This value (together with adsi-domain-short) allows to create a mapping of short names (specified in the domain parameter) to long (distinguished name) entries.

Example:

Default: None.

ADSI

A semi-colon separated list of domain names, or specific nodes, or both.

This value (together with adsi-domain-dn) allows to create a mapping of short names to long (distinguished name) entries.

Example: euro;usa;euro-developers

Default: None.

ADSI

The name of the ADSI forest here. This value is used numerous times when accessing the ActiveDirectory.

Example: dc=myorg,dc=com

ADSI

The BindDN that is used to access a group.

Default: None.

ADSI

The BindDN that is used to access a user.

Default: None.

ADSI

An alias marks the beginning of a set of directory type configuration parameters. In general, an authtype entry is specified below an alias entry followed by the directory-type specific configuration parameters.

All configurations

The maximum time you want to disable an unresponsive alias.

Default: 120 seconds.

All configurations

The minimum time you want to disable an unresponsive alias.

Default: 30 seconds.

All configurations

The authentication system you want to use for authentication:

Default: None.

All configurations

Specify 1 to temporarily bypass checking user credentials while connecting to the Broker Server.

Default: 0

All configurations

A domain name that Broker must use when no domain name is specified while authenticating a user.

Default: None.

All configurations

A default group name that Broker must use when no group name is specified while authenticating a user.

Default: None.

OS, LDAP

Boolean value.

If this value is "true" or "1", the parameter "domainname" will be interpreted as a BaseBindDN. If defaultdomain is set, this value will be interpreted as BaseBindDN.

Default: None.

LDAP

Boolean value.

If the value is "true" or "1", the parameter "domainname" will be interpreted as a BaseBindDN.

Example: ou=People,dc=myorg,dc=com

Default: None.

LDAP

Distinguished names of LDAP nodes.

This value (together with ldap-domain-short) allows to create a mapping of short names (specified in the domain parameter) to long (distinguished name) entries. Note that the elements are positional and must match in number with the next entry.

Example:

Default: None.

LDAP

colon separated list.

mapping of short names to long (distinguished name) entries.

Example: euro;usa;euro-developers

Default: None.

LDAP

Distinguished Name for LDAP where the groups are to be found (see also ldap-person-base-binddn).

Default: None.

LDAP

Property name that denotes a group entry.

Default: None.

LDAP

All object classes that are required to store a new group entry (comma separated list).

Default: None.

LDAP

Property names that can be accessed for a group entry.

The value is a comma separated list, which contains the property name. Optionally, the property name might be followed by ":w" or ":r", depending on whether the property is writable (w) or only readable (r).

Default: None.

LDAP

Property name of a group entry that points to the members of this group.

Default: None.

LDAP

Property name that denotes the password field of a user entry.

Default: None.

LDAP

Distinguished Name for LDAP where the authentication information is stored. While authenticating, this value will be prefixed with ldap-userid-field when issuing the LDAP authentication call.

Default: None.

LDAP

Property name of a user entry that points to the group that the user is member of.

Default: None.

LDAP

All object classes that are required to store a new user entry (comma separated list).

Default: None.

LDAP

Property names that can be accessed for a user entry.

The value is a comma separated list, which contains the property name. Optionally, the property name might be followed by ":w" or ":r", depending on whether the property is writable (w) or only readable (r).

Default: None.

LDAP

Boolean value that forces the usage of the SASL (type DIGEST-MD5) authentication. This feature ensures that no passwords are transmitted over the wire. But be sure that this feature is supported by the LDAP server.

Default: false

LDAP

LDAP server type. Specifying this value will internally set the appropriate default values.

The available server types are:

Default: OpenLdap

LDAP

Boolean value for enabling or disabling the SSL connection for LDAP.

Default: false OR 0(zero)

LDAP

Boolean value that enforces the usage of a secure (TLS/SSL) line before the data traffic starts.

Default: None.

LDAP

Property name that denotes a user entry.

Example:

The DN: uid=user01,ou=Test,dc=myorg,dc=com requires the value of "uid".

Default: None.

LDAP

An output file for logging.

Default: basicauth.log

All configurations

The log level. This value ranges from 0 (zero) for no logging to 6 (six) for maximum logging.

Default: 1 (Minimum logging)

All configurations

Boolean value.

When no domain is specified and this flag is on, then only the local machine will be checked for user authentication. If this flag is off, then the authentication will include automatically the domain that the machine is currently logged on to.

Default: false OR 0(zero)

OS (Windows only)

When you authenticate a user on Windows 2000 operating system, you use the Security Support Provider Interface (SSPI) method by default. This method has a flaw that if the Guest account is enabled (and has no password), the SSPI authentication returns successfully for any unknown user ID.

Setting this value to "true" or "1" enforces an additional check to verify that the user really does exist and is not automatically mapped to the guest account.

Default: true

OS (Windows 2000 only)

Boolean value.

If this boolean flag is on (“true” or "1"), group membership is also validated against the local (PC) groups, rather than the domain groups.

Default: false OR 0(zero)

OS (Windows only)

Boolean value.

By default, SSPI is used to authenticate a user on Windows 2000 because the more common method "LogonUser()" requires additional rights by the caller. Still, LogonUser() is the preferred way and if the access rights are granted ("Act as part of the operating system"), it is less error prone to use the latter method.

Default: false

OS (Windows 2000 only)

Boolean value that specifies whether any data access should be made under the impersonated user ID of the logged on user (false), or whether every access is made under the account of the running process (true).

Default: false

OS (Windows only)

Name of the computed property that will be read while resolving the group membership and the parameter resolve-groups is set to "ComputedProperty".

Default: None.

LDAP

The method you use to find all the groups that the user is a member of:

Default: RecurseUp

LDAP

Boolean value.

If scan-all-alias=1, Broker Server scans all the aliases configured in the basicauth.cfg file before authenticating a user. In this case, the basic authentication process take a long time.

If scan-all-alias=0, Broker Server scans the aliases configured in the basicauth.cfg file and authenticates user with the first alias that match the user credentials. Broker Server does not scan all the aliases if the user credentials match with one of the aliases.

Default: 0 (false).

All configurations

Name of the server.

Default: None.

LDAP, ADSI

Port number of serverhost.

Default: 389

LDAP, ADSI

The maximum time, in seconds, SSX API will wait for the LDAP alias search status to be returned, before timing out the authentication request from Broker.

Alternately, you can use the SSX_LDAP_TIMEOUT environment variable to configure the time-out value.

Default: 5 seconds

For configuring the alias disable time, see Disabling Basic Authentication Alias.

LDAP