LDAP User Registry
This feature enables support for using an LDAP server as a user registry. Any server that supports LDAP Version 3.0 may be used. Multiple LDAP registries can be configured, and then federated to achieve a single logical registry view.
Enable this feature
To enable the LDAP User Registry feature, add the following element declaration inside the featureManager element in the server.xml file:
<feature>ldapRegistry-3.0</feature>
Developing a feature that depends on this feature
If we are developing a feature that depends on the LDAP User Registry feature, include the following item in the Subsystem-Content header in the feature manifest file for the new feature:
com.ibm.websphere.appserver.ldapRegistry-3.0; type="osgi.subsystem.feature"
Features that this feature enables
Features that enable this feature
Feature configuration elements
We can use the following elements in the server.xml file to configure the LDAP User Registry feature:
- activedLdapFilterProperties
- administrator-role
- classloading
- customLdapFilterProperties
- domino50LdapFilterProperties
- edirectoryLdapFilterProperties
- federatedRepository
  - primaryRealm
    - defaultParents
    - groupDisplayNameMapping
    - groupSecurityNameMapping
    - participatingBaseEntry
    - uniqueGroupIdMapping
    - uniqueUserIdMapping
    - userDisplayNameMapping
    - userSecurityNameMapping
  - realm
    - defaultParents
    - groupDisplayNameMapping
    - groupSecurityNameMapping
    - participatingBaseEntry
    - uniqueGroupIdMapping
    - uniqueUserIdMapping
    - userDisplayNameMapping
    - userSecurityNameMapping
  - supportedEntityType
- idsLdapFilterProperties
- iplanetLdapFilterProperties
- ldapRegistry
  - activedFilters
  - attributeConfiguration
  - contextPool
  - customFilters
  - domino50Filters
  - edirectoryFilters
  - failoverServers
  - idsFilters
  - iplanetFilters
  - ldapCache
  - netscapeFilters
  - securewayFilters
- library
- netscapeLdapFilterProperties
- securewayLdapFilterProperties
- activedLdapFilterProperties
- Default Microsoft Active Directory LDAP filters.
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(objectcategory=group))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: memberOf:member
    Description: An LDAP filter that identifies user to group memberships.
  id
    Data type: string
    Description: A unique configuration ID.
  userFilter
    Data type: string
    Default value: (&(sAMAccountName=%v)(objectcategory=user))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: user:sAMAccountName
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- administrator-role
- A collection of users and/or groups assigned the server administrator role.
- administrator-role > group
Description: Group assigned a role.
Required: false
Data type: string
- administrator-role > user
Description: User assigned a role.
Required: false
Data type: string
- classloading
- Global classloading
Attributes:
  useJarUrls
    Data type: boolean
    Default value: false
    Description: Whether to use jar: or wsjar: URLs for referencing files in archives.
- customLdapFilterProperties
- Default Custom LDAP filters.
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
    Description: An LDAP filter that identifies user to group memberships.
  id
    Data type: string
    Description: A unique configuration ID.
  userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=ePerson))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: *:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- domino50LdapFilterProperties
- Default IBM Lotus Domino LDAP filters.
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(objectclass=dominoGroup))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: dominoGroup:member
    Description: An LDAP filter that identifies user to group memberships.
  id
    Data type: string
    Description: A unique configuration ID.
  userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=Person))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: person:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- edirectoryLdapFilterProperties
- List of Novell eDirectory LDAP filters.
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(objectclass=groupOfNames))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: groupOfNames:member
    Description: An LDAP filter that identifies user to group memberships.
  id
    Data type: string
    Description: A unique configuration ID.
  userFilter
    Data type: string
    Default value: (&(cn=%v)(objectclass=Person))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: person:cn
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- federatedRepository
- Configuration for the user registry federation.
Attributes:
  id
    Data type: string
    Description: A unique configuration ID.
  maxSearchResults
    Data type: int
    Default value: 4500
    Description: Maximum number of entries that can be returned in a search.
  searchTimeout
    Data type: A period of time with millisecond precision
    Default value: 10m
    Description: The maximum amount of time, in milliseconds, to process a search. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
- federatedRepository > primaryRealm
Description: Primary realm configuration.
Required: false
Data type:
Attributes:
  allowOpIfRepoDown
    Data type: boolean
    Default value: false
    Description: Whether to allow operation if a repository is down. The default value is false.
  delimiter
    Data type: string
    Default value: /
    Description: Delimiter used to qualify the realm under which the operation should be executed. For example, userid=test1/myrealm where / is the delimiter and realm name is myrealm.
  name
    Data type: string
    Description: Name of the realm.
- federatedRepository > primaryRealm > defaultParents
Description: The default parent mapping for the realm.
Required: false
Data type:
Attributes:
  name
    Data type: string
    Description: The name of the entity mapped viz. PersonAccount, Group.
  parentUniqueName
    Data type: string
    Description: The distinguished name under Base distinguished name (DN) in the repository under which all entities of the configured type will be created.
- federatedRepository > primaryRealm > groupDisplayNameMapping
Description: The input and output property mappings for group display name in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > primaryRealm > groupSecurityNameMapping
Description: The input and output property mappings for group security name in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > primaryRealm > participatingBaseEntry
Description: The Base Entry that is part of this realm.
Required: false
Data type:
Attributes:
  name
    Data type: string
    Description: The name of the base entry.
- federatedRepository > primaryRealm > uniqueGroupIdMapping
Description: The input and output property mappings for unique group id in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: uniqueName
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > primaryRealm > uniqueUserIdMapping
Description: The input and output property mappings for unique user id used in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: uniqueName
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: uniqueName
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > primaryRealm > userDisplayNameMapping
Description: The input and output property mappings for user display name in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: principalName
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: principalName
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > primaryRealm > userSecurityNameMapping
Description: The input and output property mappings for user security name in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: principalName
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: uniqueName
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > realm
Description: The reference to the realm.
Required: false
Data type:
Attributes:
  allowOpIfRepoDown
    Data type: boolean
    Default value: false
    Description: Whether to allow operation if a repository is down. The default value is false.
  delimiter
    Data type: string
    Default value: /
    Description: Delimiter used to qualify the realm under which the operation should be executed. For example, userid=test1/myrealm where / is the delimiter and realm name is myrealm.
  name
    Data type: string
    Description: Name of the realm.
- federatedRepository > realm > defaultParents
Description: The default parent mapping for the realm.
Required: false
Data type:
Attributes:
  name
    Data type: string
    Description: The name of the entity mapped viz. PersonAccount, Group.
  parentUniqueName
    Data type: string
    Description: The distinguished name under Base distinguished name (DN) in the repository under which all entities of the configured type will be created.
- federatedRepository > realm > groupDisplayNameMapping
Description: The input and output property mappings for group display name in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > realm > groupSecurityNameMapping
Description: The input and output property mappings for group security name in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > realm > participatingBaseEntry
Description: The Base Entry that is part of this realm.
Required: false
Data type:
Attributes:
  name
    Data type: string
    Description: The name of the base entry.
- federatedRepository > realm > uniqueGroupIdMapping
Description: The input and output property mappings for unique group id in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: cn
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: uniqueName
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > realm > uniqueUserIdMapping
Description: The input and output property mappings for unique user id used in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: uniqueName
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: uniqueName
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > realm > userDisplayNameMapping
Description: The input and output property mappings for user display name in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: principalName
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: principalName
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > realm > userSecurityNameMapping
Description: The input and output property mappings for user security name in a user registry operation.
Required: false
Data type:
Attributes:
  inputProperty
    Data type: string
    Default value: principalName
    Description: The property that maps to the user registry attribute for input. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
  outputProperty
    Data type: string
    Default value: uniqueName
    Description: The property that maps to the user registry attribute for output. The valid values are: uniqueId, uniqueName, externalId, externalName and the attributes of PersonAccount and Group entity types.
- federatedRepository > supportedEntityType
Description: The default parent for an entity type mapping.
Required: false
Data type:
- federatedRepository > supportedEntityType > defaultParent
Description: The distinguished name under Base distinguished name (DN) in the repository under which all entities of the configured type will be created
Required: false
Data type: string
- federatedRepository > supportedEntityType > name
Description: The name of the entity mapped viz. PersonAccount, Group.
Required: false
Data type: string
- idsLdapFilterProperties
- Default IBM Tivoli Directory Server LDAP filters.
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
    Description: An LDAP filter that identifies user to group memberships.
  id
    Data type: string
    Description: A unique configuration ID.
  userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=ePerson))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: *:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- iplanetLdapFilterProperties
- Default Sun Java System Directory Server LDAP filters.
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(objectclass=ldapsubentry))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: nsRole:nsRole
    Description: An LDAP filter that identifies user to group memberships.
  id
    Data type: string
    Description: A unique configuration ID.
  userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=inetOrgPerson))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: inetOrgPerson:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- ldapRegistry
- Configuration properties for the LDAP user registry.
Attributes:
  activedFiltersRef
    Data type: A reference to top level activedLdapFilterProperties element (string).
    Description: Default Microsoft Active Directory LDAP filters.
  baseDN
    Data type: string
    Description: Base distinguished name (DN) of the directory service, which indicates the starting point for LDAP searches in the directory service.
  bindDN
    Data type: string
    Description: Distinguished name (DN) for the application server, which is used to bind to the directory service.
  bindPassword
    Data type: Reversibly encoded password (string)
    Description: Password for the bind DN. Stored in clear text or encoded form. It is recommended that you encode the password. To do so, use the securityUtility tool with the encode option.
  certificateFilter
    Data type: string
    Description: Filter certificate mapping property for the LDAP filter. The filter is used to map attributes in the client certificate to entries in the LDAP registry. For example, the filter can be specified as: uid=${SubjectCN}.
  certificateMapMode
    Data type:
      - EXACT_DN
      - CERTIFICATE_FILTER
    Description: Whether to map x.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER. Specify CERTIFICATE_FILTER to use the specified certificate filter for the mapping.
      - EXACT_DN: exactDN
      - CERTIFICATE_FILTER: certFilter
  connectTimeout
    Data type: A period of time with millisecond precision
    Default value: 1m
    Description: Maximum time for establishing a connection to the LDAP server. An error message will be logged if the specified time expires. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
  customFiltersRef
    Data type: A reference to top level customLdapFilterProperties element (string).
    Description: Default Custom LDAP filters.
  domino50FiltersRef
    Data type: A reference to top level domino50LdapFilterProperties element (string).
    Description: Default IBM Lotus Domino LDAP filters.
  edirectoryFiltersRef
    Data type: A reference to top level edirectoryLdapFilterProperties element (string).
    Description: List of Novell eDirectory LDAP filters.
  host
    Data type: string
    Description: Address of the LDAP server in the form of an IP address or a domain name service (DNS) name.
  id
    Data type: string
    Description: A unique configuration ID.
  idsFiltersRef
    Data type: A reference to top level idsLdapFilterProperties element (string).
    Description: Default IBM Tivoli Directory Server LDAP filters.
  ignoreCase
    Data type: boolean
    Default value: true
    Description: Perform a case-insensitive authentication check.
  iplanetFiltersRef
    Data type: A reference to top level iplanetLdapFilterProperties element (string).
    Description: Default Sun Java System Directory Server LDAP filters.
  ldapType
    Data type:
      - Sun Java System Directory Server
      - Netscape Directory Server
      - Microsoft Active Directory
      - IBM Tivoli Directory Server
      - IBM Lotus Domino
      - Custom
      - IBM SecureWay Directory Server
      - Novell eDirectory
    Description: Type of LDAP server to which a connection will be established.
      - Sun Java System Directory Server: iplanet
      - Netscape Directory Server: netscape
      - Microsoft Active Directory: actived
      - IBM Tivoli Directory Server: ibm_dir_server
      - IBM Lotus Domino: domino50
      - Custom: custom
      - IBM SecureWay Directory Server: secureway
      - Novell eDirectory: edirectory
  netscapeFiltersRef
    Data type: A reference to top level netscapeLdapFilterProperties element (string).
    Description: Default Netscape Directory Server LDAP filters.
  port
    Data type: int
    Description: Port number of the LDAP server.
  realm
    Data type: string
    Default value: LdapRegistry
    Description: The realm name that represents the user registry.
  recursiveSearch
    Data type: boolean
    Default value: false
    Description: Performs a nested group search. Select this option only if the LDAP server does not support recursive server-side searches.
  returnToPrimaryServer
    Data type: boolean
    Default value: true
    Description: A boolean value that indicates if the search should be done against the Primary Server.
  reuseConnection
    Data type: boolean
    Default value: true
    Description: Requests the application server to reuse the LDAP server connection.
  searchTimeout
    Data type: A period of time with millisecond precision
    Default value: 1m
    Description: Maximum time for an LDAP server to respond before a request is canceled. This is equivalent to a read timeout once the connection is established. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
  securewayFiltersRef
    Data type: A reference to top level securewayLdapFilterProperties element (string).
    Description: Default IBM SecureWay Directory Server LDAP filters.
  sslEnabled
    Data type: boolean
    Default value: false
    Description: Indicates whether an SSL connection should be made to the LDAP server.
  sslRef
    Data type: string
    Description: ID of the SSL configuration to be used to connect to the SSL-enabled LDAP server.
- ldapRegistry > activedFilters
Description: Default Microsoft Active Directory LDAP filters.
Required: false
Data type:
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(objectcategory=group))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: memberOf:member
    Description: An LDAP filter that identifies user to group memberships.
  userFilter
    Data type: string
    Default value: (&(sAMAccountName=%v)(objectcategory=user))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: user:sAMAccountName
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- ldapRegistry > attributeConfiguration
Description: The configuration that maps the LDAP attributes with the user registry schema (for example, Person, PersonAccount or Group) field names.
Required: false
Data type:
- ldapRegistry > attributeConfiguration > attribute
Description: Define the user registry schema field names to be mapped to the LDAP attribute.
Required: false
Data type:
Attributes:
  defaultValue
    Data type: string
    Description: The default value of the attribute.
  entityType
    Data type: string
    Description: The entity type of the attribute.
  name
    Data type: string
    Description: The name of the LDAP attribute.
  propertyName
    Data type: string
    Description: The user registry schema field name that needs to be mapped with the LDAP attribute.
  syntax
    Data type: string
    Description: The attribute syntax.
- ldapRegistry > attributeConfiguration > externalIdAttribute
Description: Define the name of the LDAP attribute and its properties that need to be mapped to the user registry externalId attribute.
Required: false
Data type:
Attributes:
  autoGenerate
    Data type: boolean
    Default value: false
    Description: When enabled, the externalId attribute value is generated automatically by the user registry instead of using the value stored in LDAP. By default it is disabled.
  entityType
    Data type: string
    Description: The entity type of the attribute.
  name
    Data type: string
    Description: The name of the LDAP attribute to be used for user registry externalId attribute.
  syntax
    Data type: string
    Description: The attribute syntax.
- ldapRegistry > contextPool
Description: Properties of the context pool.
Required: false
Data type:
Attributes:
  enabled
    Data type: boolean
    Default value: true
    Description: A boolean value that determines if the context pool is enabled. Disabling it can cause performance degradation.
  initialSize
    Data type: int
    Default value: 1
    Description: An integer value that determines the initial size of the context pool. Set this based on the load on the repository.
  maxSize
    Data type: int
    Default value: 0
    Description: An integer value that defines the maximum context pool size. Set this based on maximum load on the repository.
  preferredSize
    Data type: int
    Default value: 3
    Description: The preferred size of the context pool. Set this based on the load on the repository.
  timeout
    Data type: A period of time with millisecond precision
    Default value: 0s
    Description: The duration after which the context pool times out. An integer that represents the time that an idle context instance can remain in the pool without being closed and removed from the pool. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
  waitTime
    Data type: A period of time with millisecond precision
    Default value: 3s
    Description: The duration after which the context pool times out. The time interval that the request waits until the context pool checks again if an idle context instance is available in the pool when the number of context instances reaches the maximum pool size. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
- ldapRegistry > customFilters
Description: Default Custom LDAP filters.
Required: false
Data type:
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
    Description: An LDAP filter that identifies user to group memberships.
  userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=ePerson))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: *:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- ldapRegistry > domino50Filters
Description: Default IBM Lotus Domino LDAP filters.
Required: false
Data type:
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(objectclass=dominoGroup))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: dominoGroup:member
    Description: An LDAP filter that identifies user to group memberships.
  userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=Person))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: person:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- ldapRegistry > edirectoryFilters
Description: List of Novell eDirectory LDAP filters.
Required: false
Data type:
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(objectclass=groupOfNames))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: groupOfNames:member
    Description: An LDAP filter that identifies user to group memberships.
  userFilter
    Data type: string
    Default value: (&(cn=%v)(objectclass=Person))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: person:cn
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- ldapRegistry > failoverServers
Description: List of LDAP failover servers.
Required: false
Data type:
Attributes:
  name
    Data type: string
    Description: Configuration properties for LDAP failover servers. Specify it as a backup server for the primary LDAP servers. For example, <failoverServers name="failoverLdapServers"><server host="myfullyqualifiedhostname1" port="389"/><server host="myfullyqualifiedhostname2" port="389"/></failoverServers>
- ldapRegistry > failoverServers > server
Description: Configuration properties for LDAP failover server.
Required: false
Data type:
Attributes:
  host
    Data type: string
    Description: LDAP server host name, which can be either an IP address or a domain name service (DNS) name.
  port
    Data type: int
    Description: LDAP failover server port.
- ldapRegistry > idsFilters
Description: Default IBM Tivoli Directory Server LDAP filters.
Required: false
Data type:
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember
    Description: An LDAP filter that identifies user to group memberships.
  userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=ePerson))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: *:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- ldapRegistry > iplanetFilters
Description: Default Sun Java System Directory Server LDAP filters.
Required: false
Data type:
Attributes:
  groupFilter
    Data type: string
    Default value: (&(cn=%v)(objectclass=ldapsubentry))
    Description: An LDAP filter clause for searching the user registry for groups.
  groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  groupMemberIdMap
    Data type: string
    Default value: nsRole:nsRole
    Description: An LDAP filter that identifies user to group memberships.
  userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=inetOrgPerson))
    Description: An LDAP filter clause for searching the user registry for users.
  userIdMap
    Data type: string
    Default value: inetOrgPerson:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- ldapRegistry > ldapCache
Description: Configure the attributes of the cache.
Required: false
Data type:
- ldapRegistry > ldapCache > attributesCache
Description: The attribute cache properties configuration.
Required: false
Data type:
Attributes:
  enabled
    Data type: boolean
    Default value: true
    Description: A Boolean value to indicate that the property is enabled.
  serverTTLAttribute
    Data type: string
    Description: The time after which a cache entry expires. The subsequent call for this entry will be fetched directly from the server and then placed again in the cache.
  size
    Data type: int
    Default value: 2000
    Description: Defines the number of entities that can be stored in the cache. We can increase the size of the cache based on the number of entities required to be stored in the cache.
  sizeLimit
    Data type: int
    Default value: 2000
    Description: The size limit for the cache.
  timeout
    Data type: A period of time with millisecond precision
    Default value: 1200ms
    Description: Defines the maximum time that the contents of the LDAP attribute cache are available. When the specified time has elapsed, the LDAP attribute cache is cleared. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
- ldapRegistry > ldapCache > searchResultsCache
Description: The configuration for the search results cache.
Required: false
Data type:
  - Attribute name: enabled
    Data type: boolean
    Default value: true
    Description: A Boolean value to indicate that the property is enabled.
  - Attribute name: resultsSizeLimit
    Data type: int
    Description: The maximum number of results that can be returned in the search.
  - Attribute name: size
    Data type: int
    Default value: 2000
    Description: The size of the cache. The number of search results stored in the cache. This needs to be configured based on number of search queries executed on the system and the hardware system resources available.
  - Attribute name: timeout
    Data type: A period of time with millisecond precision
    Default value: 1200ms
    Description: Defines the maximum time that the contents of the search results cache are available. When the specified time has elapsed, the search results cache is cleared. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
- ldapRegistry > netscapeFilters
Description: Default Netscape Directory Server LDAP filters.
Required: false
Data type:
  - Attribute name: groupFilter
    Data type: string
    Default value: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
    Description: An LDAP filter clause for searching the user registry for groups.
  - Attribute name: groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  - Attribute name: groupMemberIdMap
    Data type: string
    Default value: groupOfNames:member;groupOfUniqueNames:uniqueMember
    Description: An LDAP filter that identifies user-to-group memberships.
  - Attribute name: userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=inetOrgPerson))
    Description: An LDAP filter clause for searching the user registry for users.
  - Attribute name: userIdMap
    Data type: string
    Default value: inetOrgPerson:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- ldapRegistry > securewayFilters
Description: Default IBM SecureWay Directory Server LDAP filters.
Required: false
Data type:
  - Attribute name: groupFilter
    Data type: string
    Default value: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
    Description: An LDAP filter clause for searching the user registry for groups.
  - Attribute name: groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  - Attribute name: groupMemberIdMap
    Data type: string
    Default value: groupOfNames:member;groupOfUniqueNames:uniqueMember
    Description: An LDAP filter that identifies user-to-group memberships.
  - Attribute name: userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=ePerson))
    Description: An LDAP filter clause for searching the user registry for users.
  - Attribute name: userIdMap
    Data type: string
    Default value: *:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- library
- Shared Library
  - Attribute name: apiTypeVisibility
    Data type: string
    Default value: spec,ibm-api,api
    Description: The types of API package this library's class loader will be able to see, as a comma-separated list of any combination of the following: spec, ibm-api, api, third-party.
  - Attribute name: description
    Data type: string
    Description: Description of shared library for administrators
  - Attribute name: filesetRef
    Data type: List of references to top level fileset elements (comma-separated string).
    Description: Id of referenced Fileset
  - Attribute name: id
    Data type: string
    Description: A unique configuration ID.
  - Attribute name: name
    Data type: string
    Description: Name of shared library for administrators
- library > file
Description: Id of referenced File
Required: false
Data type:
  - Attribute name: name
    Data type: Path to a file
    Description: Fully qualified filename
- library > fileset
Description: Id of referenced Fileset
Required: false
Data type:
  - Attribute name: caseSensitive
    Data type: boolean
    Default value: true
    Description: Boolean to indicate whether or not the search should be case sensitive (default: true).
  - Attribute name: dir
    Data type: Path to a directory
    Default value: ${server.config.dir}
    Description: The base directory to search for files.
  - Attribute name: excludes
    Data type: string
    Description: The comma or space separated list of file name patterns to exclude from the search results, by default no files are excluded.
  - Attribute name: includes
    Data type: string
    Default value: *
    Description: The comma or space separated list of file name patterns to include in the search results (default: *).
  - Attribute name: scanInterval
    Data type: A period of time with millisecond precision
    Default value: 0
    Description: Scanning interval to check the fileset for changes as a long with a time unit suffix h-hour, m-minute, s-second, ms-millisecond (e.g. 2ms or 5s). Disabled (scanInterval=0) by default. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
- library > folder
Description: Id of referenced folder
Required: false
Data type:
  - Attribute name: dir
    Data type: Path to a directory
    Description: Directory or folder to be included in the library classpath for locating resource files
- netscapeLdapFilterProperties
- Default Netscape Directory Server LDAP filters.
  - Attribute name: groupFilter
    Data type: string
    Default value: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
    Description: An LDAP filter clause for searching the user registry for groups.
  - Attribute name: groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  - Attribute name: groupMemberIdMap
    Data type: string
    Default value: groupOfNames:member;groupOfUniqueNames:uniqueMember
    Description: An LDAP filter that identifies user-to-group memberships.
  - Attribute name: id
    Data type: string
    Description: A unique configuration ID.
  - Attribute name: userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=inetOrgPerson))
    Description: An LDAP filter clause for searching the user registry for users.
  - Attribute name: userIdMap
    Data type: string
    Default value: inetOrgPerson:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
- securewayLdapFilterProperties
- Default IBM SecureWay Directory Server LDAP filters.
  - Attribute name: groupFilter
    Data type: string
    Default value: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
    Description: An LDAP filter clause for searching the user registry for groups.
  - Attribute name: groupIdMap
    Data type: string
    Default value: *:cn
    Description: An LDAP filter that maps the name of a group to an LDAP entry.
  - Attribute name: groupMemberIdMap
    Data type: string
    Default value: groupOfNames:member;groupOfUniqueNames:uniqueMember
    Description: An LDAP filter that identifies user-to-group memberships.
  - Attribute name: id
    Data type: string
    Description: A unique configuration ID.
  - Attribute name: userFilter
    Data type: string
    Default value: (&(uid=%v)(objectclass=ePerson))
    Description: An LDAP filter clause for searching the user registry for users.
  - Attribute name: userIdMap
    Data type: string
    Default value: *:uid
    Description: An LDAP filter that maps the name of a user to an LDAP entry.
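The userFilter and groupFilter defaults listed above are templates in which %v stands for the name being looked up. The following Python script is an added example, not Liberty's own code: it reads a filter from a constructed server.xml fragment (where the filter's & is written &amp;amp;), expands %v with RFC 4515 escaping, and checks that the supplied name cannot change the filter's structure. The function names are hypothetical, and the host, baseDN and ldapType values are sample values.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment; host, baseDN and ldapType are sample values.
# Inside an XML attribute the filter's "&" has to be written "&amp;".
SERVER_XML = """<server>
  <ldapRegistry id="ldap" host="ldap.example.com" port="636"
                baseDN="o=example" ldapType="IBM Tivoli Directory Server">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
                userIdMap="*:uid"/>
  </ldapRegistry>
</server>"""

# RFC 4515: characters that must appear as \XX inside an assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def load_filters(xml_text, element="idsFilters"):
    """Return the attributes of one filter element (hypothetical helper)."""
    node = ET.fromstring(xml_text).find(f"./ldapRegistry/{element}")
    if node is None:
        raise LookupError(f"no <{element}> under <ldapRegistry>")
    return dict(node.attrib)


def escape_value(value):
    """Escape a name so it can only ever be data inside a filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def expand(template, name):
    """Replace %v in a filter template with the escaped name."""
    if "%v" not in template:
        raise ValueError("filter template has no %v placeholder")
    return template.replace("%v", escape_value(name))


def shape(filter_text):
    """Nesting structure of a filter: its parentheses only."""
    return "".join(ch for ch in filter_text if ch in "()")


def same_shape(template, name):
    """True when substituting the name leaves the filter structure unchanged."""
    return shape(expand(template, name)) == shape(template)


if __name__ == "__main__":
    user_filter = load_filters(SERVER_XML)["userFilter"]
    for name in ("jdoe", "smith (ops)*"):
        print(expand(user_filter, name), same_shape(user_filter, name))
```

The same check applies to any custom filter written for customFilters: a template that loses its %v, or a name substituted without escaping, shows up as a changed shape.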