LdapModule
Realm Operations
Resource path:
/realm-config/authentication/modules/ldap
Resource version: 1.0
create
Usage
am> create LdapModule --realm Realm --id id --body body
Parameters
- --id
  The unique identifier for the resource.
- --body
  The resource in JSON format, described by the following JSON schema:
{
  "type" : "object",
  "properties" : {
    "beheraPasswordPolicySupportEnabled" : {
      "title" : "LDAP Behera Password Policy Support",
      "description" : "Enables support for modern LDAP password policies.<br><br>LDAP Behera password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled, only the older Netscape VCHU password policy standard will be enforced.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "secondaryLdapServer" : {
      "title" : "Secondary LDAP Server",
      "description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will fail over to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "profileAttributeMappings" : {
      "title" : "User Creation Attributes",
      "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled, this feature allows a mapping between the attributes/values retrieved from the user's authenticated profile and the attributes/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is:<br/><br/><code>local attr1|external attr1</code>",
      "propertyOrder" : 1300,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "connectionHeartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "Bind User Password",
      "description" : "The password of the administration account.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "Bind User DN",
      "description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "primaryLdapServer" : {
      "title" : "Primary LDAP Server",
      "description" : "Use this list to set the primary LDAP server used for authentication.<br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched.</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched.</li></ul>",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "minimumPasswordLength" : {
      "title" : "Minimum Password Length",
      "description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls in the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "stopLdapbindAfterInmemoryLockedEnabled" : {
      "title" : "Stop LDAP Binds after in-memory lockout",
      "description" : "If enabled, further bind requests will not be sent to the LDAP server when the user is locked out using in-memory Account Lockout.",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "operationTimeout" : {
      "title" : "LDAP operations timeout",
      "description" : "Defines the timeout in seconds OpenAM should wait for a response from the Directory Server; <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection has become stale, OpenAM waits until operation timeouts from the OS or the JVM are applied. This setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied at the OpenAM level and the timeouts from the JVM or OS will apply.",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example, <code>(objectClass=person)</code> would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "returnUserDN" : {
      "title" : "Return User DN to DataStore",
      "description" : "Controls whether the DN or the username is returned as the authentication principal.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userSearchStartDN" : {
      "title" : "DN to Start User Search",
      "description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search. The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "connectionHeartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. A zero or negative value will disable heartbeat requests.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "openam-auth-ldap-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/>If 'LDAPS' is selected, the connection is secured via SSL or TLS.<br/>If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userSearchAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the search filter <code>uid=<i>user</i></code>; if there are multiple values such as uid and cn, the module will create a search filter as follows: <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "userProfileRetrievalAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "Enables an <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self-signed or invalid certificates (such as an invalid hostname).<br/><br/><i>NB </i>Use this feature with care, as it bypasses the normal certificate verification process.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}
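The schema above documents three list-entry formats (server entries that may be bound to one OpenAM server with "local server name | value", "local attr|external attr" profile mappings, and the way userSearchAttributes and userSearchFilter combine into the user search filter). The following is an added example written for this page, not amster or OpenAM code: it resolves the per-server entries for a given local server name, parses the attribute mappings, and composes the search filter. The host names and DNs are placeholders, escaping of the username is this example's own precaution (the page says nothing about how OpenAM treats the value), and the precedence it gives server-specific entries over generic ones is an assumption.

```python
"""Added example for the LdapModule schema: helpers for its list-entry formats
and the user search filter. Not amster or OpenAM code."""

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
# Escaping the username is this example's own precaution, not a statement
# about what OpenAM does internally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a username so it cannot inject filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_server_entries(entries: list[str], local_server_name: str) -> list[str]:
    """Return the primaryLdapServer / secondaryLdapServer / userSearchStartDN
    entries that apply to the OpenAM server named local_server_name.

    "host:port" (or a base DN) applies everywhere; "local server name | value"
    applies only to the named server and is dropped for any other server.
    Assumption of this example: server-specific entries are preferred when
    both kinds are present; the page does not state OpenAM's precedence.
    """
    generic, specific = [], []
    for entry in entries:
        name, sep, value = entry.partition("|")
        if sep:
            if name.strip() == local_server_name:
                specific.append(value.strip())
        else:
            generic.append(entry.strip())
    return specific or generic


def parse_attribute_mappings(entries: list[str]) -> dict[str, str]:
    """Turn profileAttributeMappings entries ("local attr|external attr")
    into {local attr: external attr}, rejecting malformed entries."""
    mapping = {}
    for entry in entries:
        local, sep, external = entry.partition("|")
        if not sep or not local.strip() or not external.strip():
            raise ValueError(f"malformed profileAttributeMappings entry: {entry!r}")
        mapping[local.strip()] = external.strip()
    return mapping


def build_user_search_filter(user: str, search_attributes: list[str], extra_filter: str = "") -> str:
    """Compose the filter the schema describes, always parenthesised:

        ["uid"]        -> (uid=user)
        ["uid", "cn"]  -> (|(uid=user)(cn=user))
        extra filter   -> (&(<above>)(objectClass=person))
    """
    if not search_attributes:
        raise ValueError("userSearchAttributes must list at least one attribute")
    safe_user = escape_filter_value(user)
    clauses = [f"({attr}={safe_user})" for attr in search_attributes]
    core = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    extra = extra_filter.strip()
    if not extra:
        return core
    if not extra.startswith("("):
        extra = f"({extra})"
    return f"(&{core}{extra})"


if __name__ == "__main__":
    # Constructed sample settings; host names and DNs are placeholders.
    settings = {
        "primaryLdapServer": ["ldap1.example.com:636", "openam2.example.com | ldap2.example.com:636"],
        "userSearchAttributes": ["uid", "mail"],
        "userSearchFilter": "(objectClass=person)",
        "profileAttributeMappings": ["cn|cn", "mail|mail"],
    }
    for server in ("openam1.example.com", "openam2.example.com"):
        print(server, "->", resolve_server_entries(settings["primaryLdapServer"], server))
    print(build_user_search_filter("alice", settings["userSearchAttributes"], settings["userSearchFilter"]))
    # A username carrying filter syntax is neutralised by the escaping.
    print(build_user_search_filter("*)(uid=admin", ["uid"]))
    print(parse_attribute_mappings(settings["profileAttributeMappings"]))
```

Run it directly to see the resolved entries for each server and the composed filters; the second filter call shows why the username must be escaped before it is placed in the filter.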
delete
Usage
am> delete LdapModule --realm Realm --id id
Parameters
- --id
  The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action LdapModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action LdapModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action LdapModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports the filter _queryFilter=true.
Usage
am> query LdapModule --realm Realm --filter filter
Parameters
- --filter
  A CREST formatted query filter, where "true" will query all.
read
Usage
am> read LdapModule --realm Realm --id id
Parameters
- --id
  The unique identifier for the resource.
update
Usage
am> update LdapModule --realm Realm --id id --body body
Parameters
- --id
  The unique identifier for the resource.
- --body
  The resource in JSON format, described by the following JSON schema:
{
  "type" : "object",
  "properties" : {
    "beheraPasswordPolicySupportEnabled" : {
      "title" : "LDAP Behera Password Policy Support",
      "description" : "Enables support for modern LDAP password policies.<br><br>LDAP Behera password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled, only the older Netscape VCHU password policy standard will be enforced.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "secondaryLdapServer" : {
      "title" : "Secondary LDAP Server",
      "description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will fail over to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "profileAttributeMappings" : {
      "title" : "User Creation Attributes",
      "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled, this feature allows a mapping between the attributes/values retrieved from the user's authenticated profile and the attributes/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is:<br/><br/><code>local attr1|external attr1</code>",
      "propertyOrder" : 1300,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "connectionHeartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "Bind User Password",
      "description" : "The password of the administration account.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "Bind User DN",
      "description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "primaryLdapServer" : {
      "title" : "Primary LDAP Server",
      "description" : "Use this list to set the primary LDAP server used for authentication.<br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched.</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched.</li></ul>",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "minimumPasswordLength" : {
      "title" : "Minimum Password Length",
      "description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls in the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "stopLdapbindAfterInmemoryLockedEnabled" : {
      "title" : "Stop LDAP Binds after in-memory lockout",
      "description" : "If enabled, further bind requests will not be sent to the LDAP server when the user is locked out using in-memory Account Lockout.",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "operationTimeout" : {
      "title" : "LDAP operations timeout",
      "description" : "Defines the timeout in seconds OpenAM should wait for a response from the Directory Server; <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection has become stale, OpenAM waits until operation timeouts from the OS or the JVM are applied. This setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied at the OpenAM level and the timeouts from the JVM or OS will apply.",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example, <code>(objectClass=person)</code> would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "returnUserDN" : {
      "title" : "Return User DN to DataStore",
      "description" : "Controls whether the DN or the username is returned as the authentication principal.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userSearchStartDN" : {
      "title" : "DN to Start User Search",
      "description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search. The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "connectionHeartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. A zero or negative value will disable heartbeat requests.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "openam-auth-ldap-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/>If 'LDAPS' is selected, the connection is secured via SSL or TLS.<br/>If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userSearchAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the search filter <code>uid=<i>user</i></code>; if there are multiple values such as uid and cn, the module will create a search filter as follows: <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : { "type" : "string" },
      "type" : "array",
      "exampleValue" : ""
    },
    "userProfileRetrievalAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "Enables an <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self-signed or invalid certificates (such as an invalid hostname).<br/><br/><i>NB </i>Use this feature with care, as it bypasses the normal certificate verification process.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}
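Several of the properties above carry a warning in their own description: the LDAP connection mode sends passwords in cleartext, trustAllServerCertificates bypasses certificate verification, cn=Directory Manager is not to be used as the bind DN in production, a zero or negative heartbeat interval disables heartbeats, and operationTimeout 0 leaves OpenAM with no timeout of its own. The following is an added example written for this page, not amster or OpenAM code: it lints a body before it is passed to update (or create), accepting either a realm body with the settings at top level or the global body, where the same settings sit under "defaults". The key names are taken from the schema; the severity labels, the sample bodies and their host names and DNs are this example's own.

```python
"""Added example for the LdapModule update/create body: flag the settings whose
schema descriptions warn about them. Not amster or OpenAM code."""
import json

# The three connection modes named in the schema, compared case-insensitively.
VALID_MODES = {"LDAP", "LDAPS", "STARTTLS"}


def module_settings(body: dict) -> dict:
    """Realm bodies hold the settings at top level; the global body nests
    them under "defaults". Return the flat settings dict either way."""
    return body["defaults"] if "defaults" in body else body


def audit_ldap_module(body: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing flagged.
    Severity labels are this example's judgement, not anything from the schema."""
    s = module_settings(body)
    findings = []

    mode = str(s.get("openam-auth-ldap-connection-mode", ""))
    if mode.upper() == "LDAP":
        findings.append(("HIGH", "openam-auth-ldap-connection-mode=LDAP: the bind password crosses the network in cleartext; use LDAPS or StartTLS"))
    elif mode.upper() not in VALID_MODES:
        findings.append(("HIGH", f"openam-auth-ldap-connection-mode={mode!r} is not LDAP, LDAPS or StartTLS"))

    if s.get("trustAllServerCertificates") is True:
        findings.append(("HIGH", "trustAllServerCertificates=true: certificate verification is bypassed, so the TLS connection can be intercepted"))

    if str(s.get("userBindDN", "")).strip().lower() == "cn=directory manager":
        findings.append(("MEDIUM", "userBindDN is cn=Directory Manager, which the schema says not to use in production; bind with a least-privilege service account"))

    if s.get("stopLdapbindAfterInmemoryLockedEnabled") is False:
        findings.append(("LOW", "stopLdapbindAfterInmemoryLockedEnabled=false: binds for users already locked out in memory are still sent to the directory"))

    interval = s.get("connectionHeartbeatInterval")
    if isinstance(interval, int) and interval <= 0:
        findings.append(("LOW", "connectionHeartbeatInterval<=0: heartbeats are disabled, so a dead connection is only noticed when a login fails"))

    if s.get("operationTimeout") == 0:
        findings.append(("LOW", "operationTimeout=0: OpenAM applies no timeout of its own; a hung directory holds the login until the JVM or OS gives up"))

    return findings


# Constructed sample bodies; host names and DNs are placeholders.
WEAK_BODY = {
    "primaryLdapServer": ["ldap.example.com:389"],
    "openam-auth-ldap-connection-mode": "LDAP",
    "trustAllServerCertificates": True,
    "userBindDN": "cn=Directory Manager",
    "stopLdapbindAfterInmemoryLockedEnabled": False,
    "connectionHeartbeatInterval": 0,
    "operationTimeout": 0,
}

HARDENED_BODY = {
    "primaryLdapServer": ["ldap.example.com:636"],
    "openam-auth-ldap-connection-mode": "LDAPS",
    "trustAllServerCertificates": False,
    "userBindDN": "cn=openam-auth,ou=service-accounts,dc=example,dc=com",
    "stopLdapbindAfterInmemoryLockedEnabled": True,
    "connectionHeartbeatInterval": 10,
    "operationTimeout": 15,
}


if __name__ == "__main__":
    cases = (("weak", WEAK_BODY), ("hardened", HARDENED_BODY), ("global defaults", {"defaults": WEAK_BODY}))
    for name, body in cases:
        print(f"== {name}")
        for severity, message in audit_ldap_module(body) or [("OK", "nothing flagged")]:
            print(f"  [{severity}] {message}")
    # The hardened settings as they would be handed to --body.
    print(json.dumps(HARDENED_BODY, indent=2))
```

Run the audit on the JSON returned by read LdapModule before and after an update so that a change to the connection mode or trust setting shows up as a new finding rather than being noticed at the next incident.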
Global Operations
Resource path:
/global-config/authentication/modules/ldap
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action LdapModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action LdapModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action LdapModule --global --actionName nextdescendents
update
Usage
am> update LdapModule --global --body body
Parameters
- --body
  The resource in JSON format, described by the following JSON schema:
{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "userBindDN" : {
          "title" : "Bind User DN",
          "description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userSearchStartDN" : {
          "title" : "DN to Start User Search",
          "description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search. The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : { "type" : "string" },
          "type" : "array",
          "exampleValue" : ""
        },
        "stopLdapbindAfterInmemoryLockedEnabled" : {
          "title" : "Stop LDAP Binds after in-memory lockout",
          "description" : "If enabled, further bind requests will not be sent to the LDAP server when the user is locked out using in-memory Account Lockout.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "minimumPasswordLength" : {
          "title" : "Minimum Password Length",
          "description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls in the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userSearchFilter" : {
          "title" : "User Search Filter",
          "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example, <code>(objectClass=person)</code> would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userSearchAttributes" : {
          "title" : "Attributes Used to Search for a User to be Authenticated",
          "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the search filter <code>uid=<i>user</i></code>; if there are multiple values such as uid and cn, the module will create a search filter as follows: <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
          "propertyOrder" : 700,
          "required" : true,
          "items" : { "type" : "string" },
          "type" : "array",
          "exampleValue" : ""
        },
        "beheraPasswordPolicySupportEnabled" : {
          "title" : "LDAP Behera Password Policy Support",
          "description" : "Enables support for modern LDAP password policies.<br><br>LDAP Behera password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled, only the older Netscape VCHU password policy standard will be enforced.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "userProfileRetrievalAttribute" : {
          "title" : "Attribute Used to Retrieve User Profile",
          "description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "trustAllServerCertificates" : {
          "title" : "Trust All Server Certificates",
          "description" : "Enables an <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self-signed or invalid certificates (such as an invalid hostname).<br/><br/><i>NB </i>Use this feature with care, as it bypasses the normal certificate verification process.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "primaryLdapServer" : {
          "title" : "Primary LDAP Server",
          "description" : "Use this list to set the primary LDAP server used for authentication.<br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 100,
          "required" : true,
          "items" : { "type" : "string" },
          "type" : "array",
          "exampleValue" : ""
        },
        "openam-auth-ldap-connection-mode" : {
          "title" : "LDAP Connection Mode",
          "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/>If 'LDAPS' is selected, the connection is secured via SSL or TLS.<br/>If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "secondaryLdapServer" : {
          "title" : "Secondary LDAP Server",
          "description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will fail over to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 200,
          "required" : true,
          "items" : { "type" : "string" },
          "type" : "array",
          "exampleValue" : ""
        },
        "searchScope" : {
          "title" : "Search Scope",
          "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched.</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched.</li></ul>",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "profileAttributeMappings" : {
          "title" : "User Creation Attributes",
          "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled, this feature allows a mapping between the attributes/values retrieved from the user's authenticated profile and the attributes/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is:<br/><br/><code>local attr1|external attr1</code>",
          "propertyOrder" : 1300,
          "required" : true,
          "items" : { "type" : "string" },
          "type" : "array",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "userBindPassword" : {
          "title" : "Bind User Password",
          "description" : "The password of the administration account.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "returnUserDN" : {
          "title" : "Return User DN to DataStore",
          "description" : "Controls whether the DN or the username is returned as the authentication principal.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "connectionHeartbeatTimeUnit" : {
          "title" : "LDAP Connection Heartbeat Time Unit",
          "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
          "propertyOrder" : 1800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "connectionHeartbeatInterval" : {
          "title" : "LDAP Connection Heartbeat Interval",
          "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. A zero or negative value will disable heartbeat requests.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "operationTimeout" : {
          "title" : "LDAP operations timeout",
          "description" : "Defines the timeout in seconds OpenAM should wait for a response from the Directory Server; <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection has become stale, OpenAM waits until operation timeouts from the OS or the JVM are applied. This setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied at the OpenAM level and the timeouts from the JVM or OS will apply.",
          "propertyOrder" : 1900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}