...

Property

Value

ldap.servers

<ip address or hostname:port>

IP address or hostname of the LDAP server, and port number

ldap.ssl

<true or false>

Set to true to use SSL connections against the LDAP server

Default: false

ldap.acceptedcertissuers

<List of filenames, separated by comma or semicolon>

List of Root/CA certificates to trust when validating server certificates.

Default: none

ldap.verifysslcert

<true or false>

Set to false to disable SSL server certificate validation - only needed if your LDAP server presents a certificate that is not trusted (for example self-signed, or issued by an internal CA that is not listed in ldap.acceptedcertissuers).

Warning

Only set this to false if you are 100% certain that is what you want. Without certificate validation, anyone able to intercept the connection can impersonate the LDAP server and capture the ldap.systemuser bind password as well as the passwords of users being authenticated. The preferred fix for an untrusted server certificate is to add its issuing CA certificate to ldap.acceptedcertissuers and leave validation enabled.

Default: true

ldap.connectiontimeout

<timeout in minutes>

Specifies the maximum time in minutes that a connection to the LDAP server is kept open.
A connection that has lived longer than <timeout> minutes is closed and reopened, to avoid problems with long-lived connections.

ldap.systemuser

<userid>

Userid of the "technical" (service) account used to bind to the LDAP server; this bind must have the permissions needed to query/update ACLs.

ldap.systempassword

<password>

Password to use when binding to the LDAP server.
The password can optionally be obfuscated or encrypted, by using the command "java dk.itp.security.utils.PasswordUtils" with the original password as parameter.

ldap.basedn

<DN name>

The base DN to use when looking up in the LDAP server. This is the suffix appended to all DNs used in the directory - e.g. ldap.usersRDN is resolved relative to it.

ldap.useridName

<attribute name>

Name of the attribute used when searching for a user – default is "uid".

ldap.usersRDN

<RDN name>

Relative DN of the container (typically an organizational unit) below ldap.basedn where user entries are stored.

Default is "ou=People".

ldap.userattributes

<List of attributes – separated with comma or semicolon>

List of LDAP attributes to read when fetching a user from the LDAP server - can be left blank to request all non-operational attributes. The LDAP protocol (RFC 4511) only returns user attributes unless operational attributes are requested by name, so naming them here is the way to retrieve operational attributes for a user.

If you change it from the default, make sure that you do include the default ones in the new configuration property, or they will not be retrieved from LDAP.

Default is "cn,uid,sn,initials,userpassword,memberof,ibm-allGroups,mail,userPrincipalName".

ldap.stripdnfromuser

<true | false> - Default is false

If set to true, the full DN is stripped from the userid - so instead of the userid being

uid=somebody, ou=people, dc=ceptor, c=io

it is converted to just the value of the ldap.useridName attribute, in this case somebody.

This option affects both the userid when logging the user in for the authentication plugin, and the members of groups retrieved by the authorization plugin.

ldap.userObjectClass

<Object class name>

Name of LDAP object class containing user records.

Default is "person"

ldap.groupObjectClass

<Object class name>

Name of LDAP object class containing group records.

Default is "group"

ldap.groupMemberAttributeName

<Name of member attribute> - default is "member" (Note: requires Ceptor v6.4.1 or later)

Allows you to change the member attribute name used when looking up group memberships in AD, if the memberOf attribute is not used on the user, or if it does not exist on the user record.

In Active Directory, set this value to "member:1.2.840.113556.1.4.1941:" (the LDAP_MATCHING_RULE_IN_CHAIN rule) to read all nested group memberships in a single query.

ldap.group.name.is.cn

<true | false> - Default is false

When reading LDAP group names, by default the name stored is the full unique name, i.e. the full DN of the group - e.g. CN=Administrators, OU=Groups, OU=organisation, OU=com. If this property is set to true, only the CN is kept and the rest is stripped.

ldap.attrsToStore

<Pattern>

Attributes matching this pattern will be stored in the session as state variables.

This allows you to read arbitrary attributes from LDAP and store them in the session - that could be a users email address, phone number or any other attribute available in LDAP.
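The following is an added example, not Ceptor's own code, showing how the ldap.* properties above combine into the search base and filter of a user lookup, how ldap.groupMemberAttributeName (including the Active Directory matching-rule form) lands in the group filter, and what ldap.stripdnfromuser, ldap.group.name.is.cn and ldap.attrsToStore do to the values that come back. The login name is escaped per RFC 4515 so that input such as *)(uid=* cannot widen the search. The sample configuration, the function names, and the assumption that ldap.attrsToStore is a regular expression are illustrative and not taken from the page.

```python
import re

# Constructed sample configuration (assumption), using the defaults documented above
# except for the three post-processing switches, which are turned on to show their effect.
CONFIG = {
    "ldap.basedn": "dc=ceptor,c=io",
    "ldap.usersRDN": "ou=People",
    "ldap.useridName": "uid",
    "ldap.userObjectClass": "person",
    "ldap.groupObjectClass": "group",
    "ldap.groupMemberAttributeName": "member",
    "ldap.stripdnfromuser": "true",
    "ldap.group.name.is.cn": "true",
    "ldap.attrsToStore": "mail|mobile",  # assumed to be a regular expression
}

# RFC 4515 escapes for the characters that are special inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value so user input cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search(cfg, userid):
    """Search base and filter for looking up a login name (ldap.useridName)."""
    base = "%s,%s" % (cfg["ldap.usersRDN"], cfg["ldap.basedn"])
    flt = "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(cfg["ldap.userObjectClass"]),
        cfg["ldap.useridName"],
        escape_filter_value(userid),
    )
    return base, flt


def group_search(cfg, user_dn):
    """Filter for the groups a user is a member of, via ldap.groupMemberAttributeName.

    The value "member:1.2.840.113556.1.4.1941:" documented for Active Directory is used
    verbatim as the attribute part, giving (member:1.2.840.113556.1.4.1941:=<dn>), which
    makes the server expand nested groups.
    """
    flt = "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(cfg["ldap.groupObjectClass"]),
        cfg["ldap.groupMemberAttributeName"],
        escape_filter_value(user_dn),
    )
    return cfg["ldap.basedn"], flt


def split_dn(dn):
    """Split a DN into its RDNs on commas that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts


def rdn_value(rdn):
    """Value part of 'attr=value'; single-character backslash escapes are removed
    (hex escapes such as \\2c are not handled in this simplified version)."""
    _, value = rdn.split("=", 1)
    return re.sub(r"\\(.)", r"\1", value)


def principal_name(cfg, user_dn):
    """Userid as reported after ldap.stripdnfromuser: the first RDN value, which is the
    ldap.useridName attribute for entries stored as uid=...,ou=People,..."""
    if cfg.get("ldap.stripdnfromuser", "false").lower() == "true":
        return rdn_value(split_dn(user_dn)[0])
    return user_dn


def group_name(cfg, group_dn):
    """Group name after ldap.group.name.is.cn: only the CN, or the full DN."""
    if cfg.get("ldap.group.name.is.cn", "false").lower() == "true":
        return rdn_value(split_dn(group_dn)[0])
    return group_dn


def session_attrs(cfg, entry):
    """Subset of a fetched entry whose attribute names match ldap.attrsToStore."""
    pattern = re.compile(cfg["ldap.attrsToStore"], re.IGNORECASE)
    return {name: values for name, values in entry.items() if pattern.fullmatch(name)}


if __name__ == "__main__":
    print(user_search(CONFIG, "*)(uid=*"))
    print(principal_name(CONFIG, "uid=somebody, ou=people, dc=ceptor, c=io"))
```

Note that the user's DN is escaped before it goes into the group filter as well: a DN containing a backslash-escaped comma has to be written with \5c inside a filter, and a userid that reaches the filter unescaped is a textbook LDAP injection.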


Handling passwords that require changes

...

Property

Value

ldap.totp.attribute.name

<Attribute name>

Name of the LDAP attribute in which the user's encrypted TOTP secret is stored.

Default is "secretary"

Warning

If using Active Directory, the default schema restricts the contents of the secretary attribute (it is defined with DN syntax), so you need to select another attribute that can hold a regular string value, such as the carLicense attribute.


ldap.mobile.attribute.name

<Attribute name>

Name of the LDAP attribute containing the user's mobile phone number, used when the OTP is sent by SMS.

Default is "mobile"

ldap.otp.retries

<Integer>

Number of retries allowed when validating an OTP code.

Default is 3

ldap.sms.text

<Format String>

String containing the text sent to the user when sending a generated OTP value.

%s will be replaced with the OTP value, and %n can be used as newline.

Default: "PIN:%n%s"

ldap.totpsecret.encryptionkey

<Filename>

Filename of a file containing the AES key used to encrypt the user's TOTP secret before it is stored in the LDAP server. Note that this file can be generated by PasswordUtils - see Encrypting or Obfuscating Passwords for more information. Protect the file like a password: anyone who can read both it and the LDAP attribute can generate valid codes for every user.

Default: none

ldap.attrsToStore

<Pattern>

Attributes matching this pattern will be stored in the session as state variables.

This allows you to read arbitrary attributes from LDAP and store them in the session - that could be a users email address, phone number or any other attribute available in LDAP.
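The following is an added example, not Ceptor's own code, of the verification that the ldap.totp.*, ldap.otp.retries and ldap.sms.text settings configure: RFC 6238 TOTP generation, a check that tolerates one step of clock skew, refuses to reuse an accepted step (replay), compares codes in constant time, and stops evaluating after the configured number of wrong answers. The secret would be read from the attribute named by ldap.totp.attribute.name and decrypted with the key from ldap.totpsecret.encryptionkey; that decryption step is out of scope here, and the secret used is the RFC 6238 test-vector key, not a real user's. The class, the function names and the exact meaning given to "retries" (consecutive wrong codes before lock-out) are assumptions.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6   # length of the generated code
STEP = 30    # TOTP time step in seconds (RFC 6238 default)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))


def totp(secret, at=None, digits=DIGITS, step=STEP):
    """RFC 6238 TOTP for the given Unix time (now if omitted)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class OtpVerifier:
    """Per-user verification state.

    Assumed semantics for ldap.otp.retries: after that many consecutive wrong codes the
    verifier refuses further attempts until reset(); a correct code clears the counter.
    """

    def __init__(self, secret, retries=3, window=1):
        self.secret = secret
        self.retries = retries
        self.window = window        # accepted clock skew, in time steps either way
        self.failures = 0
        self.last_counter = -1      # highest step already used: blocks replay of a code

    def reset(self):
        self.failures = 0

    def verify(self, code, at=None):
        if self.failures >= self.retries:
            return False            # locked: do not even evaluate the code
        at = time.time() if at is None else at
        counter = int(at // STEP)
        accepted = None
        # Check every candidate step instead of returning on the first hit, and compare with
        # compare_digest, so timing does not reveal which candidate (if any) matched.
        for c in range(counter - self.window, counter + self.window + 1):
            expected = hotp(self.secret, c).encode()
            if c > self.last_counter and hmac.compare_digest(expected, str(code).encode()):
                accepted = c
        if accepted is None:
            self.failures += 1
            return False
        self.failures = 0
        self.last_counter = accepted
        return True


def format_sms(template, code):
    """Expand the ldap.sms.text placeholders: %n becomes a newline, %s the code."""
    return template.replace("%n", "\n").replace("%s", code)


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 test-vector key, not a real user's secret.
    secret = b"12345678901234567890"
    print(format_sms("PIN:%n%s", totp(secret)))
```

The lock-out is deliberately checked before the code is computed, so a locked user cannot keep probing, and the replay guard means a code intercepted from an SMS is useless once the legitimate login has consumed it.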

Email related settings

ldap.otp.email.subject

<String>

Specify the subject of the email sent with the OTP

Code Block
{username} is replaced with the user's name
{userid} is replaced with the user's ID
{code} is replaced with the generated One-Time-PIN
\n is replaced with linefeed


Default: Ceptor One-Time-Pin

ldap.otp.email.message

<String>

Specify the content of the email message to be sent with the OTP

Code Block
{username} is replaced with the user's name
{userid} is replaced with the user's ID
{code} is replaced with the generated One-Time-PIN
\n is replaced with linefeed


Default: Hello {username}.\n\nYou have requested a one-time-pin code, please use the code {code}.

ldap.email.config.prefix

<String>

Configuration prefix for the SMTP server settings - if set to "mail", the settings start with "mail." - e.g. "mail.from", "mail.replyto" etc.
Can be used to switch between different email configurations, e.g. by changing it to "alternatemail", in which case the mail server settings are read from "alternatemail.from", "alternatemail.replyto" etc.

Default: mail

mail.smtp.host

<hostname or IP> - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

SMTP hostname

mail.smtp.protocol

<smtp or smtps> - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

SMTP protocol to use - either smtp for plaintext or smtps for encrypted

mail.smtp.port

<port number> - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

TCP port for the SMTP server - usually 25 for unencrypted SMTP, 465 for smtps (implicit TLS) and 587 for submission with STARTTLS

mail.smtp.user

<string>  - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

Userid for authentication to the mailserver

mail.smtp.password

<string>  - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

Password for authentication to the mailserver - see Encrypting or Obfuscating Passwords

mail.from

<string>  - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

Email address to set as "From" email address

mail.replyto

<string>  - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

Optional email address for reply-to address

mail.starttls.enable

<Boolean>  - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

True for enabling STARTTLS

Default: true

mail.debug

<Boolean>  - Note that "mail" can be replaced depending on the value of the ldap.email.config.prefix property

Set to true to enable debugging, in which case the SMTP protocol dialogue is written to stdout. Leave it off outside troubleshooting: the trace includes the messages sent, and therefore the OTP codes.

Default: false
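The following is an added example, not Ceptor's own code, of how the ldap.email.config.prefix indirection resolves the mail.* properties above, together with a check that flags the combinations which would send the SMTP password or the OTP mails in clear, or leak them to stdout through debug. The two sample property sets are constructed for illustration; the function names and the port defaults assumed when mail.smtp.port is missing are not from the page.

```python
# Constructed weak configuration: alternate prefix, plaintext SMTP, STARTTLS off, debug on.
WEAK = {
    "ldap.email.config.prefix": "alternatemail",
    "alternatemail.smtp.host": "smtp.example.org",
    "alternatemail.smtp.protocol": "smtp",
    "alternatemail.smtp.port": "25",
    "alternatemail.smtp.user": "otp-sender",
    "alternatemail.smtp.password": "s3cret",
    "alternatemail.from": "otp@example.org",
    "alternatemail.starttls.enable": "false",
    "alternatemail.debug": "true",
    "mail.smtp.host": "not-used.example.org",   # ignored because the prefix is alternatemail
}

# Constructed hardened configuration: default prefix, implicit TLS on 465, debug off.
HARDENED = {
    "ldap.email.config.prefix": "mail",
    "mail.smtp.host": "smtp.example.org",
    "mail.smtp.protocol": "smtps",
    "mail.smtp.port": "465",
    "mail.smtp.user": "otp-sender",
    "mail.smtp.password": "s3cret",
    "mail.from": "otp@example.org",
    "mail.starttls.enable": "true",
    "mail.debug": "false",
}


def resolve_mail_settings(props):
    """Pick the mail settings for the prefix named by ldap.email.config.prefix."""
    prefix = props.get("ldap.email.config.prefix", "mail")

    def get(key, default=None):
        return props.get("%s.%s" % (prefix, key), default)

    protocol = get("smtp.protocol", "smtp")
    return {
        "prefix": prefix,
        "host": get("smtp.host"),
        "protocol": protocol,
        # Assumed fallback ports; the page does not state a default for smtp.port.
        "port": int(get("smtp.port", 465 if protocol == "smtps" else 25)),
        "user": get("smtp.user"),
        "password": get("smtp.password"),
        "from": get("from"),
        "replyto": get("replyto"),
        "starttls": get("starttls.enable", "true").lower() == "true",
        "debug": get("debug", "false").lower() == "true",
    }


def transport_warnings(settings):
    """Reasons this configuration would expose the SMTP password or the OTP codes."""
    prefix = settings["prefix"]
    warnings = []
    encrypted = settings["protocol"] == "smtps" or settings["starttls"]
    if not encrypted:
        what = "SMTP password and OTP mails" if settings["user"] else "OTP mails"
        warnings.append("%s.smtp.protocol=smtp with %s.starttls.enable=false: %s are sent in clear"
                        % (prefix, prefix, what))
    if settings["protocol"] == "smtps" and settings["port"] == 25:
        warnings.append("%s.smtp.protocol=smtps on port 25: 25 is the plaintext port, 465 the implicit-TLS port"
                        % prefix)
    if settings["debug"]:
        warnings.append("%s.debug=true: the SMTP dialogue, including OTP mail bodies, goes to stdout"
                        % prefix)
    return warnings


if __name__ == "__main__":
    for name, props in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, transport_warnings(resolve_mail_settings(props)))
```

One caveat the check cannot see: with smtp plus starttls.enable=true the upgrade to TLS is only attempted, so a server (or an attacker stripping the STARTTLS capability) that does not offer it leaves the session in clear; the page documents no setting that makes STARTTLS mandatory, so use smtps where the mail server supports it.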

...