Parameters
In addition to all parameters available for the LDAP Authentication module, which are described in the following table, the following parameters are supported:
| Parameter | Description |
|---|---|
| tibems.ldap.group_attribute | The attribute of a static LDAP group that contains the group name.
Default is cn. |
| tibems.ldap.group_base_dn | The base path for the LDAP static group search. If null or not set, static groups are not searched. |
| tibems.ldap.group_filter | The filter used in the static group search. By default, a filter is created using the
ems_ldap.group_member_attribute parameter. If a more complex filter is needed, use this property to override the default. Any occurrence of
{0} in the search string is replaced with the group member attribute. Any occurrence of
{1} is replaced with the user DN.
{2} contains solely the user name for cases where the DN does not match group membership.
Default is {0}={1}. |
| tibems.ldap.group_member_attribute | The attribute ID of a dynamic LDAP group object that specifies the name of members of the group.
Default is uniqueMember. |
| tibems.ldap.group_scope | The scope of the static group search. Valid values include
onelevel,
subtree, and
object.
Default is to use a subtree search. |
| tibems.ldap.dynamic_group_base_dn | Base path for the LDAP dynamic group search. If null or not set, dynamic groups are not searched. |
| tibems.ldap.dynamic_group_class | The class name of a dynamic group.
Default is groupOfURLs. |
| tibems.ldap.dynamic_group_attribute | The attribute of an LDAP dynamic group that contains the group name.
Default is cn. |
| tibems.ldap.dynamic_group_filter | The filter used in the dynamic group search. By default, a filter is created using the
ems_ldap.dynamic_group_member_attribute property. If a more complex filter is needed, use this property to override the default. Any occurrence of
{0} is replaced with the group member property. Any occurrence of
{1} is replaced with the DN of the user for cases where that may be required. A
{2} in the search string is replaced with the user name.
When using tibems.ldap.dynamic_group_search_direct, a simple filter should be used which matches all dynamic groups that may contain the user. For example, (objectClass=GroupOfURLs). Default is {0}={1}. |
| tibems.ldap.dynamic_group_member_attribute | The attribute ID of a dynamic LDAP group object that specifies the name of members of the group.
Default is uniqueMember. |
| tibems.ldap.dynamic_group_member_url | The attribute of a dynamic LDAP group object that specifies the URL generating the membership list.
Default is memberURL. |
| tibems.ldap.dynamic_group_scope | The scope of the dynamic group search. Valid values include
onelevel,
subtree, and
object.
Default is to use a subtree search. |
| tibems.ldap.dynamic_group_search_direct | Changes the search algorithm used for determining membership of dynamic groups.
Normally, LDAP servers automatically populate dynamic groups based on a configured search URL. However, some LDAP servers have issues where the generated attributes representing members of the groups are not properly returned by a search. When enabled, this parameter changes the group search algorithm to parse out a DN, scope, and filter from the search URL specified by the dynamic group and use those to search for a user. Use of this parameter is only recommended when it has been determined that dynamic group searches are not working. Default is false. |
| tibems.ldap.backlink_group_base_dn | The base path for the back-linked LDAP group search.
By default, back-linked group searches are not enabled. If enabled, back-linked groups, including nested groups, are searched using back link parameters. To disable nested searches for back links, set tibems.ldap.nested_groups_enabled to false. Back link parameter defaults are set for use with Active Directory, the most commonly used LDAP server supporting back links. |
| tibems.ldap.backlink_group_attribute | The attribute that contains the groups an LDAP object (member or group) belongs to.
Default is memberOf. |
| tibems.ldap.backlink_group_rdn | A back-link RDN that specifies the name portion of the DN representing the group. If the entire contents of the back link value is to be used as the group name, do not set this value.
Default is CN. |
| tibems.ldap.backlink_group_filter | A back-link filter used by a group search to find groups the member belongs to. If nested groups are not used, then it is highly advisable to disable nested groups.
Default is (distinguishedName={1}). |
| tibems.ldap.backlink_group_scope | The scope of the back link group search. Valid values include
onelevel,
subtree, and
object.
Default is to use a subtree search. |