LDAP
These properties are required when com.unraveldata.login.mode=ldap.
Property | Description | Set by user | Unit | Default |
---|---|---|---|---|
com.unraveldata.ldap.ids | Colon-separated list of LDAP servers (internal IDs). If this property is not defined, the default value is used. | | ColSL | default_ldap_id |
com.unraveldata.ldap.default.id | The default LDAP server, taken from the com.unraveldata.ldap.ids list. If this property is not defined, the first server in com.unraveldata.ldap.ids is used. | | string | |
com.unraveldata.login.groupFilter | Comma-separated list of LDAP group names (short names, not full DNs). If you want LDAP admins, you must define at least one group of admins. See Role Types and Configuring Role-based Access Control (RBAC). Example: secs-lab-admins,secs-lab-users | | CSL | |
com.unraveldata.login.userFilter | Comma-separated list of LDAP user names (short names, not full DNs). | | string | - |
The following LDAP properties can be specified in two ways:
Generic: use the generic form when the same value applies to all LDAP servers.
LDAP specific: use the LDAP-specific form when a particular LDAP server needs a different value; the property name then carries the LDAP ID, which is the name of that LDAP server.
Note
<ldap_id> is one of the values in the com.unraveldata.ldap.ids list.
For example:
    com.unraveldata.ldap.ids=unraveldata.com,adobenet.com,example.com
    com.unraveldata.ldap.default.id=unraveldata.com
    com.unraveldata.ldap.base.dn=DC=unraveldata,DC=com
    com.unraveldata.ldap.adobenet.com.base.dn=DC=adobenet,DC=com
In this example:
List of LDAP servers: unraveldata.com,adobenet.com,example.com
Generic base DN (applies to every server without its own value): DC=unraveldata,DC=com
LDAP-specific base DN for the server adobenet.com: DC=adobenet,DC=com
Generic | LDAP specific | Description | Set by user | Unit | Default |
---|---|---|---|---|---|
com.unraveldata.ldap.base.dn | com.unraveldata.ldap.<ldap_id>.base.dn | LDAP base DN. If a custom LDAP query is applied, use your rootDN value. Needed for OpenLDAP. See com.unraveldata.ldap.user.dn.pattern below for an alternative. | | string | - |
com.unraveldata.ldap.bind.dn | com.unraveldata.ldap.<ldap_id>.bind.dn | DN of the LDAP account Unravel binds as to search under the base DN. Used only together with base DN. | | string | - |
com.unraveldata.ldap.bind.pw | com.unraveldata.ldap.<ldap_id>.bind.pw | Password of the account given as the bind DN. | | string | - |
com.unraveldata.ldap.group.class | com.unraveldata.ldap.<ldap_id>.group.class | LDAP attribute name on the group entry that is used in LDAP group searches. | | string | group |
com.unraveldata.ldap.group.dn.pattern | com.unraveldata.ldap.<ldap_id>.group.dn.pattern | Colon-separated list of patterns used to find DNs of group entries in this directory. Use %s where the group name is substituted. Each pattern must be fully qualified. | | string | - |
com.unraveldata.ldap.group.member.attr | com.unraveldata.ldap.<ldap_id>.group.member.attr | LDAP attribute name on the user entry that references a group the user belongs to. Default is member. | | string | member |
com.unraveldata.ldap.group.search.methods | com.unraveldata.ldap.<ldap_id>.group.search.methods | Ordered list of lookup methods used to resolve a user's LDAP groups. Allowed values are OID, member-of, and member, in any order. | | string | OID, member-of, member |
com.unraveldata.ldap.uid.attr | com.unraveldata.ldap.<ldap_id>.uid.attr | LDAP attribute whose values are unique in this LDAP server. Default is uid; not used when a custom query is specified. | | string | uid |
com.unraveldata.ldap.mail.attr | com.unraveldata.ldap.<ldap_id>.mail.attr | Name of the attribute in the LDAP response from which the Unravel server extracts the user's email address. If not configured, the attribute mail is used. | | string | mail |
com.unraveldata.ldap.real.uid.attr | com.unraveldata.ldap.<ldap_id>.real.uid.attr | Enables a secondary LDAP lookup. When the AD object does not carry an email address, Unravel performs a second lookup to retrieve the user's email address, which AutoActions uses when emailing the app owner. | | string | - |
com.unraveldata.ldap.user.dn.pattern | com.unraveldata.ldap.<ldap_id>.user.dn.pattern | Colon-separated list of patterns used to find DNs of users in this directory. Use %s where the user name is substituted. The patterns are used as the list of base DNs, and com.unraveldata.ldap.base.dn is ignored when this is set. | | string | - |
com.unraveldata.ldap.sAMAccountName.enabled | com.unraveldata.ldap.<ldap_id>.sAMAccountName.enabled | Whether the sAMAccountName attribute is included in the user search filter. | | boolean | true |
com.unraveldata.ldap.group.query.filter | com.unraveldata.ldap.<ldap_id>.group.query.filter | Valid LDAP filter that is added to the group query with the & operator. Example: (CN=test-group*) | | - | - |
com.unraveldata.ldap.url | com.unraveldata.ldap.<ldap_id>.url | URL of the LDAP server. The standard port is used if none is given. Example: ldap://host | | string | - |
com.unraveldata.ldap.custom.query.filter | com.unraveldata.ldap.<ldap_id>.custom.query.filter | Full LDAP query that the LDAP authentication provider executes against the LDAP server. If the query returns an empty result set, authentication fails; it succeeds if the user is part of the result set. When this property is set, the filtering and group properties are ignored. | | string | - |
com.unraveldata.ldap.domain | com.unraveldata.ldap.<ldap_id>.domain | The real domain name. | | string | - |
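The following Python script is an added example, not Unravel's own code. It takes the property names from the two tables above, applies the generic-versus-LDAP-specific lookup rule described in the "In this example" section (the key carrying the LDAP ID wins over the generic key, and default.id falls back to the first entry of ids), and builds the user DNs and search filters that user.dn.pattern, uid.attr, group.class, group.member.attr and group.query.filter describe. Everything about how those values are combined is an assumption of this example: the properties are read from a Java-style key=value file, group.class is matched as an objectClass value, and the values substituted for %s or placed in a filter are escaped per RFC 4514 and RFC 4515 so that a login name chosen by a user cannot change the structure of the DN or filter. The sample configuration is constructed.

```python
"""Added example (not Unravel's own code): resolve the LDAP properties from
the tables above and build the DNs and search filters they describe.
Assumed: Java-style key=value file, group.class used as an objectClass value,
group.query.filter AND-ed onto the group search as the table states."""
import re

PREFIX = "com.unraveldata.ldap."

# Constructed sample configuration, modelled on the example in the text.
SAMPLE_PROPERTIES = """
com.unraveldata.login.mode=ldap
com.unraveldata.ldap.ids=unraveldata.com,adobenet.com,example.com
com.unraveldata.ldap.default.id=unraveldata.com
com.unraveldata.ldap.base.dn=DC=unraveldata,DC=com
com.unraveldata.ldap.adobenet.com.base.dn=DC=adobenet,DC=com
com.unraveldata.ldap.uid.attr=uid
com.unraveldata.ldap.adobenet.com.uid.attr=sAMAccountName
com.unraveldata.ldap.group.query.filter=(CN=secs-lab-*)
com.unraveldata.ldap.user.dn.pattern=uid=%s,ou=people,DC=unraveldata,DC=com:uid=%s,ou=svc,DC=unraveldata,DC=com
"""


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the FIRST '=' only: DN values such as DC=x,DC=y contain '='.
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def ldap_ids(props):
    """The table says colon-separated while the worked example uses commas; accept both."""
    return [x for x in re.split(r"[:,]", props.get(PREFIX + "ids", "")) if x]


def default_ldap_id(props):
    """default.id if present, otherwise the first entry of ids (rule from the table)."""
    ids = ldap_ids(props)
    return props.get(PREFIX + "default.id") or (ids[0] if ids else None)


def resolve(props, ldap_id, name):
    """com.unraveldata.ldap.<ldap_id>.<name> wins over the generic com.unraveldata.ldap.<name>."""
    specific = props.get(f"{PREFIX}{ldap_id}.{name}")
    return specific if specific is not None else props.get(PREFIX + name)


def escape_filter_value(value):
    """RFC 4515 escaping: a login name cannot open or close filter groups or inject '*'."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into the %s of a DN pattern."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def user_dns(props, ldap_id, login):
    """Expand user.dn.pattern (colon-separated, %s = user name) into candidate user DNs."""
    pattern = resolve(props, ldap_id, "user.dn.pattern")
    if not pattern:
        return []
    return [p.replace("%s", escape_dn_value(login)) for p in pattern.split(":")]


def user_search_filter(props, ldap_id, login):
    """Search filter on the configured uid attribute (default uid, per the table)."""
    uid_attr = resolve(props, ldap_id, "uid.attr") or "uid"
    return f"({uid_attr}={escape_filter_value(login)})"


def group_search_filter(props, ldap_id, user_dn):
    """Group lookup via the member attribute, with group.query.filter AND-ed on when set."""
    group_class = resolve(props, ldap_id, "group.class") or "group"
    member_attr = resolve(props, ldap_id, "group.member.attr") or "member"
    base = f"(&(objectClass={group_class})({member_attr}={escape_filter_value(user_dn)}))"
    extra = resolve(props, ldap_id, "group.query.filter")
    return f"(&{base}{extra})" if extra else base


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    for sid in ldap_ids(cfg):
        print(sid, "base.dn =", resolve(cfg, sid, "base.dn"), "uid.attr =", resolve(cfg, sid, "uid.attr"))
    print(user_search_filter(cfg, "adobenet.com", "alice*)(cn=*"))
```

Running the script shows adobenet.com picking up its own base.dn and uid.attr while example.com falls back to the generic values, and the last line shows why the escaping matters: without it, the login name `alice*)(cn=*` would turn the user search into a wildcard match instead of a lookup of one account.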