Terracotta 10.11 | Terracotta Server Administration Guide | SSL / TLS Security Configuration in Terracotta | LDAP Properties
LDAP Properties
The minimum set of properties to specify is:
If you are using LDAP for authorization, you must also specify:
and, if you set memberinfoingroups to true, you must also specify:
Most other properties need only be used if you have specific requirements.
Connection related properties
url - The URL of the LDAP server (e.g. ldap://ldapserver:389 or ldaps://ldapserver:636).
keystoreUrl - The URL from which a keystore can be retrieved (e.g. file:///usr/local/ldap/keystore.jks) - used to authenticate to the LDAP server.
keystoreType - The store type of the keystore (e.g. JKS).
keystorePassword - The password to verify the integrity of the keystore.
keyAlias - The alias in the keystore where the certificate and key are stored.
keyPassword - The password to allow access to the specified alias. Defaults to store password.
truststoreUrl - The URL from which a truststore can be retrieved. Used to validate the certificate presented by the LDAP server during an SSL/TLS handshake.
truststoreType - The store type of the truststore (e.g. JKS).
truststorePassword - The password to verify the integrity of the truststore.
noPrinIsAnonymous - Set to true for LDAP servers that allow anonymous connections.
prin - The username to use to authenticate to the LDAP server.
cred - The password to use to authenticate to the LDAP server.
If prin and cred are not specified and noPrinIsAnonymous is not set to true, then the username and password of the user attempting to authenticate to the cluster / TMS will be used to authenticate to the LDAP server.
watt.server.ldap.ignore.serverCertificateValidity - If true, then invalid certificates presented by the LDAP server are ignored.
watt.server.ldap.extendedProps - Extra properties to add to the LDAP context. Format: key1=value1;key2=value2
watt.server.ldap.retryCount - How many times to retry a connection if it fails.
watt.server.ldap.retryWait - How many milliseconds to wait between connection retries.
Properties related to how to interact with the LDAP server
timeout - LDAP query timeout in milliseconds.
watt.server.ldap.DNescapeChars - A list of characters that should be escaped.
watt.server.ldap.DNescapePairs - A list of characters that should not be re-escaped.
watt.server.ldap.DNstripQuotes - If false, then quotes that get added when escaping are not stripped from DNs.
watt.server.ldap.DNescapeURL - If true, then the start of a DN is escaped. This is useful for referrals when DNs can start with a URL.
watt.server.jndi.searchresult.maxlimit - The maximum number of results to return from an LDAP search. Zero means unlimited.
Properties related to the schema of a user
userrootdn - The DN under which users can be found (e.g. ou=People,dc=example,dc=com).
uidprop - The attribute on a user which contains the primary ID of the user (e.g. uid).
personobjclass - The LDAP schema class for users (e.g. person).
useaf - If true, then the dnprefix and dnsuffix properties should be used.
dnprefix - A string added to the beginning of a username for the LDAP lookup.
dnsuffix - A string added to the end of a username for the LDAP lookup.
Properties related to the schema of a group
grouprootdn - The DN under which groups can be found (e.g. ou=Group,dc=example,dc=com).
gidprop - The attribute on a group which contains the primary ID of the group (e.g. gid).
groupobjclass - The LDAP schema class for groups (e.g. group).
Properties related to how the schema connects users and groups
group - A role automatically given to every user.
memberinfoingroups - If true, then group membership is in the group definitions under the grouprootdn. If false, then group membership is in the user definitions under the userrootdn.
mattr - The attribute on a user that specifies a group to which the user belongs, OR the attribute on a group that specifies that a user is a member. Which of the two applies depends on the setting of memberinfoingroups.
recursiveSearchDepth - How deep to search for groups that are members of other groups.
Properties that Terracotta supports in addition to other Software AG products
tcdb.roleMap - A mapping from group names on the LDAP server to roles used in Terracotta. Format: group1=tcdbRole1;group2=tcdbRole2
Multiple LDAP groups can map to the same role.
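The following is an added example, not code from Terracotta or the Software AG documentation: it parses the tcdb.roleMap format described above and flags connection-property combinations that weaken transport security (plain ldap://, ldaps:// with no truststore, certificate validation switched off, anonymous bind). The property names are the documented ones; the finding codes, the sample property values and the role names admin and readonly are assumptions made for the example.

```python
"""Check a Terracotta LDAP property set for weak transport settings and
parse tcdb.roleMap. Checks, codes and sample values are this example's own."""
from urllib.parse import urlsplit


def parse_role_map(value: str) -> dict:
    """Parse 'group1=tcdbRole1;group2=tcdbRole2' into {group: role}.
    Several groups may share one role; a group listed twice is an error."""
    mapping = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # tolerate a trailing ';'
        group, sep, role = (s.strip() for s in entry.partition("="))
        if not (sep and group and role):
            raise ValueError(f"malformed roleMap entry: {entry!r}")
        if group in mapping:
            raise ValueError(f"group {group!r} is mapped twice")
        mapping[group] = role
    return mapping


def tls_findings(props: dict) -> list:
    """Return (code, message) pairs for settings that weaken the LDAP
    connection; an empty list means nothing was flagged."""
    def is_true(key):
        return props.get(key, "false").strip().lower() == "true"
    findings = []
    scheme = urlsplit(props.get("url", "")).scheme.lower()
    if scheme == "ldap":
        findings.append(("PLAINTEXT_URL", "ldap:// sends bind credentials and data in clear text"))
    elif scheme == "ldaps" and not props.get("truststoreUrl"):
        findings.append(("NO_TRUSTSTORE", "ldaps:// without a truststore cannot validate the server"))
    elif scheme != "ldaps":
        findings.append(("BAD_SCHEME", f"unexpected url scheme {scheme!r}"))
    if is_true("watt.server.ldap.ignore.serverCertificateValidity"):
        findings.append(("CERT_VALIDATION_DISABLED", "invalid server certificates are accepted"))
    if is_true("noPrinIsAnonymous"):
        findings.append(("ANONYMOUS_BIND", "the directory is bound to anonymously"))
    return findings


# Constructed sample, not a configuration shipped with Terracotta;
# the role names 'admin' and 'readonly' are hypothetical.
SAMPLE = {
    "url": "ldaps://ldapserver:636",
    "truststoreUrl": "file:///usr/local/ldap/truststore.jks",
    "memberinfoingroups": "true",
    "grouprootdn": "ou=Group,dc=example,dc=com",
    "mattr": "member",
    "tcdb.roleMap": "tc-admins=admin;tc-ops=admin;tc-readers=readonly",
}
```

Run tls_findings over the property set before enabling LDAP for the cluster / TMS; any CERT_VALIDATION_DISABLED or PLAINTEXT_URL finding means user credentials can be captured or the server impersonated on the path to the directory.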