edocs Home > Oracle WebLogic Server Documentation > Administration Console Online Help > LDAP X509 Identity Asserter: Provider Specific

LDAP X509 Identity Asserter: Provider Specific

Configuration Options     Related Tasks     Related Topics

Use this page to define the provider specific configuration of this LDAP X509 identity assertion provider.

Configuration Options

Name Description
Supported Types

The token types supported by this LDAP X509 Identity Assertion provider.

MBean Attribute:
LDAPX509IdentityAsserterMBean.SupportedTypes

Changes take effect after you redeploy the module or restart the server.

Active Types

The token type this LDAP X509 identity assertion provider uses for authentication. Ensure no other identity assertion provider configured in the same security realm has this attribute set to X509.

MBean Attribute:
LDAPX509IdentityAsserterMBean.ActiveTypes

Changes take effect after you redeploy the module or restart the server.

User Filter Attributes

Specifies how to select the LDAP object for the user from the LDAP objects beneath the base LDAP DN defined in the Certificate Mapping attribute. This setting defines how to find the LDAP object from the certificate's Subject DN.

The LDAP object's class must be person. This attribute contains an array of strings, each of which is an attribute that the LDAP object must match.

Typically, the value of this attribute is the LDAP object that matches the value of an attribute in the certificate's Subject DN. For example:

The uid attribute of the LDAP user object matches the Subject DN attribute, if the syntax is:

LDAPATTRNAME=$subj.SUBJECDNATTRNAME

For example: uid=$subj.DN

This option is very similar to the User Name Filter option on LDAP Authentication providers which maps a username to a search filter. The differences are:

  • This option maps a certificate's Subject DN to a filter and the LDAP Authentication provider uses a single string giving the system administrator complete control over the filter.

  • The LDAP X509 Authentication provider adds objectclass=person to the filter and uses an array of strings that are combined.

MBean Attribute:
LDAPX509IdentityAsserterMBean.UserFilterAttributes

Changes take effect after you redeploy the module or restart the server.

User Name Attribute

Specifies the attribute on the LDAP object for the user that contains the user's name.

The user's name should appear in the Subject. This setting defines how to find the user's name. Typically, the setting matches the User Name setting of the LDAP Authentication provider configured for use with this LDAP X509 identity assertion provider.

MBean Attribute:
LDAPX509IdentityAsserterMBean.UsernameAttribute

Changes take effect after you redeploy the module or restart the server.

Certificate Attribute

Specifies the attribute on the LDAP object for the user that contains the user's certificate. This option defines how to find the certificate. Valid values are userCertificate and userCertificate;binary.

  • If you use the LDAP browser to load a certificate into the LDAP directory, an attribute userCertificate of type binary is created. To access the certificate, define this option as userCertificate.

  • If you use ldapmodify to create the Certificate Attribute, a userCertificate;binary is created when the certificate data is loaded in the LDAP directory. To access the certificate, define this option as userCertificate;binary.

MBean Attribute:
LDAPX509IdentityAsserterMBean.CertificateAttribute

Changes take effect after you redeploy the module or restart the server.

Certificate Mapping

Specifies how to construct the base LDAP DN used to locate the LDAP object for the user. This attribute defines how to find the object from the certificate's Subject DN.

Typically, this value is the same as the User Base DN attribute in the LDAP Authentication providers. You may include the fields from the Subject DN in this base DN.

For example: if the Certificate subject is CN=meyer.beasys.com, ou=fred, o=BEASYS, L=SFO, C=US and the mapping is ou=people, ou=$subj.ou, WebLogic Server uses ou=people, ou=fred, o=BEASYS, c=US as the DN when locating the user.

MBean Attribute:
LDAPX509IdentityAsserterMBean.CertificateMapping

Changes take effect after you redeploy the module or restart the server.

Base64 Decoding Required

Determines whether the request header value or cookie value must be Base64 Decoded before sending it to the identity assertion provider. The setting is enabled by default for purposes of backward compatibility, however, most identity assertion providers will disable this attribute.

Host

The host name of the computer on which the LDAP server is running.

MBean Attribute:
LDAPServerMBean.Host

Changes take effect after you redeploy the module or restart the server.

Port

The port number on which the LDAP server is listening.

MBean Attribute:
LDAPServerMBean.Port

Minimum value: 1

Maximum value: 65534

Changes take effect after you redeploy the module or restart the server.

SSLEnabled

Whether the SSL protocol should be used when connecting to the LDAP server.

MBean Attribute:
LDAPServerMBean.SSLEnabled

Changes take effect after you redeploy the module or restart the server.

Principal

The Distinguished Name (DN) of the LDAP user that WebLogic Server should use to connect to the LDAP server.

MBean Attribute:
LDAPServerMBean.Principal

Changes take effect after you redeploy the module or restart the server.

Credential

The credential (usually a password) used to connect to the LDAP server.

If this password has not been set, WebLogic Server generates a password at startup, initializes the attribute, and saves the configuration to the config.xml file. If you want to connect to the embedded LDAP server using an external LDAP browser and the embedded LDAP administrator account (cn=Admin), change this attribute from the generated value.

MBean Attribute:
LDAPServerMBean.Credential

Changes take effect after you redeploy the module or restart the server.

Cache Enabled

Whether a cache is used with the LDAP server

This is a cache of the LDAP requests.

MBean Attribute:
LDAPServerMBean.CacheEnabled

Changes take effect after you redeploy the module or restart the server.

Cache Size

The size of the cache (in kilobytes) that is used with the LDAP server

MBean Attribute:
LDAPServerMBean.CacheSize

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.

Cache TTL

The time-to-live of the cache (in seconds) that is used with the LDAP server

MBean Attribute:
LDAPServerMBean.CacheTTL

Minimum value: 0

Changes take effect after you redeploy the module or restart the server.

Follow Referrals

Specifes that a search for a user or group within the associated LDAP Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.

MBean Attribute:
LDAPServerMBean.FollowReferrals

Changes take effect after you redeploy the module or restart the server.

Bind Anonymously On Referrals

By default, the associated LDAP Authentication provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute.

MBean Attribute:
LDAPServerMBean.BindAnonymouslyOnReferrals

Changes take effect after you redeploy the module or restart the server.

Results Time Limit

The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is not a maximum time limit..

MBean Attribute:
LDAPServerMBean.ResultsTimeLimit

Changes take effect after you redeploy the module or restart the server.

Connect Timeout

The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is not a maximum time limit.

MBean Attribute:
LDAPServerMBean.ConnectTimeout

Changes take effect after you redeploy the module or restart the server.

Parallel Connect Delay

The delay in seconds when making concurrent attempts to attempt to multiple LDAP servers. If this attribute is set to 0, connection attempts are serialized. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. If this attribute is not set and an LDAP server is unavailable, an application may be blocked for a long time. If this attribute is greater than 0, another connection is started after the specified time.

MBean Attribute:
LDAPServerMBean.ParallelConnectDelay

Changes take effect after you redeploy the module or restart the server.

Connection Retry Limit

Specifies the number of times to attempt to connect to the LDAP server if the initial connection failed.

MBean Attribute:
LDAPServerMBean.ConnectionRetryLimit

Changes take effect after you redeploy the module or restart the server.

Related Tasks

Related Topics