| Component | Description |
|---|---|
| `ldap://` | The scheme. Use either `ldap://` or `ldaps://`. |
| `admin_user` | The name of a user with sufficient rights in Active Directory to perform a search in the domain specified by `searchBase`. The password for this user must be stored in the Terracotta keychain used by the Terracotta server, using as key the root of the LDAP URI, `ldap://admin_user@server_name:server_port`, with no trailing slash (`/`). The format of `admin_user` depends upon how Active Directory is configured; the supported forms are listed in the table of `admin_user` forms that follows. |
| `server_address:server_port` | The IP address or resolvable fully qualified domain name of the server, and the port for Active Directory. |
| `searchBase` | Specifies the Active Directory domain to be searched. For example, if the Active Directory domain is `reggae.jamaica.org`, then the format is `searchBase=dc=reggae,dc=jamaica,dc=org`. |
| `groupBindings` | Specifies the mappings between Active Directory groups and Terracotta roles. For example, `groupBindings=Domain%20Admins=admin,Users=terracotta` maps the Active Directory groups "Domain Admins" and "Users" to the "admin" and "terracotta" Terracotta roles, respectively. To be mapped, the named Active Directory groups must be part of the domain specified in `searchBase`; all other groups (including those with the specified names) in other domains are ignored. |
| `searchFilter` | Specifies the user search query filter used to check for roles. This needs to match how your Active Directory installation uniquely identifies users; see the table of `searchFilter` values by binding form that follows. The default `searchFilter` is `(&(objectClass=*)(CN={0}))`. |

Supported `admin_user` forms. Note: references to `shiro.ini` in this table apply to the form fields in the TMC Active Directory Setup page used to generate the file `${ADMIN_HOME}/.tc/mgmt/shiro.ini`.

| Form | `admin_user` value | Example | `shiro.ini` settings | Keychain entry examples |
|---|---|---|---|---|
| Distinguished Name Template | `<token>` | `admin` | `ldapRealm.systemUsername = admin`; `ldapRealm.userDnTemplate = CN={0},CN=Users,DC=example,DC=com`; `ldapRealm.searchFilter = (&(objectClass=*)(CN={0}))` | `bin/keychain.sh -O <keychain-file> ldap://admin@ad-server.lan:389`; `bin/keychain.sh -O <keychain-file> ldap://Admin+User@ad-server.lan:389` |
| userPrincipalName | `<userPrincipalName>` or `<sAMAccountName>@<DNS_domain_name>` | `admin@example.com` | `ldapRealm.systemUsername = admin@example.com`; `ldapRealm.searchFilter = (&(objectClass=*)(userPrincipalName={0}))` | `bin/keychain.sh -O <keychain-file> ldap://admin%40example.com@ad-server.lan:389` |
| Domain | `<domain_controller_name>\<sAMAccountName>` | `example_domain\admin` | `ldapRealm.systemUsername = example_domain\admin`; `ldapRealm.searchFilter = (&(objectClass=*)(sAMAccountName={0}))` | `bin/keychain.sh -O <keychain-file> ldap://mydomain%5Cadmin@ad-server.lan:389` |
| displayName | `<displayName>` | `Admin User` | `ldapRealm.systemUsername = Admin User`; `ldapRealm.searchFilter = (&(objectClass=*)(displayName={0}))` | `bin/keychain.sh -O <keychain-file> ldap://Admin+User@ad-server.lan:389` |

For the Distinguished Name Template form, the attribute used to uniquely identify a user (`CN` above) is installation-specific and should also be used as the `searchFilter` attribute. Note that in the keychain entries the `admin_user` part of the key is URL-encoded (`@` becomes `%40`, `\` becomes `%5C`, a space becomes `+`).

`searchFilter` values by binding form:

| Binding form | `searchFilter` |
|---|---|
| Distinguished Name Template | The attribute your `userDnTemplate` specifies for the value replacement token (`CN` in the example above) should also be used in the `searchFilter`, e.g. `(&(objectClass=*)(sAMAccountName={0}))` |
| userPrincipalName | `(&(objectClass=*)(userPrincipalName={0}))` |
| distinguishedName | `(&(objectClass=*)(distinguishedName={0}))` |
| displayName | `(&(objectClass=*)(displayName={0}))` |
| Domain | For the domain binding (e.g. `<domain_controller_name>\<sAMAccountName>`), the `searchFilter` must be `(&(objectClass=*)(sAMAccountName={0}))` |
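The encodings in the tables above are easy to get wrong by hand: the keychain key must be the URL-encoded root of the LDAP URI with no trailing slash, `groupBindings` group names are URL-encoded, and the `{0}` token in `searchFilter` is replaced by whatever name a user logs in with. The following Python helpers, added here as an illustration and not part of the Terracotta or Shiro code, build each of those values from its components. Function names are mine; the RFC 4515 filter escaping in `render_search_filter` is an added precaution for the case where the substituted value contains filter metacharacters, and assumes the realm substitutes `{0}` verbatim (the page does not state how Shiro performs the substitution).

```python
from urllib.parse import quote_plus, unquote


def keychain_key(admin_user: str, host: str, port: int, scheme: str = "ldap") -> str:
    """Root of the LDAP URI used as the Terracotta keychain key: no path, no trailing slash.

    The admin_user form is URL-encoded the way the keychain examples show it:
    '@' -> %40, '\\' -> %5C, ' ' -> '+'.
    """
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps")
    return f"{scheme}://{quote_plus(admin_user)}@{host}:{port}"


def search_base(dns_domain: str) -> str:
    """Turn a DNS domain such as reggae.jamaica.org into dc=reggae,dc=jamaica,dc=org."""
    labels = [label for label in dns_domain.split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"dc={label}" for label in labels)


def parse_group_bindings(value: str) -> dict:
    """Parse 'Domain%20Admins=admin,Users=terracotta' into {AD group: Terracotta role}."""
    bindings = {}
    for pair in value.split(","):
        group, sep, role = pair.partition("=")
        if not sep or not group or not role:
            raise ValueError(f"malformed group binding: {pair!r}")
        bindings[unquote(group)] = role
    return bindings


# RFC 4515 escapes for characters that would otherwise change the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, username: str) -> str:
    """Substitute {0} in a searchFilter template with an escaped user name.

    Only the substituted value is escaped; the template's own '*' in objectClass=* is kept.
    """
    if "{0}" not in template:
        raise ValueError("searchFilter template has no {0} token")
    return template.replace("{0}", escape_filter_value(username))


if __name__ == "__main__":
    # Constructed sample values mirroring the examples in the tables above.
    print(keychain_key("admin@example.com", "ad-server.lan", 389))
    print(keychain_key("Admin User", "ad-server.lan", 389))
    print(keychain_key("example_domain\\admin", "ad-server.lan", 389))
    print(search_base("reggae.jamaica.org"))
    print(parse_group_bindings("Domain%20Admins=admin,Users=terracotta"))
    print(render_search_filter("(&(objectClass=*)(CN={0}))", "admin"))
    print(render_search_filter("(&(objectClass=*)(CN={0}))", "Smith (Sales)*"))
```

The keys produced by `keychain_key` are the strings to pass to `bin/keychain.sh -O <keychain-file>`; if the key you store differs from the URI root the server is configured with, even by a trailing slash, the server cannot find the admin password.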