An authentication policy for users whose credentials are managed by a remote LDAP directory service.
Authentication attempts will be redirected to the remote LDAP directory service based on a combination of the criteria specified in this policy and the content of the user's entry in this directory server.
Basic Properties
cached-password-storage-scheme
Synopsis | Specifies the name of a password storage scheme which should be used for encoding cached passwords. |
Description | Changing the password storage scheme will cause all existing cached passwords to be discarded. |
Default Value | None |
Allowed Values | The name of an existing Password Storage Scheme. The referenced password storage schemes must be enabled. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
cached-password-ttl
Synopsis | Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service. |
Description | This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service. |
Default Value | 8 hours
|
Allowed Values | A duration. Lower limit: 0 seconds. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
connection-timeout
Synopsis | Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests. |
Description | If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available. |
Default Value | 3 seconds
|
Allowed Values | A duration. Lower limit: 0 milliseconds. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapped-attribute
Synopsis | Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. |
Description | At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy. |
Default Value | None |
Allowed Values | The name of an attribute type defined in the LDAP schema. |
Multi-valued | Yes |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapped-search-base-dn
Synopsis | Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. |
Description | If multiple values are given, searches are performed below all specified base DNs. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-valued | Yes |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapped-search-bind-dn
Synopsis | Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service. |
Default Value | Searches will be performed anonymously. |
Allowed Values | A valid DN. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapped-search-bind-password
Synopsis | Specifies the bind password which should be used to perform user searches in the remote LDAP directory service. |
Default Value | None |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapped-search-bind-password-environment-variable
Synopsis | Specifies the name of an environment variable containing the bind password which should be used to perform user searches in the remote LDAP directory service. |
Default Value | None |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapped-search-bind-password-file
Synopsis | Specifies the name of a file containing the bind password which should be used to perform user searches in the remote LDAP directory service. |
Default Value | None |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapped-search-bind-password-property
Synopsis | Specifies the name of a Java property containing the bind password which should be used to perform user searches in the remote LDAP directory service. |
Default Value | None |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapped-search-filter-template
Synopsis | If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute". |
Description | The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)". You can also use the filter to restrict search results. For example: "(&(uid=%s)(objectclass=student))" |
Default Value | None |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
mapping-policy
Synopsis | Specifies the mapping algorithm for obtaining the bind DN from the user's entry. |
Default Value | unmapped
|
Allowed Values | mapped-bind: Bind to the remote LDAP directory service using a DN obtained from an attribute in the user's entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used. mapped-search: Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user's entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union). unmapped: Bind to the remote LDAP directory service using the DN of the user's entry in this directory server. |
Multi-valued | No |
Required | Yes |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
primary-remote-ldap-server
Synopsis | Specifies the primary list of remote LDAP servers which should be used for pass through authentication. |
Description | If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined. |
Default Value | None |
Allowed Values | A host name followed by a ":" and a port number. |
Multi-valued | Yes |
Required | Yes |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
secondary-remote-ldap-server
Synopsis | Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. |
Description | If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available. |
Default Value | No secondary LDAP servers. |
Allowed Values | A host name followed by a ":" and a port number. |
Multi-valued | Yes |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
source-address
Synopsis | If specified, the server will bind to the address before connecting to the remote server. |
Description | The address must be one assigned to an existing network interface. |
Default Value | Let the server decide. |
Allowed Values | An IP address. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
trust-manager-provider
Synopsis | Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers. |
Default Value | By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted. |
Allowed Values | The name of an existing Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled. |
Multi-valued | No |
Required | No |
Admin Action Required | None Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations. |
Advanced | No |
Read-Only | No |
use-password-caching
Synopsis | Indicates whether passwords should be cached locally within the user's entry. |
Default Value | false
|
Allowed Values | true false |
Multi-valued | No |
Required | Yes |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
use-ssl
Synopsis | Indicates whether the LDAP Pass Through Authentication Policy should use SSL. |
Description | If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients. |
Default Value | false
|
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | The object must be disabled and re-enabled for changes to take effect. |
Advanced | No |
Read-Only | No |