LDAP authentication validates users against an LDAP server. Use LDAP authentication to enable single sign-on across multiple applications. You must configure properties for Data Archive to use LDAP user authentication.
The conf.properties file includes the following LDAP properties:
authenticationMethod
Determines the type of user authentication.
If commented, the default is native user authentication. You maintain users in Data Archive.
If uncommented, the default is LDAP. You maintain users in the LDAP directory service and synchronize users to Data Archive.
ldap.attribute.email
Configures the LDAP attribute that supplies the email address, AM_USERS.EMAIL_ADDRESS.
Default is mail for Active Directory and Sun LDAP.
ldap.attribute.fullName
Configures the LDAP attribute that supplies the ILM full user name, AM_USERS.FULL_NAME.
Default is displayName for Active Directory. Default is uid for Sun LDAP.
ldap.attribute.groupclassname
Name of the LDAP directory service object class that you use to group members or security groups.
Default is group for Active Directory. Default is groupOfUniqueNames for Sun LDAP.
ldap.attribute.ismemberof
Name of the LDAP directory service attribute that indicates a user is a member of a group.
Default is memberOf for Active Directory. Default is isMemberOf for Sun LDAP.
ldap.attribute.member
Configures the LDAP attribute that lists the members of a group.
Default is member for Active Directory. Default is uniqueMember for Sun LDAP.
ldap.attribute.organizationName
Configures the LDAP attribute that supplies the organization name, AM_USERS.ORGANIZATION_NAME. Optional.
No default value. If you do not set this property, the organization name of the user is set to LDAP User.
ldap.attribute.userName
Configures the LDAP attribute that supplies the ILM user name, AM_USERS.USER_NAME.
Default is sAMAccountName for Active Directory. Default is uid for Sun LDAP.
ldap.pageSize
Restricts the number of entries returned in a single page of LDAP search results.
0. Paging is disabled.
Greater than 0. Paging is enabled. The value is the number of entries to return in a single page.
ldap.syncRoles
Determines where you maintain role assignments for users.
If commented, you maintain role assignments in the user account in Data Archive.
If uncommented, enables role assignment synchronization from the LDAP directory service to user accounts in Data Archive. You maintain role assignments for users in the LDAP directory service. When a user logs in to Data Archive, Data Archive reads the role assignments from the LDAP directory service and updates the role assignments in the user account in Data Archive.
If you uncomment the property, enter one of the following values:
False. Disables role assignment synchronization.
True. Enables role assignment synchronization.
Default is false.
ldap.useSSL
Determines whether Data Archive connects to the LDAP directory service through SSL.
Use one of the following values:
False. Disables SSL for the LDAP connection.
True. Enables SSL for the LDAP connection.
Default is false.
ldap.roleNamePrefix
Adds a user-defined custom prefix to the Data Archive-specific LDAP role names. If set, only roles that begin with the prefix are considered for LDAP role synchronization and role search.
For example, to add the prefix "GLOBAL_US_ILM-" to the LDAP role names, configure the property as follows:
ldap.roleNamePrefix=GLOBAL_US_ILM-
When you configure a custom prefix for LDAP roles, you must create the Data Archive-specific LDAP roles with that prefix, for example "GLOBAL_US_ILM-Administrator" for the Administrator role or "GLOBAL_US_ILM-Legal_Hold_User" for the Legal Hold User role. Data Archive removes the prefix when it compares LDAP roles to Data Archive roles. For example, a user who is a member of the LDAP group "GLOBAL_US_ILM-Legal_Hold_User" is assigned the Legal Hold User role in Data Archive.
You can specify multiple custom prefixes. Separate each prefix with a comma. For example:
ldap.roleNamePrefix=GLOBAL_US_ILM-,GLOBAL_US_DSG-
ldap.useRoleNamePrefixForNestedGroups
Determines whether nested group searches consider only groups that begin with the role name prefix.
Use one of the following values:
True. Nested group searches consider only groups that begin with the role name prefix.
False. Nested group searches consider all group names.
Default is true.
ldap.skipReferrals
Restricts LDAP searches for the roles assigned to a user to the user's domain component.
Use one of the following values:
True. Restricts LDAP searches for the roles assigned to a user to the user's domain component.
False. Disables the restriction.
Default is false.
ldap.ignoreRefErrors
If set to true, Data Archive ignores referral errors in LDAP role searches.
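The following Python script is an added example, not Informatica's code, that models how the properties above are read and how the ldap.roleNamePrefix and ldap.useRoleNamePrefixForNestedGroups rules decide which LDAP groups map to Data Archive roles. The sample conf.properties text, the nested-group graph, the role list and all function names are constructed for the example. Two readings are assumptions drawn from the page's examples: an underscore in a prefixed group name is compared as a space (so GLOBAL_US_ILM-Legal_Hold_User matches the Legal Hold User role), and with ldap.useRoleNamePrefixForNestedGroups set to true the nested search expands only groups that carry a prefix.

```python
# Added example (not Informatica Data Archive code): parse the LDAP block of a
# conf.properties file and apply the role-name prefix rules described above.
# Sample file, group graph, role names and function names are constructed.

SAMPLE_CONF = """\
# constructed sample conf.properties, not from a real deployment
#authenticationMethod=LDAP
ldap.syncRoles=true
ldap.useSSL=true
ldap.pageSize=500
ldap.roleNamePrefix=GLOBAL_US_ILM-,GLOBAL_US_DSG-
ldap.useRoleNamePrefixForNestedGroups=true
"""

# Data Archive roles assumed for the example (the page names only these two).
DATA_ARCHIVE_ROLES = {"Administrator", "Legal Hold User"}

# Constructed nested membership: group -> groups it is itself a member of.
GROUP_PARENTS = {
    "Team-East": ["GLOBAL_US_ILM-Legal_Hold_User"],
    "GLOBAL_US_DSG-Ops": ["GLOBAL_US_DSG-Administrator"],
}


def parse_properties(text):
    """Return {key: value} for uncommented key=value lines.
    A commented property ('#key=value') is absent, which is how
    conf.properties expresses 'use the default behaviour'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def authentication_mode(props):
    """'native' when authenticationMethod is commented, else its value."""
    return props.get("authenticationMethod", "native")


def sync_roles_enabled(props):
    """ldap.syncRoles: commented or 'false' leaves roles maintained in Data Archive."""
    return props.get("ldap.syncRoles", "false").lower() == "true"


def role_prefixes(props):
    """Comma-separated ldap.roleNamePrefix values; [] means no prefix filter."""
    raw = props.get("ldap.roleNamePrefix", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def ldap_group_to_role(group_name, prefixes, roles=DATA_ARCHIVE_ROLES):
    """Map one LDAP group to a Data Archive role name, or None.
    With prefixes configured only prefixed groups are considered and the
    prefix is stripped before comparison; without prefixes the name is
    compared as-is. Underscore-to-space normalization is an assumption."""
    candidate = group_name
    if prefixes:
        matching = [p for p in prefixes if group_name.startswith(p)]
        if not matching:
            return None
        candidate = group_name[len(matching[0]):]
    candidate = candidate.replace("_", " ")
    return candidate if candidate in roles else None


def expand_groups(direct_groups, parents, prefixes, use_prefix_for_nested):
    """Transitive group membership for the nested-group search.
    Assumption: with the flag true and prefixes set, only groups that begin
    with a prefix are expanded further; with it false every group is."""
    def expandable(g):
        return not (use_prefix_for_nested and prefixes) or \
            any(g.startswith(p) for p in prefixes)
    seen, stack = set(), list(direct_groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        if expandable(g):
            stack.extend(parents.get(g, []))
    return seen


def roles_for_user(props, direct_groups, parents=GROUP_PARENTS,
                   roles=DATA_ARCHIVE_ROLES):
    """Roles Data Archive would assign at login from the user's LDAP groups."""
    if not sync_roles_enabled(props):
        return set()  # role assignments stay as maintained in Data Archive
    prefixes = role_prefixes(props)
    nested_flag = props.get("ldap.useRoleNamePrefixForNestedGroups", "true")
    groups = expand_groups(direct_groups, parents, prefixes,
                           nested_flag.lower() == "true")
    return {r for r in (ldap_group_to_role(g, prefixes, roles) for g in groups) if r}


if __name__ == "__main__":
    conf = parse_properties(SAMPLE_CONF)
    print(authentication_mode(conf),
          roles_for_user(conf, ["Team-East", "GLOBAL_US_DSG-Ops"]))
```

Running the script with the sample file assigns only the Administrator role: Team-East carries no prefix, so with ldap.useRoleNamePrefixForNestedGroups left at true it is not expanded and the Legal Hold User role behind it is never reached. Flipping that property to false, or commenting out ldap.syncRoles, changes the result, which is a useful check when a user reports missing roles after an LDAP change.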