...
- Authentication
- Create
- Delete
- Get
- Schema
- ScriptOnConnector
- Search
- Sync (only with Sun Directory Server Enterprise Edition/ Oracle DSEE, RedHat 389 and OpenDS / OpenDJ)
- Test
- Update
- Validate
Configuration
The following table lists all the configuration properties you can specify when setting up the LDAP connector:
| Configuration Property | Required | Type | Default Value | Description |
|---|
| host | X | String |
|
| LDAP server on which to connect |
| port |
|
| int | 389 | TCP port on which to connect |
| ssl |
|
| boolean | false | Connect using SSL |
| failover |
| |
| An array of LDAP URLs specifying failover servers. If the connector cannot make a connection to the server specified in the host property, it will try connecting to these failover servers in the specified order. |
| principal |
|
| Distinguished name (DN) of the LDAP entry under to perform provisioning operations |
| credentials |
| |
| Password corresponding to the entry specified in the principal property |
| baseContexts | X | String |
|
| Base context DNs for provisioning operations. The connector ignores any entries outside these base contexts. |
| passwordAttribute |
|
| String | "userPassword" | Name of the LDAP attribute that holds the LDAP entry's password. This attribute is read and modified by password-change operations. |
| accountObjectClasses |
|
| String | { "top",
"person",
"organizationalPerson",
"inetOrgPerson" } | Object classes to which the ACCOUNT object class is mapped. |
| accountUserNameAttributes |
|
| String | { "cn", "uid" } | LDAP attributes to which the authentication user names are mapped. The connector uses this property search for the LDAP entry corresponding to the user name that is passed to an authentication operation. |
| accountSearchFilter |
|
| LDAP search filter for accounts. When searching for accounts, the connector only considers those accounts that match the specified filter. |
| groupMemberAttribute |
|
| String | "uniqueMember" | LDAP attribute that holds the member of LDAP static groups |
| groupObjectClasses |
|
| String | {"top", "groupOfUniqueNames"} | The group class or classes that will be used when creating new group objects in the LDAP tree. |
| groupNameAttributes |
|
| String | {"cn"} | Attribute or attributes which holds the group's name. |
| groupSearchFilter |
| |
| LDAP Filter for Retrieving Groups. |
| maintainLdapGroupMembership |
|
| boolean | false | Maintain LDAP group membership when renaming or deleting entries |
| maintainPosixGroupMembership |
|
| boolean | false | Maintain POSIX group membership when renaming or deleting entries |
| passwordHashAlgorithm |
| |
| Algorithm used to hash passwords. Valid values are "SHA", "SSHA", "MD5", and "SMD5". If you specify "SSHA" or "SMD5", the connector appends a random salt value to the password value before hashing. |
| respectResourcePasswordPolicyChangeAfterReset |
|
| boolean | false | Check for the Password Expired and Password Policy controls when binding |
| useBlocks |
|
| boolean | true | Use a block-based control for search operations, such as the Simple Paged Results or the Virtual List View (VLV) Index controls |
| blockSize |
|
| int | 100 | Block size to use with block-based controls. This property is meaningful only when theuseBlocks property is true. |
| usePagedResultControl |
|
| boolean | false | Use the Simple Paged Results control for search operations.
If false, the connector uses VLV Index control. This property is meaningful only when theuseBlocks property is true. |
| vlvSortAttribute |
|
| String | "uid" | LDAP attribute to use as the sort key when you are using the VLV Index control. This property is meaningful only when the useBlocks property is true and theusePagedResultControl property is false. |
| uidAttribute |
|
| String | "entryUUID" | LDAP attribute to use as the Uid connector attribute value |
| readSchema |
|
| boolean | true | If true, the connector will read the schema from the server. If false, the connector will provide a default schema based on the object classes in the configuration. This property must be true in order to use extended object classes. |
| baseContextsToSynchronize |
|
| Base context DNs to use for synchronization. The connector ignores any changes outside of these base contexts. |
| objectClassesToSynchronize |
|
| String | "inetOrgPerson" | LDAP object classes to synchronize. The connector ignores any changes if it cannot find any of the modified entry's object classes in this property. |
| attributesToSynchronize |
| |
| LDAP attributes to synchronize. The connector ignores changes to any LDAP attributes that are not specified in this property. |
| modifiersNamesToFilterOut |
| |
| Modifier DNs to filter out for synchronization. The connector ignores any changes made by an entry specified in this property. |
| accountSynchronizationFilter |
| |
| LDAP search filter used to filter out accounts from synchronization. The connector ignores changes to any accounts that do not match the filter specified in this property. |
| changeLogBlockSize |
|
| int | 100 | Block size to use when reading changes from the change log |
| changeNumberAttribute |
|
| String | "changeNumber" | LDAP attribute that holds the change number name in change log entries |
| filterWithOrInsteadOfAnd |
|
| boolean | false | Use an and filter instead of an or filter when searching for change log entries |
| removeLogEntryObjectClassFromFilter |
|
| boolean | true | Remove the condition that tests whether the object class of the change log entries ischangeLogEntry from the filter used to search for entries in the change log |
| synchronizePasswords |
|
| boolean | false | Synchronize passwords during synchronization. This property is only supported with Sun |
Directory Server Enterprise Edition| / Oracle DSEE, RedHat 389 and OpenDS / OpenDJ. |
| passwordAttributeToSynchronize |
| |
| LDAP attribute used to synchronize during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
| passwordDecryptionKey |
| |
| Decryption key used to decrypt passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
| passwordDecryptionInitializationVector |
|
| Initialization key used when decrypting passwords during password synchronization. This property is meaningful only when the synchronizePasswords property is true. |
| statusManagementClass |
| |
| Java class to be used to enable/disable identities.
Any custom implementation must extend org.identityconnectors.ldap.commons.StatusManagement in order to implement all the required methods to manage enable/disable requests. A couple of convenience implementations are provided: org.connid.bundles.ldap.commons.AttributeStatusManagement (< 1.4.0) / net.tirasa.connid.bundles.ldap.commons.AttributeStatusManagement (>= 1.4.0)
Uses the description attribute for storing Active / Inactive values; this is basically a sample class, meant for subclassing.org.connid.bundles.ldap.commons.NSStatusManagement (< 1.4.0) / net.tirasa.connid.bundles.ldap.commons.NSStatusManagement (>= 1.4.0)
Works on the nsAccountLock attribute; this is ready for usage with RedHat / Fedora 389 and Oracle DSEE.
|
| retrievePasswordsWithSearch |
|
| boolean | false | Whether to retrieve passwords when searching. |
...
Schema
The LDAP connector supports the following objectclasses:
- ACCOUNT objectclass: Mapped to the LDAP objectclasses specified in the accountObjectClasses configuration property. This objectclass has the following attributes:
| Attribute Name | Description |
|---|
| UID | Account unique id. Mapped to the LDAP attribute specified by uidAttribute configuration property. |
| NAME | DN of the LDAP entry. |
| PASSWORD | Account password. |
- GROUP objectclass: Mapped to the LDAP objectclass groupOfUniqueNames. This objectclass has the following attributes:
| Attribute Name | Description |
|---|
| UID | Group unique id. Mapped to the LDAP attribute specified by uidAttribute configuration property. |
| NAME | DN of the LDAP entry. |
...
Note:
The schema contents are not related to the connector's ability to handle LDAP objectclasses and attributes. Although LDAP objectclasses are not exposed as connector objectclasses, the connector can create, modify, etc., objects of any objectclass supported by the LDAP server.