Configuring LDAP Authentication Service Provider (LDAP ASP)

Description

The LDAP authentication service provider is used to authenticate the user name and password against the LDAP server. The user name is specified as the usernameToken in the incoming request from the client.

Use Case

Verifying usernameToken in the incoming request.

Example Properties

See the following properties:

Properties

Table Properties for LDAP Authentication Service Provider describes the properties for LDAP Authentication Service Provider.

Properties for LDAP Authentication Service Provider
Property Description
com.tibco.asg.intent.usernameToken
  Boolean intent property that indicates whether LDAP authentication is enforced on the request message. Possible values are true or false.

If this property is set to true, the request message must contain a valid username token.

com.tibco.trinity.runtime.core.provider.authn.ldap.initialCtxFactory
  Specifies the name of the JNDI Factory to use.

The default value is com.sun.jndi.ldap.LdapCtxFactory (Sun's LdapCtxFactory).

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.serverURL
 
  • Specifies the URL used to connect to the LDAP directory server. TIBCO API Exchange Gateway accepts a comma-separated list of URLs so that LDAP servers can be configured in a high availability and fault tolerant setup.
  • The LDAP URL is defined as:

    ldap://hostname1:port, ldap://hostname2:port

  • The LDAP SSL URL is defined as:

    ldaps://hostname1:port, ldaps://hostname2:port

  • Required.
com.tibco.trinity.runtime.core.provider.authn.ldap.searchTimeOut
  The time (in milliseconds) to wait for a response from the LDAP directory server. A value of 0 causes it to wait indefinitely. If a negative number is specified, it uses the provider's default setting.

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.userAttributeUsersName
  The name of the attribute in the user object that represents the user's name. The value depends on which LDAP server is used. If you are using ActiveDirectory LDAP Server, set this value as CN. If SunOne or OpenLDAP LDAP Server is used, set this value as uid.

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.userAttributesExtra
  Specifies the optional list of user attributes to retrieve from the LDAP directory during authentication. Separation characters for the list of user attributes are comma, any ASCII whitespace or semicolon.

For example, mail givenname

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.userSearchBaseDN
  Specifies the base distinguished name (DN) where the searches for the users begin. You must supply the base DN that narrows the search to the smallest set of objects that includes all valid users. This is relevant only when used with the administrator's credentials in search mode.

For example, ou=people,ou=na,dc=example,dc=org

Required in admin (search) mode.

com.tibco.trinity.runtime.core.provider.authn.ldap.userSearchExpression
  Specifies the expression to be used for searching in admin mode against potential user objects. For example, the search expression is specified as: (&(uid={0})(objectClass=person)).

In this string, the variable {0} represents the name of the user. The code substitutes the user name for this variable, and passes the resulting Boolean expression to the LDAP server. The LDAP server matches that search expression against user objects to find a match. The search result must contain exactly one match.

This property is relevant only when the credentialProvider property is set and the bind is performed as an administrator; otherwise userDNTemplate is used.

Required in admin (search) mode.

com.tibco.trinity.runtime.core.provider.authn.ldap.userDNTemplate
  Specifies a template used to format the user's DN before binding. It is used as an alternative to admin (search) mode.

For example, uid={0},ou=employee,ou=tsi,o=tibco

Required for bind mode (not in admin (search) mode).

com.tibco.trinity.runtime.core.provider.authn.ldap.userAttributeGroupsName
  If you specified "LDAP user indicates groups" (as either userHasGroups or userDNHasGroups) then you must supply the name of the attribute in each user object that lists the groups to which the user belongs. Otherwise, this parameter is not relevant. Mandatory when relevant.
com.tibco.trinity.runtime.core.provider.authn.ldap.userAttributesExtraList
  Same as userAttributesExtra property but this is specified in list form.

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.userSearchScopeSubtree
  A Boolean property which determines if the entire sub-tree is searched or not. If a true value is specified, the entire sub-tree starting at the base DN is searched. Otherwise, the nodes one level below the base DN are searched.

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.groupSearchBaseDN
  Specifies the base distinguished name (DN) where the searches for the groups begin. Supply the base DN that narrows the search to the smallest set of objects that includes all valid groups.

For example, ou=groups,ou=na,dc=example,dc=org

The default value is empty.

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.enableNestedGroupSearch
  Flag that determines whether nested groups are searched. If the value is not set to true, only the groups of which the user is a direct member are returned.

The default value is false.

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.groupSearchExpression
  Specifies the expression to be used for searching against potential groups. For example, the search expression is specified as: (&(uid={0})(objectClass=person)).

In this string, the variable {0} represents the name of the user. The code substitutes the user name for this variable, and passes the resulting Boolean expression to the LDAP server. The LDAP server matches that search expression against groups to find all groups containing the username.

The value differs between LDAP servers.

For example, it is defined as uniquemember={0} for SunOne, cn={0} for OpenLDAP, and member={0} for Active Directory.

Required.

com.tibco.trinity.runtime.core.provider.authn.ldap.groupSearchScopeSubtree
  A Boolean property which determines if the entire sub-tree is searched or not. If a true value is specified, the entire sub-tree starting at the base DN for groups is searched. Otherwise, the nodes one level below the base DN are searched.

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.groupIndication
  Specifies how the group memberships for users are found.

The default value is noGroupInfo.

Optional.

The possible values are as follows:

  • userHasGroups
  • userDNHasGroups
  • groupHasUsers
  • noGroupInfo

  • If the value is userHasGroups, you must specify the name of the attribute that points to the groups the user belongs to in the userAttributeGroupsName property.
  • If the value is userDNHasGroups, the userAttributeGroupsName property holds the name of the attribute that contains the DNs of the groups to which the user belongs. You must specify the groupAttributeGroupsName property to extract a specific part of the DN.
  • If the value is groupHasUsers, each group object includes a list of the users that belong to the group.
  • If the value is noGroupInfo, group memberships are not handled.
com.tibco.trinity.runtime.core.provider.authn.ldap.groupAttributeGroupsName
  Depends on the value of groupIndication. Required if the groupIndication property has the value groupHasUsers.
  • groupHasUsers: Specifies the group attribute holding the name of the group.

    For example, the value is defined as cn for OpenLDAP server, sAMAccountName for ActiveDirectory LDAP server.

  • userHasGroups: Specifies the name of the group. If this is not specified, the whole DN of the group is used. For example, the value is defined as cn for OpenLDAP server.
com.tibco.trinity.runtime.core.provider.authn.ldap.groupAttributeSubgroupsName
  Specifies the name of the attribute in each group object denoting subgroups.

For example, the value is defined as uniqueMember for OpenLDAP server, member for ActiveDirectory LDAP server.

Optional.

com.tibco.trinity.runtime.core.provider.authn.ldap.groupAttributeUsersName
  Specifies the attribute name if the groupIndication property has groupHasUsers value. It specifies the name of the attribute in each group object denoting its users.

For example, the value is uniqueMember for OpenLDAP, member for ActiveDirectory Server.

Required if the groupIndication property has groupHasUsers value.

followReferrals
  Determines whether the client follows referrals returned by the LDAP server.

The default value is false.

Optional.

LDAP SSL
com.tibco.trinity.runtime.core.provider.identity.trust.trustStoreServiceProvider
  Specifies the Identity Trust Provider configuration that provides SSL support for LDAP.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreLocation
  Specifies the location of the keystore for the credentials.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStorePassword
  Specifies the password of the keystore for the credentials.
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreRefreshInterval
  Specifies the refresh interval (milliseconds).
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreType
  Specifies the keystore type. Supported formats are JKS and PKCS12.
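The userSearchExpression and groupSearchExpression properties above both work by substituting the incoming user name for the {0} variable and requiring exactly one user match. The following Python is an added example (not TIBCO code and not the gateway's implementation) that models that substitution over a small constructed in-memory directory: it escapes the user name per RFC 4515 before substitution, evaluates a subset of LDAP filter syntax, and enforces the exactly-one-match rule from the table. The directory entries, DNs and the helper names are all constructed for illustration.

```python
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
_SPECIAL = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape a user-supplied value so it can only ever match literally."""
    return ''.join(_SPECIAL.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Substitute the user name for {0}: escaped, never raw."""
    return template.replace('{0}', escape_filter_value(username))


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Recursive-descent parser for the filter subset (&..), (|..), (!..), (attr=value)."""
    if s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if s[i] in '&|!':
        op, children = s[i], []
        i += 1
        while s[i] == '(':
            i, child = _parse(s, i)
            children.append(child)
        if s[i] != ')':
            raise ValueError('expected ")" at offset %d' % i)
        return i + 1, (op, children)
    end = s.index(')', i)                 # escaped ')' is \29, so this is the real close
    attr, _, value = s[i:end].partition('=')
    return end + 1, ('=', attr.strip().lower(), value)


def parse_filter(text):
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError('trailing data after filter')
    return node


def _value_matches(pattern, actual):
    # An unescaped '*' is a wildcard; an escaped \2a is a literal asterisk.
    regex = '.*'.join(re.escape(_unescape(p)) for p in pattern.split('*'))
    return re.fullmatch(regex, actual, re.IGNORECASE | re.DOTALL) is not None


def evaluate(node, entry):
    op = node[0]
    if op == '=':
        return any(_value_matches(node[2], v) for v in entry.get(node[1], []))
    if op == '&':
        return all(evaluate(c, entry) for c in node[1])
    if op == '|':
        return any(evaluate(c, entry) for c in node[1])
    return not evaluate(node[1][0], entry)   # '!'


def search(directory, base_dn, filter_text, subtree=True):
    """Return the DNs below base_dn whose attributes satisfy the filter."""
    node = parse_filter(filter_text)
    hits = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(',' + base_dn.lower()):
            continue
        relative = dn[:-len(base_dn) - 1]
        if not subtree and ',' in relative:   # one-level scope: a single RDN below the base
            continue
        if evaluate(node, attrs):
            hits.append(dn)
    return hits


def find_user_dn(directory, base_dn, template, username, subtree=True):
    """Admin (search) mode lookup: the result must contain exactly one match."""
    hits = search(directory, base_dn, build_filter(template, username), subtree)
    if len(hits) != 1:
        raise LookupError('expected exactly one user object, found %d' % len(hits))
    return hits[0]


# Constructed in-memory directory standing in for the LDAP server (attribute names lower-cased).
PEOPLE = 'ou=people,ou=na,dc=example,dc=org'
DIRECTORY = {
    'uid=alice,' + PEOPLE: {'uid': ['alice'], 'objectclass': ['person']},
    'uid=bob,' + PEOPLE: {'uid': ['bob'], 'objectclass': ['person']},
    'cn=svc,ou=service,' + PEOPLE: {'cn': ['svc'], 'objectclass': ['applicationProcess']},
}
USER_SEARCH = '(&(uid={0})(objectClass=person))'

if __name__ == '__main__':
    print(find_user_dn(DIRECTORY, PEOPLE, USER_SEARCH, 'alice'))
    # A raw '*' in the user name would widen the filter to every person, which the
    # exactly-one rule rejects; escaping turns it into a literal that matches nobody.
    print(search(DIRECTORY, PEOPLE, USER_SEARCH.replace('{0}', '*')))
    print(search(DIRECTORY, PEOPLE, build_filter(USER_SEARCH, '*')))
```

Two points the table states are visible in the code: the search scope flag (userSearchScopeSubtree) changes which entries are even considered, and a lookup that returns zero or several objects is a failed authentication rather than a partial success.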

Sample File

The properties and example configuration for LDAP authentication service providers are found in the following sample files:

  • ASG_CONFIG_HOME/default/wss/req_usernametoken_ldapbind.properties

    This file lists the properties with the example configuration for the LDAP server in bind mode.

  • ASG_CONFIG_HOME/default/wss/req_usernametoken_ldapsearch.properties

    This file lists the properties with the example configuration for the LDAP server in search mode.

  • ASG_CONFIG_HOME/default/wss/req_usernametoken_ldapbindssl.properties

    This file lists the properties with the example configuration for the LDAP server in SSL mode.
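The table above spreads the "required when relevant" rules (bind mode versus admin/search mode, and the attributes each groupIndication value needs) across many entries, so mistakes in a properties file are easy to make. The following Python is an added example, not a TIBCO tool: it parses a properties file in the key=value form the sample files use and checks those rules, plus the serverURL scheme, the SSL trust provider, and the searchTimeOut and Boolean values. The full key for the credentialProvider property and the provider name ldapTrust are assumptions (the page names credentialProvider only by its short name); the two sample property sets are constructed for this example.

```python
"""Consistency check for LDAP ASP property files (added example; not TIBCO code)."""

P = 'com.tibco.trinity.runtime.core.provider.authn.ldap.'
TRUST = 'com.tibco.trinity.runtime.core.provider.identity.trust.trustStoreServiceProvider'
KEYSTORE_TYPE = 'com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreType'
INTENT = 'com.tibco.asg.intent.usernameToken'
CRED_PROVIDER = P + 'credentialProvider'   # assumption: the page gives only the short name
GROUP_MODES = ('userHasGroups', 'userDNHasGroups', 'groupHasUsers', 'noGroupInfo')
BOOL_KEYS = ('userSearchScopeSubtree', 'groupSearchScopeSubtree',
             'enableNestedGroupSearch', 'followReferrals')


def parse_properties(text):
    """Minimal key=value parser: blank lines and #/! comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in '#!':
            key, _, value = line.partition('=')   # first '=' only; DNs contain more
            props[key.strip()] = value.strip()
    return props


def check_ldap_asp(props):
    """Return (errors, warnings) for the mode and group rules of the property table."""
    errors, warnings = [], []
    get = lambda short: props.get(P + short, '')

    def need(short, why):
        if not get(short):
            errors.append('%s is required %s' % (short, why))

    urls = [u.strip() for u in get('serverURL').split(',') if u.strip()]
    if not urls:
        errors.append('serverURL is required')
    for u in urls:
        if not u.startswith(('ldap://', 'ldaps://')):
            errors.append('serverURL entry %r is not an ldap:// or ldaps:// URL' % u)
    if any(u.startswith('ldap://') for u in urls):
        warnings.append('plain ldap:// URL: the bind password crosses the network unencrypted')
    if any(u.startswith('ldaps://') for u in urls) and not props.get(TRUST):
        errors.append('ldaps:// URL configured but trustStoreServiceProvider is not set')

    # Exactly one authentication mode: bind (userDNTemplate) or admin/search.
    bind_mode = bool(get('userDNTemplate'))
    search_mode = any((get('userSearchBaseDN'), get('userSearchExpression'), props.get(CRED_PROVIDER)))
    if bind_mode and search_mode:
        warnings.append('both userDNTemplate and search-mode properties set; search mode applies once credentialProvider is set')
    elif not (bind_mode or search_mode):
        errors.append('set userDNTemplate (bind mode) or userSearchBaseDN/userSearchExpression (search mode)')
    if search_mode:
        need('userSearchBaseDN', 'in admin (search) mode')
        need('userSearchExpression', 'in admin (search) mode')
        if get('userSearchExpression') and '{0}' not in get('userSearchExpression'):
            errors.append('userSearchExpression must contain the {0} user name placeholder')
    if bind_mode and '{0}' not in get('userDNTemplate'):
        errors.append('userDNTemplate must contain the {0} user name placeholder')

    mode = get('groupIndication') or 'noGroupInfo'
    if mode not in GROUP_MODES:
        errors.append('groupIndication has unknown value %r' % mode)
    if mode in ('userHasGroups', 'userDNHasGroups'):
        need('userAttributeGroupsName', 'when groupIndication is ' + mode)
    if mode == 'userDNHasGroups':
        need('groupAttributeGroupsName', 'when groupIndication is userDNHasGroups')
    if mode == 'groupHasUsers':
        need('groupAttributeUsersName', 'when groupIndication is groupHasUsers')
        need('groupAttributeGroupsName', 'when groupIndication is groupHasUsers')
    if mode != 'noGroupInfo':   # assumption: not needed when memberships are not handled
        need('groupSearchExpression', 'when group memberships are resolved')

    if get('searchTimeOut'):
        if not get('searchTimeOut').lstrip('-').isdigit():
            errors.append('searchTimeOut must be an integer number of milliseconds')
        elif int(get('searchTimeOut')) == 0:
            warnings.append('searchTimeOut=0 waits indefinitely; an unresponsive directory stalls authentication')
    for short in BOOL_KEYS:
        if get(short) and get(short).lower() not in ('true', 'false'):
            errors.append('%s must be true or false' % short)
    if props.get(INTENT) and props[INTENT].lower() not in ('true', 'false'):
        errors.append('usernameToken intent must be true or false')
    if props.get(KEYSTORE_TYPE) and props[KEYSTORE_TYPE].upper() not in ('JKS', 'PKCS12'):
        errors.append('keyStoreType must be JKS or PKCS12')
    return errors, warnings


# Constructed bind-mode sample over LDAPS (hostnames and ldapTrust are placeholders).
BIND_SAMPLE = """
# usernameToken enforced, bind mode, two LDAPS servers for fault tolerance
com.tibco.asg.intent.usernameToken=true
com.tibco.trinity.runtime.core.provider.authn.ldap.serverURL=ldaps://ldap1.example.org:636, ldaps://ldap2.example.org:636
com.tibco.trinity.runtime.core.provider.authn.ldap.userDNTemplate=uid={0},ou=people,ou=na,dc=example,dc=org
com.tibco.trinity.runtime.core.provider.authn.ldap.searchTimeOut=5000
com.tibco.trinity.runtime.core.provider.authn.ldap.groupIndication=noGroupInfo
com.tibco.trinity.runtime.core.provider.identity.trust.trustStoreServiceProvider=ldapTrust
com.tibco.trinity.runtime.core.provider.credential.keystore.truststore.keyStoreType=JKS
"""

# Constructed search-mode sample with several of the mistakes the table warns about.
BROKEN_SAMPLE = """
com.tibco.trinity.runtime.core.provider.authn.ldap.serverURL=ldap://ldap1.example.org:389, ldaps://ldap2.example.org:636
com.tibco.trinity.runtime.core.provider.authn.ldap.userSearchBaseDN=ou=people,ou=na,dc=example,dc=org
com.tibco.trinity.runtime.core.provider.authn.ldap.userSearchExpression=(&(uid=alice)(objectClass=person))
com.tibco.trinity.runtime.core.provider.authn.ldap.searchTimeOut=0
com.tibco.trinity.runtime.core.provider.authn.ldap.groupIndication=groupHasUsers
com.tibco.trinity.runtime.core.provider.authn.ldap.groupSearchExpression=member={0}
com.tibco.trinity.runtime.core.provider.authn.ldap.groupAttributeGroupsName=sAMAccountName
"""

if __name__ == '__main__':
    for name, text in (('bind', BIND_SAMPLE), ('broken', BROKEN_SAMPLE)):
        print(name, check_ldap_asp(parse_properties(text)))
```

Run against the three sample files in ASG_CONFIG_HOME/default/wss/ by reading each file's text into parse_properties; the bind-mode sample above passes cleanly, while the broken sample reports the missing trust provider, the hard-coded user name where {0} belongs, and the missing groupAttributeUsersName, and warns about the plaintext ldap:// URL and the indefinite search timeout.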