LDAP Configuration File

LDAP parameters are set in the LDAP configuration file:

univiewer_server\<nodename>\data\ldap.xml

This file must be edited manually to set the connection parameters for the LDAP server. Changes are only taken into account when UVMS restarts. The file is not modified by a UVMS upgrade.

Several LDAP directories can be used to verify authentication: create one <instance name> section per LDAP directory in ldap.xml.

All the file fields are described below. For each tag, the possible values are listed (with the default where one exists), followed by the description.

instance name
    Values: Mandatory
    Description: An instance defines a set of parameters for a directory server. When several instances are defined, authentication is tested against the first instance, then against the second if it failed against the first, then against the third if it failed against the second, and so on.

host
    Values: localhost (by default)
    Description: Hostname of the LDAP directory server.

port
    Values: Mandatory
    Description: Port number of the LDAP directory server, for example 389 or 636.

SSL
    Values: NO (by default), YES
    Description: Turns on the ldaps protocol. Refer to section: SSL Configuration for more information.

connectionPool
    Values: YES (by default), NO
    Description: YES allows UVMS to use a connection cache (the standard use by default). Refer to section: LDAP Failover Mode for more information.

BaseDN
    Values: (empty)
    Description: This parameter is deprecated.

memberAttribute
    Values: member
    Description: Synchronization mode only. Attribute that links groups and users.

memberAttributeOf
    Values: memberOf
    Description: Synchronization mode only. Attribute that links groups and users when the LDAP server supports this type of request. For better performance, use this attribute rather than memberAttribute. If this field is not to be used, it must be left empty.

useMemberOfAttribute
    Values: NO (by default), YES
    Description: Synchronization mode only. Indicates whether UVMS may use the memberAttributeOf field (YES) or not (NO), that is, whether the LDAP server supports a memberOf request.

followReferral
    Values: NO (by default), YES
    Description: If LDAP slave servers are declared, YES lets UVMS look for information on the slave servers when it is not found on the master server. NO ignores the slave servers.

securityPrincipal
    Values: Anonymous (by default)
    Description: Service user account (in DN format) used by UVMS to search for users in the LDAP directory. This entry must have search rights on the directory subtree where the users are located. Examples:
        uid=foo, o=myCompany
        CN=Eca,CN=Users,DC=automic,DC=com

clearCredential
    Values: YES (by default), NO
    Description: Specifies whether securityCredential is stored in clear or encrypted form (refer to section: Password Encryption). By default, passwords are not encrypted.

securityCredential
    Values: Mandatory
    Description: Password of the LDAP entry defined in securityPrincipal.

securityProtocol
    Values: plain
    Description: The only security protocol accepted is "plain".

securityAuthentication
    Values: simple (by default)
    Description: Type of authentication. The value DIGEST-MD5 can be entered to support SASL. Refer to section: SASL Configuration.

usersSearchBase
    Values: Mandatory
    Description: Distinguished Name of the sub-tree entry containing all the user entries, for example ou=users,dc=automic,dc=com.
    For performance reasons, this value is only used during connection (authentication). During group synchronization, each user matching usersListSearchFilter is created in UVMS even if it does not match usersSearchBase or usersSearchDepth. Those accounts will not be able to connect to UVMS.

usersAttributeId
    Values: CN
    Description: Synchronization mode only. Attribute used to create a user. It must be unique. For instance:
        LDAP: uid
        Active Directory: userPrincipalName

usersListSearchFilter
    Values: (empty)
    Description: Synchronization mode only. Filter applied to find all users, for instance objectclass=Person.

usersSearchFilter
    Values: Mandatory
    Description: Filter applied to find the user from his/her login. For example:
        LDAP: (&(objectclass=Person)(uid=!login!))
        Active Directory: (&(objectclass=Person)(samaccountname=!login!))
    The !login! variable is replaced automatically by UVMS with the login provided by the connecting user.

usersSearchDepth
    Values: SUBTREE_SCOPE (by default), OBJECT_SCOPE, ONELEVEL_SCOPE
    Description: Scope of the search.
    For performance reasons, this value is only used during connection (authentication). During group synchronization, each user matching usersListSearchFilter is created in UVMS even if it does not match usersSearchBase or usersSearchDepth. Those accounts will not be able to connect to UVMS.

groupsSearchBase
    Values: (empty)
    Description: Synchronization mode only. DN of the tree structure containing all the first-level groups, for instance ou=groups,dc=automic,dc=com.

groupsAttributeId
    Values: CN
    Description: Synchronization mode only. Attribute used to create the group. It must be unique, for instance CN.

groupsListSearchFilter
    Values: (empty)
    Description: Synchronization mode only. Filter applied to find all first-level groups (for instance, all groups starting with AUTOMIC):
        LDAP: (&(objectClass=groupOfNames)(CN=AUTOMIC*))
        Active Directory: (&(objectClass=group)(CN=AUTOMIC*))

groupsSearchDepth
    Values: SUBTREE_SCOPE (by default), OBJECT_SCOPE, ONELEVEL_SCOPE
    Description: Synchronization mode only. Search depth.

nestedGroups
    Values: NO (by default), YES
    Description: Synchronization mode only. Supports nested groups (YES) or not (NO). Refer to section: Nested Groups.

nestedGroupsSearchBase
    Values: (empty)
    Description: Synchronization mode only. DN of the tree structure containing all the first-level groups, for instance ou=groups, dc=automic, dc=com.

nestedGroupsListSearchFilter
    Values: (empty)
    Description: Synchronization mode only. Filter applied to find all nested groups, for instance:
        LDAP: (objectClass=groupOfNames)
        Active Directory: (objectClass=group)

nestedGroupsSearchDepth
    Values: SUBTREE_SCOPE (by default), OBJECT_SCOPE, ONELEVEL_SCOPE
    Description: Synchronization mode only. Search depth for all nested groups.

Wildcards, where usable, can only be placed at the end of the string, for instance "automic*". Special characters must be written as XML entities, for example:
    less than (<): &lt;
    greater than (>): &gt;
    quote ("): &quot;
    apostrophe ('): &apos;
    ampersand (&): &amp;

For details on SecurityCredentials and UserSearchFilter refer to section: Security Credentials and User Search Filter.

Example of a generic LDAP configuration file (OpenLDAP, for instance)

<?xml version="1.0" encoding="UTF-8"?>
<ldap version="1.0">
   <instance name="LDAP Repository">
      <!-- general configuration -->
      <host></host>
      <port>389</port>
      <SSL>NO</SSL>
      <memberAttribute>member</memberAttribute>
      <memberOfAttribute>memberOf</memberOfAttribute>
      <useMemberOfAttribute>NO</useMemberOfAttribute>
      <followReferral>NO</followReferral>
      <!-- security -->
      <securityPrincipal></securityPrincipal>
      <clearCredential>YES</clearCredential>
      <securityCredential><![CDATA[]]></securityCredential>
      <securityProtocol>plain</securityProtocol>
      <securityAuthentication>simple</securityAuthentication>
      <!-- users -->
      <usersSearchBase>ou=users,dc=yourdomain,dc=com</usersSearchBase>
      <usersAttributeId>CN</usersAttributeId>
      <usersListSearchFilter><![CDATA[objectClass=person]]></usersListSearchFilter>
      <usersSearchFilter><![CDATA[(&(objectClass=person)(cn=!login!))]]></usersSearchFilter>
      <usersSearchDepth>SUBTREE_SCOPE</usersSearchDepth>
      <!-- groups -->
      <groupsSearchBase>ou=groups,dc=yourdomain,dc=com</groupsSearchBase>
      <groupsAttributeId>CN</groupsAttributeId>
      <groupsListSearchFilter><![CDATA[(&(objectClass=groupOfNames)(CN=AUTOMIC*))]]></groupsListSearchFilter>
      <groupsSearchDepth>SUBTREE_SCOPE</groupsSearchDepth>
      <!-- nested groups -->
      <nestedGroups>NO</nestedGroups>
      <nestedGroupsSearchBase>ou=groups,dc=yourdomain,dc=com</nestedGroupsSearchBase>
      <nestedGroupsListSearchFilter><![CDATA[objectClass=groupOfNames]]></nestedGroupsListSearchFilter>
      <nestedGroupsSearchDepth>SUBTREE_SCOPE</nestedGroupsSearchDepth>
   </instance>
</ldap>

Example of an LDAP configuration file for Active Directory

<?xml version="1.0" encoding="UTF-8"?>
<ldap version="1.0">
   <instance name="Active Directory">
      <!-- general configuration -->
      <host></host>
      <port>389</port>
      <SSL>NO</SSL>
      <memberAttribute>member</memberAttribute>
      <memberOfAttribute>memberOf</memberOfAttribute>
      <useMemberOfAttribute>YES</useMemberOfAttribute>
      <followReferral>NO</followReferral>
      <!-- security -->
      <securityPrincipal></securityPrincipal>
      <clearCredential>YES</clearCredential>
      <securityCredential><![CDATA[]]></securityCredential>
      <securityProtocol>plain</securityProtocol>
      <securityAuthentication>simple</securityAuthentication>
      <!-- users -->
      <usersSearchBase>ou=users,dc=yourdomain,dc=com</usersSearchBase>
      <usersAttributeId>userPrincipalName</usersAttributeId>
      <usersListSearchFilter><![CDATA[objectClass=person]]></usersListSearchFilter>
      <usersSearchFilter><![CDATA[(&(objectClass=person)(userPrincipalName=!login!))]]></usersSearchFilter>
      <usersSearchDepth>SUBTREE_SCOPE</usersSearchDepth>
      <!-- groups -->
      <groupsSearchBase>ou=groups,dc=yourdomain,dc=com</groupsSearchBase>
      <groupsAttributeId>CN</groupsAttributeId>
      <groupsListSearchFilter><![CDATA[(&(objectClass=group)(CN=AUTOMIC*))]]></groupsListSearchFilter>
      <groupsSearchDepth>SUBTREE_SCOPE</groupsSearchDepth>
      <!-- nested groups -->
      <nestedGroups>NO</nestedGroups>
      <nestedGroupsSearchBase>ou=groups,dc=yourdomain,dc=com</nestedGroupsSearchBase>
      <nestedGroupsListSearchFilter><![CDATA[objectClass=group]]></nestedGroupsListSearchFilter>
      <nestedGroupsSearchDepth>SUBTREE_SCOPE</nestedGroupsSearchDepth>
   </instance>
</ldap>
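The following Python script is an added example, not code from UVMS or its documentation: it parses an ldap.xml in the format described above (instances in the order UVMS tries them, values given either in CDATA or as XML entities), flags the settings a reviewer checks before the file goes live (SSL, clearCredential, the mandatory port and the !login! placeholder), and shows how the !login! substitution can be done with RFC 4515 escaping of the login. The sample file, the `escape_filter_value` helper and the lint rules are this example's own assumptions; the page does not state how UVMS itself inserts the login.

```python
"""Added example: parse, lint and fill in a UVMS-style ldap.xml. Escaping the
login per RFC 4515 is this example's choice, not a statement about UVMS."""
import xml.etree.ElementTree as ET

# Constructed sample in the page's format: two instances, tried in order.
SAMPLE_LDAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ldap version="1.0">
  <instance name="Active Directory">
    <host>ad.example.test</host><port>636</port><SSL>YES</SSL>
    <securityPrincipal>CN=svc-uvms,CN=Users,DC=example,DC=test</securityPrincipal>
    <clearCredential>NO</clearCredential>
    <securityCredential><![CDATA[ENCRYPTED-PLACEHOLDER]]></securityCredential>
    <usersSearchFilter><![CDATA[(&(objectClass=person)(sAMAccountName=!login!))]]></usersSearchFilter>
  </instance>
  <instance name="OpenLDAP">
    <host>ldap.example.test</host><port>389</port><SSL>NO</SSL>
    <securityPrincipal>uid=svc,o=example</securityPrincipal>
    <securityCredential>p&amp;ss&quot;</securityCredential>
    <usersSearchFilter>(&amp;(objectclass=Person)(uid=!login!))</usersSearchFilter>
  </instance>
</ldap>"""
SCOPES = {"SUBTREE_SCOPE", "OBJECT_SCOPE", "ONELEVEL_SCOPE"}

def escape_filter_value(value):
    """RFC 4515: hex-escape the characters that would otherwise alter a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_instances(xml_text):
    """Instances in document order; UVMS tries them first to last.
    ElementTree decodes both CDATA sections and &amp;-style entities."""
    root = ET.fromstring(xml_text)
    return [dict({c.tag: (c.text or "").strip() for c in n}, name=n.get("name"))
            for n in root.findall("instance")]

def lint_instance(cfg):
    """Findings a reviewer would want before the file goes live (assumed rules)."""
    issues = []
    if not cfg.get("port"):
        issues.append("port is mandatory")
    if cfg.get("SSL", "NO").upper() != "YES":
        issues.append("SSL=NO: bind credentials and logins travel in clear text")
    if cfg.get("clearCredential", "YES").upper() == "YES" and cfg.get("securityCredential"):
        issues.append("clearCredential=YES: service password stored in clear")
    if "!login!" not in cfg.get("usersSearchFilter", ""):
        issues.append("usersSearchFilter lacks the !login! placeholder")
    if cfg.get("usersSearchDepth", "SUBTREE_SCOPE") not in SCOPES:
        issues.append("usersSearchDepth is not a known scope")
    return issues

def login_filter(cfg, login):
    """Replace !login! with the escaped login so the filter structure is fixed."""
    return cfg["usersSearchFilter"].replace("!login!", escape_filter_value(login))
```

Run `lint_instance` over each result of `parse_instances` before restarting UVMS, since the file is only re-read at restart.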