Default LDAP Properties

Specify the following LDAP properties using Configurator:

Default/LDAP Properties
Property in Configurator Description
Authentication > LDAP > First Name Attribute

authentication.ldap.firstName=FIRSTNAME

Attribute name in LDAP output which identifies the first name.
Authentication > LDAP > Last Name Attribute

authentication.ldap.lastName=LASTNAME

Attribute name in LDAP output which identifies the last name.
Authentication > Default/LDAP > LDAP Filter Pattern The application substitutes $ with the login ID. Only one substitution takes place. The default pattern is:

(&(uid=$)(objectClass=*)(mail=*@tibco.com))

Optionally, you can use:

(&(uid=$)(objectClass=*))

Authentication > Default/LDAP > LDAP JNDI Factory Class Names the class you should use to get a directory service class. It is mapped to java.naming.factory.initial.

The default class is com.sun.jndi.ldap.LdapCtxFactory.

Note: It is recommended that you use the default class and do not change this class.

Authentication > Default/LDAP > LDAP Search Attributes Optional. Lists the attribute names to return in a query. The default is null, which indicates all attributes.

Search attributes are used only during existence check for the user. During auto create or update, no search attributes are used and an attempt is made to pull all the information defined in LDAP.

The default is

uid,cn,sn,objectClass,mail,memberOf

You can also specify email and phone. Email and phone numbers from LDAP gets inserted or updated while creating or updating a member or user. For example, uid,cn,sn,objectClass,mail, telephonenumber,memberOf.

This property is used to initialize javax.naming.directory.SearchControls.

Authentication > Default/LDAP > LDAP Search Base DN Refers to the full distinguished name of a node under an LDAP directory. Users are searched in this specified directory.

The default is ou=People,dc=apac,dc=tibco,dc=com.

Identifies the default location in the LDAP tree. This is used as the root in all LDAP searches. In this case, the search is restricted to nodes below People.

Authentication > Default/LDAP > LDAP Search Scope Optional. Defines the scope of the search operation on an LDAP Directory. Controls the depth of the LDAP search, using these parameters:
  • ONELEVEL_SCOPE (0): Indicates the current node only.
  • OBJECTLEVEL_SCOPE (1): Indicates the current node and immediate sub-nodes.
  • SUBTREE_SCOPE (2): Indicates the current node and all sub-nodes. (Default)

    This property is used to initialize javax.naming.directory.SearchControls.

Authentication > Default/LDAP > LDAP Security Credential Optional. Identifies the administrator password of the principal for binding to LDAP Directory.
It is mapped to java.naming.security.credential.
Note: If binding is required, you must configure this property. If binding credentials are provided, they are used for binding else anonymous binding is used. If either user name or password is empty, anonymous LDAP binding is used.
Authentication > Default/LDAP > LDAP Security Principal Optional. Specify the identity of the principal for binding to LDAP Directory. It is a fully qualified Distinguished Name.

It is mapped to java.naming.security.principal.

Note: You must configure this property if binding is required.

The default is cn=Directory Manager on SunOne.

If binding to LDAP server is required, you must configure this property. If binding credentials are provided, they are used for binding else anonymous binding is used. If either user name or password is empty, anonymous LDAP binding is used.

The default is cn=Directory Manager, which refers to the Administrator user for Oracle Directory Server (formerly, SunOne Directory Server).

Authentication > Default/LDAP > LDAP Security Protocol Identifies the protocol to connect to the LDAP Server. The valid values are Plain or SSL.

It is mapped to java.naming.security.protocol. Required only if SSL is used for LDAP connection.

Authentication > Default/LDAP > LDAP Security Type The security level to use. Its value is one of the following: none, simple, or strong. It is a required property and is not null if LDAP is used for authentication.

It is mapped to java.naming.security.authentication.

The default is simple. This authentication mode requires username/password based authentication.

Authentication > Default/LDAP > LDAP Server URL Identifies the URL for connecting to the LDAP server. It is mapped to java.naming.provider.url. By default, the value is ldap://localhost:port number. For example: ldap:// 10.97.101.68:27242

LDAP is supported in the fault tolerance mode. You can specify multiple URLs separated with a space. For example, ldap:// 10.97.107.21:388 and ldap:// 10.97.107.21:389

Authentication > Default/LDAP > Modify User on Login Specifies if the user is updated automatically after each login. The valid values are true or false. By default, the value is false.
Authentication > Default/LDAP > Role Mapping File Refers to the name of the file where role mappings are stored. This file is searched in following order:
  • Enterprise specific directory in $MQ_COMMON_DIR
  • $MQ_COMMON_DIR/standard
  • Absolute path of the role mapping file name
    The valid value is a file name. By default the filename is rolemap.prop.
    Note: It is recommended that you use the default file name.
Authentication > Default/LDAP > Web service header extractor Refers to the Java class that is used to extract headers from web service. For details on the header extractor, refer to the sectionHeader Extractors. The default value is com.tibco.mdm.integration.webservice.HeaderExtractor.

The LDAP properties are read from Configurator and collected as java.util.properties. The properties that are mapped to java.naming properties, are used to create an instance of LdapHelper class.

LdapHelper ldapHelper = new LdapHelper(ldapProps);

User Search

When a new user is being created, this is how the user is searched for in the existing user list of the LDAP directory server:

String filterStr = ldapHelper.constructFilter(ldapSearchPattern, new String[]{login});
NamingEnumeration userenum = ldapHelper.search(filterStr);

Here, the input is the value specified as ldapSearchPattern is taken from the property com.tibco.cim.ldap.filter.pattern.

Search is carried under the tree specified by value in the Configurator > Authentication > Default/LDAP > LDAP Search Base DN property (com.tibco.cim.ldap.searchAnchor). All users are expected to be under this node.

If a user is found, a user with the details provided is created. The LDAP properties used to find the user and are stored in the user description when the user is created. The description is set as name=value and each property is separated by a new line.

Following table lists the map of LDAP properties to user attributes. Set these properties to corresponding ldap attributes defined.

LDAP Properties for Mapping
Property User Attribute Description Optional?
authentication.ldap.lastName Last Name Last name of the user Yes, if not provided during creation, defaults to login name
authentication.ldap.firstName First Name First name of the user Yes, if not provided during creation, defaults to login name
authentication.ldap.middleName Middle Name Middle name of the user Yes, if not provided during creation, defaults to null
authentication.ldap.role List of roles Roles assigned to user, these roles are mapped to the internal TIBCO MDM roles Mandatory for create, optional for update
authentication.ldap.dateFormat Date format User preferred date format - no validation is done Yes, if not provided, null
authentication.ldap.timeFormat Time format User preferred time format - no validation is done Yes, if not provided, null
authentication.ldap.locale Locale User preferred locale - no validation is done Yes, if not provided, null
authentication.ldap.language Language User preferred language - no validation is done Yes, if not provided, null
authentication.ldap.partitioningKey Partitioning Key User preferred Partitioning Key - no validation is done Yes, if not provided, null

Other properties which control the login process are:

Other Login Properties
Property Description
com.tibco.cim.ldap.singlesignon Is password NOT required for login.

If set to true, password is not required except for login explicitly through TIBCO MDM login UI.

com.tibco.cim.authentication.option.createuser Should the user be automatically created if not existing in TIBCO MDM.
com.tibco.cim.authentication.option.modifyuser Should the user be automatically updated if information has changed.
com.tibco.cim.authentication.rolemap.propfile Refers to the location of a role mapping file. The mappings specified in this file map roles assigned to the user in TIBCO MDM. Required if createUser = true or modifyUser = true.