ldapRegistry - LDAP User Registry (ldapRegistry)

Configuration properties for the LDAP user registry.

Name | Type | Default | Description
id | string | | A unique configuration ID.
host | string | | Address of the LDAP server, as an IP address or a domain name service (DNS) name.
port | int | | Port number of the LDAP server.
baseDN | string | | Base distinguished name (DN) of the directory service: the starting point for LDAP searches in the directory.
ldapType | one of: IBM SecureWay Directory Server, Microsoft Active Directory, Novell eDirectory, IBM Lotus Domino, Netscape Directory Server, Custom, Sun Java System Directory Server, IBM Tivoli Directory Server | | Type of LDAP server to which a connection is established. The value selects the default user and group filters (listed in the *Filters sections below); the matching *FiltersRef attribute overrides those defaults.
  • IBM SecureWay Directory Server: configure the LDAP registry to use IBM SecureWay Directory Server.
  • Microsoft Active Directory: configure the LDAP registry to use Microsoft Active Directory.
  • Novell eDirectory: configure the LDAP registry to use Novell eDirectory.
  • IBM Lotus Domino: configure the LDAP registry to use IBM Lotus Domino.
  • Netscape Directory Server: configure the LDAP registry to use Netscape Directory Server.
  • Custom: configure the LDAP registry to use a custom LDAP server.
  • Sun Java System Directory Server: configure the LDAP registry to use Sun Java System Directory Server.
  • IBM Tivoli Directory Server: configure the LDAP registry to use IBM Tivoli Directory Server.
realm | string | LdapRegistry | The realm name that represents the user registry.
bindDN | string | | Distinguished name (DN) that the application server uses to bind to the directory service. Use a dedicated account with read-only access to the user and group subtrees rather than a directory administrator account.
bindPassword | Reversibly encoded password (string) | | Password for the bind DN. The value can be stored in clear text or in encoded form. Encoding is recommended: use the securityUtility tool with the encode option. Encoding (the default XOR form in particular) is reversible obfuscation, not encryption, so file permissions on the configuration file remain the actual protection for this value.
ignoreCase | boolean | true | Perform a case-insensitive authentication check.
recursiveSearch | boolean | false | Performs a nested group search. Select this option only if the LDAP server does not support recursive server-side searches.
reuseConnection | boolean | true | Requests the application server to reuse the LDAP server connection.
sslEnabled | boolean | false | Indicates whether an SSL (TLS) connection is made to the LDAP server. Without it, the bind DN password and every user password that is verified against the registry cross the network in clear text.
sslRef | A reference to a top level ssl element (string) | | ID of the SSL configuration to be used to connect to the SSL-enabled LDAP server.
searchTimeout | A period of time with millisecond precision | 1m | Maximum time for the LDAP server to respond before a request is canceled. This is equivalent to a read timeout once the connection is established. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
connectTimeout | A period of time with millisecond precision | 1m | Maximum time for establishing a connection to the LDAP server. An error message is logged if the specified time expires. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
certificateMapMode | one of: EXACT_DN, CERTIFICATE_FILTER | | Specifies how X.509 client certificates are mapped to entries in the LDAP directory. Specify CERTIFICATE_FILTER to use the certificateFilter attribute for the mapping.
  • EXACT_DN: the login maps the PrincipalName value of the X.509 certificate to the exact distinguished name (DN) in the repository. If a matching entity is found, the login succeeds. If no matching entity is found, the login fails with an error stating that the entity was not found.
  • CERTIFICATE_FILTER: the login uses the certificateFilter mapping property as the LDAP filter. If exactly one matching entity is found, the login succeeds. If no matching entity is found, the login fails with an error. If more than one matching entity is found, the login fails because the match is ambiguous, and an error is returned.
certificateFilter | string | | The certificate filter mapping property used as the LDAP filter in CERTIFICATE_FILTER mode. The filter maps attributes of the client certificate to entries in the LDAP registry, for example uid=${SubjectCN}. Choose a certificate attribute that is unique per directory entry, because the lookup must resolve to exactly one entity for the login to succeed.
activedFiltersRef | A reference to a top level activedLdapFilterProperties element (string) | | Specifies the list of Microsoft Active Directory LDAP filters.
customFiltersRef | A reference to a top level customLdapFilterProperties element (string) | | Specifies the list of Custom LDAP filters.
domino50FiltersRef | A reference to a top level domino50LdapFilterProperties element (string) | | Specifies the list of IBM Lotus Domino LDAP filters.
edirectoryFiltersRef | A reference to a top level edirectoryLdapFilterProperties element (string) | | Specifies the list of Novell eDirectory LDAP filters.
idsFiltersRef | A reference to a top level idsLdapFilterProperties element (string) | | Specifies the list of IBM Tivoli Directory Server LDAP filters.
iplanetFiltersRef | A reference to a top level iplanetLdapFilterProperties element (string) | | Specifies the list of Sun Java System Directory Server LDAP filters.
netscapeFiltersRef | A reference to a top level netscapeLdapFilterProperties element (string) | | Specifies the list of Netscape Directory Server LDAP filters.
securewayFiltersRef | A reference to a top level securewayLdapFilterProperties element (string) | | Specifies the list of IBM SecureWay Directory Server LDAP filters.
referral | one of: ignore, follow | ignore | Specify the behavior for LDAP referrals. The default behavior is to ignore referrals.
  • ignore: Ignore LDAP referrals.
  • follow: Follow LDAP referrals. Following a referral opens a connection to whichever server the referral names and binds to it with the configured bind credentials, so enable this only when every server the directory can refer to is trusted and reachable over the same SSL-protected transport.
returnToPrimaryServer | boolean | true | When true, the registry returns to the primary LDAP server after it has failed over to one of the configured failover servers, rather than continuing to use the failover server.

failoverServers

List of LDAP failover servers.

Name | Type | Default | Description
id | string | | A unique configuration ID.
name | string | | Name of this list of failover servers, which act as backups for the primary LDAP server. For example: <failoverServers name="failoverLdapServers"><server host="myfullyqualifiedhostname1" port="389"/><server host="myfullyqualifiedhostname2" port="389"/></failoverServers>. A failover server element carries only a host and a port, so the primary registry's sslEnabled and sslRef settings apply to the failover connections as well; give them SSL-capable ports when sslEnabled is true.

failoverServers > server

Configuration properties for LDAP failover server.

Name | Type | Default | Description
id | string | | A unique configuration ID.
host | string | | LDAP server host name, which can be either an IP address or a domain name service (DNS) name.
port | int | | LDAP failover server port.

activedFilters

Specifies the list of Microsoft Active Directory LDAP filters. In this table and in the filter tables that follow, %v is the placeholder that is replaced at run time by the user or group name being searched. The *IdMap values use the form objectClass:attribute, where * matches any object class; groupMemberIdMap lists several such pairs separated by semicolons.

Name | Type | Default | Description
userFilter | string | (&(sAMAccountName=%v)(objectcategory=user)) | An LDAP filter clause for searching the user registry for users.
groupFilter | string | (&(cn=%v)(objectcategory=group)) | An LDAP filter clause for searching the user registry for groups.
userIdMap | string | user:sAMAccountName | An LDAP filter that maps the name of a user to an LDAP entry.
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry.
groupMemberIdMap | string | memberOf:member | An LDAP filter that identifies user to group memberships.
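The following server.xml fragment is an added example, not taken from this page or from IBM's own documentation, that puts the ldapRegistry attributes, the failoverServers list and the activedFilters overrides described above together for an Active Directory domain. It shows the weak pattern (clear-text port, clear-text bind password, no filter tightening) as a comment beside the hardened form. The host names, DNs, feature names, the ssl and keyStore elements, the encoded-password placeholders and the userAccountControl clause are assumptions for illustration, not values from the page.

```xml
<server description="ldapRegistry example (added illustration; all names are placeholders)">

  <!-- Assumed feature names; use the versions installed in your runtime. -->
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>

  <!-- Weak pattern to avoid (kept as a comment). sslEnabled defaults to false, so the
       bindDN password and every user password sent for verification travel in clear text
       on port 389, and a clear-text bindPassword sits in this file.
  <ldapRegistry id="ldap" host="dc1.example.com" port="389" baseDN="DC=example,DC=com"
                ldapType="Microsoft Active Directory"
                bindDN="CN=svc-liberty,OU=Service Accounts,DC=example,DC=com"
                bindPassword="ChangeMe123"/>
  -->

  <!-- Truststore that holds only the CA that issued the domain controllers' certificates
       (assumed location; the password placeholder stands for securityUtility encode output). -->
  <keyStore id="ldapTrustStore"
            location="${server.config.dir}/resources/security/ldap-trust.p12"
            type="PKCS12" password="{aes}REPLACE_WITH_securityUtility_encode_OUTPUT"/>
  <ssl id="ldapSSL" keyStoreRef="ldapTrustStore" trustStoreRef="ldapTrustStore"/>

  <ldapRegistry id="corpAD"
                realm="CorpAD"
                host="dc1.example.com" port="636"
                baseDN="DC=example,DC=com"
                ldapType="Microsoft Active Directory"
                bindDN="CN=svc-liberty,OU=Service Accounts,DC=example,DC=com"
                bindPassword="{aes}REPLACE_WITH_securityUtility_encode_OUTPUT"
                sslEnabled="true" sslRef="ldapSSL"
                connectTimeout="5s" searchTimeout="10s"
                referral="ignore"
                returnToPrimaryServer="true"
                activedFiltersRef="adFilters">
    <!-- Failover servers carry only host and port; sslEnabled/sslRef above apply to them too,
         so they must also listen on an SSL port. -->
    <failoverServers name="adFailover">
      <server host="dc2.example.com" port="636"/>
      <server host="dc3.example.com" port="636"/>
    </failoverServers>
  </ldapRegistry>

  <!-- Overrides the defaults from the activedFilters table. The extra userFilter clause is an
       assumed tightening: it excludes disabled accounts. Bit 0x2 of userAccountControl is
       ACCOUNTDISABLE, and 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule.
       In XML attribute values the LDAP '&' must be written as '&amp;'. -->
  <activedLdapFilterProperties id="adFilters"
      userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
      groupFilter="(&amp;(cn=%v)(objectcategory=group))"
      userIdMap="user:sAMAccountName"
      groupIdMap="*:cn"
      groupMemberIdMap="memberOf:member"/>
</server>
```

The short connectTimeout and searchTimeout are deliberate: with the defaults of 1m each, a domain controller that accepts TCP connections but stops answering can hold a login thread for up to two minutes before failover is attempted.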

customFilters

Specifies the list of Custom LDAP filters.

Name | Type | Default | Description
userFilter | string | (&(uid=%v)(objectclass=ePerson)) | An LDAP filter clause for searching the user registry for users.
groupFilter | string | (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))) | An LDAP filter clause for searching the user registry for groups.
userIdMap | string | *:uid | An LDAP filter that maps the name of a user to an LDAP entry.
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry.
groupMemberIdMap | string | ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember | An LDAP filter that identifies user to group memberships.

domino50Filters

Specifies the list of IBM Lotus Domino LDAP filters.

Name | Type | Default | Description
userFilter | string | (&(uid=%v)(objectclass=Person)) | An LDAP filter clause for searching the user registry for users.
groupFilter | string | (&(cn=%v)(objectclass=dominoGroup)) | An LDAP filter clause for searching the user registry for groups.
userIdMap | string | person:uid | An LDAP filter that maps the name of a user to an LDAP entry.
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry.
groupMemberIdMap | string | dominoGroup:member | An LDAP filter that identifies user to group memberships.

edirectoryFilters

Specifies the list of Novell eDirectory LDAP filters.

Name | Type | Default | Description
userFilter | string | (&(cn=%v)(objectclass=Person)) | An LDAP filter clause for searching the user registry for users.
groupFilter | string | (&(cn=%v)(objectclass=groupOfNames)) | An LDAP filter clause for searching the user registry for groups.
userIdMap | string | person:cn | An LDAP filter that maps the name of a user to an LDAP entry.
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry.
groupMemberIdMap | string | groupOfNames:member | An LDAP filter that identifies user to group memberships.

idsFilters

Specifies the list of IBM Tivoli Directory Server LDAP filters.

Name | Type | Default | Description
userFilter | string | (&(uid=%v)(objectclass=ePerson)) | An LDAP filter clause for searching the user registry for users.
groupFilter | string | (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))) | An LDAP filter clause for searching the user registry for groups.
userIdMap | string | *:uid | An LDAP filter that maps the name of a user to an LDAP entry.
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry.
groupMemberIdMap | string | ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember | An LDAP filter that identifies user to group memberships.

iplanetFilters

Specifies the list of Sun Java System Directory Server LDAP filters.

Name | Type | Default | Description
userFilter | string | (&(uid=%v)(objectclass=inetOrgPerson)) | An LDAP filter clause for searching the user registry for users.
groupFilter | string | (&(cn=%v)(objectclass=ldapsubentry)) | An LDAP filter clause for searching the user registry for groups.
userIdMap | string | inetOrgPerson:uid | An LDAP filter that maps the name of a user to an LDAP entry.
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry.
groupMemberIdMap | string | nsRole:nsRole | An LDAP filter that identifies user to group memberships.

netscapeFilters

Specifies the list of Netscape Directory Server LDAP filters.

Name | Type | Default | Description
userFilter | string | (&(uid=%v)(objectclass=inetOrgPerson)) | An LDAP filter clause for searching the user registry for users.
groupFilter | string | (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) | An LDAP filter clause for searching the user registry for groups.
userIdMap | string | inetOrgPerson:uid | An LDAP filter that maps the name of a user to an LDAP entry.
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry.
groupMemberIdMap | string | groupOfNames:member;groupOfUniqueNames:uniqueMember | An LDAP filter that identifies user to group memberships.

securewayFilters

Specifies the list of IBM SecureWay Directory Server LDAP filters.

Name | Type | Default | Description
userFilter | string | (&(uid=%v)(objectclass=ePerson)) | An LDAP filter clause for searching the user registry for users.
groupFilter | string | (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) | An LDAP filter clause for searching the user registry for groups.
userIdMap | string | *:uid | An LDAP filter that maps the name of a user to an LDAP entry.
groupIdMap | string | *:cn | An LDAP filter that maps the name of a group to an LDAP entry.
groupMemberIdMap | string | groupOfNames:member;groupOfUniqueNames:uniqueMember | An LDAP filter that identifies user to group memberships.

ldapEntityType

Configure the LDAP object class, search filters, search bases and LDAP relative distinguished name (RDN) for the Person, Group and Organizational Unit entity types. For example, the Group entity type can have a search filter such as (&(ObjectCategory=Groupofnames)(ObjectClass=Groupofnames)), the object class Groupofnames and the search base ou=iGroups,o=ibm,c=us.

Name | Type | Default | Description
id | string | | A unique configuration ID.
name | string | | The name of the LDAP entity type.
searchFilter | string | | A custom LDAP search expression used while searching for this entity type. For example, searchFilter="(|(ObjectCategory=User)(ObjectClass=User))".

ldapEntityType > objectClass

The object class defined for the given LDAP entity type in the LDAP server. For example, the object class for the group LDAP entity type can be Groupofnames.

ldapEntityType > searchBase

Specify the subtree of the LDAP server used for search calls for the given entity type; it overrides the base DN in search operations. For example, if the base DN is o=ibm,c=us and the search base for the PersonAccount entity type is defined as ou=iUsers,o=ibm,c=us, then all search calls for PersonAccount are made under the subtree ou=iUsers,o=ibm,c=us. Multiple search bases can be configured for the same entity type. Per-entity-type search bases also keep an entry created in one subtree (for example under the groups OU) from matching a search for a different entity type.

groupProperties

The configuration for group membership properties (for example, memberAttribute or membershipAttribute).

groupProperties > memberAttribute

The LDAP member attribute.

Name | Type | Default | Description
id | string | | A unique configuration ID.
name | string | | The name of the member attribute.
objectClass | string | | The object class of the member attribute.
scope | string | | The scope of the member attribute.
dummyMember | string | | The name of the dummy member.

groupProperties > membershipAttribute

The configuration for the membership attribute.

Name | Type | Default | Description
name | string | | The name of the membership attribute.
scope | string | | The scope of the membership attribute.

groupProperties > dynamicMemberAttribute

The configuration for the dynamic member attribute.

Name | Type | Default | Description
name | string | | The name of the dynamic member attribute.
objectClass | string | | The name of the object class.

attributeConfiguration

The configuration that maps LDAP attributes to user registry schema field names (for example, for Person, PersonAccount or Group).

attributeConfiguration > attribute

Define the user registry schema field names to be mapped to the LDAP attribute.

Name | Type | Default | Description
id | string | | A unique configuration ID.
name | string | | The name of the LDAP attribute.
propertyName | string | | The user registry schema field name that is mapped to the LDAP attribute.
defaultValue | string | | The default value of the attribute.
syntax | string | | The attribute syntax.
entityType | string | | The entity type of the attribute.

attributeConfiguration > externalIdAttribute

Define the name of the LDAP attribute, and its properties, that is mapped to the user registry externalId attribute. Prefer an attribute that the directory keeps immutable across renames and moves (for example, the server's entry UUID) so that the externalId stays stable for the life of the entry.

Name | Type | Default | Description
id | string | | A unique configuration ID.
name | string | | The name of the LDAP attribute to be used for the user registry externalId attribute.
syntax | string | | The attribute syntax.
entityType | string | | The entity type of the attribute.
autoGenerate | boolean | false | When enabled, the externalId attribute value is generated automatically by the user registry instead of using the value that is stored in LDAP. By default it is disabled.

contextPool

Properties of the context pool.

Name | Type | Default | Description
enabled | boolean | true | A boolean value that determines whether the context pool is enabled. Disabling it can cause performance degradation.
initialSize | int | 1 | An integer value that determines the initial size of the context pool. Set this based on the load on the repository.
maxSize | int | 0 | An integer value that defines the maximum context pool size. Set this based on the maximum load on the repository.
timeout | A period of time with millisecond precision | 0s | The time that an idle context instance can remain in the pool before it is closed and removed from the pool. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s) or milliseconds (ms). For example, specify 1 second as 1s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 1.5 minutes. The minimum timeout allowed is 1 second; millisecond entries are rounded to the nearest second.
waitTime | A period of time with millisecond precision | 3s | The interval that a request waits before the context pool checks again whether an idle context instance has become available, once the number of context instances has reached the maximum pool size. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
preferredSize | int | 3 | The preferred size of the context pool. Set this based on the load on the repository.

ldapCache

Configure the attributes of the cache.

ldapCache > attributesCache

The attribute cache properties configuration.

Name | Type | Default | Description
enabled | boolean | true | A boolean value that indicates whether the attribute cache is enabled.
size | int | 2000 | Defines the number of entities that can be stored in the cache. You can increase the size of the cache based on the number of entities that need to be stored in it.
timeout | A period of time with millisecond precision | 1200s | Defines the maximum time that the contents of the LDAP attribute cache are available. When the specified time has elapsed, the LDAP attribute cache is cleared. Until then, attribute values that were changed or removed in LDAP (group membership read through this cache included) can still be served from the cache, so the timeout bounds how quickly such a change takes effect. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
sizeLimit | int | 2000 | The maximum number of attributes per LDAP entity that are cached.
serverTTLAttribute | string | | The name of an LDAP attribute that carries a per-entry time-to-live. When that time elapses, the cache entry expires; the next call for the entry fetches it directly from the server and places it in the cache again.

ldapCache > searchResultsCache

The configuration for the search results cache.

Name | Type | Default | Description
enabled | boolean | true | A boolean value that indicates whether the search results cache is enabled.
size | int | 2000 | The number of search results that are stored in the cache. Configure this based on the number of search queries executed on the system and the hardware resources available.
timeout | A period of time with millisecond precision | 1200s | Defines the maximum time that the contents of the search results cache are available. When the specified time has elapsed, the search results cache is cleared. A user removed from a group in LDAP can therefore keep appearing in cached group search results until the timeout elapses. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
resultsSizeLimit | int | 2000 | The maximum number of results that can be cached for a single LDAP search.
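The following server.xml fragment is an added example, not code from this page or from IBM, that combines the ldapEntityType, groupProperties, attributeConfiguration, contextPool and ldapCache elements described above for a Custom directory with inetOrgPerson users and groupOfNames groups. The host name, DNs, the feature name, the defaultSSLConfig reference, the encoded-password placeholder, the scope value and the choice of entryUUID as the external ID are assumptions for illustration; the page does not enumerate the accepted scope values, so verify "direct" against your server version.

```xml
<server description="ldapRegistry schema mapping and cache example (added illustration; names are placeholders)">

  <!-- Assumed feature name; use the version installed in your runtime. -->
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>

  <ldapRegistry id="customDir" realm="CustomDir"
                host="ldap.example.org" port="636"
                sslEnabled="true" sslRef="defaultSSLConfig"
                baseDN="dc=example,dc=org"
                ldapType="Custom"
                bindDN="cn=liberty-reader,ou=services,dc=example,dc=org"
                bindPassword="{aes}REPLACE_WITH_securityUtility_encode_OUTPUT"
                customFiltersRef="customFilters"
                recursiveSearch="false">

    <!-- A search base per entity type overrides baseDN, so an entry created under
         ou=groups cannot satisfy a PersonAccount search, and vice versa. -->
    <ldapEntityType name="PersonAccount" searchFilter="(objectClass=inetOrgPerson)">
      <objectClass>inetOrgPerson</objectClass>
      <searchBase>ou=people,dc=example,dc=org</searchBase>
    </ldapEntityType>
    <ldapEntityType name="Group" searchFilter="(objectClass=groupOfNames)">
      <objectClass>groupOfNames</objectClass>
      <searchBase>ou=groups,dc=example,dc=org</searchBase>
    </ldapEntityType>

    <!-- Membership is read from the group's member attribute, which holds member DNs.
         The dummyMember DN (assumed) is a placeholder used where the schema requires a group to
         have at least one member; it must not correspond to a real login account. -->
    <groupProperties>
      <memberAttribute name="member" objectClass="groupOfNames" scope="direct"
                       dummyMember="uid=dummy,ou=people,dc=example,dc=org"/>
    </groupProperties>

    <!-- Map registry fields to directory attributes. entryUUID (assumed to exist on this
         server) does not change when an entry is renamed or moved, which makes it a more
         stable externalId than a DN or uid. -->
    <attributeConfiguration>
      <attribute name="mail" propertyName="mail" entityType="PersonAccount"/>
      <attribute name="displayName" propertyName="displayName" entityType="PersonAccount"/>
      <externalIdAttribute name="entryUUID" entityType="PersonAccount" autoGenerate="false"/>
    </attributeConfiguration>

    <!-- Bound the pool so a slow directory cannot pin an unlimited number of connections;
         idle contexts are closed after 60s, and a request re-checks for a free context every 3s. -->
    <contextPool enabled="true" initialSize="2" preferredSize="4" maxSize="12"
                 timeout="60s" waitTime="3s"/>

    <!-- The caches are a revocation window: a user removed from a group in LDAP keeps the
         group's cached attributes and search results until the timeout elapses. The default
         1200s (20 minutes) is shortened to 120s here; size values are left at the defaults. -->
    <ldapCache>
      <attributesCache enabled="true" size="2000" timeout="120s" sizeLimit="2000"/>
      <searchResultsCache enabled="true" size="2000" timeout="120s" resultsSizeLimit="2000"/>
    </ldapCache>
  </ldapRegistry>

  <!-- Filters for this schema; %v is replaced by the name being searched, and '&' is
       written as '&amp;' inside an XML attribute value. -->
  <customLdapFilterProperties id="customFilters"
      userFilter="(&amp;(uid=%v)(objectClass=inetOrgPerson))"
      groupFilter="(&amp;(cn=%v)(objectClass=groupOfNames))"
      userIdMap="*:uid"
      groupIdMap="*:cn"
      groupMemberIdMap="groupOfNames:member"/>
</server>
```

Shortening the cache timeouts trades directory load for faster revocation: every expiry is another search against the server, so size the contextPool and the directory's own limits with the chosen timeout in mind.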