Page History

java.naming.provider.url

required

URL of the LDAP/AD service provider.

Example: ldap://ldap.example.com/

java.naming.security.principal

required, default is the LDAP provider's default

User or program doing the authentication. Use an appropriate DN/CN for your server.  

Example: CN=Administrator,CN=Users,dc=example,dc=com

Originally interchangeable with the now deprecated adminUserDN property but took precedence if both were specified in the file.

java.naming.security.credentials

required

Password or encrypted data such as a digital certificate that the implementation uses to authenticate the client.

Originally interchangeable with the now deprecated adminUserPassword property but took precedence if both were specified in the file.

java.naming.security.authentication

optional, default is none

Authentication mechanism (password encryption) used. Possible values are none, simple or a specific authentication mechanism such as DIGEST-MD5 .

java.naming.referral

optional, default is ignore

Indicates to the service provider how to handle referrals. Valid values are ignore, follow and throw .

If the LDAP/AD service provider receives a referral despite you having set the property to ignore it will throw a PartialResultException to indicate that more results might be coming if the referral was followed. In this case the server does not support the Manage Referral control and supports referral updates in some other way. See: Oracle: Referrals in the JNDI. Windows Active Directory is an example of a directory service which does not support Manage Referral Control.

To deal with the PartialResultException, create a property Configuration > /modules/ldap/config/allowPartialResults and set it to true .

java.naming.factory.initial

optional (but recommended)

The class name of the of the initial context. The class must implement the javax.naming.directory.DirContext interface or LDAP requests from Magnolia will fail.

The default value for java.naming.factory.initial will depend on your container or Java configuration. For example, the default configuration for Apache Tomcat specifies the class org.apache.naming.SelectorContext which does not implement the java.naming.directory.DirContext interface. When running in Tomcat, the class com.sun.jndi.ldap.LdapCtxFactory can be used.

required

Defines the initial connect point to the directory service.

Example: initialSearchAttributes=CN=Users,dc=example,dc=com

Organization
OrganizationUnit
CommonName
Surname
GivenName
uid
dn
mail
Password
Language

required

Name mapping(s) taking the form <property>=<value> , for example

CommonName=cn
mail=mail
Password=pass
Language=language

The properties shown on the left are just a few examples. If necessary, additional (custom) properties may be created to allow smooth mapping of names.

See also: Accessing properties from LDAP

optional 

When searching a user from a wide initialSearchAttribute, a custom filter might come in handy. Be aware that attribute used for resolving LDAP_USER_ID needs to be same as mapped uid attribute (see mappings above).

Example: userSearchFilter=(&(objectClass=user)(sAMAccountName=LDAP_USER_ID))

optional 

Custom filter can be used also when searching all users from a wide initialSearchAttribute.

Example: allUsersSearchFilter=(objectClass=user)

ADUserManager default users search filter is: (&(objectCategory=person)(objectClass=user))

groupResolverClass

required (if roleResolverClass is not used)

The value is a class responsible for resolving groups assigned to a user. The class must implement the info.magnolia.jaas.sp.ldap.resolver.NameResolver interface.

Implementations:

roleResolverClass

required (if groupResolverClass is not used)

A class responsible for resolving roles assigned to a user. The class must implement the info.magnolia.jaas.sp.ldap.resolver.NameResolver interface. Roles cannot be maintained in LDAP, they must be in Magnolia.

Implementations:

• info.magnolia.jaas.sp.ldap.resolver.MagnoliaRoleResolver resolves roles from Magnolia.

optional , default is false

Set ssoSlave=true if this Magnolia instance is a slave server in a single sign-on (SSO) environment.

required (only if ADGroupResolver is used)

The name of the user attrribute which specifies the groups the user is a member of.

Example: userMembershipAttribute=memberOf

required (if OpenLDAPGroupResolver is used)

A filter used to find groups the user is a member of.

Example: groupSearchFilter=(&(objectClass=groupOfNames)(member=MEMBERSHIP_VALUE))

required (if OpenLDAPGroupResolver is used)

The value of the dn attribute to be passed to MEMBERSHIP_VALUE in groupSearchFilter .

Example: groupMembershipAttributeValue=dn

required (only if either OpenLDAPGroupResolver or ADGroupResolver is used)

The name of the group ID attribute in LDAP/AD.

Example: groupIdAttribute=cn

optional (only if either OpenLDAPGroupResolver or ADGroupResolver is used)

A subtree for groups in the LDAP/AD structure if groups are managed in different subtree than the users. If missing then the initialSearchAttributes is used.

Example: groupSearchContext=cn=groups,dc=example,dc=com

optional (only if either OpenLDAPGroupResolver or ADGroupResolver is used), default values are

• for the LDAP resolver: (&(objectClass=groupOfNames)GROUP_IDS_SUBSTITUTION)
• for the AD resolver: (&(objectClass=group)GROUP_IDS_SUBSTITUTION)

A filter for searching groups in LDAP/AD.

required (only if either OpenLDAPGroupResolver or ADGroupResolver is used)

The name of the group attrribute which specifies the members belonging to the group.

Example: groupMembershipAttribute=member