Lightweight Directory Access Protocol advanced settings
Use this page to configure advanced Lightweight Directory Access Protocol (LDAP) user registry settings when users and groups reside in an external LDAP directory.
To view this administrative page, click Security > User Registries > LDAP > Advanced LDAP settings.
Default values for all the user and group filters are already filled in the appropriate fields. You can change these values to suit your requirements. The defaults depend on the type of LDAP server selected in the LDAP settings panel; if that type changes (for example from NETSCAPE to SECUREWAY), the default filters change automatically. If you change any of the default filter values, the LDAP server type changes to Custom to indicate that custom filters are in use. When security is enabled and any of these properties change, go to the Global Security panel and click Apply or OK to validate the changes.
Configuration tab
- User Filter
- Specifies the LDAP user filter that searches the registry for users.
This option is typically used for Security Role to User assignments. It specifies the property by which to look up users in the directory service. For example, to look up users based on their user IDs, specify (&(uid=%v)(objectclass=inetOrgPerson)), where %v stands for the user ID being looked up. For more information about this syntax, see the LDAP directory service documentation.
Data type: String
- Group Filter
- Specifies the LDAP group filter that searches the registry for groups.
This option is typically used for Security Role to Group assignments. It specifies the property by which to look up groups in the directory service. For more information about this syntax, see the LDAP directory service documentation.
Data type: String
- User ID Map
- Specifies the LDAP filter that maps the short name of a user to an LDAP entry.
Specifies which attribute is shown to represent a user wherever users are displayed. For example, to display entries of object class inetOrgPerson by their user IDs, specify inetOrgPerson:uid. This field takes multiple objectclass:property pairs delimited by a semicolon (;).
Data type: String
- Group ID Map
- Specifies the LDAP filter that maps the short name of a group to an LDAP entry.
Specifies which attribute is shown to represent a group wherever groups are displayed. For example, to display groups by their names, specify *:cn. The asterisk (*) is a wildcard that matches any object class in this case. This field takes multiple objectclass:property pairs delimited by a semicolon (;).
Data type: String
- Group Member ID Map
- Specifies the LDAP filter that identifies user-to-group relationships.
For directory types SecureWay, NetScape, and Domino, this field takes multiple objectclass:property pairs delimited by a semicolon (;). In an objectclass:property pair, the objectclass value is the same objectclass defined in Group Filter, and the property is the member attribute. If the objectclass value does not match the objectclass in Group Filter, authorization might fail when groups are mapped to security roles. For more information about this syntax, see your LDAP directory service documentation.
For IBM Directory Server, iPlanet Directory Server and Active Directory, this field takes multiple (group attribute:member attribute) pairs delimited by a semicolon (;). They are used to find the group memberships of a user by enumerating all the group attributes possessed by that user. For example, the attribute pair (memberof:member) is used by Active Directory, and (ibm-allGroup:member) is used by IBM Directory Server. This field also specifies which property of an objectclass stores the list of members belonging to the group represented by the objectclass. For supported LDAP directory servers, see the InfoCenter article "Supported directory services."
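As an added example that is not part of the IBM documentation, the Python below parses the objectclass:property maps used by User ID Map, Group ID Map and Group Member ID Map, resolves the display attribute for an entry from its object classes (honouring the * wildcard), and checks a Group Member ID Map against a Group Filter for the objectclass mismatch that the text above warns can break role-to-group authorization on SecureWay, NetScape and Domino. The group filter, maps and entry object classes are constructed sample values, not taken from a real server.

```python
# Added example, not from the WebSphere documentation: parse and validate the
# objectclass:property maps described in the LDAP advanced settings.
import re

WILDCARD = "*"


def parse_map(value):
    """Parse 'objectclass:property;objectclass:property' into an ordered list of
    (objectclass, property) pairs. Object class names are case-insensitive in
    LDAP, so they are lower-cased; the property name is kept as written."""
    pairs = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"map entry {item!r} is not of the form objectclass:property")
        objectclass, prop = (part.strip() for part in item.split(":", 1))
        if not objectclass or not prop:
            raise ValueError(f"map entry {item!r} has an empty side")
        pairs.append((objectclass.lower(), prop))
    return pairs


def resolve_property(id_map, entry_objectclasses):
    """Return the attribute that represents an entry, or None if no pair applies.
    Pairs are tried in order; '*' matches any object class."""
    classes = {oc.lower() for oc in entry_objectclasses}
    for objectclass, prop in parse_map(id_map):
        if objectclass == WILDCARD or objectclass in classes:
            return prop
    return None


def objectclasses_in_filter(ldap_filter):
    """Collect the objectclass values a filter searches for, e.g. both classes in
    '(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))'."""
    found = re.findall(r"\(objectclass=([^)]+)\)", ldap_filter, flags=re.IGNORECASE)
    return {value.lower() for value in found}


def check_member_map_against_group_filter(member_map, group_filter):
    """Return the Group Member ID Map entries whose objectclass is not searched by
    the Group Filter. A non-empty result is the mismatch the settings text warns
    about, so an operator should expect an empty list here."""
    searched = objectclasses_in_filter(group_filter)
    return [(oc, prop) for oc, prop in parse_map(member_map)
            if oc != WILDCARD and oc not in searched]


# Constructed sample values in the style of a SecureWay-type configuration.
GROUP_FILTER = "(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))"
GROUP_MEMBER_ID_MAP = "groupOfNames:member;groupOfUniqueNames:uniqueMember"
USER_ID_MAP = "inetOrgPerson:uid"
GROUP_ID_MAP = "*:cn"

if __name__ == "__main__":
    print(resolve_property(USER_ID_MAP, ["top", "person", "inetOrgPerson"]))
    print(resolve_property(GROUP_ID_MAP, ["groupOfNames"]))
    print(check_member_map_against_group_filter(GROUP_MEMBER_ID_MAP, GROUP_FILTER))
    # A map naming a class the group filter never searches is flagged:
    print(check_member_map_against_group_filter("posixGroup:memberUid", GROUP_FILTER))
```

The consistency check only applies to the objectclass:property form; for the (group attribute:member attribute) pairs used by IBM Directory Server, iPlanet and Active Directory the left side is an attribute rather than an object class, so the check is not meaningful there.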
Data type: String
- Certificate Map Mode
- Specifies whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping.
Data type: String
- Certificate Filter
- Specifies the LDAP filter that maps attributes in the client certificate to entries in the LDAP registry when certificate filter mapping is in use.
To enable this field, click CERTIFICATE_FILTER for the certificate mapping. If more than one LDAP entry matches the filter specification at run time, authentication fails because the match is ambiguous. The syntax of this filter is: LDAP attribute=${Client certificate attribute} (for example, uid=${SubjectCN}). The left side of the filter specification is an LDAP attribute that depends on the schema your LDAP server is configured to use. The right side of the filter specification is one of the public attributes in your client certificate. The right side must begin with a dollar sign ($) and an opening brace ({) and end with a closing brace (}). The following certificate attribute values may be used on the right side of the filter specification. The case of the strings is important:
- ${UniqueKey}
- ${PublicKey}
- ${Issuer}
- ${NotAfter}
- ${NotBefore}
- ${SerialNumber}
- ${SigAlgName}
- ${SigAlgOID}
- ${SigAlgParams}
- ${SubjectCN}
- ${Version}
Data type: String
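As an added example that is not part of the IBM documentation, the Python below renders the two filter templates this page describes: a User Filter or Group Filter whose %v is replaced by the value being looked up, and a Certificate Filter whose ${...} placeholders are filled from the client certificate's public attributes. Substituted values are escaped according to RFC 4515 so that a crafted user ID or certificate field cannot add or close filter components, placeholder names are matched case-sensitively as the text requires, and the certificate mapping succeeds only when exactly one entry matches. The in-memory registry and certificate attributes are constructed sample data, and the toy search models only the single attribute=value filter form used in the certificate filter example.

```python
# Added example, not from the WebSphere documentation: render the filter
# templates this page describes and apply the certificate-mapping rules.
import re

# Placeholder names the Certificate Filter accepts; matched case-sensitively.
CERT_PLACEHOLDERS = {
    "UniqueKey", "PublicKey", "Issuer", "NotAfter", "NotBefore", "SerialNumber",
    "SigAlgName", "SigAlgOID", "SigAlgParams", "SubjectCN", "Version",
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    user-controlled value cannot add or close filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Reverse escape_filter_value (used only by the toy search below)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def render_user_filter(template, value):
    """Substitute %v in a User Filter or Group Filter with an escaped value,
    e.g. '(&(uid=%v)(objectclass=inetOrgPerson))' for a user ID lookup."""
    return template.replace("%v", escape_filter_value(value))


def render_certificate_filter(template, cert_attrs):
    """Expand each ${Name} in a Certificate Filter from the client certificate's
    public attributes. An unknown or mis-cased name is rejected rather than
    passed through to the directory."""
    def replace(match):
        name = match.group(1)
        if name not in CERT_PLACEHOLDERS:
            raise ValueError(f"unknown certificate attribute ${{{name}}}")
        return escape_filter_value(str(cert_attrs[name]))
    return re.sub(r"\$\{([^}]*)\}", replace, template)


def search_equality(registry, rendered_filter):
    """Stand-in for an LDAP search over a list of (dn, attrs) tuples. It models
    only the single 'attribute=value' form the page's certificate filter uses."""
    match = re.fullmatch(r"([A-Za-z][\w-]*)=(.*)", rendered_filter)
    if not match:
        raise ValueError("only a single attribute=value filter is modelled here")
    attr, wanted = match.group(1).lower(), unescape_filter_value(match.group(2))
    return [dn for dn, attrs in registry if attrs.get(attr) == wanted]


def map_certificate(registry, template, cert_attrs):
    """Map a client certificate to a registry entry. Exactly one match is
    required: no match and an ambiguous match both fail authentication."""
    matches = search_equality(registry, render_certificate_filter(template, cert_attrs))
    if len(matches) == 1:
        return ("mapped", matches[0])
    return ("no_match" if not matches else "ambiguous", None)


# Constructed sample registry: two entries share uid=bob, so a certificate
# with SubjectCN=bob maps ambiguously and must be rejected.
REGISTRY = [
    ("uid=alice,ou=people,dc=example,dc=com", {"uid": "alice"}),
    ("uid=bob,ou=people,dc=example,dc=com", {"uid": "bob"}),
    ("uid=bob,ou=contractors,dc=example,dc=com", {"uid": "bob"}),
]

if __name__ == "__main__":
    user_filter = "(&(uid=%v)(objectclass=inetOrgPerson))"
    print(render_user_filter(user_filter, "alice"))
    # A crafted ID cannot close the uid term and add its own components:
    print(render_user_filter(user_filter, "alice)(uid=*"))
    for cn in ("alice", "bob", "carol"):
        print(cn, map_certificate(REGISTRY, "uid=${SubjectCN}", {"SubjectCN": cn}))
```

Escaping the substituted value is the part worth keeping in mind when reviewing a custom User Filter: the filter template itself is trusted configuration, but %v is filled from the login name a client supplies.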