Configuring the LDAP provider

Unwired Accelerator LDAP support includes authentication, attribution, and authorization services. The LDAP provider authenticates users when they log in using credentials that can be validated on the LDAP server.

Table A-1 defines the options that you can use to configure the authentication provider. Enable any of the options by adding the option name and value to csi.xml. You must add new option definitions within the authenticationProvider definition; that is, between the following two lines:

<config:authenticationProvider name="com.sybase.security.ldap.LDAPLoginModule">
...
</config:authenticationProvider>

Table A-1: LDAP configuration options

Configuration option

Default value

Description

AllowSelfRegistrationAndManagement

true

Controls whether or not this LDAP configuration will permit self-registration and self-management requests through a configured LDAP attributer.

AuthenticationFilter

Most LDAP servers: (&(uid={uid})(objectclass=person))

Microsoft Active Directory: (&(userPrincipalName={uid})(objectclass=user))

Filter to use when authenticating users. When performing a user name/password-based authentication, this filter is used to determine the LDAP entry that matches the supplied user name. The string "{uid}" in the filter is replaced with the user name.

The second default value is designed for Microsoft Active Directory. This allows users to authenticate using their e-mail address. To allow users to authenticate using the Windows user name, set this filter to:

"(&(sAMAccountName={uid})(objectclass=user))"

AuthenticationMethod

simple

Authentication method to use for all LDAP authentication requests. The supported methods are:

  • "simple" – clear text authentication.

  • "DIGEST-MD5" – more secure, hashed password authentication. Passwords must be stored in plain text on your LDAP server, and you must use JRE 1.4 or later.

AuthenticationScope

onelevel

Set this option to either "onelevel" or "subtree." If set to "onelevel," only the AuthenticationSearchBase is searched for user records; if set to "subtree," the AuthenticationSearchBase and its subtree are searched.

AuthenticationSearchBase

The location of user records. If not specified, the DefaultSearchBase is used.

BindDN

None

The DN to which to bind when creating the initial LDAP connection. This DN must identify a user who has "read" capability on all records that are accessed when users authenticate using the login module. This property also defines the credentials that are used to perform anonymous attribution operations when LDAP authentication has not occurred.

If you do not specify this property, anonymous binding is used, which works on most servers.

BindPassword

The password used to bind when creating the initial LDAP connection. Specify a bind password only when the BindDN property is specified.

CertificateAttributes

Comma-separated list of attributes in the certificate used to authenticate the user instead of the certificate binary.

CertificateAuthenticationFilter

Most LDAP servers:

(&({certattr}={0})(objectclass=person))

Microsoft Active Directory:

(&({certattr}={0})(objectclass=user))

The filter used when authenticating a certificate user. The filter determines the LDAP entry that matches the supplied certificate encoded form. If the certificate attribute mapping is not defined, {certattr} is replaced with the LDAP certificate attribute name (userCertificate) and {0} is replaced with the encoded certificate binary.

If certificate attribute mapping is defined and the certificate contains a specified attribute, its value replaces {0} and the corresponding LDAP attribute name defined in the mapping replaces {certattr}.
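The AuthenticationFilter and CertificateAuthenticationFilter entries above both describe a template whose placeholders ({uid}, {certattr}, {0}) are replaced at login time. The following added example (not code from the Unwired Accelerator product) shows how such a template should be expanded safely: a user-supplied value is escaped per RFC 4515 so it is matched as literal text, an attribute name taken from configuration is validated as a name, and the finished filter is checked for balanced parentheses before use. The filter templates are the table's defaults; the helper and function names are assumptions.

```python
import re

# Simplified RFC 4512 attribute description: letter, then letters/digits/hyphens.
_ATTR_NAME = re.compile(r'^[A-Za-z][A-Za-z0-9-]*$')

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':            # the characters that change filter structure
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def balanced(filter_str: str) -> bool:
    """True if every '(' has a matching ')'. Escaped parentheses are \\28/\\29, so they do not count."""
    depth = 0
    for ch in filter_str:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0

def expand_filter(template: str, values: dict, attrs: dict = None) -> str:
    """Expand {name} placeholders in a filter template.

    `attrs` holds attribute names that come from configuration (e.g. {certattr}
    from the certificate attribute mapping) and are validated as names;
    `values` holds data supplied at login ({uid}, {0}) and is escaped.
    """
    result = template
    for name, attr in (attrs or {}).items():
        if not _ATTR_NAME.match(attr):
            raise ValueError('invalid attribute name: %r' % attr)
        result = result.replace('{' + name + '}', attr)
    for name, value in values.items():
        result = result.replace('{' + name + '}', escape_filter_value(value))
    if not balanced(result):
        raise ValueError('unbalanced parentheses in filter: ' + result)
    return result

# Default templates from Table A-1.
UID_FILTER = '(&(uid={uid})(objectclass=person))'
AD_UPN_FILTER = '(&(userPrincipalName={uid})(objectclass=user))'
CERT_FILTER = '(&({certattr}={0})(objectclass=person))'
```

A user name containing filter metacharacters comes out as escaped hex (for example "*" becomes "\2a"), so it can only ever match an entry whose uid literally contains those characters.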

DefaultSearchBase

None

The search base used if no other LDAP search base is specified for authentication, roles, or attribution. Use either of the following two syntax options, and verify that the syntax you choose matches what is configured on the LDAP server:

dc=<domain_name>,dc=<top_level_domain>
o=<company_name>,c=<country_code>

For example, for a machine in the Sybase organization, the previous two syntax options map to:

dc=sybase,dc=com
o=Sybase,c=us

DigestMD5AuthenticationFormat

DN

The DIGEST-MD5 bind authentication identity format. The value is set to Username for OpenLDAP server.

EnableCertificateAuthentication

false

Enables or disables certificate authentication in addition to the user name/password authentication.

InitialContextFactory

com.sun.jndi.ldap.LdapCtxFactory

Specifies the JNDI provider to use. If you are using a Sun Java VM version 1.3 or later, the default value should work. If you are using an IBM or other third-party VM, adjust this value accordingly.

ldapAttributes

Comma-separated list of attributes that map to the certificate attributes specified to be used to select the LDAP entry that matches the value in the certificate.

ProviderURL

ldap://localhost:389

The URL to connect to the LDAP server. The default value should work if the LDAP server is located on the same machine as the portal and listens on port 389.

The format of this parameter is ldap://<hostname>:<port>.

Referral

ignore

Specifies how to handle a referral. The valid values are "follow," "ignore," and "throw."

RoleFilter

SunONE: (&(objectclass=ldapsubentry)(objectclass=nsroledefinition))

Netscape Directory Server: (|(objectclass=groupofnames)(objectclass=groupofuniquenames))

Microsoft Active Directory: (|(objectclass=groupofnames)(objectclass=group))

The role filter, which when used with the RoleSearchBase and RoleScope, returns the complete list of roles from the LDAP server.

RoleMemberAttributes

Netscape Directory Server: member,uniquemember

A comma-delimited list of one or more role attributes that define the DNs for users who have the role. The DNs are used to determine which roles the user has. You may want to set RoleMemberAttributes if you use LDAP groups as placeholders for roles.

Note: The default value applies only to Netscape Directory Server; other servers do not have a default value.

RoleNameAttribute

cn

The attribute that identifies the common names of roles. If the role name attribute value is "dn," the role name is assumed to be the full DN of the role.

RoleScope

onelevel

Can be set to either onelevel or subtree. If set to onelevel, only the RoleSearchBase is used to search for roles; if set to subtree, the RoleSearchBase and its subtree are searched.

RoleSearchBase

The search base used to retrieve a list of roles. If not specified, the DefaultSearchBase is used.

SelfRegistrationSearchBase

The search base used to retrieve the list of self-registered users. If not specified, the DefaultSearchBase is used.

SecurityProtocol

Specifies the protocol to use when connecting to the LDAP server. If you are using the SSL protocol, set the SecurityProtocol to "ssl" instead of "ldap" in the URL. Active Directory requires the use of the SSL protocol when setting the value for the password attribute. This occurs when creating a user or updating the password of an existing user.

ServerType

None

The type of LDAP server you are connecting to. Supported server types are:

ServerType does not require a value, but if one is provided, it establishes default values for the following configuration properties:

  • AuthenticationFilter

  • RoleFilter

  • RoleMemberAttributes

  • UserRoleMembershipAttributes

  • DigestMD5AuthenticationFormat

  • UseUserAccountControlAttribute

UnmappedAttributePrefix

LDAP

Prefix assigned to unmapped LDAP attributes when moving them into the CSI attribute namespace. A period (.) is appended to the specified value, followed by the LDAP attribute name. For example, the employeeNumber attribute will be converted to LDAP.employeeNumber.

Specify a blank value to map LDAP attributes directly into the CSI attribute namespace with no prefix.

UseUserAccountControlAttribute

false (true when ServerType is set to msad2k)

Specifies that the UserAccountControl attribute should be used for detecting disabled user accounts, account expiration, password expiration, and so on. Microsoft Active Directory uses this attribute to store the above information.

UseUserCredentialsToBind

false

Enables the LDAP attributer to use the stored user credentials to bind to the LDAP server for self-update operations. If this is set to true, the login module configuration should be such that the user credentials are saved and available to the LDAP attributer.

UserFreeformRoleMembershipAttributes

The "free-form" role membership attribute list. Users who have attributes in this comma-delimited list are automatically granted access to roles whose names match the attribute value. For example, if the value of this property is "department" and the user's LDAP record has the values "sales" and "consulting" for the department attribute, then the user is granted roles whose names are "sales" and "consulting."

If you are using a SunONE Directory Server 5, set up the above example as follows:

  1. From the LDAP Administration console's Generic Editor, add a multi-value attribute called department for the user.

  2. Highlight "department," click Add Value, and enter sales.

  3. Click Add Value again, and enter consulting.

UserRoleMembershipAttributes

SunONE: nsRoleDN

Microsoft Active Directory: memberOf

Defines a user attribute to store the list of role DNs for all the roles a user has been granted. These role DNs are cross-referenced against the roles retrieved using the RoleSearchBase and RoleFilter to get a complete list of a user’s roles.

Note: For servers other than SunONE and Microsoft Active Directory, there is no default value.
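The role options in Table A-1 (RoleMemberAttributes, RoleNameAttribute, UserRoleMembershipAttributes and UserFreeformRoleMembershipAttributes) combine into one role list for a user. The following added example (not code from the Unwired Accelerator product) implements that combination over directory entries constructed inline as dicts of attribute name to list of values; note that a DN stored on the user only counts when it matches a role returned by the RoleSearchBase/RoleFilter search. The function and sample names are assumptions.

```python
def normalize_dn(dn: str) -> str:
    # DNs match case-insensitively; trimming spaces around commas is a
    # simplification of full RFC 4517 DN matching.
    return ','.join(part.strip() for part in dn.split(',')).lower()

def resolve_roles(user_dn, user_entry, role_entries,
                  role_name_attribute='cn',
                  role_member_attributes=('member', 'uniquemember'),
                  user_role_membership_attribute='memberOf',
                  freeform_attributes=('department',)):
    """Return the set of role names granted to the user."""
    roles = set()
    roles_by_dn = {normalize_dn(r['dn']): r for r in role_entries}

    def role_name(role):
        if role_name_attribute == 'dn':          # RoleNameAttribute "dn": use the full DN
            return role['dn']
        return role[role_name_attribute][0]

    # RoleMemberAttributes: role entries that list the user's DN as a member.
    for role in role_entries:
        for attr in role_member_attributes:
            if any(normalize_dn(m) == normalize_dn(user_dn) for m in role.get(attr, [])):
                roles.add(role_name(role))

    # UserRoleMembershipAttributes: DNs stored on the user, cross-referenced
    # against the roles found by RoleSearchBase/RoleFilter; unknown DNs are ignored.
    for dn in user_entry.get(user_role_membership_attribute, []):
        role = roles_by_dn.get(normalize_dn(dn))
        if role is not None:
            roles.add(role_name(role))

    # UserFreeformRoleMembershipAttributes: each attribute value is itself a role name.
    for attr in freeform_attributes:
        roles.update(user_entry.get(attr, []))
    return roles

# Constructed sample directory data (not from any real directory).
USER_DN = 'uid=jdoe,ou=people,dc=example,dc=com'
USER = {'uid': ['jdoe'],
        'memberOf': ['CN=sales, OU=roles, DC=example, DC=com',   # differs only in case/spacing
                     'cn=ops,ou=other,dc=example,dc=com'],       # not a role entry: ignored
        'department': ['consulting']}
ROLES = [
    {'dn': 'cn=sales,ou=roles,dc=example,dc=com', 'cn': ['sales'],
     'member': ['uid=jdoe,ou=people,dc=example,dc=com']},
    {'dn': 'cn=admins,ou=roles,dc=example,dc=com', 'cn': ['admins'],
     'uniquemember': ['uid=root,ou=people,dc=example,dc=com']},
]
```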