You can use the parameters provided here to configure the
LDAP Connector. Not all parameters are available or visible in all
modes.
- LDAP URL
- The LDAP URL for the connection (ldap://host:port).
- Login username
- The distinguished name used for authentication to the server.
- Login password
- The credentials (password).
- Search Base
- The search base to be used. Specify a distinguished name. Some
directories enable you to specify a blank string which defaults to
whatever the server is configured to do. Other directory services
require this to be a valid distinguished name in the directory. The
default value is "<o=orgname>".
- Search Filter
- The search filter to be used when iterating the directory. This
parameter is only used in Iterator mode, but is visible in all modes
to help with schema discovery.
The button marked "..."
to the right of the Search Filter field presents
a Link Criteria dialog where you can fill out a link criteria form
and generate the LDAP search filter.
Use the Add button
to add more rows to build your selection criteria. The Match
Any checkbox will generate an OR expression rather than
the default AND expression. Note that this is a one-way helper. Anything
you already have in the configuration will be replaced by the generated
expression.
- Search Scope
- This parameter is not used if the Connector is in AddOnly mode.
The possible values are:
- subtree
- Return entries on all levels from search base and below.
- onelevel
- Only return entries that are immediately below search base.
- baselevel
- Only return the entry specified by the search base.
The default value is subtree.
- Size Limit
- A search or iteration must return no more than this number of
Entries. 0 = no limit.
- Time Limit
- Searching for Entries must take no more than this number of seconds. 0
= no limit.
- Page Size
- If specified, the LDAP Connector tries to use paged mode search.
Paged mode causes the directory server to return a specific number
of entries (called pages) instead of all entries in one chunk. Not
all directory servers support this option. The default value is 0,
which indicates that paged mode is disabled.
- Sort Attribute
- A parameter to specify server side sorting. Does not work with
Netscape/iPlanet 4.2.
Note: Increases the strain on the server.
- Authentication Method
- Type of LDAP authentication. Can be one of the following:
- Anonymous - If this authentication method is set then the
server, to which a client is connected, does not know or care who
the client is. The server allows such clients to access data configured
for non-authenticated users. The Connector automatically specifies
this authentication method if no username is supplied. However, if
this type of authentication is chosen and Login username and Login
password are supplied, then the Connector automatically sets the
authentication method to Simple.
- Simple - using Login username and Login password.
Treated as anonymous if Login username and Login password are
not provided. Note that the Connector sends the fully qualified distinguished
name and the client password in cleartext, unless you configure the
Connector to communicate with the LDAP Server using the SSL protocol.
- CRAM-MD5 - This is one of the SASL authentication mechanisms.
On connection, the LDAP Server sends a challenge to the LDAP client
(that is, this Connector). The client answers with an HMAC-MD5 digest
of that challenge keyed with the password; the password itself never
crosses the wire. The LDAP Server recomputes the digest from the
password it holds and compares the two. The mechanism is only as strong
as the password: anyone who captures one challenge and its response can
test password guesses offline, so it is not a substitute for SSL.
CRAM-MD5 is supported only by LDAP v3
servers. It is not supported against any supported versions of IBM
Security Directory Server.
- SASL - The client (this Connector) will use a Simple Authentication
and Security Layer (SASL) authentication method when connecting to
the LDAP Server. Operational parameters for this type of authentication
will need to be specified using the Extra Provider Parameters option;
for example, in order to setup a DIGEST-MD5 authentication you will
need to add the following parameter in the Extra Provider Parameters
field:
java.naming.security.authentication:DIGEST-MD5
For more information on SASL authentication and parameters see: http://java.sun.com/products/jndi/tutorial/ldap/security/sasl.html. Note: Not
all directory servers support all SASL mechanisms and in some cases
do not have them enabled by default. Check the documentation and
configuration options for the directory server you are connecting
to for this information.
- Use SSL
- If this is checked, use Secure Sockets Layer for communication
with the LDAP server.
- Referrals
- Specifies how referrals encountered by the LDAP server are to
be processed. The possible values are:
- follow – Follow referrals automatically
- ignore – Ignore referrals
- throw – Throw a ReferralException when a referral
is encountered. You need to handle this in an error Hook.
- Connector Flags
- Flags to enable specific behavior.
- deleteEmptyStrings
- This flag causes the Connector to remove attributes containing
only an empty string as value before updating the directory. If you
are using an LDAP version 3 server, you must use this flag, as the
value of an attribute cannot be an empty string.
- Extra Provider Parameters
- Additional JNDI provider parameters. The format is one colon-separated name:value pair
on each line.
- Return attributes
- List of attributes to return (one attribute per line). If you
leave this empty, all non-operational (user) attributes are returned.
Any operational attributes (such as modifyTimestamp) must still be
listed explicitly in order to be returned.
- Binary Attributes
- A list of attributes that are treated as binary. The format is
one attribute name on each line. If this is not specified, a default
list of attributes is used. The default list is:
- photo
- personalSignature
- audio
- jpegPhoto
- javaSerializedData
- thumbnailPhoto
- thumbnailLogo
- userPassword
- userCertificate
- authorityRevocationList
- certificateRevocationList
- crossCertificatePair
- x500UniqueIdentifier
- objectGUID
- objectSid
Note: An AssemblyLine can have one list of binary attributes
only. If you have several LDAP Connectors in an AssemblyLine, the
last Connector must define the list of binary attributes for all the
LDAP Connectors in this AssemblyLine if you need to change this from
the default.
- Auto Map AD Password
- Used for adding or updating a user's password in Active Directory
using LDAP. When checked, the Connector maps the LDAP password (a
conn attribute that must be called userPassword) to the Active Directory
attribute unicodePwd, and converts the value into the special format
unicodePwd requires (the password enclosed in double quotes and encoded
as UTF-16LE).
Note: Not needed for ADAM.
- LDAP Trace File
- Trace LDAP BER packets to file; this can be useful for debugging.
- Virtual List View Page Size
- Use Virtual List View for iterations. This might be efficient
on some servers, but testing shows that some other servers (for example,
Netscape/iPlanet 4.2) are very slow in this respect. However, it does
provide a workaround to the out-of-memory problem. Also see Virtual List View Control.
- Simulate Rename
- If the server does not support rename, simulate it with delete and add operations.
- Add Attribute (instead of replace)
- This option changes the default behavior of the LDAP Connector
when it modifies an entry.
If this checkbox is checked, the LDAP
Connector sets the constraint DirContext.ADD_ATTRIBUTE. If
this checkbox is not checked, the LDAP Connector sets the constraint DirContext.REPLACE_ATTRIBUTE.
By setting the DirContext.ADD_ATTRIBUTE constraint
for the LDAP connection, you add new values to any attribute that
goes through the AssemblyLine. This might mean that the same value
gets repeatedly added to the entry if not used carefully. This might
also result in an exception if the attribute in question is single-valued.
If DirContext.REPLACE_ATTRIBUTE is set, the behavior is the
same as the old LDAP Connector (default behavior), that is, all values
for the attribute are replaced by whatever might be in the work entry.
- Set Operational Attributes
- Enabling this parameter allows setting and modifying the operational
attributes in IBM Security Directory Server.
- Comment
- Use this parameter to add your comments.
- Detailed Log
- If this field is checked, additional log messages are generated.
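The Search Filter parameter above is generated from Link Criteria rows, joined with AND by default or with OR when Match Any is checked. The following is an added example, not code from the Connector or the Link Criteria dialog, showing what such a generator has to do when the values come from user input: every value is escaped per RFC 4515 so that characters such as `*`, `(` and `)` cannot change the structure of the filter. The attribute names, values and the hostile row are constructed for illustration, and the escaping shown is an assumption about what a safe generator must do, not a description of the dialog's internals.

```python
import re

# Attribute descriptions: a name (cn, sn, objectClass) or a numeric OID,
# optionally followed by ;options (RFC 4512 grammar, simplified).
_ATTR_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$"
)

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only match text, never alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(criteria, match_any=False):
    """criteria: list of (attribute, value) rows, like the rows of the Link
    Criteria form. One row gives (attr=value); several rows are joined with
    & (default) or | (Match Any). Attribute names are validated, values escaped."""
    if not criteria:
        raise ValueError("at least one criterion is required")
    terms = []
    for attr, value in criteria:
        if not _ATTR_RE.match(attr):
            raise ValueError(f"invalid attribute description: {attr!r}")
        terms.append(f"({attr}={escape_filter_value(value)})")
    if len(terms) == 1:
        return terms[0]
    return "(" + ("|" if match_any else "&") + "".join(terms) + ")"


def build_filter_unsafe(criteria, match_any=False):
    """The same generator without escaping, shown only to make the injection visible."""
    terms = [f"({attr}={value})" for attr, value in criteria]
    if len(terms) == 1:
        return terms[0]
    return "(" + ("|" if match_any else "&") + "".join(terms) + ")"


if __name__ == "__main__":
    # Constructed rows, as a user might type them into the dialog.
    rows = [("uid", "jdoe"), ("objectClass", "inetOrgPerson")]
    print(build_filter(rows))                  # (&(uid=jdoe)(objectClass=inetOrgPerson))
    print(build_filter(rows, match_any=True))  # (|(uid=jdoe)(objectClass=inetOrgPerson))

    # A value carrying filter syntax. Escaped, it is just an odd literal;
    # unescaped, it turns "this one uid" into "any uid".
    hostile = [("uid", "*)(uid=*"), ("objectClass", "inetOrgPerson")]
    print(build_filter(hostile))         # (&(uid=\2a\29\28uid=\2a)(objectClass=inetOrgPerson))
    print(build_filter_unsafe(hostile))  # (&(uid=*)(uid=*)(objectClass=inetOrgPerson))
```

The same escaping applies to any filter you assemble yourself in a script or Hook from work-entry attributes: the directory does not know which part of the string was meant to be data.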
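The CRAM-MD5 authentication method above is a challenge-response exchange defined in RFC 2195. The following is an added example, not the Connector's or the JNDI provider's code, that carries out both sides of the exchange so the mechanics are visible: the server issues a challenge, the client returns HMAC-MD5(password, challenge), and the server recomputes it. It also shows the caveat noted above, that a single captured exchange lets an eavesdropper test guesses offline. The hostname, username and wordlist are constructed; what the directory expects as the SASL username (a DN or a uid) depends on the server.

```python
import hashlib
import hmac
import os
import time
from typing import Optional


def make_challenge(hostname: str) -> bytes:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 msg-id style."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode("ascii")


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed with the password over the challenge, hex-encoded.
    The password itself is never sent; only "<username> <hexdigest>" is."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(password_on_server: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the digest from the stored secret and compare in
    constant time. Note the server needs the password in a form it can key
    an HMAC with, not merely a one-way hash of it."""
    username, sep, digest = response.partition(" ")
    if not sep or not username:
        return False
    expected = hmac.new(password_on_server.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def offline_guess(challenge: bytes, response: str, wordlist) -> Optional[str]:
    """What an eavesdropper can do with one captured exchange: no further contact
    with the server is needed, and each guess costs a single HMAC-MD5."""
    for candidate in wordlist:
        if cram_md5_verify(candidate, challenge, response):
            return candidate
    return None


if __name__ == "__main__":
    challenge = make_challenge("ldap.example.com")  # constructed hostname
    response = cram_md5_response("cn=connector,o=orgname", "tanstaaf", challenge)
    print(response)
    print(cram_md5_verify("tanstaaf", challenge, response))  # True
    print(cram_md5_verify("wrong", challenge, response))     # False
    print(offline_guess(challenge, response, ["password", "tanstaaf", "hunter2"]))  # tanstaaf
```

Because the digest binds the password to a challenge the server chose, a captured response cannot be replayed against a new challenge; the weakness is entirely in how guessable the password is, which is why the mechanism should be paired with Use SSL rather than used instead of it.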
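The Auto Map AD Password parameter above converts a userPassword value into the form Active Directory requires for unicodePwd. The following is an added example, not the Connector's code, of that conversion and its inverse, so you can recognise a correctly encoded value in an LDAP trace or LDIF: the password is wrapped in double quotes and encoded as UTF-16LE, and because the result is binary it appears base64-encoded (`unicodePwd::`) in LDIF. The sample password is constructed.

```python
import base64


def to_unicode_pwd(password: str) -> bytes:
    """Encode a cleartext password as Active Directory's unicodePwd value:
    the password enclosed in double quotes, as UTF-16LE without a BOM."""
    return f'"{password}"'.encode("utf-16-le")


def from_unicode_pwd(raw: bytes) -> str:
    """Inverse of to_unicode_pwd; rejects values that are not quoted, which AD
    would also reject with unwillingToPerform."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value must be enclosed in double quotes")
    return text[1:-1]


def ldif_line(value: bytes) -> str:
    """Render the binary value the way it appears in LDIF (double colon = base64)."""
    return "unicodePwd:: " + base64.b64encode(value).decode("ascii")


if __name__ == "__main__":
    encoded = to_unicode_pwd("Pa$$w0rd")  # constructed sample password
    print(encoded)                        # b'"\x00P\x00a\x00$\x00$\x00w\x000\x00r\x00d\x00"\x00'
    print(ldif_line(encoded))
    print(from_unicode_pwd(encoded))      # Pa$$w0rd
```

Active Directory only accepts a unicodePwd add or replace over an encrypted connection, so this parameter is normally used together with Use SSL; the value must also be listed under Binary Attributes, which the default list already does.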