LDAP Authentication

The LDAP Authentication resource template represents an LDAP server providing authentication services.

LDAP authentication is done in one of the following ways:

General

Each field below states whether it is required, whether it is editable, and whether it accepts substitution variables (SVars).

Server URLs (Required: Y, Editable: Y, Accepts SVars: Y)

A space-separated list of URLs for an LDAP server. To achieve fault tolerance, you can specify multiple URLs.

For example:

ldap://server1.example.com:686

ldap://server2.example.com:1686

Default: ldap://localhost:389

User Attribute with User Name (Required: N, Editable: Y, Accepts SVars: Y)

The name of the LDAP attribute from which the user display name is obtained. Always specify an attribute name even though this field is labeled optional.

Use an attribute that is defined in the LDAP schema; an attribute that is not defined by the schema can result in an error.

Default: None

Search Entire Subtree Starting at Base DN (Required: N, Editable: N, Accepts SVars: N)

Determines whether authentication searches the sub-branches of the LDAP directory below the base DN. Always select Yes.

Default: Checked

Log in as Administrator (Required: Y, Editable: N, Accepts SVars: N)

If you select the Log in as Administrator check box, you must provide the DN of the administrative user used to connect to the LDAP server.

If selected, the following fields are displayed:

  • User Search Base DN
  • Login Type, with the Username + Password option shown
  • Username
  • Password

Default: Unchecked

User DN Template (Required: Y, Editable: Y, Accepts SVars: Y)

The template from which the user DN used to bind to the LDAP server is generated. Because the full DN is always supplied, the template must always contain {0}, which is replaced with the actual user name.

Default: {0}

User Search Base DN (Required: Y, Editable: Y, Accepts SVars: Y)

The base distinguished name (DN) from which the user search starts.

Example: ou=department, dc=company, dc=com

User Search Expression (Required: N, Editable: Y, Accepts SVars: Y)

The expression used for searching for a user.

An example of this expression is (CN={0}), where {0} is replaced by the user name being searched for. You can define any complex filter, such as (&(cn={0})(objectClass=account)).

Default: &(objectClass=person)(uid={0})
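Both the User DN Template and the User Search Expression splice the submitted user name into a string that the LDAP server then parses, so the user name has to be escaped for the context it lands in (DN escaping per RFC 4514, filter escaping per RFC 4515) before {0} is replaced. The following Python is an added example written for this page, not code from the product described; the function names and the decision to wrap a filter that lacks outer parentheses (as the page's default does) are assumptions of the example.

```python
# Escaping rules from RFC 4515 (search filters) and RFC 4514 (distinguished names).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_DN_SPECIAL = set('",+;<>\\=')


def escape_filter_value(value: str) -> str:
    """Hex-escape the characters that carry meaning inside an LDAP filter value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Backslash-escape an attribute value for use inside a DN (RFC 4514 rules):
    special characters anywhere, '#' or space at the start, space at the end."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _DN_SPECIAL
            or (ch == "#" and i == 0)
            or (ch == " " and i in (0, last))
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def render_user_dn(template: str, username: str) -> str:
    """Fill the User DN Template: {0} is replaced by the DN-escaped user name.
    The page requires the template to contain {0}; this enforces it."""
    if "{0}" not in template:
        raise ValueError("User DN Template must contain {0}")
    return template.replace("{0}", escape_dn_value(username))


def render_search_filter(expression: str, username: str) -> str:
    """Fill the User Search Expression: {0} is replaced by the filter-escaped user name.
    Assumption of this example: a filter without outer parentheses (like the page's
    default) is wrapped so the result is a well-formed RFC 4515 filter."""
    filt = expression.replace("{0}", escape_filter_value(username))
    return filt if filt.startswith("(") else f"({filt})"


if __name__ == "__main__":
    # Constructed inputs: a plain name and a name containing DN/filter metacharacters.
    for name in ("jdoe", "Doe, John", "j*"):
        print(render_user_dn("cn={0},ou=people,dc=example,dc=com", name))
        print(render_search_filter("&(objectClass=person)(uid={0})", name))
```

Because the escaping is tied to the destination syntax, the same user name is escaped differently for the bind DN and for the search filter; a single generic "sanitize" step would not be correct for both.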

Login Credentials (Required: Y, Editable: Y, Accepts SVars: N)

The method used to identify the administrative user:

  • Username + Password - Activates the Username and Password fields.
  • Identity Provider that Supplies Credentials - Activates the Identity Provider field.

Default: Username + Password

Username (Required: Y, Editable: Y, Accepts SVars: N)

Full distinguished name (DN) of an administrative user in the LDAP server.

Password (Required: Y, Editable: Y, Accepts SVars: N)

Password for the administrative user.

Note: If you update the existing encrypted password, the existing password is removed and you can enter a new one.

Identity Provider (Required: Y, Editable: Y, Accepts SVars: Y)

The name of an Identity Provider resource.

Keystore Provider to Supply Identity (Required: Y, Editable: Y, Accepts SVars: Y)

Name of a Keystore Provider resource that maintains a keystore used to assert an identity.

Max Pool Size (Required: N, Editable: Y, Accepts SVars: Y)

The maximum number of connections per connection identity that can be maintained concurrently.

Default: 20

Group Attributes

Group Indication (Required: N, Editable: Y, Accepts SVars: N)

Specifies how a user's group memberships are found. Group information is used by Administrator when a user, once authenticated, performs other activities in the system.

Options:

  • Group has users: Each group object lists the users that belong to the group.
  • User has groups: Each user object lists the groups to which the user belongs.
  • User DN has groups: Each user object lists, by DN, the groups to which the user belongs.
  • No Group Info: Group memberships are not handled.

If the selected value is User has groups or User DN has groups, the User Attribute with Group Names field is displayed.

If the selected value is Group has users, the following fields are displayed:

  • Group Search Base DN
  • Group Search Expression
  • Group Attribute with User Names
  • Group Attribute with Group Name
  • Group Attribute with Subgroup Names
  • Group Search Scope Subtree

Default: No Group Info

User Attribute with Group Names (Required: Y, Editable: Y, Accepts SVars: Y)

The name of the attribute in each user object that lists the groups to which the user belongs.

Default: None

Group Search Base DN (Required: N, Editable: Y, Accepts SVars: Y)

The base distinguished name (DN) at which the search for groups begins.

Default: None

Group Search Expression (Required: Y, Editable: Y, Accepts SVars: Y)

The filter expression matched against potential group objects.

Default: None

Group Attribute with User Names (Required: Y, Editable: Y, Accepts SVars: Y)

The name of the attribute in the group object that contains its users.

For example:

For OpenLDAP: uniqueMember

For ActiveDirectory: member

Default: None

Group Attribute with Group Name (Required: Y, Editable: Y, Accepts SVars: Y)

The name of the attribute in the group object that contains the name of the group.

For example:

For OpenLDAP: cn

For ActiveDirectory: AccountName

Default: None

Group Attribute with Subgroup Names (Required: N, Editable: Y, Accepts SVars: Y)

The name of the attribute in the group object that contains its subgroups.

For example:

For OpenLDAP: uniqueMember

For ActiveDirectory: member

Default: None

Group Search Scope Subtree (Required: N, Editable: N, Accepts SVars: N)

When checked (the default), the entire subtree starting at the base DN is searched for groups. Otherwise, only the nodes one level below the base DN are searched.

Default: Checked
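The Group Indication options, the subgroup attribute and the search-scope check box together determine which groups a user ends up with, and when groups can contain groups the walk has to terminate even if the directory contains a membership cycle. The following Python is an added example written for this page, not the product's own code: it resolves group names for a user from a small constructed in-memory directory using field names that mirror the table above. The directory contents, the GroupConfig class and the restriction of Group Search Expression to a single (attr=value) filter are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory (not real data): DN -> multi-valued attributes.
BASE = "dc=example,dc=com"
ALICE = f"uid=alice,ou=people,{BASE}"
BOB = f"uid=bob,ou=people,{BASE}"
ENGINEERING = f"cn=engineering,ou=groups,{BASE}"
DEVELOPERS = f"cn=developers,ou=groups,{BASE}"
STAFF = f"cn=staff,ou=groups,{BASE}"
CONTRACTORS = f"cn=contractors,ou=external,ou=groups,{BASE}"

DIRECTORY: Dict[str, Entry] = {
    ALICE: {"objectClass": ["person"], "memberOf": [ENGINEERING]},
    BOB: {"objectClass": ["person"], "memberOf": [STAFF, CONTRACTORS]},
    # engineering is itself a member (subgroup) of developers; developers and staff
    # reference each other, which a naive recursive walk would loop on forever.
    ENGINEERING: {"objectClass": ["groupOfUniqueNames"], "cn": ["engineering"], "uniqueMember": [ALICE]},
    DEVELOPERS: {"objectClass": ["groupOfUniqueNames"], "cn": ["developers"], "uniqueMember": [ENGINEERING, STAFF]},
    STAFF: {"objectClass": ["groupOfUniqueNames"], "cn": ["staff"], "uniqueMember": [DEVELOPERS, BOB]},
    CONTRACTORS: {"objectClass": ["groupOfUniqueNames"], "cn": ["contractors"], "uniqueMember": [BOB]},
}


@dataclass
class GroupConfig:
    """Mirrors the Group Attributes fields on the page (hypothetical class)."""
    group_indication: str = "No Group Info"
    user_attr_with_group_names: str = "memberOf"
    group_search_base_dn: str = f"ou=groups,{BASE}"
    group_search_expression: str = "(objectClass=groupOfUniqueNames)"
    group_attr_with_user_names: str = "uniqueMember"
    group_attr_with_group_name: str = "cn"
    group_attr_with_subgroup_names: str = "uniqueMember"
    group_search_scope_subtree: bool = True


# Only a single equality filter is supported in this example.
_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()*]+)\)$")


def _in_scope(dn: str, base: str, subtree: bool) -> bool:
    """Group Search Scope Subtree: whole subtree, or only one level below the base."""
    suffix = "," + base
    if not dn.endswith(suffix):
        return False
    # Constructed DNs contain no escaped commas, so a comma count gives the RDN depth.
    rdns_below_base = dn[: -len(suffix)].count(",") + 1
    return subtree or rdns_below_base == 1


def search_groups(cfg: GroupConfig) -> Dict[str, Entry]:
    """Candidate groups: in scope of Group Search Base DN and matching the expression."""
    m = _SIMPLE_FILTER.match(cfg.group_search_expression)
    if not m:
        raise ValueError("only a single (attr=value) filter is supported in this example")
    attr, value = m.group(1), m.group(2)
    return {dn: e for dn, e in DIRECTORY.items()
            if _in_scope(dn, cfg.group_search_base_dn, cfg.group_search_scope_subtree)
            and value in e.get(attr, [])}


def resolve_groups(user_dn: str, cfg: GroupConfig) -> List[str]:
    """Return the sorted group names for user_dn according to Group Indication."""
    if cfg.group_indication == "No Group Info":
        return []
    user = DIRECTORY[user_dn]
    if cfg.group_indication == "User has groups":
        # The user attribute already holds group names; use them as they are.
        return sorted(user.get(cfg.user_attr_with_group_names, []))
    if cfg.group_indication == "User DN has groups":
        # The user attribute holds group DNs; map each DN to the group's name attribute.
        names = []
        for gdn in user.get(cfg.user_attr_with_group_names, []):
            entry = DIRECTORY.get(gdn)
            names.append(entry[cfg.group_attr_with_group_name][0] if entry else gdn)
        return sorted(names)
    if cfg.group_indication != "Group has users":
        raise ValueError(f"unknown Group Indication: {cfg.group_indication}")
    groups = search_groups(cfg)
    found: Set[str] = set()
    # Direct memberships, then walk upward through groups that list a found group
    # in their subgroup attribute; the 'found' set stops membership cycles.
    queue = [dn for dn, e in groups.items() if user_dn in e.get(cfg.group_attr_with_user_names, [])]
    while queue:
        gdn = queue.pop()
        if gdn in found:
            continue
        found.add(gdn)
        queue.extend(pdn for pdn, e in groups.items()
                     if gdn in e.get(cfg.group_attr_with_subgroup_names, []))
    return sorted(groups[g][cfg.group_attr_with_group_name][0] for g in found)
```

Running resolve_groups(ALICE, GroupConfig(group_indication="Group has users")) walks engineering, then developers, then staff, and stops when developers is reached a second time through the staff/developers cycle. Clearing Group Search Scope Subtree drops the contractors group, which sits two levels below the base DN, from Bob's result.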

SAML Options

SAML assertions are accessed from a security context and can be propagated between components to achieve single sign-on.

Validity of SAML Tokens (s) (Required: N, Editable: Y, Accepts SVars: Y)

How long, in seconds, the SAML tokens remain valid.

Default: 600 s

Signer of SAML Tokens (Required: N, Editable: Y, Accepts SVars: Y)

The name of an Identity Provider resource that identifies the signer of the SAML tokens.
Advanced

Context Factory (Required: N, Editable: Y, Accepts SVars: Y)

The factory object that provides the starting point for resolving names within the LDAP server.

Default: com.sun.jndi.ldap.LdapCtxFactory

Maximum Connections (disabled in non-Admin mode) (Required: N, Editable: Y, Accepts SVars: Y)

The maximum number of connections to keep active in the pool. Enabled only when Log in as Administrator is selected on the General tab.

Default: 10

Security Authentication (Required: N, Editable: Y, Accepts SVars: Y)

The Simple Authentication and Security Layer (SASL) authentication mechanism to use. Values are implementation-dependent; some possible values are simple, none, and md-5.

Default: Blank

Search Timeout (ms) (Required: N, Editable: Y, Accepts SVars: Y)

The time, in milliseconds, to wait for a response from the LDAP directory server.

Default: -1, which means wait forever.

Follow Referrals (Required: N, Editable: Y, Accepts SVars: N)

Indicates whether the client follows referrals returned by the LDAP server.

Default: Unchecked

User Attributes Extra (Required: N, Editable: Y, Accepts SVars: Y)

Optional list of additional user attributes to retrieve from the LDAP directory during authentication.

Default: None

SSL

Enable SSL (Required: Y, Editable: Y, Accepts SVars: N)

Enables SSL connections. When selected, the SSL properties are displayed.

Default: Unchecked

SSL Client Provider (Required: Y, Editable: Y, Accepts SVars: Y)

The name of an SSL Client Provider resource.

Default: None