LDAP
These properties are required when com.unraveldata.login.mode=ldap.
Property | Description | Set by user | Unit | Default |
---|---|---|---|---|
com.unraveldata.ldap.ids | A colon-separated list of LDAP servers (internal IDs). If this property is not defined, the default value is used. | | ColSL | default_ldap_id |
com.unraveldata.ldap.default.id | The default LDAP server from the com.unraveldata.ldap.ids list. If this property is not defined, the first LDAP server in com.unraveldata.ldap.ids is used. | | string | |
com.unraveldata.login.groupFilter | COMMA-separated list of LDAP group names (short names, not full DNs). If you want LDAP admins, you must define at least one group of admins. See Configuring Role-based Access Control (RBAC). Example: secs-lab-admins,secs-lab-users | | CSL | |
com.unraveldata.login.userFilter | COMMA-separated list of LDAP usernames (short names, not full DNs). | | string | - |
The following LDAP properties can be specified in two ways:
Generic: when the same value applies to all LDAP servers, set the generic property.
LDAP specific: when a specific LDAP server needs a different value, set the property with the LDAP ID, which is the name of that LDAP server.
Note
<ldap_id> is a value from the com.unraveldata.ldap.ids list.
For example:

```properties
com.unraveldata.ldap.ids=unraveldata.com,adobenet.com,example.com
com.unraveldata.ldap.default.id=unraveldata.com
com.unraveldata.ldap.base.dn=DC=unraveldata,DC=com
com.unraveldata.ldap.adobenet.com.base.dn=DC=adobenet,DC=com
```

In this example:
List of LDAP servers: unraveldata.com,adobenet.com,example.com
Generic method of specifying the base DN: DC=unraveldata,DC=com
LDAP-specific method of specifying the base DN for the LDAP server adobenet.com: DC=adobenet,DC=com
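The resolution order (server-specific key, then generic key, then the documented default) is easy to get wrong when server IDs themselves contain dots, as in the example above. The following Python is an added example, not Unravel's own code: it assumes only the property names and defaults listed on this page, and the parsing and precedence rules it implements are this example's own. It also flags keys under the LDAP prefix that refer to a server ID not present in com.unraveldata.ldap.ids, since such keys would otherwise be silently ignored and leave a server running with the generic settings.

```python
"""Resolve generic vs. LDAP-specific Unravel properties (added example)."""
import re

PREFIX = "com.unraveldata.ldap."

# Per-server property names documented on this page.
KNOWN = {
    "base.dn", "bind.dn", "bind.pw", "group.class", "group.dn.pattern",
    "group.member.attr", "group.search.methods", "uid.attr", "mail.attr",
    "real.uid.attr", "user.dn.pattern", "sAMAccountName.enabled",
    "group.query.filter", "url", "custom.query.filter", "domain",
}

# Defaults the page documents for the properties that have one.
DEFAULTS = {
    "group.class": "group",
    "group.member.attr": "member",
    "group.search.methods": "OID, member-of, member",
    "uid.attr": "uid",
    "mail.attr": "mail",
    "sAMAccountName.enabled": "true",
}

# Constructed sample: the page's example plus two extra keys, one of which
# names a server (contoso.com) that is NOT in the ids list.
SAMPLE = """\
com.unraveldata.ldap.ids=unraveldata.com,adobenet.com,example.com
com.unraveldata.ldap.default.id=unraveldata.com
com.unraveldata.ldap.base.dn=DC=unraveldata,DC=com
com.unraveldata.ldap.adobenet.com.base.dn=DC=adobenet,DC=com
com.unraveldata.ldap.example.com.uid.attr=sAMAccountName
com.unraveldata.ldap.contoso.com.base.dn=DC=contoso,DC=com
"""


def parse_properties(text):
    """Minimal key=value parser; '#' and '!' lines are comments.
    Only the first '=' separates key from value, so DN values keep theirs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ldap_ids(props):
    """Configured server IDs. The page documents the list as colon-separated
    but its example uses commas, so both separators are accepted here."""
    raw = props.get(PREFIX + "ids", "default_ldap_id")
    return [s.strip() for s in re.split(r"[:,]", raw) if s.strip()]


def default_ldap_id(props):
    """com.unraveldata.ldap.default.id, or the first ID in the list."""
    return props.get(PREFIX + "default.id", ldap_ids(props)[0])


def resolve(props, ldap_id, name):
    """Value of property `name` (e.g. 'base.dn') for server `ldap_id`:
    server-specific key wins, then the generic key, then the default."""
    if ldap_id not in ldap_ids(props):
        raise KeyError(f"{ldap_id!r} is not listed in {PREFIX}ids")
    specific = f"{PREFIX}{ldap_id}.{name}"
    generic = f"{PREFIX}{name}"
    if specific in props:
        return props[specific]
    if generic in props:
        return props[generic]
    return DEFAULTS.get(name)


def unrecognized_keys(props):
    """Keys under the LDAP prefix that are neither a generic property nor
    <id>.<property> for a configured ID. They are ignored by resolve(), so
    they usually mean a typo or an ID missing from the ids list."""
    ids = ldap_ids(props)
    bad = []
    for key in props:
        if not key.startswith(PREFIX):
            continue
        rest = key[len(PREFIX):]
        if rest in KNOWN or rest in ("ids", "default.id"):
            continue
        if any(rest == f"{i}.{n}" for i in ids for n in KNOWN):
            continue
        bad.append(key)
    return sorted(bad)


PROPS = parse_properties(SAMPLE)

if __name__ == "__main__":
    for server in ldap_ids(PROPS):
        print(server, resolve(PROPS, server, "base.dn"), resolve(PROPS, server, "uid.attr"))
    print("unrecognized:", unrecognized_keys(PROPS))
```

Because `resolve` builds the specific key from the known ID and property name rather than splitting the key on dots, an ID such as `adobenet.com` is handled without ambiguity; `unrecognized_keys` does the reverse check for the whole file.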
Generic | LDAP specific | Description | Set by user | Unit | Default |
---|---|---|---|---|---|
com.unraveldata.ldap.base.dn | com.unraveldata.ldap.<ldap_id>.base.dn | LDAP base DN; use your rootDN value if a custom LDAP query is applied. Needed for OpenLDAP. See also com.unraveldata.ldap.user.dn.pattern below as an alternative. | | string | - |
com.unraveldata.ldap.bind.dn | com.unraveldata.ldap.<ldap_id>.bind.dn | The LDAP bind DN is the login of an LDAP user that can access the base DN. Used only with the base DN. | | string | - |
com.unraveldata.ldap.bind.pw | com.unraveldata.ldap.<ldap_id>.bind.pw | Password for the user defined as the bind DN. | | string | - |
com.unraveldata.ldap.group.class | com.unraveldata.ldap.<ldap_id>.group.class | LDAP attribute name on the group entry that is used in LDAP group searches. | | string | group |
com.unraveldata.ldap.group.dn.pattern | com.unraveldata.ldap.<ldap_id>.group.dn.pattern | A COLON-separated list of patterns used to find DNs for group entities in this directory. Use %s where the actual group name is to be substituted. Each pattern should be fully qualified. | | string | - |
com.unraveldata.ldap.group.member.attr | com.unraveldata.ldap.<ldap_id>.group.member.attr | LDAP attribute name on the user entry that references a group the user belongs to. Default is 'member'. | | string | member |
com.unraveldata.ldap.group.search.methods | com.unraveldata.ldap.<ldap_id>.group.search.methods | The list and order of lookup methods for LDAP groups. Allowed values are OID, member-of, and member, in any order. | | string | OID, member-of, member |
com.unraveldata.ldap.uid.attr | com.unraveldata.ldap.<ldap_id>.uid.attr | LDAP attribute name whose values are unique in this LDAP server. Default is "uid"; not used when a custom query is specified. | | string | uid |
com.unraveldata.ldap.mail.attr | com.unraveldata.ldap.<ldap_id>.mail.attr | The attribute name in the LDAP response from which the Unravel server extracts the LDAP user's email address. If not configured, the Unravel server uses the attribute name "mail". | | string | |
com.unraveldata.ldap.real.uid.attr | com.unraveldata.ldap.<ldap_id>.real.uid.attr | Enables a secondary LDAP lookup. When the AD object does not have the email string available, Unravel performs a second lookup to retrieve the user's email address. AutoActions uses this email address when sending email to the app's owner. | | string | - |
com.unraveldata.ldap.user.dn.pattern | com.unraveldata.ldap.<ldap_id>.user.dn.pattern | A COLON-separated list of patterns used to find DNs for users in this directory. Use %s where the actual group name is to be substituted. This is used as a list of base DNs, and baseDN is ignored if this is set. | | string | - |
com.unraveldata.ldap.sAMAccountName.enabled | com.unraveldata.ldap.<ldap_id>.sAMAccountName.enabled | Whether the LDAP search attribute sAMAccountName is used in the user search filter. | | boolean | true |
com.unraveldata.ldap.group.query.filter | com.unraveldata.ldap.<ldap_id>.group.query.filter | Valid LDAP filter regex that can be added to your group query with the '&' operator. For example: (CN=test-group*) | | - | - |
com.unraveldata.ldap.url | com.unraveldata.ldap.<ldap_id>.url | The URL of the LDAP server. The standard port is used if unspecified. For example: ldap://host | | string | - |
com.unraveldata.ldap.custom.query.filter | com.unraveldata.ldap.<ldap_id>.custom.query.filter | A full LDAP query that the LDAP authentication provider executes against the LDAP server. If the query returns a null result set, the LDAP provider fails the authentication request; it succeeds if the user is part of the result set. If this property is set, the filtering and group properties are ignored. | | string | - |
com.unraveldata.ldap.domain | com.unraveldata.ldap.<ldap_id>.domain | The real domain name. | | string | - |
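Several of the properties above take a name supplied at login time and splice it into a DN (group.dn.pattern and user.dn.pattern via %s) or into a search filter (the user lookup on uid.attr / sAMAccountName, the group query with group.query.filter ANDed in). Whatever builds those strings must escape the substituted value, otherwise a username containing `,`, `)` or `*` changes the meaning of the DN or filter. The following Python is an added example, not Unravel's own code. The property semantics come from the page; the exact filter shapes Unravel uses are not documented here, so the shapes below (an OR over uid.attr and sAMAccountName for the user lookup, group.class matched as an objectClass value and group.member.attr compared against the user DN for the group lookup) are this example's assumptions.

```python
"""DN-pattern expansion and filter composition with escaping (added example)."""


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules):
    special characters, a leading '#', and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\', NUL and non-printable/non-ASCII bytes become \\XX."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b < 0x20 or b >= 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def expand_dn_patterns(patterns, name):
    """Split a COLON-separated %s pattern list (group.dn.pattern /
    user.dn.pattern) and substitute the DN-escaped name into each pattern."""
    safe = escape_dn_value(name)
    return [p.replace("%s", safe) for p in patterns.split(":") if p]


def user_search_filter(username, uid_attr="uid", sam_enabled=True):
    """User lookup filter: uid.attr, plus sAMAccountName when
    sAMAccountName.enabled is true (assumed shape, see lead-in)."""
    u = escape_filter_value(username)
    clauses = [f"({uid_attr}={u})"]
    if sam_enabled and uid_attr != "sAMAccountName":
        clauses.append(f"(sAMAccountName={u})")
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def group_search_filter(user_dn, group_class="group", member_attr="member",
                        query_filter=None):
    """Group lookup for the 'member' search method (assumed shape):
    group.class as objectClass, group.member.attr equal to the user's DN,
    and group.query.filter ANDed in verbatim because it is operator-supplied
    configuration rather than login-time input."""
    clauses = [
        f"(objectClass={escape_filter_value(group_class)})",
        f"({member_attr}={escape_filter_value(user_dn)})",
    ]
    if query_filter:
        clauses.append(query_filter)
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed inputs: a benign name and one that would break out of the
    # filter if it were spliced in unescaped.
    print(expand_dn_patterns("CN=%s,OU=Groups,DC=example,DC=com:CN=%s,OU=Teams,DC=example,DC=com",
                             "secs-lab-admins"))
    print(user_search_filter("jdoe"))
    print(user_search_filter("jdoe)(uid=*", sam_enabled=False))
    print(group_search_filter("CN=jdoe,OU=People,DC=example,DC=com",
                              query_filter="(CN=test-group*)"))
```

Note the asymmetry: the login-time username is always escaped, while group.query.filter is inserted as-is because it is configuration the operator wrote (the page's own example, `(CN=test-group*)`, relies on the unescaped wildcard).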