...

Property

Value

ldap.servers

<ip address or hostname:port>

IP address or hostname of the LDAP server, and port number

ldap.ssl

<true or false>

Set to true to use SSL connections against the LDAP server

Default: false

ldap.acceptedcertissuers

<List of filenames, separated by comma or semicolon>

List of Root/CA certificates to trust when validating server certificates.

Default: none

ldap.verifysslcert

<true or false>

Set to false to disable SSL server certificate validation; use this if your LDAP server has certificates installed that are not trusted.

Warning

Only set this to false if you are 100% certain that is what you want.

Default: true
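The three transport settings above (ldap.ssl, ldap.verifysslcert and ldap.acceptedcertissuers) only protect the bind password and the ACL queries when they are set together. The following Python is an added example written for this page, not Ceptor's own code: it parses a constructed ldap.* properties fragment with the same key=value and comma/semicolon-list conventions the table describes and reports the weak combinations, using the table's own defaults (ssl false, verifysslcert true, no accepted issuers) for keys that are absent. The host names and certificate paths in the samples are made up.

```python
import re

# Constructed sample of ldap.* properties with weak transport settings
# (example input written for this page; not from Ceptor or from the original page).
WEAK_PROPERTIES = """
# hypothetical Ceptor LDAP settings
ldap.servers=ldap.example.internal:389
ldap.ssl=false
ldap.verifysslcert=false
ldap.acceptedcertissuers=
"""

# Constructed sample with the settings a reviewer would expect in production.
HARDENED_PROPERTIES = """
ldap.servers=ldap.example.internal:636
ldap.ssl=true
ldap.verifysslcert=true
ldap.acceptedcertissuers=/etc/ceptor/certs/corp-root-ca.pem;/etc/ceptor/certs/corp-issuing-ca.pem
"""


def parse_properties(text):
    """Parse a java.util.Properties-style fragment: '#' or '!' comments,
    key=value or key: value, surrounding whitespace trimmed.
    Continuation lines and unicode escapes are not needed for the ldap.* keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def split_list(value):
    """Lists in this table may be separated by comma or semicolon; empty entries are dropped."""
    return [item.strip() for item in re.split(r"[,;]", value or "") if item.strip()]


def as_bool(value, default):
    """Properties are strings; an absent or empty value takes the documented default."""
    if value is None or value.strip() == "":
        return default
    return value.strip().lower() == "true"


def check_ldap_tls(text):
    """Return findings for the transport-related ldap.* settings.
    Defaults mirror the table: ldap.ssl false, ldap.verifysslcert true, no accepted issuers."""
    props = parse_properties(text)
    ssl = as_bool(props.get("ldap.ssl"), default=False)
    verify = as_bool(props.get("ldap.verifysslcert"), default=True)
    issuers = split_list(props.get("ldap.acceptedcertissuers"))

    findings = []
    if not ssl:
        findings.append("ldap.ssl=false: the system user's bind password and all "
                        "ACL queries are sent without TLS")
    if not verify:
        findings.append("ldap.verifysslcert=false: the server certificate is never "
                        "checked, so a spoofed LDAP server is accepted")
    if ssl and verify and not issuers:
        findings.append("ldap.acceptedcertissuers is empty: no explicit CA list to "
                        "validate the server certificate against")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, check_ldap_tls(text) or ["no findings"])
```

Run it against the real properties file before a deployment: the weak sample yields two findings, the hardened one none. A verifysslcert=false finding is reported even when ldap.ssl is false, because the setting would silently take effect the day SSL is switched on.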

ldap.connectiontimeout

<timeout in minutes>

Specifies the maximum time in minutes after which a connection to LDAP will be closed.
A connection that lives for longer than <timeout> minutes will be closed and reopened, to avoid problems with long-lived connections.

ldap.protocolVersion

<2 or 3> - Default 2

Version of the LDAP protocol to use when connecting to the LDAP server.

ldap.systemuser

<userid>

Userid of the "technical" user that is used to bind to LDAP in order to get permission to query/update ACLs.

ldap.systempassword

<password>

Password to use when binding to the LDAP server.
The password can optionally be obfuscated or encrypted, by using the command "java dk.itp.security.utils.PasswordUtils" with the original password as parameter.

ldap.basedn

<DN name>

The base DN to use when looking up in the LDAP server. This is the suffix shared by all paths (DNs) in the LDAP directory.

ldap.useridName

<attribute name>

Name of the attribute used when searching for a user – default is "uid".

ldap.usersRDN

<RDN name>

Name of the RDN (LDAP group) where users are stored.

Default is "ou=People".

ldap.userattributes

<List of attributes – separated with comma or semicolon>

List of LDAP attributes to read when fetching a user from the LDAP server – can be left blank to signify all non-operational attributes. The LDAP RFC states that an LDAP server should only return "normal" attributes unless they are specifically named, so this is a way of querying operational attributes for a user.

If you change it from the default, make sure that you do include the default ones in the new configuration property, or they will not be retrieved from LDAP.

Default is "cn,uid,sn,initials,userpassword,memberof,ibm-allGroups,mail,userPrincipalName".

ldap.stripdnfromuser

<true | false> - Default is false

If set to true, the full DN will be stripped from the userid, so instead of the userid being

uid=somebody, ou=people, dc=ceptor, c=io

it will be converted to just the value of the ldap.useridName attribute, in this case "somebody".

This option affects both the userid when logging the user in for the authentication plugin, and the members of groups retrieved by the authorization plugin.

ldap.userObjectClass

<Object class name>

Name of LDAP object class containing user records.

Default is "person"

ldap.groupObjectClass

<Object class name>

Name of LDAP object class containing group records.

Default is "group"

ldap.groupMemberAttributeName

<Name of member attribute> - default is "member" (Note: requires minimum Ceptor v6.4.1)

Allows you to change the member attribute name that is used when looking up group memberships in AD, if the memberOf attribute is not used on the user, or if it does not exist on a user record.

In Active Directory, set this value to: "member:1.2.840.113556.1.4.1941:" to read all nested group memberships.
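The value for Active Directory ends in a colon because the attribute name is placed directly in front of "=" in an extensible-match filter, which is how the 1.2.840.113556.1.4.1941 matching rule makes the server walk nested groups. The Python below is an added example, not Ceptor's code, and the filter shape it builds, (&(objectClass=<ldap.groupObjectClass>)(<ldap.groupMemberAttributeName>=<user DN>)), is an assumption about how such a lookup is typically formed, since the page does not show Ceptor's actual filter. It validates the configured attribute name and applies RFC 4515 escaping to the user DN so that a DN containing parentheses or asterisks cannot alter the filter.

```python
import re

# Attribute description with an optional extensible-match suffix, e.g.
# "member" or "member:1.2.840.113556.1.4.1941:" (the value from the table).
_MEMBER_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(:[A-Za-z0-9.-]+:)?$")


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value: '*', '(', ')', '\\' and NUL become \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def group_membership_filter(member_attr, user_dn, group_object_class="group"):
    """Build the search filter that finds the groups a user DN is a member of.
    Assumed shape for this example (Ceptor's own filter is not on the page):
    (&(objectClass=<ldap.groupObjectClass>)(<ldap.groupMemberAttributeName>=<user DN>))."""
    if not _MEMBER_ATTR.match(member_attr):
        # A malformed configuration value would otherwise become part of the filter syntax.
        raise ValueError("unexpected ldap.groupMemberAttributeName: %r" % member_attr)
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(group_object_class),
        member_attr,
        escape_filter_value(user_dn),
    )


if __name__ == "__main__":
    # Constructed user DN for the demonstration.
    user = "CN=somebody,OU=People,DC=example,DC=com"
    print(group_membership_filter("member", user))
    print(group_membership_filter("member:1.2.840.113556.1.4.1941:", user))
    print(group_membership_filter("member", "CN=Smith (Bob),OU=People,DC=example,DC=com"))
```

With the plain "member" attribute the filter returns only direct memberships; with the AD matching-rule form the same query returns every group in the nesting chain, which is what the authorization plugin needs when memberOf is unavailable on the user record.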

ldap.group.name.is.cn

<true | false> - Default is false

When reading LDAP group names, the name stored is by default the full unique name, i.e. the full DN of the group, e.g. CN=Administrators, OU=Groups, OU=organisation, OU=com. If this attribute is set to true, only the CN is kept and the rest is stripped.
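Both ldap.stripdnfromuser (above) and ldap.group.name.is.cn reduce a full DN to the value of one RDN: the ldap.useridName attribute for users and the CN for groups. The Python below is an added example written for this page, not Ceptor's code; it shows the reduction both options describe, using the DNs from the table as input, and also applies it to a group's member list, which is the second place the stripdnfromuser description says the option takes effect. The parser is a small RFC 4514 subset written for the example (backslash escapes and the optional space after commas are handled; hex escapes and '+'-joined multi-valued RDNs are not), and the choice to return a value unchanged when it contains no matching attribute is an assumption, not documented behaviour.

```python
def parse_dn(dn):
    """Split a distinguished name into (attribute, value) pairs in the order written,
    e.g. 'uid=somebody, ou=people, dc=ceptor, c=io' gives four pairs.
    Backslash-escaped characters are kept literally (RFC 4514 subset for this example;
    hex escapes such as '\\2C' and '+'-joined multi-valued RDNs are not interpreted)."""
    components, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)          # keep the escaped character, drop the backslash
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    components.append("".join(buf))

    rdns = []
    for comp in components:
        comp = comp.strip()         # tolerate the space after commas used on this page
        if not comp:
            continue
        attr, sep, value = comp.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % comp)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def rdn_value(dn, attribute):
    """Value of the first RDN whose attribute type matches, compared case-insensitively
    because LDAP attribute types are case-insensitive. None when no component matches."""
    wanted = attribute.lower()
    for attr, value in parse_dn(dn):
        if attr == wanted:
            return value
    return None


def strip_dn_from_user(userid, userid_name="uid"):
    """ldap.stripdnfromuser=true: reduce a full user DN to the value of the
    ldap.useridName attribute. Assumption for this example: a value without that
    attribute (for instance a plain userid) is returned unchanged."""
    value = rdn_value(userid, userid_name) if "=" in userid else None
    return value if value is not None else userid


def group_name_from_dn(group_dn):
    """ldap.group.name.is.cn=true: keep only the CN of the group DN."""
    value = rdn_value(group_dn, "cn")
    return value if value is not None else group_dn


def strip_group_members(members, userid_name="uid"):
    """The same stripping applied to the member list read by the authorization plugin."""
    return [strip_dn_from_user(m, userid_name) for m in members]


if __name__ == "__main__":
    print(strip_dn_from_user("uid=somebody, ou=people, dc=ceptor, c=io"))
    print(group_name_from_dn("CN=Administrators, OU=Groups, OU=organisation, OU=com"))
    print(strip_group_members(["uid=a,ou=people,dc=ceptor,c=io", "uid=b,ou=people,dc=ceptor,c=io"]))
```

One consequence worth keeping in mind when enabling either option: after stripping, two entries that differ only in their container (the same uid under two organisational units, or the same CN under two group OUs) become indistinguishable, so ACLs written against the short names should only be used where the directory guarantees those values are unique.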

...