+

Search Tips   |   Advanced Search

LDAP repository configuration settings

To configure secure access to an LDAP repository with optional failover servers...

To configure for a specific domain in a multiple security domain environment, click...

When we finish adding or updating the federated repository configuration, to validate the changes...


Repository identifier

Unique identifier for the LDAP repository. This identifier uniquely identifies the repository within the cell, for example: LDAP1.


Directory type

Type of LDAP server to which you connect.

Expand the drop-down list to display a list of LDAP directory types.


Primary host name

Host name of the primary LDAP server. This host name is either an IP address or a domain name service (DNS) name.


Port

LDAP server port.

The default is 389, which is not an SSL connection. Use port 636 for an SSL connection. For some LDAP servers, we can specify a different port for a non-SSL or SSL connection. If we do not know the port to use, contact the LDAP server administrator.

Information Value
Data type: Integer
Default: 389
Range: 389, which is not an SSL connection

636, which is an SSL connection


Failover host name

Host name of the failover LDAP server.

We can specify a secondary directory server to be used in the event that our primary directory server becomes unavailable. After switching to a secondary directory server, the LDAP repository attempts to reconnect to the primary directory server every 15 minutes.


Port

Port of the failover LDAP server.

The default is 389, which is not an SSL connection. Use port 636 for an SSL connection. For some LDAP servers, we can specify a different port for a non-SSL or SSL connection. If we do not know the port to use, contact the LDAP server administrator.

Information Value
Data type: Integer
Range: 389, which is not an SSL connection

636, which is an SSL connection


Support referrals to other LDAP servers

Specifies how referrals that are encountered by the LDAP server are handled.

A referral is an entity used to redirect a client request to another LDAP server. A referral contains the names and locations of other objects. It is sent by the server to indicate that the information that the client requested can be found at another location, possibly at another server or several servers. The default is ignore.

Information Value
Default: ignore
Range:

ignore Referrals are ignored.
follow Referrals are followed automatically.


Support for repository change tracking

Type of support for repository change tracking. The profile manager refers to this value before passing on the request to the corresponding adapter. If the value is none, then that repository is not called to retrieve the changed entities.

none There is no change tracking support for this repository.
native The repository's native change tracking mechanism is used by virtual member manager to return changed entities.


Custom properties

Specifies arbitrary name and value pairs of data. The name is a property key and the value is a string value that can be used to set internal system configuration properties.

Define a new property enables us to configure a setting beyond that which is available in the administrative console.


Bind distinguished name

Distinguished name (DN) for the application server to use when binding to the LDAP repository.

If no name is specified, the application server binds anonymously. In most cases, bind DN and bind password are needed. However, when anonymous bind can satisfy all of the required functions, bind DN and bind password are not needed.


Bind password

Password for the application server to use when binding to the LDAP repository.


Login properties

Property names to use to log into the application server.

This field takes multiple login properties, delimited by a semicolon (;). For example, uid;mail. All login properties are searched during login. If multiple entries or no entries are found, an exception is thrown. For example, if we specify the login properties as uid;mail and the login ID as Bob, the search filter searches for uid=Bob or mail=Bob. When the search returns a single entry, then authentication can proceed. Otherwise, an exception is thrown.

If we define multiple login properties, the first login property is programmatically mapped to the federated repositories principalName property. For example, if we set uid;mail as the login properties, the LDAP attribute uid value is mapped to the federated repositories principalName property. If we define multiple login properties, after login, the first login property is returned as the value of the principalName property. For example, if you pass joe@yourco.com as the principalName value and the login properties are configured as uid;mail, the principalName is returned as joe.


LDAP attribute for Kerberos principal name

LDAP attribute for Kerberos principal name. This field can be modified when Kerberos is configured and it is one of the active or preferred authentication mechanisms.


Certificate mapping

Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping.


Certificate filter

Filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP repository.

If more than one LDAP entry matches the filter specification at run time, authentication fails because the result is an ambiguous match. The syntax or structure of this filter is:

LDAP attribute=${Client certificate attribute}

An example of a simple certificate filter is: uid=${SubjectCN}.

We can also specify multiple properties and values as part of the certificate filter. Two examples of complex certificate filters are:

(&(cn=${IssuerCN}) (employeeNumber=${SerialNumber})

(& (issuer=${IssuerDN}) (serial=${SerialNumber}) (subjectdn=${SubjectDN}))

The left side of the filter specification is an LDAP attribute that depends on the schema that the LDAP server is configured to use. The right side of the filter specification is one of the public attributes in the client certificate. We can also use the UniqueKey certificate variable, which consists of the base64-encoding of the MD5 hash of the subject DN and issuer DN. The right side must begin with a dollar sign ($) and open bracket ({) and end with a close bracket (}). Use the following certificate attribute values on the right side of the filter specification. The case of the strings is important:


Require SSL communications

Specifies whether secure socket communication is enabled to the LDAP server.

When enabled, the SSL settings for LDAP are used, if specified.


Centrally managed

That the selection of an SSL configuration is based upon the outbound topology view for the JNDI platform.

Centrally managed configurations support one location to maintain SSL configurations, rather than spreading them across the configuration documents.

Information Value
Default: Enabled
Range: Enabled or Disabled


Use specific SSL alias

SSL configuration alias to use for LDAP outbound SSL communications.

This option overrides the centrally managed configuration for the JNDI platform.

  • Configure LDAP in a federated repository configuration
  • Configure a property extension repository in a federated repository configuration
  • Manage the realm in a federated repository configuration
  • Migrate a stand-alone LDAP repository to a federated repositories LDAP repository configuration