Username | Y | Y | Y | Full Distinguished Name (DN) of an administrative user in the LDAP server. |
Password | Y | Y | Y | Password for the user. |
Identity Provider | Y | Y | Y | The name of an Identity Provider . |
Keystore Provider to Supply Identity | Y | Y | Y | The name of a
Keystore Provider
.
Default: None |
Key Alias to Access Identity | Y | Y | Y | Alias of the user's key entry in the keystore managed by the keystore provider.
Default: None |
Key Alias Password | Y | Y | Y | The password protecting the key entry.
Default: None |
Max Pool Size |
N | Y | Y |
The maximum number of connections per connection identity that can be maintained concurrently. Default: 20 |
Group Attributes
SAML Options
SAML assertions are accessed from a security context and can be propagated between components to achieve single sign-on
Property | Required? | Editable? | Accepts SVars? | Description |
---|---|---|---|---|
Validity of SAML Tokens (s) | N | Y | Y | The duration of the validity of the SAML tokens.
Default: 600 s. |
Signer of SAML Tokens | N | Y | Y | The name of an Identity Provider resource that identifies the signer of the SAML tokens. |
Advanced
GUI Property | Required? | Editable? | Accepts SVars? | Description |
---|---|---|---|---|
Context Factory | N | Y | Y | The factory object that provides the starting point for resolution of names within the LDAP server.
Default: com.sun.jndi.ldap.LdapCtxFactory. |
Maximum Connections (disabled in non-Admin mode) | N | Y | Y | The maximum number of connections to keep active in the pool. (Enabled only when
Log in as Administrator is selected in
General tab)
Default: 10. |
Security Authentication | N | Y | Y | Value of Simple Authentication and Security Layer (SASL) authentication protocol to use. Values are implementation-dependent. Some possible values are simple, none, md-5.
Default: Blank. |
Search Timeout (ms) | N | Y | Y | The time to wait for a response from the LDAP directory server.
Default: -1, which means to wait forever. |
Follow Referrals | N | Y | N | Indicate whether the client should follow referrals returned by the LDAP server.
Default: Unchecked. |
User Attributes Extra | N | Y | Y | Optional list of user attributes to retrieve from the LDAP directory during authentication.
Default: None. |
SSL
Property | Required? | Editable? | Accepts SVars? | Description |
---|---|---|---|---|
Enable SSL
|
Y | Y | N | Enable SSL connections. When checked, the SSL properties display.
Default: Unchecked. |
SSL Client Provider
|
Y | Y | Y | The name of an SSL Client Provider resource. |
Configure SSL | N | N | N | (Not applicable to some resource templates) Invokes a wizard to import certificates from an SSL-enabled server, optionally create an SSL Client Provider resource, and configure the trust store of the newly created or an existing SSL Client Provider with the imported certificates. When you complete the wizard, the SSL Client Provider field is filled in. |