LDAP User Registry (ldapRegistry)

Configuration properties for the LDAP user registry.

NameTypeDefaultDescription

activedFiltersRef

A reference to top level activedLdapFilterProperties element (string).

Specifies the list of Microsoft Active Directory LDAP filters.

allowWriteToSecondaryServers

boolean

false

Allow create, update, and delete operations on failover servers.

baseDN

string
Required

Base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches in the directory service.

bindAuthMechanism

  • GSSAPI

  • none

  • simple

simple

The authentication mechanism for binding to the LDAP server when searching or modifying an LDAP entry.
GSSAPI
GSS-API Kerberos v5 (krb5) support to bind to the directory service. The krb5Principal attribute is required
none
Anonymous bind to the directory service. No additional login attributes are required.
simple
Use the bindDN and bindPassword to bind to the directory service. The bindDN and bindPassword attributes are required.

bindDN

string

Distinguished name (DN) for the application server, which is used to bind to the directory service.

bindPassword

Reversably encoded password (string)

Password for the bind DN. The value can be stored in clear text or encoded form. It is recommended that you encode the password. To do so, use the securityUtility tool with the encode option.

certificateFilter

string

Specifies the filter certificate mapping property for the LDAP filter when the X.509 certificate authentication mapping mode is CERTIFICATE_FILTER. The filter is used to map attributes in the client certificate to entries in the LDAP registry. For example, the filter can be specified as: uid=${SubjectCN}.

certificateMapMode

  • CERTIFICATE_FILTER

  • CUSTOM

  • EXACT_DN

  • NOT_SUPPORTED

EXACT_DN

Specifies the X.509 certificate authentication mapping mode for the LDAP registry: CUSTOM, EXACT_DN, CERTIFICATE_FILTER, or NOT_SUPPORTED.
CERTIFICATE_FILTER
The LDAP registry attempts X.509 certificate authentication by using the certificate filter mapping property for the LDAP filter. If a single matching entity is found, the authentication is successful. If a matching entity is not found or more than a single matching entity is found, authentication fails and the program returns an error.
CUSTOM
The LDAP registry attempts X.509 certificate authentication by using the custom CertificateMapper implementation specified by the certificateMapperId attribute. If a single matching entity is found, the authentication is successful. If a matching entity is not found or more than a single matching entity is found, authentication fails and the program returns an error.
EXACT_DN
The LDAP registry attempts X.509 certificate authentication by mapping the PrincipalName value in the X.509 certificate to the exact distinguished name (DN) in the repository. If a single matching entity is found, the authentication is successful. If a matching entity is not found or more than a single matching entity is found, authentication fails and the program returns an error.
NOT_SUPPORTED
The LDAP registry does not support X.509 certificate authentication. Attempts to authenticate with an X.509 certificate fail, and a CertificateMapNotSupportedException is thrown.

certificateMapperId

string

Specifies the X509CertificateMapper to use when the X.509 certificate authentication mapping mode is CUSTOM. The value must match the value of the 'x509.certificate.mapper.id' property that is specified for the X509CertificateMapper implementation.

connectTimeout

A period of time with millisecond precision

1m

Maximum time for establishing a connection to the LDAP server. A value of 0 indicates that the TCP protocol's timeout value should be used. The program logs an error message if the specified time expires. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

customFiltersRef

A reference to top level customLdapFilterProperties element (string).

Specifies the list of Custom LDAP filters.

derefAliases

  • always

  • never

always

When an alias entry is encountered, specifies whether the alias is dereferenced so that the object that is returned is the object that is pointed to by the alias DN.
always
Always dereference aliases.
never
Never dereference aliases.

domino50FiltersRef

A reference to top level domino50LdapFilterProperties element (string).

Specifies the list of IBM Lotus Domino LDAP filters.

edirectoryFiltersRef

A reference to top level edirectoryLdapFilterProperties element (string).

Specifies the list of Novell eDirectory LDAP filters.

host

string
Required

Address of the LDAP server in the form of an IP address or a domain name service (DNS) name.

id

string

A unique configuration ID.

idsFiltersRef

A reference to top level idsLdapFilterProperties element (string).

Specifies the list of IBM Tivoli Directory Server LDAP filters.

ignoreCase

boolean

true

Perform a case-insensitive authentication check.

iplanetFiltersRef

A reference to top level iplanetLdapFilterProperties element (string).

Specifies the list of Sun Java System Directory Server LDAP filters.

krb5Principal

string

The name of the Kerberos principal name or Kerberos service name to be used.

krb5TicketCache

Path to a file

The file location where Kerberos credentials for the Kerberos principal name or service name will be stored. Also known as the Kerberos credential cache (ccache)

ldapType

  • Custom

  • IBM Lotus Domino

  • IBM SecureWay Directory Server

  • IBM Tivoli Directory Server

  • Microsoft Active Directory

  • Netscape Directory Server

  • Novell eDirectory

  • Sun Java System Directory Server

Type of LDAP server to which a connection is established.
Custom
Configure the LDAP registry to use a custom LDAP server.
IBM Lotus Domino
Configure the LDAP registry to use IBM Lotus Domino.
IBM SecureWay Directory Server
Configure the LDAP registry to use IBM SecureWay Directory Server.
IBM Tivoli Directory Server
Configure the LDAP registry to use IBM Tivoli Directory Server.
Microsoft Active Directory
Configure the LDAP registry to use Microsoft Active Directory.
Netscape Directory Server
Configure the LDAP registry to use Netscape Directory Server.
Novell eDirectory
Configure the LDAP registry to use Novell eDirectory.
Sun Java System Directory Server
Configure the LDAP registry to use Sun Java System Directory Server.

netscapeFiltersRef

A reference to top level netscapeLdapFilterProperties element (string).

Specifies the list of Netscape Directory Server LDAP filters.

port

int
Required

Port number of the LDAP server.

primaryServerQueryTimeInterval

int

15

The interval, in minutes, at which the virtual member manager tests the primary server for availability.

readTimeout

A period of time with millisecond precision

1m

Maximum time to wait for read operations for LDAP operations. A value of 0 indicates that no timeout exists and the read waits indefinitely. The program logs an error message if the specified time expires. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

realm

string

LdapRegistry

The realm name that represents the user registry.

recursiveSearch

boolean

false

Performs a nested group search. Select this option only if the LDAP server does not support recursive server-side searches.

referral

  • follow

  • ignore

ignore

Specify the behavior for LDAP referrals. The default behavior is to ignore referrals.
follow
Follow LDAP referrals.
ignore
Ignore LDAP referrals.

returnToPrimaryServer

boolean

true

A boolean value that indicates if the search should be done against the Primary Server.

reuseConnection

boolean

true

Requests the application server to reuse the LDAP server connection.

searchTimeout

A period of time with millisecond precision

1m

Maximum time for an LDAP server to respond before a request is canceled. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

securewayFiltersRef

A reference to top level securewayLdapFilterProperties element (string).

Specifies the list of IBM SecureWay Directory Server LDAP filters.

sslEnabled

boolean

false

Indicates whether an SSL connection should be made to the LDAP server.

sslRef

A reference to top level ssl element (string).

ID of the SSL configuration to be used to connect to the SSL-enabled LDAP server.

timestampFormat

string

A string value that provides a SimpleDateFormat pattern that is used to parse timestamp attribute values. For example, you can use 'yyyyMMddHHmmss.SSSZ' to parse '20181120214852.869-0000Z'. If this attribute is not defined, a default will be provided based on ldapType.

activedFilters

Specifies the list of Microsoft Active Directory LDAP filters.

NameTypeDefaultDescription

groupFilter

string

(&(cn=%v)(objectcategory=group))

An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for.

groupIdMap

string

*:cn

An LDAP filter that maps the name of a group to an LDAP entry.

groupMemberIdMap

string

memberOf:member

An LDAP filter that identifies user to group memberships.

userFilter

string

(&(sAMAccountName=%v)(objectcategory=user))

An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for.

userIdMap

string

user:sAMAccountName

An LDAP filter that maps the name of a user to an LDAP entry.

attributeConfiguration

The configuration that maps the LDAP attributes with the user registry schema (for example; Person, PersonAccount or Group) field names.

attributeConfiguration > attribute

Define the user registry schema field names to be mapped to the LDAP attribute.

NameTypeDefaultDescription

defaultValue

string

The default value of the attribute.

entityType

string

The entity type of the attribute.

id

string

A unique configuration ID.

name

string
Required

The name of the LDAP attribute.

propertyName

string

The user registry schema field name that needs to be mapped with the LDAP attribute.

syntax

string

The attribute syntax.

attributeConfiguration > externalIdAttribute

Define the name of the LDAP attribute and its properties that needs to be mapped to the user registry externalId attribute.

NameTypeDefaultDescription

autoGenerate

boolean

false

When enabled, the externalId attribute value is generated automatically by the user registry instead of using the value that is stored in LDAP. By default it is disabled.

entityType

string

The entity type of the attribute.

id

string

A unique configuration ID.

name

string
Required

The name of the LDAP attribute to be used for the user registry externalId attribute.

syntax

string

The attribute syntax.

contextPool

Properties of the context pool.

NameTypeDefaultDescription

enabled

boolean

true

A boolean value that determines if the context pool is enabled. Disabling it can cause performance degradation.

initialSize

int

1

An integer value that determines the initial size of the context pool. Set this based on the load on the repository.

maxSize

int

0

An integer value that defines the maximum context pool size. Set this based on the maximum load on the repository.

preferredSize

int

3

The preferred size of the context pool. Set this based on the load on the repository.

timeout

A period of time with millisecond precision

0s

The duration after which the context pool times out. An integer that represents the time that an idle context instance can remain in the pool without being closed and removed from the pool. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s) or milliseconds (ms). For example, specify 1 second as 1s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 1.5 minutes. The minimum timeout allowed is 1 second. Millisecond entries are rounded to the nearest second. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

waitTime

A period of time with millisecond precision

3s

The duration after which the context pool times out. The time interval that the request waits until the context pool checks again if an idle context instance is available in the pool when the number of context instances reaches the maximum pool size. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

customFilters

Specifies the list of Custom LDAP filters.

NameTypeDefaultDescription

groupFilter

string

(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))

An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for.

groupIdMap

string

*:cn

An LDAP filter that maps the name of a group to an LDAP entry.

groupMemberIdMap

string

ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember

An LDAP filter that identifies user to group memberships.

userFilter

string

(&(uid=%v)(objectclass=ePerson))

An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for.

userIdMap

string

*:uid

An LDAP filter that maps the name of a user to an LDAP entry.

domino50Filters

Specifies the list of IBM Lotus Domino LDAP filters.

NameTypeDefaultDescription

groupFilter

string

(&(cn=%v)(objectclass=dominoGroup))

An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for.

groupIdMap

string

*:cn

An LDAP filter that maps the name of a group to an LDAP entry.

groupMemberIdMap

string

dominoGroup:member

An LDAP filter that identifies user to group memberships.

userFilter

string

(&(uid=%v)(objectclass=Person))

An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for.

userIdMap

string

person:uid

An LDAP filter that maps the name of a user to an LDAP entry.

edirectoryFilters

Specifies the list of Novell eDirectory LDAP filters.

NameTypeDefaultDescription

groupFilter

string

(&(cn=%v)(objectclass=groupOfNames))

An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for.

groupIdMap

string

*:cn

An LDAP filter that maps the name of a group to an LDAP entry.

groupMemberIdMap

string

groupOfNames:member

An LDAP filter that identifies user to group memberships.

userFilter

string

(&(cn=%v)(objectclass=Person))

An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for.

userIdMap

string

person:cn

An LDAP filter that maps the name of a user to an LDAP entry.

failoverServers

List of LDAP failover servers.

NameTypeDefaultDescription

id

string

A unique configuration ID.

name

string

Configuration properties for LDAP failover servers. Specify it as a backup server for the primary LDAP servers. For example, <failoverServers name="failoverLdapServers"><server host="myfullyqualifiedhostname1" port="389"/><server host="myfullyqualifiedhostname2" port="389"/></failoverServers>.

failoverServers > server

Configuration properties for LDAP failover server.

NameTypeDefaultDescription

host

string
Required

LDAP server host name, which can be either an IP address or a domain name service (DNS) name.

id

string

A unique configuration ID.

port

int
Required

LDAP failover server port.

groupProperties

The configuration for group membership properties (for example; memberAttribute or membershipAttribute).

groupProperties > dynamicMemberAttribute

The configuration for the dynamic member attribute.

NameTypeDefaultDescription

name

string
Required

The name of the member.

objectClass

string
Required

The name of the object class.

groupProperties > memberAttribute

The LDAP member attribute.

NameTypeDefaultDescription

dummyMember

string

The name of the dummy member.

id

string

A unique configuration ID.

name

string
Required

The name of the member.

objectClass

string
Required

The object class of the member attribute.

scope

  • all

  • direct

  • nested

The scope of the member attribute.
all
The specified member attribute includes direct, nested, and dynamic members.
direct
The specified member attribute only includes direct members.
nested
The specified member attribute includes direct and nested members.

groupProperties > membershipAttribute

The configuration for the membership attribute.

NameTypeDefaultDescription

name

string
Required

The name of the membership attribute.

scope

  • all

  • direct

  • nested

The scope of the membership attribute.
all
The specified group membership attribute includes direct, nested, and dynamic groups.
direct
The specified group membership attribute only includes direct groups.
nested
The specified group membership attribute includes direct and nested groups.

idsFilters

Specifies the list of IBM Tivoli Directory Server LDAP filters.

NameTypeDefaultDescription

groupFilter

string

(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))

An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for.

groupIdMap

string

*:cn

An LDAP filter that maps the name of a group to an LDAP entry.

groupMemberIdMap

string

ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember

An LDAP filter that identifies user to group memberships.

userFilter

string

(&(uid=%v)(objectclass=ePerson))

An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for.

userIdMap

string

*:uid

An LDAP filter that maps the name of a user to an LDAP entry.

iplanetFilters

Specifies the list of Sun Java System Directory Server LDAP filters.

NameTypeDefaultDescription

groupFilter

string

(&(cn=%v)(objectclass=ldapsubentry))

An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for.

groupIdMap

string

*:cn

An LDAP filter that maps the name of a group to an LDAP entry.

groupMemberIdMap

string

nsRole:nsRole

An LDAP filter that identifies user to group memberships.

userFilter

string

(&(uid=%v)(objectclass=inetOrgPerson))

An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for.

userIdMap

string

inetOrgPerson:uid

An LDAP filter that maps the name of a user to an LDAP entry.

ldapCache

Configure the attributes of the cache.

ldapCache > attributesCache

The attribute cache properties configuration.

NameTypeDefaultDescription

enabled

boolean

true

A Boolean value to indicate that the property is enabled.

size

int

2000

Defines the number of entities that can be stored in the cache. You can increase the size of the cache based on the number of entities that are required to be stored in the cache.

sizeLimit

int

2000

The maximum number of attributes per LDAP entity that will be cached.

timeout

A period of time with millisecond precision

1200s

Defines the maximum time that the contents of the LDAP attribute cache are available. When the specified time has elapsed, the LDAP attribute cache is cleared. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

ldapCache > searchResultsCache

The configuration for the search results cache.

NameTypeDefaultDescription

enabled

boolean

true

A Boolean value to indicate that the property is enabled.

resultsSizeLimit

int

2000

The maximum number of results that can be cached for a single LDAP search.

size

int

2000

The size of the cache. The number of search results that are stored in the cache. This needs to be configured based on the number of search queries executed on the system and the hardware system resources available.

timeout

A period of time with millisecond precision

1200s

Defines the maximum time that the contents of the search results cache are available. When the specified time has elapsed, the search results cache is cleared. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

ldapEntityType

Configure the LDAP object class, search filters, search bases and LDAP relative distinguished name (RDN) for Person, Group and Organizational Unit. For example, the Group entity type can have a search filter such as (&(ObjectCategory=Groupofnames)(ObjectClass=Groupofnames)) and the object class as Groupofnames with search base ou=iGroups,o=ibm,c=us.

NameTypeDefaultDescription

id

string

A unique configuration ID.

name

string
Required

The name of the LDAP entity type.

objectClass

string

The object class defined for the given LDAP entity type in the LDAP server. For example, the object class for the group LDAP entity type can be Groupofnames.

searchBase

string

Specify the sub tree of the LDAP server for the search call for the given entity type which will override the base DN in search operations. For example, if the base DN is o=ibm,c=us and the search base for the PersonAccount entity type is defined to be ou=iUsers,o=ibm,c=us, then all search calls for PersonAccout will be made under subtree ou=iUsers,o=ibm,c=us. Multiple search bases can be configured for the same entity type.

searchFilter

string

A custom LDAP search expression used while searching for entity types. For example, searchFilter="(|(ObjectCategory=User)(ObjectClass=User))".

loginProperty

A WIM PersonAccount property that is used to generate the LDAP filter for user searches. The first instance of this attribute is returned as the principal name for the user. The mapping of WIM properties to LDAP attributes can be modified by using the attributeConfiguration attribute. Setting this attribute will override userFilter if it is defined. This attribute is case-sensitive.

NameTypeDefaultDescription

id

string

A unique configuration ID.

name

string
Required

A WIM PersonAccount property that is used to generate the LDAP filter for user searches. The first instance of this attribute is returned as the principal name for the user. The mapping of WIM properties to LDAP attributes can be modified by using the attributeConfiguration attribute. Setting this attribute will override userFilter if it is defined. This attribute is case-sensitive.

netscapeFilters

Specifies the list of Netscape Directory Server LDAP filters.

NameTypeDefaultDescription

groupFilter

string

(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))

An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for.

groupIdMap

string

*:cn

An LDAP filter that maps the name of a group to an LDAP entry.

groupMemberIdMap

string

groupOfNames:member;groupOfUniqueNames:uniqueMember

An LDAP filter that identifies user to group memberships.

userFilter

string

(&(uid=%v)(objectclass=inetOrgPerson))

An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for.

userIdMap

string

inetOrgPerson:uid

An LDAP filter that maps the name of a user to an LDAP entry.

securewayFilters

Specifies the list of IBM SecureWay Directory Server LDAP filters.

NameTypeDefaultDescription

groupFilter

string

(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))

An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for.

groupIdMap

string

*:cn

An LDAP filter that maps the name of a group to an LDAP entry.

groupMemberIdMap

string

groupOfNames:member;groupOfUniqueNames:uniqueMember

An LDAP filter that identifies user to group memberships.

userFilter

string

(&(uid=%v)(objectclass=ePerson))

An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for.

userIdMap

string

*:uid

An LDAP filter that maps the name of a user to an LDAP entry.