This document provides sample IAF-related attribute files for commonly used authentication scenarios.
The sample attribute files are organized as follows:
IAF Attribute File for Active Directory (ADSI) Authentication
IAF Attribute File for Internal User Repository Authentication
IAF Attribute File for Active Directory Using LDAP Interface Authentication
Replace the content of the attribute file you want to configure with the sample code below:
Note: Provide information about your environment by configuring settings in the following attributes (in the SSX ADSI section): SERVERHOST and ADSIFORESTDN.
****************************************************************
* Attribute file for IAF server.
****************************************************************
* IAFnnn
DEFAULTS = BROKER
BROKER-ID = IAFnnn
RUN-MODE = IAF
TRANSPORT = TCP-SSL
AUTOLOGON = YES
CALLABLE-RPC-SERVICES = NO
CLIENT-NONACT = 99
ICU-CONVERSION = NO
DYNAMIC-MEMORY-MANAGEMENT = YES
NUM-WORKER = 5
TRACE-LEVEL = 0

DEFAULTS = IAF
** IAF Service parameters: *************************************************
IAF_LISTENADDRESS = localhost       * the IAF servers own name, will be copied
                                    * into each IAF Token (future use)
IAFVALIDTIME = 300                  * default time the tokens are valid (in secs)
* LOCALCODEPAGE =                   * default code page: ISO-8859-1, rsp. IBM-037
                                    * used as input to
                                    * MultiByteToWideChar/WideCharToMultiByte
                                    * on Windows and
                                    * iconv on Unix
** IAF Delegation:
* IAFVERIFYDELEGATEDUSER =          * YES/NO, default: YES
                                    * verify if delegated userid really exists
* IAFDELEGATEDAUTHUSER =            * technical user id
* IAFDELEGATEDAUTHDOMAIN =          * domain of technical user
* IAFDELEGATEDAUTHPASS =            * encrypted password of technical user
* IAFDELEGATEDCERTPATH =            * file name to decrypt techn. user password
* IAFDELEGATEDAUTHTIMEJITTER =      * allow +/- secs. difference between
                                    * SSX program and IAF server
** SSX configuration parameters: *******************************************
***************************** SSX Common ***********************************
AUTHTYPE = ADSI                     * Native authentication type (OS, INTERNAL, LDAP, ADSI)
VALIDTIME = 0                       * how long (secs) should user remain in cache
                                    * 0=disabled
DENYTIME = 60                       * deny access for 60 secs after
                                    * <denycount> false authentications
DENYCOUNT = 0                       * 0=deactivate, else no. of invalid auths
                                    * before waiting <denytime> secs.
MAXCACHEDUSERS = 100                * no. of successful auth'ed users
* LOGFILE = LOG_FILE_PATH           * log file path
* LOGLEVEL = 6                      * 0 - 6: set log level
* DEFAULTDOMAIN = defaultDomain     * The default domain name
***************************** SSX OS ***************************************
* AUTHDPATH = DAEMON_PATH           * Unix only! Explicit path of the privileged
                                    * daemon process.
* UNIXADDMACHINENAME = true/false   * Machine name is added before users and groups i.e.
                                    * machine_name\user.
* DEFAULTGROUP = default_group      * Any group can be used. Specify a default group name
                                    * here that should be returned with any of the group
                                    * results which are returned by repository manager.
* WINNOIMPERSONISATION = true/false * that specifies whether any data access should be made
                                    * under the impersonated userid of the logged in user
                                    * (false), or whether all access are made under the
                                    * account of the running process (true)
***************************** SSX INTERNAL *********************************
* INTERNALREPOSITORY = INTERNAL_REPO_PATH   * path for the file with internal users
***************************** SSX LDAP *************************************
* SERVERHOST = localhost            * where takes place the auths
* SERVERPORT = 389                  * port of server
** AUTHTYPE=LDAP only:
* LDAPSERVERTYPE = OpenLDAP         * use some predefined fields with
                                    * "ActiveDirectory", "OpenLdap"(default),
                                    * "SunOneDirectory", "Tivoli",
                                    * "Novell" or "ApacheDS"
* LDAPPERSONBINDDN = "ou=people,dc=myorg,dc=com"   * node where to find the users
* LDAPGROUPBINDDN = "ou=groups,dc=myorg,dc=com"    * node where to find the groups
* LDAPUSERIDFIELD = cn              * name of the user id field
* LDAPGROUPIDFIELD = cn             * name of the group id field
* LDAPPERSONOBJECTCLASS = "top,person"   * user object class
* LDAPGROUPOBJECTCLASS = "top,groups"    * group object class
* LDAPPERSONGRPATTR = memberOf      * Property name of a user entry that points
                                    * from a user entry to the group that the user
                                    * is member of.
* LDAPGROUPUSRATTR = member         * Property name of a group entry which points from the
                                    * group to the users (members).
* LDAPALLOWDOMAINASBASEBINDDN = true * If this boolean field is "true" or "1", the parameter
                                    * "domainname" will be interpreted as a BaseBindDN
                                    * (example: "ou=People,dc=myorg,dc=com". Note that if
                                    * no explicit domain
* LDAPCONNECTIONPEROPERATION = true * whether the LDAP connection should be created and closed
                                    * per method call (true), or whether the connection should
                                    * stay open until the user handle is closed
* LDAPPERSONPROPERTYATTR = "cn,displayName,description,mail,telephoneNumber,
                                    * Defines the property names that can be accessed for a user
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any user result list
                                    * will be empty.
* LDAPGROUPPROPERTYATTR = "cn,description"
                                    * Defines the property names that can be accessed for a group
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any group result list will
                                    * be empty.
* LDAPSSLCONNECTION = true          * the denoted ldap connection (serverHost and serverPort) is a
                                    * secured (over SSL/TLS) connection to an LDAP server
* FOLLOWREFERRALS = false           * Whether the SSX must follow referrals or not. true/false
* REFSERVERBINDINGTYPE = same_creds * What kind of binding during referral following.
                                    * same_creds - use same credential for authentication to
                                    * the next LDAP server. no_creds use anonymous binding to the
                                    * next server
* REFERRALHOPSCNT = 1               * Count of the referral hops. If this parameter is not specified
                                    * the count is unlimited
***************************** SSX ADSI *************************************
SERVERHOST = <server_host>          * where takes place the auths
* SERVERPORT = 389                  * port of server
LDAPSERVERTYPE = ActiveDirectory
ADSIFORESTDN = "DC=ad,DC=<organization>"   * name of ADS forest
                                    * CAREFUL: do not mix with domain name
* ADSIPERSONBASEBINDDN = "dc=myusers,dc=com"   * Specifies a BindDN that is used to access
                                    * a user. Note that this is only useful when
                                    * all users that are accessed are found under
                                    * in the same node
* ADSIGROUPBASEBINDDN = "dc=mygroups,dc=com"   * Specifies a BindDN that is used to access
                                    * a group. Note that this is only useful when
                                    * all groups that are accessed are found under
                                    * in the same node.

DEFAULTS = TCP
PORT = 11971

DEFAULTS = SSL
PORT = 11958
VERIFY-CLIENT = NO
KEY-FILE = "..\..\Etc\IAFAppKey.pem"
KEY-PASSWD = IAFAppKey
KEY-STORE = "..\..\Etc\IAFAppCert.pem"
** TRUST-STORE = "..\..\Etc\IAFCaCert.pem"
*
Replace the content of the attribute file you want to configure with the sample code below:
****************************************************************
* Attribute file for IAF server.
****************************************************************
* IAFnnn
DEFAULTS = BROKER
BROKER-ID = IAFnnn
RUN-MODE = IAF
TRANSPORT = TCP-SSL
AUTOLOGON = YES
CALLABLE-RPC-SERVICES = NO
CLIENT-NONACT = 99
ICU-CONVERSION = NO
DYNAMIC-MEMORY-MANAGEMENT = YES
NUM-WORKER = 5
TRACE-LEVEL = 0

DEFAULTS = IAF
** IAF Service parameters: *************************************************
IAF_LISTENADDRESS = localhost       * the IAF servers own name, will be copied
                                    * into each IAF Token (future use)
IAFVALIDTIME = 300                  * default time the tokens are valid (in secs)
* LOCALCODEPAGE =                   * default code page: ISO-8859-1, rsp. IBM-037
                                    * used as input to
                                    * MultiByteToWideChar/WideCharToMultiByte
                                    * on Windows and
                                    * iconv on Unix
** IAF Delegation:
* IAFVERIFYDELEGATEDUSER =          * YES/NO, default: YES
                                    * verify if delegated userid really exists
* IAFDELEGATEDAUTHUSER =            * technical user id
* IAFDELEGATEDAUTHDOMAIN =          * domain of technical user
* IAFDELEGATEDAUTHPASS =            * encrypted password of technical user
* IAFDELEGATEDCERTPATH =            * file name to decrypt techn. user password
* IAFDELEGATEDAUTHTIMEJITTER =      * allow +/- secs. difference between
                                    * SSX program and IAF server
** SSX configuration parameters: *******************************************
***************************** SSX Common ***********************************
AUTHTYPE = INTERNAL                 * Native authentication type (OS, INTERNAL, LDAP, ADSI)
VALIDTIME = 0                       * how long (secs) should user remain in cache
                                    * 0=disabled
DENYTIME = 60                       * deny access for 60 secs after
                                    * <denycount> false authentications
DENYCOUNT = 0                       * 0=deactivate, else no. of invalid auths
                                    * before waiting <denytime> secs.
MAXCACHEDUSERS = 100                * no. of successful auth'ed users
* LOGFILE = LOG_FILE_PATH           * log file path
* LOGLEVEL = 6                      * 0 - 6: set log level
* DEFAULTDOMAIN = defaultDomain     * The default domain name
***************************** SSX OS ***************************************
* AUTHDPATH = DAEMON_PATH           * Unix only! Explicit path of the privileged
                                    * daemon process.
* UNIXADDMACHINENAME = true/false   * Machine name is added before users and groups i.e.
                                    * machine_name\user.
* DEFAULTGROUP = default_group      * Any group can be used. Specify a default group name
                                    * here that should be returned with any of the group
                                    * results which are returned by repository manager.
* WINNOIMPERSONISATION = true/false * that specifies whether any data access should be made
                                    * under the impersonated userid of the logged in user
                                    * (false), or whether all access are made under the
                                    * account of the running process (true)
***************************** SSX INTERNAL *********************************
INTERNALREPOSITORY = ".\ssx_user.properties"   * path for the file with internal users
***************************** SSX LDAP *************************************
* SERVERHOST = localhost            * where takes place the auths
* SERVERPORT = 389                  * port of server
** AUTHTYPE=LDAP only:
* LDAPSERVERTYPE = OpenLDAP         * use some predefined fields with
                                    * "ActiveDirectory", "OpenLdap"(default),
                                    * "SunOneDirectory", "Tivoli",
                                    * "Novell" or "ApacheDS"
* LDAPPERSONBINDDN = "ou=people,dc=myorg,dc=com"   * node where to find the users
* LDAPGROUPBINDDN = "ou=groups,dc=myorg,dc=com"    * node where to find the groups
* LDAPUSERIDFIELD = cn              * name of the user id field
* LDAPGROUPIDFIELD = cn             * name of the group id field
* LDAPPERSONOBJECTCLASS = "top,person"   * user object class
* LDAPGROUPOBJECTCLASS = "top,groups"    * group object class
* LDAPPERSONGRPATTR = memberOf      * Property name of a user entry that points
                                    * from a user entry to the group that the user
                                    * is member of.
* LDAPGROUPUSRATTR = member         * Property name of a group entry which points from the
                                    * group to the users (members).
* LDAPALLOWDOMAINASBASEBINDDN = true * If this boolean field is "true" or "1", the parameter
                                    * "domainname" will be interpreted as a BaseBindDN
                                    * (example: "ou=People,dc=myorg,dc=com". Note that if
                                    * no explicit domain
* LDAPCONNECTIONPEROPERATION = true * whether the LDAP connection should be created and closed
                                    * per method call (true), or whether the connection should
                                    * stay open until the user handle is closed
* LDAPPERSONPROPERTYATTR = "cn,displayName,description,mail,telephoneNumber,
                                    * Defines the property names that can be accessed for a user
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any user result list
                                    * will be empty.
* LDAPGROUPPROPERTYATTR = "cn,description"
                                    * Defines the property names that can be accessed for a group
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any group result list will
                                    * be empty.
* LDAPSSLCONNECTION = true          * the denoted ldap connection (serverHost and serverPort) is a
                                    * secured (over SSL/TLS) connection to an LDAP server
* FOLLOWREFERRALS = false           * Whether the SSX must follow referrals or not. true/false
* REFSERVERBINDINGTYPE = same_creds * What kind of binding during referral following.
                                    * same_creds - use same credential for authentication to
                                    * the next LDAP server. no_creds use anonymous binding to the
                                    * next server
* REFERRALHOPSCNT = 1               * Count of the referral hops. If this parameter is not specified
                                    * the count is unlimited
***************************** SSX ADSI *************************************
SERVERHOST = eur.ad.sag             * where takes place the auths
* SERVERPORT = 389                  * port of server
LDAPSERVERTYPE = ActiveDirectory
ADSIFORESTDN = "DC=ad,DC=sag"       * name of ADS forest
                                    * CAREFUL: do not mix with domain name
* ADSIPERSONBASEBINDDN = "dc=myusers,dc=com"   * Specifies a BindDN that is used to access
                                    * a user. Note that this is only useful when
                                    * all users that are accessed are found under
                                    * in the same node
* ADSIGROUPBASEBINDDN = "dc=mygroups,dc=com"   * Specifies a BindDN that is used to access
                                    * a group. Note that this is only useful when
                                    * all groups that are accessed are found under
                                    * in the same node.

DEFAULTS = TCP
PORT = 11971

DEFAULTS = SSL
PORT = 11958
VERIFY-CLIENT = NO
KEY-FILE = "..\..\Etc\IAFAppKey.pem"
KEY-PASSWD = IAFAppKey
KEY-STORE = "..\..\Etc\IAFAppCert.pem"
** TRUST-STORE = "..\..\Etc\IAFCaCert.pem"
*
Replace the content of the attribute file you want to configure with the sample code below:
Note: Provide information about your environment by configuring settings in the following attributes (in the SSX LDAP section): SERVERHOST, LDAPPERSONBINDDN and LDAPGROUPBINDDN.
****************************************************************
* Attribute file for IAF server.
****************************************************************
* IAFnnn
DEFAULTS = BROKER
BROKER-ID = IAFnnn
RUN-MODE = IAF
TRANSPORT = TCP-SSL
AUTOLOGON = YES
CALLABLE-RPC-SERVICES = NO
CLIENT-NONACT = 99
ICU-CONVERSION = NO
DYNAMIC-MEMORY-MANAGEMENT = YES
NUM-WORKER = 5
TRACE-LEVEL = 0

DEFAULTS = IAF
** IAF Service parameters: *************************************************
IAF_LISTENADDRESS = localhost       * the IAF servers own name, will be copied
                                    * into each IAF Token (future use)
IAFVALIDTIME = 300                  * default time the tokens are valid (in secs)
* LOCALCODEPAGE =                   * default code page: ISO-8859-1, rsp. IBM-037
                                    * used as input to
                                    * MultiByteToWideChar/WideCharToMultiByte
                                    * on Windows and
                                    * iconv on Unix
** IAF Delegation:
* IAFVERIFYDELEGATEDUSER =          * YES/NO, default: YES
                                    * verify if delegated userid really exists
* IAFDELEGATEDAUTHUSER =            * technical user id
* IAFDELEGATEDAUTHDOMAIN =          * domain of technical user
* IAFDELEGATEDAUTHPASS =            * encrypted password of technical user
* IAFDELEGATEDCERTPATH =            * file name to decrypt techn. user password
* IAFDELEGATEDAUTHTIMEJITTER =      * allow +/- secs. difference between
                                    * SSX program and IAF server
** SSX configuration parameters: *******************************************
***************************** SSX Common ***********************************
AUTHTYPE = LDAP                     * Native authentication type (OS, INTERNAL, LDAP, ADSI)
VALIDTIME = 0                       * how long (secs) should user remain in cache
                                    * 0=disabled
DENYTIME = 60                       * deny access for 60 secs after
                                    * <denycount> false authentications
DENYCOUNT = 0                       * 0=deactivate, else no. of invalid auths
                                    * before waiting <denytime> secs.
MAXCACHEDUSERS = 100                * no. of successful auth'ed users
* LOGFILE = LOG_FILE_PATH           * log file path
* LOGLEVEL = 6                      * 0 - 6: set log level
* DEFAULTDOMAIN = defaultDomain     * The default domain name
***************************** SSX OS ***************************************
* AUTHDPATH = DAEMON_PATH           * Unix only! Explicit path of the privileged
                                    * daemon process.
* UNIXADDMACHINENAME = true/false   * Machine name is added before users and groups i.e.
                                    * machine_name\user.
* DEFAULTGROUP = default_group      * Any group can be used. Specify a default group name
                                    * here that should be returned with any of the group
                                    * results which are returned by repository manager.
* WINNOIMPERSONISATION = true/false * that specifies whether any data access should be made
                                    * under the impersonated userid of the logged in user
                                    * (false), or whether all access are made under the
                                    * account of the running process (true)
***************************** SSX INTERNAL *********************************
* INTERNALREPOSITORY = INTERNAL_REPO_PATH   * path for the file with internal users
***************************** SSX LDAP *************************************
SERVERHOST = <server_host>          * where takes place the auths
SERVERPORT = 389                    * port of server
** AUTHTYPE=LDAP only:
LDAPSERVERTYPE = OpenLDAP           * use some predefined fields with
                                    * "ActiveDirectory", "OpenLdap"(default),
                                    * "SunOneDirectory", "Tivoli",
                                    * "Novell" or "ApacheDS"
LDAPPERSONBINDDN = "ou=users,ou=<organization>,o=<organization>"    * node where to find the users
LDAPGROUPBINDDN = "ou=groups,ou=<organization>,o=<organization>"    * node where to find the groups
LDAPUSERIDFIELD = uid               * name of the user id field
LDAPGROUPIDFIELD = cn               * name of the group id field
LDAPPERSONOBJECTCLASS = "top,person,organizationalPerson,inetOrgPerson"   * user object class
LDAPGROUPOBJECTCLASS = "top,groupOfUniqueNames"   * group object class
* LDAPPERSONGRPATTR = memberOf      * Property name of a user entry that points
                                    * from a user entry to the group that the user
                                    * is member of.
LDAPGROUPUSRATTR = uniqueMember     * Property name of a group entry which points from the
                                    * group to the users (members).
* LDAPALLOWDOMAINASBASEBINDDN = true * If this boolean field is "true" or "1", the parameter
                                    * "domainname" will be interpreted as a BaseBindDN
                                    * (example: "ou=People,dc=myorg,dc=com". Note that if
                                    * no explicit domain
* LDAPCONNECTIONPEROPERATION = true * whether the LDAP connection should be created and closed
                                    * per method call (true), or whether the connection should
                                    * stay open until the user handle is closed
* LDAPPERSONPROPERTYATTR = "cn,displayName,description,mail,telephoneNumber,
                                    * Defines the property names that can be accessed for a user
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any user result list
                                    * will be empty.
LDAPGROUPPROPERTYATTR = objectClass
                                    * Defines the property names that can be accessed for a group
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any group result list will
                                    * be empty.
* LDAPSSLCONNECTION = true          * the denoted ldap connection (serverHost and serverPort) is a
                                    * secured (over SSL/TLS) connection to an LDAP server
FOLLOWREFERRALS = false             * Whether the SSX must follow referrals or not. true/false
* REFSERVERBINDINGTYPE = same_creds * What kind of binding during referral following.
                                    * same_creds - use same credential for authentication to
                                    * the next LDAP server. no_creds use anonymous binding to the
                                    * next server
* REFERRALHOPSCNT = 1               * Count of the referral hops. If this parameter is not specified
                                    * the count is unlimited
RESOLVEGROUPS = rd
***************************** SSX ADSI *************************************
* SERVERHOST = localhost            * where takes place the auths
* SERVERPORT = 389                  * port of server
* ADSIFORESTDN = "dc=myorg,dc=com"  * name of ADS forest
                                    * CAREFUL: do not mix with domain name
* ADSIPERSONBASEBINDDN = "dc=myusers,dc=com"   * Specifies a BindDN that is used to access
                                    * a user. Note that this is only useful when
                                    * all users that are accessed are found under
                                    * in the same node
* ADSIGROUPBASEBINDDN = "dc=mygroups,dc=com"   * Specifies a BindDN that is used to access
                                    * a group. Note that this is only useful when
                                    * all groups that are accessed are found under
                                    * in the same node.

DEFAULTS = TCP
PORT = 11971

DEFAULTS = SSL
PORT = 11958
VERIFY-CLIENT = NO
KEY-FILE = "..\..\Etc\IAFAppKey.pem"
KEY-PASSWD = IAFAppKey
KEY-STORE = "..\..\Etc\IAFAppCert.pem"
** TRUST-STORE = "..\..\Etc\IAFCaCert.pem"
*
Replace the content of the attribute file you want to configure with the sample code below:
Note: Provide information about your environment by configuring settings in the following attributes (in the SSX LDAP section): SERVERHOST, LDAPPERSONBINDDN and LDAPGROUPBINDDN.
****************************************************************
* Attribute file for IAF server.
****************************************************************
* IAFnnn
DEFAULTS = BROKER
BROKER-ID = IAFnnn
RUN-MODE = IAF
TRANSPORT = TCP-SSL
AUTOLOGON = YES
CALLABLE-RPC-SERVICES = NO
CLIENT-NONACT = 99
ICU-CONVERSION = NO
DYNAMIC-MEMORY-MANAGEMENT = YES
NUM-WORKER = 5
TRACE-LEVEL = 0

DEFAULTS = IAF
** IAF Service parameters: *************************************************
IAF_LISTENADDRESS = localhost       * the IAF servers own name, will be copied
                                    * into each IAF Token (future use)
IAFVALIDTIME = 300                  * default time the tokens are valid (in secs)
* LOCALCODEPAGE =                   * default code page: ISO-8859-1, rsp. IBM-037
                                    * used as input to
                                    * MultiByteToWideChar/WideCharToMultiByte
                                    * on Windows and
                                    * iconv on Unix
** IAF Delegation:
* IAFVERIFYDELEGATEDUSER =          * YES/NO, default: YES
                                    * verify if delegated userid really exists
* IAFDELEGATEDAUTHUSER =            * technical user id
* IAFDELEGATEDAUTHDOMAIN =          * domain of technical user
* IAFDELEGATEDAUTHPASS =            * encrypted password of technical user
* IAFDELEGATEDCERTPATH =            * file name to decrypt techn. user password
* IAFDELEGATEDAUTHTIMEJITTER =      * allow +/- secs. difference between
                                    * SSX program and IAF server
** SSX configuration parameters: *******************************************
***************************** SSX Common ***********************************
AUTHTYPE = LDAP                     * Native authentication type (OS, INTERNAL, LDAP, ADSI)
VALIDTIME = 0                       * how long (secs) should user remain in cache
                                    * 0=disabled
DENYTIME = 60                       * deny access for 60 secs after
                                    * <denycount> false authentications
DENYCOUNT = 0                       * 0=deactivate, else no. of invalid auths
                                    * before waiting <denytime> secs.
MAXCACHEDUSERS = 100                * no. of successful auth'ed users
* LOGFILE = LOG_FILE_PATH           * log file path
* LOGLEVEL = 6                      * 0 - 6: set log level
* DEFAULTDOMAIN = defaultDomain     * The default domain name
***************************** SSX OS ***************************************
* AUTHDPATH = DAEMON_PATH           * Unix only! Explicit path of the privileged
                                    * daemon process.
* UNIXADDMACHINENAME = true/false   * Machine name is added before users and groups i.e.
                                    * machine_name\user.
* DEFAULTGROUP = default_group      * Any group can be used. Specify a default group name
                                    * here that should be returned with any of the group
                                    * results which are returned by repository manager.
* WINNOIMPERSONISATION = true/false * that specifies whether any data access should be made
                                    * under the impersonated userid of the logged in user
                                    * (false), or whether all access are made under the
                                    * account of the running process (true)
***************************** SSX INTERNAL *********************************
* INTERNALREPOSITORY = INTERNAL_REPO_PATH   * path for the file with internal users
***************************** SSX LDAP *************************************
SERVERHOST = <server_host>          * where takes place the auths
SERVERPORT = 389                    * port of server
** AUTHTYPE=LDAP only:
LDAPSERVERTYPE = ActiveDirectory    * use some predefined fields with
                                    * "ActiveDirectory", "OpenLdap"(default),
                                    * "SunOneDirectory", "Tivoli",
                                    * "Novell" or "ApacheDS"
LDAPPERSONBINDDN = "dc=eur,dc=ad,dc=<organization>"   * node where to find the users
LDAPGROUPBINDDN = "DC=ad,DC=<organization>"           * node where to find the groups
LDAPUSERIDFIELD = cn                * name of the user id field
LDAPGROUPIDFIELD = cn               * name of the group id field
LDAPPERSONOBJECTCLASS = "top,person,organizationalPerson,user"   * user object class
LDAPGROUPOBJECTCLASS = "top,group"  * group object class
LDAPPERSONGRPATTR = memberOf        * Property name of a user entry that points
                                    * from a user entry to the group that the user
                                    * is member of.
* LDAPGROUPUSRATTR = member         * Property name of a group entry which points from the
                                    * group to the users (members).
LDAPALLOWDOMAINASBASEBINDDN = true  * If this boolean field is "true" or "1", the parameter
                                    * "domainname" will be interpreted as a BaseBindDN
                                    * (example: "ou=People,dc=myorg,dc=com". Note that if
                                    * no explicit domain
* LDAPCONNECTIONPEROPERATION = true * whether the LDAP connection should be created and closed
                                    * per method call (true), or whether the connection should
                                    * stay open until the user handle is closed
* LDAPPERSONPROPERTYATTR = "cn,displayName,description,mail,telephoneNumber,
                                    * Defines the property names that can be accessed for a user
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any user result list
                                    * will be empty.
LDAPGROUPPROPERTYATTR = member
                                    * Defines the property names that can be accessed for a group
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any group result list will
                                    * be empty.
* LDAPSSLCONNECTION = true          * the denoted ldap connection (serverHost and serverPort) is a
                                    * secured (over SSL/TLS) connection to an LDAP server
FOLLOWREFERRALS = false             * Whether the SSX must follow referrals or not. true/false
* REFSERVERBINDINGTYPE = same_creds * What kind of binding during referral following.
                                    * same_creds - use same credential for authentication to
                                    * the next LDAP server. no_creds use anonymous binding to the
                                    * next server
* REFERRALHOPSCNT = 1               * Count of the referral hops. If this parameter is not specified
                                    * the count is unlimited
***************************** SSX ADSI *************************************
* SERVERHOST = localhost            * where takes place the auths
* SERVERPORT = 389                  * port of server
* ADSIFORESTDN = "dc=myorg,dc=com"  * name of ADS forest
                                    * CAREFUL: do not mix with domain name
* ADSIPERSONBASEBINDDN = "dc=myusers,dc=com"   * Specifies a BindDN that is used to access
                                    * a user. Note that this is only useful when
                                    * all users that are accessed are found under
                                    * in the same node
* ADSIGROUPBASEBINDDN = "dc=mygroups,dc=com"   * Specifies a BindDN that is used to access
                                    * a group. Note that this is only useful when
                                    * all groups that are accessed are found under
                                    * in the same node.

DEFAULTS = TCP
PORT = 11971

DEFAULTS = SSL
PORT = 11958
VERIFY-CLIENT = NO
KEY-FILE = "..\..\Etc\IAFAppKey.pem"
KEY-PASSWD = IAFAppKey
KEY-STORE = "..\..\Etc\IAFAppCert.pem"
** TRUST-STORE = "..\..\Etc\IAFCaCert.pem"
*
Replace the content of the attribute file you want to configure with the sample code below:
****************************************************************
* Attribute file for IAF server.
****************************************************************
* IAFnnn
DEFAULTS = BROKER
BROKER-ID = IAFnnn
RUN-MODE = IAF
TRANSPORT = TCP-SSL
AUTOLOGON = YES
CALLABLE-RPC-SERVICES = NO
CLIENT-NONACT = 99
ICU-CONVERSION = NO
DYNAMIC-MEMORY-MANAGEMENT = YES
NUM-WORKER = 5
TRACE-LEVEL = 0

DEFAULTS = IAF
** IAF Service parameters: *************************************************
IAF_LISTENADDRESS = localhost       * the IAF servers own name, will be copied
                                    * into each IAF Token (future use)
IAFVALIDTIME = 300                  * default time the tokens are valid (in secs)
* LOCALCODEPAGE =                   * default code page: ISO-8859-1, rsp. IBM-037
                                    * used as input to
                                    * MultiByteToWideChar/WideCharToMultiByte
                                    * on Windows and
                                    * iconv on Unix
** IAF Delegation:
* IAFVERIFYDELEGATEDUSER =          * YES/NO, default: YES
                                    * verify if delegated userid really exists
* IAFDELEGATEDAUTHUSER =            * technical user id
* IAFDELEGATEDAUTHDOMAIN =          * domain of technical user
* IAFDELEGATEDAUTHPASS =            * encrypted password of technical user
* IAFDELEGATEDCERTPATH =            * file name to decrypt techn. user password
* IAFDELEGATEDAUTHTIMEJITTER =      * allow +/- secs. difference between
                                    * SSX program and IAF server
** SSX configuration parameters: *******************************************
***************************** SSX Common ***********************************
AUTHTYPE = OS                       * Native authentication type (OS, INTERNAL, LDAP, ADSI)
VALIDTIME = 0                       * how long (secs) should user remain in cache
                                    * 0=disabled
DENYTIME = 60                       * deny access for 60 secs after
                                    * <denycount> false authentications
DENYCOUNT = 0                       * 0=deactivate, else no. of invalid auths
                                    * before waiting <denytime> secs.
MAXCACHEDUSERS = 100                * no. of successful auth'ed users
* LOGFILE = LOG_FILE_PATH           * log file path
* LOGLEVEL = 6                      * 0 - 6: set log level
* DEFAULTDOMAIN = defaultDomain     * The default domain name
***************************** SSX OS ***************************************
* AUTHDPATH = DAEMON_PATH           * Unix only! Explicit path of the privileged
                                    * daemon process.
* UNIXADDMACHINENAME = true/false   * Machine name is added before users and groups i.e.
                                    * machine_name\user.
* DEFAULTGROUP = default_group      * Any group can be used. Specify a default group name
                                    * here that should be returned with any of the group
                                    * results which are returned by repository manager.
* WINNOIMPERSONISATION = true/false * that specifies whether any data access should be made
                                    * under the impersonated userid of the logged in user
                                    * (false), or whether all access are made under the
                                    * account of the running process (true)
***************************** SSX INTERNAL *********************************
* INTERNALREPOSITORY = INTERNAL_REPO_PATH   * path for the file with internal users
***************************** SSX LDAP *************************************
* SERVERHOST = localhost            * where takes place the auths
* SERVERPORT = 389                  * port of server
** AUTHTYPE=LDAP only:
* LDAPSERVERTYPE = OpenLDAP         * use some predefined fields with
                                    * "ActiveDirectory", "OpenLdap"(default),
                                    * "SunOneDirectory", "Tivoli",
                                    * "Novell" or "ApacheDS"
* LDAPPERSONBINDDN = "ou=people,dc=myorg,dc=com"   * node where to find the users
* LDAPGROUPBINDDN = "ou=groups,dc=myorg,dc=com"    * node where to find the groups
* LDAPUSERIDFIELD = cn              * name of the user id field
* LDAPGROUPIDFIELD = cn             * name of the group id field
* LDAPPERSONOBJECTCLASS = "top,person"   * user object class
* LDAPGROUPOBJECTCLASS = "top,groups"    * group object class
* LDAPPERSONGRPATTR = memberOf      * Property name of a user entry that points
                                    * from a user entry to the group that the user
                                    * is member of.
* LDAPGROUPUSRATTR = member         * Property name of a group entry which points from the
                                    * group to the users (members).
* LDAPALLOWDOMAINASBASEBINDDN = true * If this boolean field is "true" or "1", the parameter
                                    * "domainname" will be interpreted as a BaseBindDN
                                    * (example: "ou=People,dc=myorg,dc=com". Note that if
                                    * no explicit domain
* LDAPCONNECTIONPEROPERATION = true * whether the LDAP connection should be created and closed
                                    * per method call (true), or whether the connection should
                                    * stay open until the user handle is closed
* LDAPPERSONPROPERTYATTR = "cn,displayName,description,mail,telephoneNumber,
                                    * Defines the property names that can be accessed for a user
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any user result list
                                    * will be empty.
* LDAPGROUPPROPERTYATTR = "cn,description"
                                    * Defines the property names that can be accessed for a group
                                    * entry. The value is a comma separated list, which contains
                                    * the property name. When all of the specified properties do
                                    * not exist or are binary properties any group result list will
                                    * be empty.
* LDAPSSLCONNECTION = true          * the denoted ldap connection (serverHost and serverPort) is a
                                    * secured (over SSL/TLS) connection to an LDAP server
* FOLLOWREFERRALS = false           * Whether the SSX must follow referrals or not. true/false
* REFSERVERBINDINGTYPE = same_creds * What kind of binding during referral following.
                                    * same_creds - use same credential for authentication to
                                    * the next LDAP server. no_creds use anonymous binding to the
                                    * next server
* REFERRALHOPSCNT = 1               * Count of the referral hops. If this parameter is not specified
                                    * the count is unlimited
* RESOLVEGROUPS = rd                * Resolve groups algorithm ru, rd, cp
***************************** SSX ADSI *************************************
* SERVERHOST = localhost            * where takes place the auths
* SERVERPORT = 389                  * port of server
* ADSIFORESTDN = "dc=myorg,dc=com"  * name of ADS forest
                                    * CAREFUL: do not mix with domain name
* ADSIPERSONBASEBINDDN = "dc=myusers,dc=com"   * Specifies a BindDN that is used to access
                                    * a user. Note that this is only useful when
                                    * all users that are accessed are found under
                                    * in the same node
* ADSIGROUPBASEBINDDN = "dc=mygroups,dc=com"   * Specifies a BindDN that is used to access
                                    * a group. Note that this is only useful when
                                    * all groups that are accessed are found under
                                    * in the same node.

DEFAULTS = TCP
PORT = 11971

DEFAULTS = SSL
PORT = 11958
VERIFY-CLIENT = NO
KEY-FILE = "..\..\Etc\IAFAppKey.pem"
KEY-PASSWD = IAFAppKey
KEY-STORE = "..\..\Etc\IAFAppCert.pem"
** TRUST-STORE = "..\..\Etc\IAFCaCert.pem"
*
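The five sample attribute files above (ADSI, internal repository, OpenLDAP, Active Directory over LDAP, and OS authentication) share one layout and the same security-relevant knobs: the broker TRANSPORT, the SSX lockout pair DENYTIME/DENYCOUNT, LDAPSSLCONNECTION and the referral settings in the SSX LDAP section, and the SSL section's VERIFY-CLIENT, KEY-PASSWD and TRUST-STORE. The script below is an added example written for this page, not code shipped with IAF or EntireX: it parses that layout (KEY = VALUE lines, a leading or trailing `*` opening a comment, DEFAULTS = <name> switching the section) and audits a file for the weak choices the samples' own comments describe. The two embedded attribute files are constructed for the example, and the hardened values (DENYCOUNT = 5, SERVERPORT = 636, VERIFY-CLIENT = YES, the host name) are assumptions, not values from the page.

```python
"""Parse an IAF attribute file and flag weak SSX / SSL settings (added example)."""
import re

# Constructed attribute file with deliberately weak choices (not a product file).
WEAK_SAMPLE = r"""
****************************************************************
* Attribute file for IAF server (constructed, weak settings).
****************************************************************
DEFAULTS = BROKER
BROKER-ID = IAFnnn
TRANSPORT = TCP                     * no SSL listener at all
DEFAULTS = IAF
AUTHTYPE = LDAP                     * Native authentication type (OS, INTERNAL, LDAP, ADSI)
DENYTIME = 60                       * deny access for 60 secs after
DENYCOUNT = 0                       * 0=deactivate, else no. of invalid auths
SERVERHOST = <server_host>          * placeholder from the page, never replaced
SERVERPORT = 389                    * port of server
* LDAPSSLCONNECTION = true          * left commented out: plain LDAP bind
FOLLOWREFERRALS = true
REFSERVERBINDINGTYPE = same_creds
DEFAULTS = SSL
PORT = 11958
VERIFY-CLIENT = NO
KEY-FILE = "..\..\Etc\IAFAppKey.pem"
KEY-PASSWD = IAFAppKey
** TRUST-STORE = "..\..\Etc\IAFCaCert.pem"
*
"""

# The same file with the weak settings corrected (hardened values are assumptions).
HARDENED_SAMPLE = r"""
DEFAULTS = BROKER
BROKER-ID = IAFnnn
TRANSPORT = TCP-SSL
DEFAULTS = IAF
AUTHTYPE = LDAP
DENYTIME = 60
DENYCOUNT = 5                       * wait DENYTIME secs after 5 failed auths
SERVERHOST = ldap.example.test      * constructed host name
SERVERPORT = 636
LDAPSSLCONNECTION = true
FOLLOWREFERRALS = false
DEFAULTS = SSL
PORT = 11958
VERIFY-CLIENT = YES
KEY-FILE = "..\..\Etc\IAFAppKey.pem"
KEY-PASSWD = IAFAppKey
KEY-STORE = "..\..\Etc\IAFAppCert.pem"
TRUST-STORE = "..\..\Etc\IAFCaCert.pem"
"""

SETTING = re.compile(r"([A-Z][A-Z0-9_-]*)\s*=\s*(.*)")


def parse_attribute_file(text):
    """Return {section: {KEY: value}} holding only the active (uncommented) settings."""
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                                  # full-line comment or ruler
        code = line.split(" *", 1)[0].strip()         # drop the trailing inline comment
        match = SETTING.match(code)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip('"')
        if key == "DEFAULTS":                         # DEFAULTS = BROKER / IAF / TCP / SSL
            section = value
            sections.setdefault(section, {})
        else:
            sections.setdefault(section, {})[key] = value
    return sections


def audit(sections):
    """Return [(severity, code, message)] for the settings the samples document."""
    broker, iaf, ssl = (sections.get(s, {}) for s in ("BROKER", "IAF", "SSL"))
    findings = []
    for key, value in iaf.items():                    # the page's notes say: fill these in
        if re.fullmatch(r"<[^>]*>", value):
            findings.append(("warn", "PLACEHOLDER", f"{key} still holds the placeholder {value}"))
    if "SSL" not in broker.get("TRANSPORT", "").upper():
        findings.append(("warn", "TRANSPORT", "TRANSPORT has no SSL variant: clients reach the IAF server in clear"))
    if iaf.get("AUTHTYPE", "").upper() == "LDAP":
        if iaf.get("LDAPSSLCONNECTION", "").lower() not in ("true", "1"):
            findings.append(("warn", "LDAP-CLEAR", "LDAPSSLCONNECTION is not true: the bind to SERVERHOST carries passwords without SSL/TLS"))
        if iaf.get("FOLLOWREFERRALS", "").lower() == "true" and iaf.get("REFSERVERBINDINGTYPE", "").lower() == "same_creds":
            findings.append(("warn", "REFERRAL-CREDS", "referrals are followed with the user's own credentials (same_creds)"))
    if iaf.get("DENYCOUNT") == "0":
        findings.append(("warn", "NO-LOCKOUT", "DENYCOUNT = 0 deactivates the DENYTIME wait after failed authentications"))
    verify_client = ssl.get("VERIFY-CLIENT", "").upper()
    if verify_client == "NO":
        findings.append(("info", "NO-CLIENT-CERT", "VERIFY-CLIENT = NO: clients are not asked for a certificate"))
    elif verify_client == "YES" and "TRUST-STORE" not in ssl:
        findings.append(("warn", "NO-TRUST-STORE", "VERIFY-CLIENT = YES but no active TRUST-STORE names the CA certificates"))
    if "KEY-PASSWD" in ssl:
        findings.append(("info", "KEY-PASSWD-CLEAR", "KEY-PASSWD keeps the key passphrase in clear text; restrict read access to this file"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"== {name} ==")
        for severity, code, message in audit(parse_attribute_file(sample)):
            print(f"{severity:5} {code:16} {message}")
```

Run it against a real attribute file by reading the file into `parse_attribute_file`; the parser deliberately ignores every line that starts with `*`, so a setting that the samples ship commented out (such as TRUST-STORE or LDAPSSLCONNECTION) counts as absent, which is exactly what the audit needs to notice.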