LDAP User Registry (ldapRegistry)
Configuration properties for the LDAP user registry.
Name | Type | Default | Description |
---|---|---|---|
activedFiltersRef | A reference to top level activedLdapFilterProperties element (string). | Specifies the list of Microsoft Active Directory LDAP filters. | |
allowWriteToSecondaryServers | boolean | false | Allow create, update, and delete operations on failover servers. |
baseDN | string | Base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches in the directory service. | |
bindAuthMechanism |
| simple | The authentication mechanism for binding to the LDAP server when searching or modifying an LDAP entry. |
bindDN | string | Distinguished name (DN) for the application server, which is used to bind to the directory service. | |
bindPassword | Reversably encoded password (string) | Password for the bind DN. The value can be stored in clear text or encoded form. It is recommended that you encode the password. To do so, use the securityUtility tool with the encode option. | |
certificateFilter | string | Specifies the filter certificate mapping property for the LDAP filter when the X.509 certificate authentication mapping mode is CERTIFICATE_FILTER. The filter is used to map attributes in the client certificate to entries in the LDAP registry. For example, the filter can be specified as: uid=${SubjectCN}. | |
certificateMapMode |
| EXACT_DN | Specifies the X.509 certificate authentication mapping mode for the LDAP registry: CUSTOM, EXACT_DN, CERTIFICATE_FILTER, or NOT_SUPPORTED. |
certificateMapperId | string | Specifies the X509CertificateMapper to use when the X.509 certificate authentication mapping mode is CUSTOM. The value must match the value of the 'x509.certificate.mapper.id' property that is specified for the X509CertificateMapper implementation. | |
connectTimeout | A period of time with millisecond precision | 1m | Maximum time for establishing a connection to the LDAP server. A value of 0 indicates that the TCP protocol's timeout value should be used. The program logs an error message if the specified time expires. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
customFiltersRef | A reference to top level customLdapFilterProperties element (string). | Specifies the list of Custom LDAP filters. | |
derefAliases |
| always | When an alias entry is encountered, specifies whether the alias is dereferenced so that the object that is returned is the object that is pointed to by the alias DN. |
domino50FiltersRef | A reference to top level domino50LdapFilterProperties element (string). | Specifies the list of IBM Lotus Domino LDAP filters. | |
edirectoryFiltersRef | A reference to top level edirectoryLdapFilterProperties element (string). | Specifies the list of Novell eDirectory LDAP filters. | |
host | string | Address of the LDAP server in the form of an IP address or a domain name service (DNS) name. | |
id | string | A unique configuration ID. | |
idsFiltersRef | A reference to top level idsLdapFilterProperties element (string). | Specifies the list of IBM Tivoli Directory Server LDAP filters. | |
ignoreCase | boolean | true | Perform a case-insensitive authentication check. |
iplanetFiltersRef | A reference to top level iplanetLdapFilterProperties element (string). | Specifies the list of Sun Java System Directory Server LDAP filters. | |
krb5Principal | string | The name of the Kerberos principal name or Kerberos service name to be used. | |
krb5TicketCache | Path to a file | The file location where Kerberos credentials for the Kerberos principal name or service name will be stored. Also known as the Kerberos credential cache (ccache) | |
ldapType |
| Type of LDAP server to which a connection is established. | |
netscapeFiltersRef | A reference to top level netscapeLdapFilterProperties element (string). | Specifies the list of Netscape Directory Server LDAP filters. | |
port | int | Port number of the LDAP server. | |
primaryServerQueryTimeInterval | int | 15 | The interval, in minutes, at which the virtual member manager tests the primary server for availability. |
readTimeout | A period of time with millisecond precision | 1m | Maximum time to wait for read operations for LDAP operations. A value of 0 indicates that no timeout exists and the read waits indefinitely. The program logs an error message if the specified time expires. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
realm | string | LdapRegistry | The realm name that represents the user registry. |
recursiveSearch | boolean | false | Performs a nested group search. Select this option only if the LDAP server does not support recursive server-side searches. |
referral |
| ignore | Specify the behavior for LDAP referrals. The default behavior is to ignore referrals. |
returnToPrimaryServer | boolean | true | A boolean value that indicates if the search should be done against the Primary Server. |
reuseConnection | boolean | true | Requests the application server to reuse the LDAP server connection. |
searchTimeout | A period of time with millisecond precision | 1m | Maximum time for an LDAP server to respond before a request is canceled. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
securewayFiltersRef | A reference to top level securewayLdapFilterProperties element (string). | Specifies the list of IBM SecureWay Directory Server LDAP filters. | |
sslEnabled | boolean | false | Indicates whether an SSL connection should be made to the LDAP server. |
sslRef | A reference to top level ssl element (string). | ID of the SSL configuration to be used to connect to the SSL-enabled LDAP server. | |
timestampFormat | string | A string value that provides a SimpleDateFormat pattern that is used to parse timestamp attribute values. For example, you can use 'yyyyMMddHHmmss.SSSZ' to parse '20181120214852.869-0000Z'. If this attribute is not defined, a default will be provided based on ldapType. |
activedFilters
Specifies the list of Microsoft Active Directory LDAP filters.
Name | Type | Default | Description |
---|---|---|---|
groupFilter | string | (&(cn=%v)(objectcategory=group)) | An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for. |
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry. |
groupMemberIdMap | string | memberOf:member | An LDAP filter that identifies user to group memberships. |
userFilter | string | (&(sAMAccountName=%v)(objectcategory=user)) | An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for. |
userIdMap | string | user:sAMAccountName | An LDAP filter that maps the name of a user to an LDAP entry. |
attributeConfiguration
The configuration that maps the LDAP attributes with the user registry schema (for example; Person, PersonAccount or Group) field names.
attributeConfiguration > attribute
Define the user registry schema field names to be mapped to the LDAP attribute.
Name | Type | Default | Description |
---|---|---|---|
defaultValue | string | The default value of the attribute. | |
entityType | string | The entity type of the attribute. | |
id | string | A unique configuration ID. | |
name | string | The name of the LDAP attribute. | |
propertyName | string | The user registry schema field name that needs to be mapped with the LDAP attribute. | |
syntax | string | The attribute syntax. |
attributeConfiguration > externalIdAttribute
Define the name of the LDAP attribute and its properties that needs to be mapped to the user registry externalId attribute.
Name | Type | Default | Description |
---|---|---|---|
autoGenerate | boolean | false | When enabled, the externalId attribute value is generated automatically by the user registry instead of using the value that is stored in LDAP. By default it is disabled. |
entityType | string | The entity type of the attribute. | |
id | string | A unique configuration ID. | |
name | string | The name of the LDAP attribute to be used for the user registry externalId attribute. | |
syntax | string | The attribute syntax. |
contextPool
Properties of the context pool.
Name | Type | Default | Description |
---|---|---|---|
enabled | boolean | true | A boolean value that determines if the context pool is enabled. Disabling it can cause performance degradation. |
initialSize | int | 1 | An integer value that determines the initial size of the context pool. Set this based on the load on the repository. |
maxSize | int | 0 | An integer value that defines the maximum context pool size. Set this based on the maximum load on the repository. |
preferredSize | int | 3 | The preferred size of the context pool. Set this based on the load on the repository. |
timeout | A period of time with millisecond precision | 0s | The duration after which the context pool times out. An integer that represents the time that an idle context instance can remain in the pool without being closed and removed from the pool. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s) or milliseconds (ms). For example, specify 1 second as 1s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 1.5 minutes. The minimum timeout allowed is 1 second. Millisecond entries are rounded to the nearest second. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
waitTime | A period of time with millisecond precision | 3s | The duration after which the context pool times out. The time interval that the request waits until the context pool checks again if an idle context instance is available in the pool when the number of context instances reaches the maximum pool size. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
customFilters
Specifies the list of Custom LDAP filters.
Name | Type | Default | Description |
---|---|---|---|
groupFilter | string | (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))) | An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for. |
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry. |
groupMemberIdMap | string | ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember | An LDAP filter that identifies user to group memberships. |
userFilter | string | (&(uid=%v)(objectclass=ePerson)) | An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for. |
userIdMap | string | *:uid | An LDAP filter that maps the name of a user to an LDAP entry. |
domino50Filters
Specifies the list of IBM Lotus Domino LDAP filters.
Name | Type | Default | Description |
---|---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=dominoGroup)) | An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for. |
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry. |
groupMemberIdMap | string | dominoGroup:member | An LDAP filter that identifies user to group memberships. |
userFilter | string | (&(uid=%v)(objectclass=Person)) | An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for. |
userIdMap | string | person:uid | An LDAP filter that maps the name of a user to an LDAP entry. |
edirectoryFilters
Specifies the list of Novell eDirectory LDAP filters.
Name | Type | Default | Description |
---|---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=groupOfNames)) | An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for. |
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry. |
groupMemberIdMap | string | groupOfNames:member | An LDAP filter that identifies user to group memberships. |
userFilter | string | (&(cn=%v)(objectclass=Person)) | An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for. |
userIdMap | string | person:cn | An LDAP filter that maps the name of a user to an LDAP entry. |
failoverServers
List of LDAP failover servers.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
name | string | Configuration properties for LDAP failover servers. Specify it as a backup server for the primary LDAP servers. For example, <failoverServers name="failoverLdapServers"><server host="myfullyqualifiedhostname1" port="389"/><server host="myfullyqualifiedhostname2" port="389"/></failoverServers>. |
failoverServers > server
Configuration properties for LDAP failover server.
Name | Type | Default | Description |
---|---|---|---|
host | string | LDAP server host name, which can be either an IP address or a domain name service (DNS) name. | |
id | string | A unique configuration ID. | |
port | int | LDAP failover server port. |
groupProperties
The configuration for group membership properties (for example; memberAttribute or membershipAttribute).
groupProperties > dynamicMemberAttribute
The configuration for the dynamic member attribute.
Name | Type | Default | Description |
---|---|---|---|
name | string | The name of the member. | |
objectClass | string | The name of the object class. |
groupProperties > memberAttribute
The LDAP member attribute.
Name | Type | Default | Description |
---|---|---|---|
dummyMember | string | The name of the dummy member. | |
id | string | A unique configuration ID. | |
name | string | The name of the member. | |
objectClass | string | The object class of the member attribute. | |
scope |
| The scope of the member attribute. |
groupProperties > membershipAttribute
The configuration for the membership attribute.
Name | Type | Default | Description |
---|---|---|---|
name | string | The name of the membership attribute. | |
scope |
| The scope of the membership attribute. |
idsFilters
Specifies the list of IBM Tivoli Directory Server LDAP filters.
Name | Type | Default | Description |
---|---|---|---|
groupFilter | string | (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))) | An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for. |
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry. |
groupMemberIdMap | string | ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember | An LDAP filter that identifies user to group memberships. |
userFilter | string | (&(uid=%v)(objectclass=ePerson)) | An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for. |
userIdMap | string | *:uid | An LDAP filter that maps the name of a user to an LDAP entry. |
iplanetFilters
Specifies the list of Sun Java System Directory Server LDAP filters.
Name | Type | Default | Description |
---|---|---|---|
groupFilter | string | (&(cn=%v)(objectclass=ldapsubentry)) | An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for. |
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry. |
groupMemberIdMap | string | nsRole:nsRole | An LDAP filter that identifies user to group memberships. |
userFilter | string | (&(uid=%v)(objectclass=inetOrgPerson)) | An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for. |
userIdMap | string | inetOrgPerson:uid | An LDAP filter that maps the name of a user to an LDAP entry. |
ldapCache
Configure the attributes of the cache.
ldapCache > attributesCache
The attribute cache properties configuration.
Name | Type | Default | Description |
---|---|---|---|
enabled | boolean | true | A Boolean value to indicate that the property is enabled. |
size | int | 2000 | Defines the number of entities that can be stored in the cache. You can increase the size of the cache based on the number of entities that are required to be stored in the cache. |
sizeLimit | int | 2000 | The maximum number of attributes per LDAP entity that will be cached. |
timeout | A period of time with millisecond precision | 1200s | Defines the maximum time that the contents of the LDAP attribute cache are available. When the specified time has elapsed, the LDAP attribute cache is cleared. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
ldapCache > searchResultsCache
The configuration for the search results cache.
Name | Type | Default | Description |
---|---|---|---|
enabled | boolean | true | A Boolean value to indicate that the property is enabled. |
resultsSizeLimit | int | 2000 | The maximum number of results that can be cached for a single LDAP search. |
size | int | 2000 | The size of the cache. The number of search results that are stored in the cache. This needs to be configured based on the number of search queries executed on the system and the hardware system resources available. |
timeout | A period of time with millisecond precision | 1200s | Defines the maximum time that the contents of the search results cache are available. When the specified time has elapsed, the search results cache is cleared. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
ldapEntityType
Configure the LDAP object class, search filters, search bases and LDAP relative distinguished name (RDN) for Person, Group and Organizational Unit. For example, the Group entity type can have a search filter such as (&(ObjectCategory=Groupofnames)(ObjectClass=Groupofnames)) and the object class as Groupofnames with search base ou=iGroups,o=ibm,c=us.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
name | string | The name of the LDAP entity type. | |
objectClass | string | The object class defined for the given LDAP entity type in the LDAP server. For example, the object class for the group LDAP entity type can be Groupofnames. | |
searchBase | string | Specify the sub tree of the LDAP server for the search call for the given entity type which will override the base DN in search operations. For example, if the base DN is o=ibm,c=us and the search base for the PersonAccount entity type is defined to be ou=iUsers,o=ibm,c=us, then all search calls for PersonAccout will be made under subtree ou=iUsers,o=ibm,c=us. Multiple search bases can be configured for the same entity type. | |
searchFilter | string | A custom LDAP search expression used while searching for entity types. For example, searchFilter="(|(ObjectCategory=User)(ObjectClass=User))". |
loginProperty
A WIM PersonAccount property that is used to generate the LDAP filter for user searches. The first instance of this attribute is returned as the principal name for the user. The mapping of WIM properties to LDAP attributes can be modified by using the attributeConfiguration attribute. Setting this attribute will override userFilter if it is defined. This attribute is case-sensitive.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
name | string | A WIM PersonAccount property that is used to generate the LDAP filter for user searches. The first instance of this attribute is returned as the principal name for the user. The mapping of WIM properties to LDAP attributes can be modified by using the attributeConfiguration attribute. Setting this attribute will override userFilter if it is defined. This attribute is case-sensitive. |
netscapeFilters
Specifies the list of Netscape Directory Server LDAP filters.
Name | Type | Default | Description |
---|---|---|---|
groupFilter | string | (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) | An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for. |
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry. |
groupMemberIdMap | string | groupOfNames:member;groupOfUniqueNames:uniqueMember | An LDAP filter that identifies user to group memberships. |
userFilter | string | (&(uid=%v)(objectclass=inetOrgPerson)) | An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for. |
userIdMap | string | inetOrgPerson:uid | An LDAP filter that maps the name of a user to an LDAP entry. |
securewayFilters
Specifies the list of IBM SecureWay Directory Server LDAP filters.
Name | Type | Default | Description |
---|---|---|---|
groupFilter | string | (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) | An LDAP filter clause for searching the user registry for groups. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, cn=%v. During searches, the %v in the AVA is replaced with the group or group pattern being searched for. |
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry. |
groupMemberIdMap | string | groupOfNames:member;groupOfUniqueNames:uniqueMember | An LDAP filter that identifies user to group memberships. |
userFilter | string | (&(uid=%v)(objectclass=ePerson)) | An LDAP filter clause for searching the user registry for users. When defined, this filter requires an Attribute Value Assertion (AVA) containing a %v. For example, uid=%v. During searches, the %v in the AVA is replaced with the user or user pattern being searched for. |
userIdMap | string | *:uid | An LDAP filter that maps the name of a user to an LDAP entry. |