Software AG Infrastructure 10.5 | Setting Up Security | Predefined Login Modules | LDAPLoginModule
 
LDAPLoginModule
Use the LDAPLoginModule to authenticate users against an external directory. You can define your JAAS configuration to access information from an external directory if your site uses one of these external directories for user and group information:
*Lightweight Directory Access Protocol (LDAP)
*Active Directory acting as an LDAP server
JAAS Configuration Properties
The following table outlines the JAAS configuration parameters for all LDAP connections.
enabled
    Optional. Whether to load the JAAS configuration. Valid values are true (default) or false.
    This parameter relates to dynamic configuration and should be set in the dynamic configuration property file. It should not be set in the JAAS configuration, and will have no effect if it is set there.
alias
    Optional. Alias of the LDAP configuration entry. If not specified, it is set to match the url parameter. A valid value is any string of characters. The default is empty.
url
    Required. URL of the LDAP server. If you want to use an SSL connection to the LDAP server, the URL should start with ldaps, and you should provide the truststore and/or keystore parameters. The expected format is ldap://host:port or ldaps://host:port. If the URL points to an IPv6 address (not a domain name), the address must be enclosed in square brackets (for example, url=ldap://[::1]:389).
domain
    Optional. String. Domain name to use for authentication. Applicable if the domain concept is activated for the LDAPLoginModule.
    This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
applyDomain
    Optional. Whether to apply the domain when returning group information for the user. Valid values are true or false (default).
    This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
prin
    Required if noPrinIsAnonymous is set to false; otherwise, do not specify this parameter. Distinguished name (DN) of the technical user that connects to the LDAP server if anonymous access to the LDAP server is not allowed.
noPrinIsAnonymous
    Optional. When prin is not defined, specifies which credentials are used for LDAP server authentication. Valid values are:
    *true (default). The connection to the LDAP server is made anonymously.
    *false. The real credentials of the user that is logging in are also used for LDAP authentication. The LDAPLoginModule then needs the complete DN of the user, or the useaf, dnprefix, and dnsuffix parameters must be activated so that it can construct a proper user DN.
cred
    Required if noPrinIsAnonymous is set to false; otherwise, do not specify this parameter. Password of the technical user that connects to the LDAP server. You use it together with the prin parameter. A valid value is any string of characters.
credHandle
    Can be used instead of cred. Handles passman storage for technical user passwords. When a login is successful, cred is placed in passman.
timeout
    Maximum time in milliseconds to spend on an LDAP operation. Default is 5000.
useaf
    Optional. Boolean. Whether to use affixes (dnprefix and dnsuffix). The affixes make user DNs easier to construct and less error-prone. Valid values are true or false (default).
dnprefix
    Optional. String. Prefix to attach to the user name when performing operations on the LDAP server. To use this parameter, set useaf to true. A valid value is any string of characters.
dnsuffix
    Optional. String. Suffix to attach to the user name when performing operations on the LDAP server. To use this parameter, set useaf to true. A valid value is any string of characters.
usecaching
    Optional. Boolean. Whether the LDAP framework caches users and/or groups. Valid values are true (default) or false.
poolmin
    Minimum number of objects to keep in the cache.
poolmax
    Maximum number of objects to keep in the cache.
mattr
    Optional. The LDAPLoginModule uses this parameter when performing member-search operations. The meaning of this parameter depends on the value of memberinfoingroups. If memberinfoingroups is set to true, the mattr attribute points from a group to the users that are members of that group. If memberinfoingroups is set to false, the mattr attribute points from a user entry to the groups that the user is a member of. A valid value is any string of characters. Default is memberOf.
memberinfoingroups
    Optional. Boolean. Whether the login module searches for users in a group or for groups in a user. You can use it only if the mattr parameter is applied to users or groups. Valid values are true or false (default).
createGroups
    Optional. Boolean. Whether to extract the groups of the logged-in user from the LDAP server. Valid values are true (default) or false.
    This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
createGroupProperties
    Whether group properties should be populated into SagGroupPrincipal. Valid values are true or false (default).
    This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
createUserProperties
    Whether user properties should be populated into SagUserPrincipal. Valid values are true or false (default).
    This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
uidprop
    Optional. LDAP user name attribute. Default is CN.
gidprop
    Optional. LDAP group name attribute. A valid value is any string of characters. Default is CN.
grouprootdn
    Optional. Location from which to start searches for groups. A valid value is any string of characters.
groupobjclass
    Optional. Object class that identifies a found object as a group. The login module uses this parameter when searching for groups. Default is group.
userrootdn
    Optional. Location from which to start searches for users. A valid value is any string of characters.
personobjclass
    Optional. Object class that identifies a found object as a person. The login module uses this parameter when searching for users. Default is person.
truststoreUrl
    URL of the truststore to use if an SSL connection is required.
truststorePassword
    Password for the truststore if an SSL connection is required.
truststoreType
    Type of truststore to use if an SSL connection is required.
keystoreUrl
    URL of the keystore to use if an SSL connection is required.
keystorePassword
    Password for the keystore if an SSL connection is required.
keystoreType
    Type of keystore to use if an SSL connection is required.
recursiveSearchDepth
    Number of nesting levels to follow when resolving nested groups (that is, a group that is a member of another group). The default is 0, which means no nested groups are resolved.
useFQDNForAuth
    Optional. Whether to try to log in with the complete name. This is supported only by Microsoft AD. Usually the LDAP login module uses the user name or the complete DN of the user to log in. Valid values are true or false (default). If set to true, the LDAPLoginModule tries to log in with DOMAIN\user_name and the password.
    This parameter relates only to JAAS and should be set in the jaas.config file as a property of the LDAPLoginModule. It should not be set in the dynamic configuration property file, and will have no effect if it is set there.
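The interaction between useaf/dnprefix/dnsuffix, mattr/memberinfoingroups and recursiveSearchDepth is easier to see on concrete data. The following Python script is an added illustration, not Software AG code: it runs the same lookups against a constructed in-memory directory instead of a live LDAP server, and shows that the group-to-member direction (memberinfoingroups=true with a roleOccupant-style attribute) and the member-to-group direction (memberinfoingroups=false with memberOf) yield the same groups, while recursiveSearchDepth bounds how far nested groups are followed. The DN escaping applied before the affixes are attached follows RFC 4514; the page does not state how the module itself treats such characters, so that part is an assumption of this example.

```python
# Added example (not Software AG code): models three LDAPLoginModule settings on a
# constructed directory. The RFC 4514 escaping of the user name is an assumption;
# the page does not describe the module's own handling of DN special characters.

from typing import Dict, List

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can safely be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _DN_SPECIALS
            or (ch == " " and i in (0, last))  # leading or trailing space
            or (ch == "#" and i == 0)          # leading number sign
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def build_user_dn(user: str, useaf: bool, dnprefix: str = "", dnsuffix: str = "") -> str:
    """useaf=true: wrap the user name in dnprefix/dnsuffix to form the user DN.
    useaf=false: the supplied name must already be the complete DN."""
    if not useaf:
        return user
    return f"{dnprefix}{escape_dn_value(user)}{dnsuffix}"


# Constructed sample directory: DN -> attributes (every attribute is multi-valued).
USER_DN = "CN=alice,OU=user,dc=example,dc=org"
DEV_DN = "CN=dev,OU=Groups,dc=example,dc=org"
ENG_DN = "CN=eng,OU=Groups,dc=example,dc=org"
STAFF_DN = "CN=staff,OU=Groups,dc=example,dc=org"

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {"objectClass": ["organizationalPerson"], "memberOf": [DEV_DN]},
    # dev is nested in eng, eng in staff; the link is stored in both directions
    DEV_DN: {"objectClass": ["organizationalRole"], "roleOccupant": [USER_DN], "memberOf": [ENG_DN]},
    ENG_DN: {"objectClass": ["organizationalRole"], "roleOccupant": [DEV_DN], "memberOf": [STAFF_DN]},
    STAFF_DN: {"objectClass": ["organizationalRole"], "roleOccupant": [ENG_DN]},
}


def is_group(dn: str, groupobjclass: str) -> bool:
    """groupobjclass decides which entries count as groups."""
    return groupobjclass in DIRECTORY.get(dn, {}).get("objectClass", [])


def direct_groups(member_dn: str, mattr: str, memberinfoingroups: bool, groupobjclass: str) -> List[str]:
    """One level of membership lookup in the direction selected by memberinfoingroups."""
    if memberinfoingroups:
        # mattr sits on the group entry and lists its members: search the groups.
        return [dn for dn, attrs in DIRECTORY.items()
                if is_group(dn, groupobjclass) and member_dn in attrs.get(mattr, [])]
    # mattr sits on the member entry and lists the groups it belongs to.
    return [dn for dn in DIRECTORY.get(member_dn, {}).get(mattr, []) if is_group(dn, groupobjclass)]


def resolve_groups(user_dn: str, mattr: str, memberinfoingroups: bool,
                   groupobjclass: str, recursive_search_depth: int) -> List[str]:
    """Direct groups first, then nested groups up to recursive_search_depth levels
    (0 = direct groups only). The seen list also protects against group cycles."""
    seen: List[str] = []
    frontier = [user_dn]
    for _ in range(recursive_search_depth + 1):
        next_frontier: List[str] = []
        for dn in frontier:
            for group in direct_groups(dn, mattr, memberinfoingroups, groupobjclass):
                if group not in seen:
                    seen.append(group)
                    next_frontier.append(group)
        if not next_frontier:
            break
        frontier = next_frontier
    return seen


def group_names(dns: List[str], gidprop: str = "CN") -> List[str]:
    """Reduce group DNs to the gidprop value of their first RDN (naive split;
    the sample DNs contain no escaped commas)."""
    names = []
    for dn in dns:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.lower() == gidprop.lower():
            names.append(value)
    return names


if __name__ == "__main__":
    dn = build_user_dn("alice", True, "CN=", ",OU=user,dc=example,dc=org")
    for depth in (0, 1, 2):
        via_group = resolve_groups(dn, "roleOccupant", True, "organizationalRole", depth)
        via_user = resolve_groups(dn, "memberOf", False, "organizationalRole", depth)
        print(f"depth={depth}", group_names(via_group), group_names(via_user))
```

Running the script prints the same group list for both search directions at each depth: only dev at depth 0, dev and eng at depth 1, and dev, eng and staff at depth 2. Note that the groupobjclass filter is applied in both directions, so a mismatch between groupobjclass and the directory's actual group object class silently yields no groups, which is worth checking first when createGroups produces an empty principal set.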
The following sample outlines the corresponding configuration included in a login context of a JAAS configuration file.
ExampleRealm {
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient alias="name1";
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient alias="name2";
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule sufficient;
    com.softwareag.security.sin.is.ldap.lm.LDAPLoginModule required
        alias="name3"
        url="ldap://localhost:389"
        prin="CN=sectest,OU=user,dc=example,dc=org"
        cred="******"
        useaf="true"
        dnprefix="CN="
        dnsuffix=",OU=user,dc=example,dc=org"
        usecaching="false"
        mattr="roleoccupant"
        memberinfoingroups="false"
        creategroups="true"
        gidprop="CN"
        grouprootdn="OU=Groups,dc=example,dc=org"
        groupobjclass="organizationalRole"
        personobjclass="organizationalPerson";
};