Remote user store properties
The following table describes the key properties to set in the deployment.toml
file to configure the user store you need to connect to.
Configuration name | Description
---|---
type | Type of the user store you are connecting to. Set the type parameter to ldap if you are using an LDAP (Lightweight Directory Access Protocol) user store and to active_directory if you are using an Active Directory user store. Example: type = "ldap"
connection_url | Connection URL of the user store server. Example: connection_url = "ldap://localhost:389"
connection_name | The username used to connect to the user store and perform operations. This user does not have to be an administrator in the user store, but it MUST have permission to read the user list and users' attributes and to perform search operations on the user store. The value you specify is used as the DN (Distinguished Name) of the user. This property is mandatory. Example: connection_name = "uid=admin,ou=system"
connection_password | Password for the connection_name user. Example: connection_password = "password"
ldap_connection_timeout | Timeout, in milliseconds, for making the initial LDAP connection. Example: ldap_connection_timeout = 2000
base_dn | The starting point the directory server uses when searching for users for authentication within your directory. Example: base_dn = "dc=example,dc=org"
user_search_base | DN of the context or object under which user entries are stored in the user store. In this example it is the "Users" container. When the user store searches for users, it starts from this location in the directory. Example: user_search_base = "ou=Users,dc=example,dc=org"
user_name_list_filter | Filter for listing all user entries in the user store. It is used when performing search operations on users; the search returns only objects created from the specified object class. This query is equivalent to listing all available users in the management console. Example: user_name_list_filter = "(objectClass=user)"
user_name_attribute | The attribute used to uniquely identify a user entry. Users can be authenticated using their email address, UID, etc.; the value of this attribute is treated as the username. Example: user_name_attribute = "cn"
user_name_search_filter | Filter used to search for a particular user entry. Example: user_name_search_filter = "(&(objectClass=user)(cn=?))"
user_entry_object_class | The object class used to construct user entries. Example: user_entry_object_class = "inetOrgperson"
user_id_attribute | The attribute used to uniquely identify a user entry. The value of this attribute is treated as the unique user ID. Example: user_id_attribute = "objectGuid"
user_id_search_filter | Filter used to search for a particular user entry by the user ID attribute. Example: user_id_search_filter = "(&(objectClass=user)(objectGuid=?))"
password_hash_method | Specifies the password hashing algorithm used to hash the password before it is stored in the user store. Possible values: SHA (SHA digest method; SHA-1, SHA-256), MD5 (MD5 digest method), PLAIN_TEXT (plain text passwords; default). Example: password_hash_method = "PLAIN_TEXT"
read_groups | Specifies whether groups should be read from the user store. If this is disabled by setting it to false, none of the groups in the user store can be read, and the following group configurations are NOT mandatory: group_search_base, group_name_list_filter, group_name_search_filter, group_name_attribute. Example: read_groups = "true"
group_search_base | DN of the context under which group entries are stored in the user store. Example: group_search_base = "ou=Groups,dc=example,dc=org"
group_entry_object_class | The object class used to construct group entries. Example: group_entry_object_class = "groupOfNames"
group_name_attribute | Attribute used to uniquely identify a group entry. The value of this attribute is treated as the group name. Example: group_name_attribute = "cn"
group_name_search_filter | Filter used to search for a particular group entry. Example: group_name_search_filter = "(&(objectClass=groupOfNames)(cn=?))"
group_name_list_filter | Filter for listing all group entries in the user store. The group search operation returns only objects created from this class. Example: group_name_list_filter = "(objectClass=groupOfNames)"
group_id_enabled | Whether the unique group ID is enabled. Example: group_id_enabled = "true"
group_id_attribute | The attribute used to uniquely identify a group entry. The value of this attribute is treated as the unique group ID. Example: group_id_attribute = "gid"
membership_attribute | Attribute used to define the members of a group. Example: membership_attribute = "member"
group_created_date_attribute | The attribute treated as the group creation timestamp. Example: group_created_date_attribute = "whenCreated"
multi_attribute_separator | Defines the character sequence used to separate multiple attribute values; it should be chosen so that it does not appear as part of a claim value. Normally "," is used, but you can define ",,,", "..." or a similar character sequence. Example: multi_attribute_separator = ","
case_insensitive_user_name | Enables case-insensitive matching of the user's username. The default value is true. For example, if a user's username is test, that user can also use the username TEST. Example: case_insensitive_user_name = "true"
immutable_attributes | Defines a list of attributes that are considered unchangeable in the user store. This property needs to be configured only for user stores with read/write access. Example: immutable_attributes = "whenCreated,whenChanged,location"