LDAP Authentication

The LDAP Authentication resource template represents an LDAP server providing authentication services.

General

LDAP authentication is done in one of the following ways:

  • Bind mode — The bind mode authenticates (binds) each user's Distinguished Name (DN) and password to the LDAP server. In this case, you can use the DN Template field to so that users do not have to provide their whole DN. For example, a DN Template of uid={0},OU=Department,DC=company,DC=com allows users to type in only their uid and the RI will use the template to create the DN.
  • Search mode — In the search mode, a connection binds as the administrative user. It then searches for the given users and authenticates their found DNs and passwords with the LDAP server. In this case, you need to provide the credentials of such an administrative user by checking Log in as Administrator.
Property Required? Editable? Accepts SVars? Description
Server URLs Y Y Y A space-separated list of URLs for an LDAP server. To achieve fault tolerance, you can specify URLs. For example, ldap://server1.example.com:686 ldap://server2.example.com:1686.

Default: ldap://localhost:389.

User Attribute with User Name N Y Y The name of the LDAP attribute from which the user display name can be obtained. Always specify an Attribute Name even though this field is labeled optional.

You must use an attribute that is part of the LDAP schema. Otherwise, any attribute not defined by the schema can result in an error.

Default: None

Search Entire Subtree Starting at Base DN N N N Determines whether the authentication should search sub-branches of the LDAP directory. Always check Yes.

Default: Checked

Log in as Administrator Y N N If you check "Log in as Administrator", you must provide the DN of the administrative user to connect to the LDAP server. If checked, the following fields display:
  • User Search Base DN
  • Login Type with Username + Password option shown
  • Username
  • Password

If unchecked, the User DN Template field displays.

Default: Unchecked

User DN Template Y Y Y The template by which the User DN, used to bind to the LDAP server, is generated. Because the full DN is always supplied, the template should always contain {0} which gets replaced with the actual username.

Default: {0}

User Search Base DN Y Y Y Base distinguished name from which the search starts.

Example: ou=department, dc=company, dc=com.

User Search Expression N Y Y The expression used for searching a user. An example for this expression is (CN={0}). '{0}' is replaced by the username being searched for. You can define any complex filter like (&(cn={0})(objectClass=account)).

Default: &(objectClass=person)(uid={0})

Login Credentials Y Y N Method to identify the administrative user:
  • Username + Password - Activates the Username and Password fields.
  • Identity Provider that Supplies Credentials - Activates the Identity Provider field.
  • Keystore Provider to Supply Identity (deprecated) - Activates the Keystore Provider fields.

Default: Username + Password

Username Y Y Y Full Distinguished Name (DN) of an administrative user in the LDAP server.
Password Y Y Y Password for the user.
Identity Provider Y Y Y The name of an Identity Provider .
Keystore Provider to Supply Identity Y Y Y The name of a Keystore Provider .

Default: None

Key Alias to Access Identity Y Y Y Alias of the user's key entry in the keystore managed by the keystore provider.

Default: None

Key Alias Password Y Y Y The password protecting the key entry.

Default: None

Group Attributes

Property Required? Editable? Accepts SVars? Description
Group Indication N Y N Specifies how a user's group memberships are found. Group information is used by Administrator when a user, once authenticated, performs other activities in the system.

Options:

  • Group has users A list of users that belong to the group.
  • User has groups A list of groups to which the user belongs.
  • User DN has groupsThe DN with a list of groups to which the user belongs.
  • No Group Info Group memberships are not handled.

If the selected value is User has groups or User DN has groups, the Users Attribute with Group Names field displays.

If the selected value is Group has users, the following fields display:

  • Group Search Base DN
  • Group Search Expression
  • Group Attribute with User Names
  • Group Attribute with Group Name
  • Group Attribute with Subgroup Names
  • Group Search Scope Subtree

Default: No Group Info.

User Attribute with Group Names Y Y Y The name of the attribute in each user object that lists the groups to which the user belongs.

Default: None.

Group Search Base DN N Y Y Searches for groups beginning at this base distinguished name (DN).

Default: None.

Group Search Expression Y Y Y Search by matching this expression against potential groups.

Default: None.

Group Attribute with User Names Y Y Y The name of the attribute in the group object that contains its users. For example, for OpenLDAP: uniqueMember, for ActiveDirectory: member.

Default: None.

Group Attribute with Group Name Y Y Y The name of the attribute in the group object that contains the name of the group. For example, for OpenLDAP: cn, for ActiveDirectory:sAMAccountName.

Default: None.

Group Attribute with Subgroup Names N Y Y The name of the attribute in the group object that contains its subgroups. For example, for OpenLDAP: uniqueMember, for ActiveDirectory: member.

Default: None.

Group Search Scope Subtree N N N Search the entire subtree starting at the base DN for groups (default). Otherwise, search only the nodes one level below the base DN.

Default: Checked.

SAML Options

SAML assertions are accessed from a security context and can be propagated between components to achieve single sign-on

Property Required? Editable? Accepts SVars? Description
Validity of SAML Tokens (s) N Y Y The duration of the validity of the SAML tokens.

Default: 600 s.

Signer of SAML Tokens N Y Y The name of an Identity Provider resource that identifies the signer of the SAML tokens.

Advanced

GUI Property Required? Editable? Accepts SVars? Description
Context Factory N Y Y The factory object that provides the starting point for resolution of names within the LDAP server.

Default: com.sun.jndi.ldap.LdapCtxFactory.

Maximum Connections (disabled in non-Admin mode) N Y Y The maximum number of connections to keep active in the pool. (Enabled only when Log in as Administrator is selected in General tab)

Default: 10.

Security Authentication N Y Y Value of Simple Authentication and Security Layer (SASL) authentication protocol to use. Values are implementation-dependent. Some possible values are simple, none, md-5.

Default: Blank.

Search Timeout (ms) N Y Y The time to wait for a response from the LDAP directory server.

Default: -1, which means to wait forever.

Follow Referrals N Y N Indicate whether the client should follow referrals returned by the LDAP server.

Default: Unchecked.

User Attributes Extra N Y Y Optional list of user attributes to retrieve from the LDAP directory during authentication.

Default: None.

SSL

Property Required? Editable? Accepts SVars? Description
Enable SSL N N N Enable SSL connections. When checked, the SSL properties display.

Default: Unchecked.

SSL Client Provider N Y N The name of an SSL Client Provider resource.
Configure SSL N N N (Not applicable to some resource templates) Invokes a wizard to import certificates from an SSL-enabled server, optionally create an SSL Client Provider resource, and configure the trust store of the newly created or an existing SSL Client Provider with the imported certificates. When you complete the wizard, the SSL Client Provider field is filled in.