LdapModule

Realm Operations

Resource path: /realm-config/authentication/modules/ldap

Resource version: 1.0

create

Usage:

am> create LdapModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "userSearchStartDN" : {
      "title" : "DN to Start User Search",
      "description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server, just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search. The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "primaryLdapServer" : {
      "title" : "Primary LDAP Server",
      "description" : "Use this list to set the primary LDAP server used for authentication.<br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "returnUserDN" : {
      "title" : "Return User DN to DataStore",
      "description" : "Controls whether the DN or the username is returned as the authentication principal.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "beheraPasswordPolicySupportEnabled" : {
      "title" : "LDAP Behera Password Policy Support",
      "description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userSearchAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the search filter <code>uid=<i>user</i></code>. If there are multiple values, such as uid and cn, the module will create a search filter as follows: <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "Bind User Password",
      "description" : "The password of the administration account.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "Bind User DN",
      "description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> is the directory root account and should not be used in production systems; use a dedicated account with only the privileges the module needs.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "minimumPasswordLength" : {
      "title" : "Minimum Password Length",
      "description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-auth-ldap-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "connectionHeartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "secondaryLdapServer" : {
      "title" : "Secondary LDAP Server",
      "description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will fail over to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userProfileRetrievalAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "operationTimeout" : {
      "title" : "LDAP operations timeout",
      "description" : "Defines the timeout in seconds OpenAM should wait for a response from the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection has become stale, OpenAM waits until operation timeouts from the OS or the JVM are applied. However, this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied at the OpenAM level and the timeouts from the JVM or OS will apply.",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "profileAttributeMappings" : {
      "title" : "User Creation Attributes",
      "description" : "Controls the mapping of local attributes to external attributes for dynamic profile creation.<br><br>If dynamic profile creation is enabled, this feature allows for a mapping between the attribute/values retrieved from the user's authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
      "propertyOrder" : 1300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "connectionHeartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. A zero or negative value disables heartbeat requests.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example, <code>(objectClass=person)</code> would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self-signed or invalid certificates (such as an invalid hostname).<br/><br/><i>NB </i>Use this feature with care: it bypasses the normal certificate verification process, so the identity of the LDAP server is not verified before the bind credentials and user passwords are sent to it.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

delete

Usage:

am> delete LdapModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action LdapModule --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action LdapModule --realm Realm --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action LdapModule --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query LdapModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage:

am> read LdapModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

update

Usage:

am> update LdapModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "userSearchStartDN" : {
      "title" : "DN to Start User Search",
      "description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server, just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search. The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "primaryLdapServer" : {
      "title" : "Primary LDAP Server",
      "description" : "Use this list to set the primary LDAP server used for authentication.<br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "returnUserDN" : {
      "title" : "Return User DN to DataStore",
      "description" : "Controls whether the DN or the username is returned as the authentication principal.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "beheraPasswordPolicySupportEnabled" : {
      "title" : "LDAP Behera Password Policy Support",
      "description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userSearchAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the search filter <code>uid=<i>user</i></code>. If there are multiple values, such as uid and cn, the module will create a search filter as follows: <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "Bind User Password",
      "description" : "The password of the administration account.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "Bind User DN",
      "description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> is the directory root account and should not be used in production systems; use a dedicated account with only the privileges the module needs.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "minimumPasswordLength" : {
      "title" : "Minimum Password Length",
      "description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-auth-ldap-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "connectionHeartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "secondaryLdapServer" : {
      "title" : "Secondary LDAP Server",
      "description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will fail over to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userProfileRetrievalAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "operationTimeout" : {
      "title" : "LDAP operations timeout",
      "description" : "Defines the timeout in seconds OpenAM should wait for a response from the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection has become stale, OpenAM waits until operation timeouts from the OS or the JVM are applied. However, this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied at the OpenAM level and the timeouts from the JVM or OS will apply.",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "profileAttributeMappings" : {
      "title" : "User Creation Attributes",
      "description" : "Controls the mapping of local attributes to external attributes for dynamic profile creation.<br><br>If dynamic profile creation is enabled, this feature allows for a mapping between the attribute/values retrieved from the user's authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
      "propertyOrder" : 1300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "connectionHeartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. A zero or negative value disables heartbeat requests.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example, <code>(objectClass=person)</code> would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self-signed or invalid certificates (such as an invalid hostname).<br/><br/><i>NB </i>Use this feature with care: it bypasses the normal certificate verification process, so the identity of the LDAP server is not verified before the bind credentials and user passwords are sent to it.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

Global Operations

Resource path: /global-config/authentication/modules/ldap

Resource version: 1.0

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action LdapModule --global --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action LdapModule --global --actionName getCreatableTypes

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action LdapModule --global --actionName nextdescendents

read

Usage:

am> read LdapModule --global

update

Usage:

am> update LdapModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "minimumPasswordLength" : {
          "title" : "Minimum Password Length",
          "description" : "Enforced when the user is resetting their password as part of the authentication.<br><br>If the user needs to reset their password as part of the authentication process, the authentication module can enforce a minimum password length. This is separate from any password length controls from the underlying LDAP server. If the external LDAP server password policy is enforcing password length, set this value to 0 to avoid confusion.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "openam-auth-ldap-connection-mode" : {
          "title" : "LDAP Connection Mode",
          "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using the StartTLS extended operation.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "searchScope" : {
          "title" : "Search Scope",
          "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "operationTimeout" : {
          "title" : "LDAP operations timeout",
          "description" : "Defines the timeout in seconds OpenAM should wait for a response from the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection has become stale, OpenAM waits until operation timeouts from the OS or the JVM are applied. However, this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied at the OpenAM level and the timeouts from the JVM or OS will apply.",
          "propertyOrder" : 1900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "userBindDN" : {
          "title" : "Bind User DN",
          "description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> is the directory root account and should not be used in production systems; use a dedicated account with only the privileges the module needs.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userProfileRetrievalAttribute" : {
          "title" : "Attribute Used to Retrieve User Profile",
          "description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userSearchAttributes" : {
          "title" : "Attributes Used to Search for a User to be Authenticated",
          "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the search filter <code>uid=<i>user</i></code>. If there are multiple values, such as uid and cn, the module will create a search filter as follows: <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
          "propertyOrder" : 700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "returnUserDN" : {
          "title" : "Return User DN to DataStore",
          "description" : "Controls whether the DN or the username is returned as the authentication principal.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "profileAttributeMappings" : {
          "title" : "User Creation Attributes",
          "description" : "Controls the mapping of local attributes to external attributes for dynamic profile creation.<br><br>If dynamic profile creation is enabled, this feature allows for a mapping between the attribute/values retrieved from the user's authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
          "propertyOrder" : 1300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "beheraPasswordPolicySupportEnabled" : {
          "title" : "LDAP Behera Password Policy Support",
          "description" : "Enables support for modern LDAP password policies<br><br>LDAP Behera Password policies are supported by modern LDAP servers such as OpenDJ. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "userBindPassword" : {
          "title" : "Bind User Password",
          "description" : "The password of the administration account.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "trustAllServerCertificates" : {
          "title" : "Trust All Server Certificates",
          "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self-signed or invalid certificates (such as an invalid hostname).<br/><br/><i>NB </i>Use this feature with care: it bypasses the normal certificate verification process, so the identity of the LDAP server is not verified before the bind credentials and user passwords are sent to it.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "connectionHeartbeatInterval" : {
          "title" : "LDAP Connection Heartbeat Interval",
          "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "secondaryLdapServer" : {
          "title" : "Secondary LDAP Server",
          "description" : "Use this list to set the secondary (failover) LDAP server used for authentication.<br><br>If the primary LDAP server fails, the LDAP authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 200,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "connectionHeartbeatTimeUnit" : {
          "title" : "LDAP Connection Heartbeat Time Unit",
          "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
          "propertyOrder" : 1800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "primaryLdapServer" : {
          "title" : "Primary LDAP Server",
          "description" : "Use this list to set the primary LDAP server used for authentication. <br><br>The LDAP authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "userSearchFilter" : {
          "title" : "User Search Filter",
          "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userSearchStartDN" : {
          "title" : "DN to Start User Search",
          "description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}