Default LDAP Properties

Specify the following LDAP properties using Configurator:

Default/LDAP Properties

Property in Configurator / Description

Authentication > LDAP > First Name Attribute

authentication.ldap.firstName=FIRSTNAME

Attribute name in the LDAP output that identifies the first name.

Authentication > LDAP > Last Name Attribute

authentication.ldap.lastName=LASTNAME

Attribute name in the LDAP output that identifies the last name.
Authentication > Default/LDAP > LDAP Filter Pattern

The application substitutes the login ID for $. Only one substitution takes place, so the pattern should contain exactly one $. Because the login ID is interpolated into the filter, any characters that have special meaning in an LDAP filter (RFC 4515: *, (, ), \ and NUL) must be escaped in the login ID before substitution; otherwise a crafted login ID can change the meaning of the filter. The default pattern is:

(&(uid=$)(objectClass=*)(mail=*@tibco.com))

Optionally, you can use:

(&(uid=$)(objectClass=*))

Authentication > Default/LDAP > LDAP JNDI Factory Class

Names the class used to obtain the directory service context. It is mapped to java.naming.factory.initial.

The default class is com.sun.jndi.ldap.LdapCtxFactory.

Note: It is recommended that you use the default class and do not change it.

Authentication > Default/LDAP > LDAP Search Attributes

Optional. Lists the attribute names to return in a query. If the property is left empty (null), all attributes are returned.

Search attributes are used only during the existence check for the user. During auto create or update, no search attributes are used and an attempt is made to pull all the information defined in LDAP.

The value shipped with Configurator is:

uid,cn,sn,objectClass,mail,memberOf

You can also specify email and phone attributes. Email addresses and phone numbers from LDAP are inserted or updated when a member or user is created or updated. For example: uid,cn,sn,objectClass,mail,telephonenumber,memberOf

This property is used to initialize javax.naming.directory.SearchControls (the returning attributes).

Authentication > Default/LDAP > LDAP Search Base DN

The full distinguished name of a node in the LDAP directory. It identifies the default location in the LDAP tree and is used as the root of all LDAP searches; users are searched for only below this node.

The default is ou=People,dc=apac,dc=tibco,dc=com, which restricts searches to nodes below People.

Authentication > Default/LDAP > LDAP Search Scope

Optional. Defines the scope of the search operation on the LDAP directory, that is, how deep below the Search Base DN the search descends. The values correspond to the javax.naming.directory.SearchControls constants:
  • OBJECT_SCOPE (0): The base object only.
  • ONELEVEL_SCOPE (1): The immediate children of the base object, not the base object itself.
  • SUBTREE_SCOPE (2): The base object and all of its descendants. (Default)

This property is used to initialize javax.naming.directory.SearchControls (the search scope).

Authentication > Default/LDAP > LDAP Security Credential

Optional. The password of the principal used to bind to the LDAP directory. It is mapped to java.naming.security.credentials (javax.naming.Context.SECURITY_CREDENTIALS).

Note: If binding is required, you must configure this property together with LDAP Security Principal. If both a principal and a credential are provided, they are used for binding; if either is empty, anonymous LDAP binding is used.

Authentication > Default/LDAP > LDAP Security Principal

Optional. The identity of the principal used to bind to the LDAP directory, given as a fully qualified distinguished name. It is mapped to java.naming.security.principal.

Note: If binding is required, you must configure this property together with LDAP Security Credential. If both a principal and a credential are provided, they are used for binding; if either is empty, anonymous LDAP binding is used.

The default is cn=Directory Manager, which is the administrator user of Oracle Directory Server (formerly SunOne Directory Server). Binding as the directory administrator grants the application far more than it needs for user lookups; prefer a dedicated service account with read access to the search base.

Authentication > Default/LDAP > LDAP Security Protocol

Identifies the protocol used to connect to the LDAP server. The valid values are Plain or SSL.

It is mapped to java.naming.security.protocol. Required only if SSL is used for the LDAP connection. With Plain, the bind password and all query traffic travel in cleartext, so use SSL whenever the LDAP server is not on a trusted local link.

Authentication > Default/LDAP > LDAP Security Type

The security level to use. The value is one of none, simple, or strong. It is a required property and must not be null if LDAP is used for authentication.

It is mapped to java.naming.security.authentication.

The default is simple, which performs a simple bind with a username and password. Pair simple with the SSL security protocol so that the password is not sent in cleartext.

Authentication > Default/LDAP > LDAP Server URL

Identifies the URL used to connect to the LDAP server. It is mapped to java.naming.provider.url. By default the value is ldap://localhost:<port number>. For example: ldap://10.97.101.68:27242

LDAP is supported in fault-tolerant mode: you can specify multiple URLs separated by a space, and JNDI tries them in order. For example: ldap://10.97.107.21:388 ldap://10.97.107.21:389

Authentication > Default/LDAP > Modify User on Login

Specifies whether the user is updated automatically after each login. The valid values are true or false. By default, the value is false.

Authentication > Default/LDAP > Role Mapping File

The name of the file in which role mappings are stored. The file is searched for in the following order:
  • The enterprise-specific directory under $MQ_COMMON_DIR
  • $MQ_COMMON_DIR/standard
  • The absolute path of the role mapping file name

The valid value is a file name. By default the file name is rolemap.prop.

Note: It is recommended that you use the default file name.

Authentication > Default/LDAP > Web service header extractor

The Java class used to extract headers from a web service request. For details on the header extractor, refer to the section Header Extractors. The default value is com.tibco.mdm.integration.webservice.HeaderExtractor.

The LDAP properties are read from Configurator and collected in a java.util.Properties object. The properties that map to java.naming.* keys are used to create an instance of the LdapHelper class:

LdapHelper ldapHelper = new LdapHelper(ldapProps);

User Search

When a new user is being created, the user is searched for in the LDAP directory server as follows:

String filterStr = ldapHelper.constructFilter(ldapSearchPattern, new String[]{login});
NamingEnumeration userenum = ldapHelper.search(filterStr);

Here, ldapSearchPattern is the value of the property com.tibco.cim.ldap.filter.pattern (Configurator > Authentication > Default/LDAP > LDAP Filter Pattern), and login is the login ID substituted for the $ in that pattern.

The search is carried out under the tree specified by Configurator > Authentication > Default/LDAP > LDAP Search Base DN (com.tibco.cim.ldap.searchAnchor). All users are expected to be under this node.

If the user is found, a TIBCO MDM user is created with the details returned. The LDAP properties used to find the user are stored in the user description when the user is created, as name=value pairs separated by new lines.
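The following is an added example, not TIBCO MDM's own LdapHelper, showing how the pieces above fit together with plain JNDI: mapping the Configurator values onto the java.naming.* keys (anonymous bind when either principal or credential is empty, ssl only when the protocol is SSL), building SearchControls from the scope and return-attribute list, and substituting the login ID into the filter pattern once, after escaping it per RFC 4515 so that a crafted login ID cannot rewrite the filter. The class name LdapLookup and the example.ldap.* property keys are assumptions for illustration; only com.tibco.cim.ldap.filter.pattern, com.tibco.cim.ldap.searchAnchor and the java.naming.* keys come from the page.

```java
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example; LdapLookup is a hypothetical stand-in for the product's LdapHelper. */
public class LdapLookup {

    /** Escape a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Replace the first '$' only: the page states that only one substitution takes place. */
    static String constructFilter(String pattern, String login) {
        int i = pattern.indexOf('$');
        if (i < 0) return pattern;
        return pattern.substring(0, i) + escapeFilterValue(login) + pattern.substring(i + 1);
    }

    /** Build the JNDI environment from Configurator-style properties (example.ldap.* keys are assumed). */
    static Hashtable<String, String> jndiEnvironment(Properties p) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                p.getProperty("example.ldap.factory", "com.sun.jndi.ldap.LdapCtxFactory"));
        // A space-separated list of URLs gives JNDI a failover list (fault-tolerant mode).
        env.put(Context.PROVIDER_URL, p.getProperty("example.ldap.url", "ldap://localhost:389"));
        String principal = p.getProperty("example.ldap.principal", "");
        String credential = p.getProperty("example.ldap.credential", "");
        if (!principal.isEmpty() && !credential.isEmpty()) {
            env.put(Context.SECURITY_AUTHENTICATION, p.getProperty("example.ldap.securityType", "simple"));
            env.put(Context.SECURITY_PRINCIPAL, principal);      // java.naming.security.principal
            env.put(Context.SECURITY_CREDENTIALS, credential);   // java.naming.security.credentials
        } else {
            env.put(Context.SECURITY_AUTHENTICATION, "none");    // either empty: anonymous bind
        }
        if ("SSL".equalsIgnoreCase(p.getProperty("example.ldap.securityProtocol", "Plain"))) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");           // java.naming.security.protocol
        }
        return env;
    }

    /** SearchControls from the scope name and the comma-separated return attributes (empty = all). */
    static SearchControls searchControls(String scopeName, String attrCsv) {
        SearchControls sc = new SearchControls();
        switch (scopeName) {
            case "OBJECT_SCOPE":   sc.setSearchScope(SearchControls.OBJECT_SCOPE);   break; // 0
            case "ONELEVEL_SCOPE": sc.setSearchScope(SearchControls.ONELEVEL_SCOPE); break; // 1
            default:               sc.setSearchScope(SearchControls.SUBTREE_SCOPE);         // 2
        }
        boolean all = attrCsv == null || attrCsv.trim().isEmpty();
        sc.setReturningAttributes(all ? null : attrCsv.trim().split("\\s*,\\s*"));
        return sc;
    }

    /** Existence check for a login ID below the search base, as done before auto-create. */
    static boolean userExists(DirContext ctx, Properties p, String login) throws NamingException {
        String filter = constructFilter(p.getProperty("com.tibco.cim.ldap.filter.pattern"), login);
        String baseDn = p.getProperty("com.tibco.cim.ldap.searchAnchor");
        SearchControls sc = searchControls(p.getProperty("example.ldap.scope", "SUBTREE_SCOPE"),
                                          p.getProperty("example.ldap.searchAttributes", ""));
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        try {
            return results.hasMore();
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        Properties p = new Properties();   // constructed sample configuration
        p.setProperty("com.tibco.cim.ldap.filter.pattern", "(&(uid=$)(objectClass=*))");
        p.setProperty("com.tibco.cim.ldap.searchAnchor", "ou=People,dc=example,dc=com");
        String pattern = p.getProperty("com.tibco.cim.ldap.filter.pattern");
        // A benign login ID and a crafted one; the crafted one stays a literal value.
        System.out.println(constructFilter(pattern, "alice"));
        System.out.println(constructFilter(pattern, "*)(uid=*"));
        if (args.length == 2) {            // optional: java LdapLookup <ldap-url> <login>
            p.setProperty("example.ldap.url", args[0]);
            DirContext ctx = new InitialDirContext(jndiEnvironment(p));
            try {
                System.out.println("exists: " + userExists(ctx, p, args[1]));
            } finally {
                ctx.close();
            }
        }
    }
}
```

Without arguments the program only prints the two constructed filters; the crafted login ID appears as an escaped literal inside the uid assertion instead of closing it and adding a second clause. The escaping is placed in constructFilter rather than left to callers so that every path that substitutes into the pattern gets it.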

The following table maps LDAP properties to user attributes. Set each property to the corresponding attribute name defined in LDAP.

LDAP Properties for Mapping

Property | User Attribute | Description | Optional?
authentication.ldap.lastName | Last Name | Last name of the user | Yes; if not provided during creation, defaults to the login name
authentication.ldap.firstName | First Name | First name of the user | Yes; if not provided during creation, defaults to the login name
authentication.ldap.middleName | Middle Name | Middle name of the user | Yes; if not provided during creation, defaults to null
authentication.ldap.role | List of roles | Roles assigned to the user; these roles are mapped to the internal TIBCO MDM roles | Mandatory for create, optional for update
authentication.ldap.dateFormat | Date format | User preferred date format; no validation is done | Yes; if not provided, null
authentication.ldap.timeFormat | Time format | User preferred time format; no validation is done | Yes; if not provided, null
authentication.ldap.locale | Locale | User preferred locale; no validation is done | Yes; if not provided, null
authentication.ldap.language | Language | User preferred language; no validation is done | Yes; if not provided, null
authentication.ldap.partitioningKey | Partitioning Key | User preferred partitioning key; no validation is done | Yes; if not provided, null

Other properties that control the login process are:

Other Login Properties

Property | Description
com.tibco.cim.ldap.singlesignon | Whether a password is NOT required for login. If set to true, no password is required except for an explicit login through the TIBCO MDM login UI. Enable this only when the request is authenticated upstream (for example by the web service header extractor), since it removes the password check for every other login path.
com.tibco.cim.authentication.option.createuser | Whether the user is created automatically if it does not exist in TIBCO MDM.
com.tibco.cim.authentication.option.modifyuser | Whether the user is updated automatically if its information has changed.
com.tibco.cim.authentication.rolemap.propfile | The location of the role mapping file. The mappings in this file map LDAP roles to the roles assigned to the user in TIBCO MDM. Required if createuser = true or modifyuser = true.