Amster

LDAPDecision

Realm Operations

Resource path:

/realm-config/authentication/authenticationtrees/nodes/LdapDecisionNode

Resource version: 2.0

create

Usage

am> create LDAPDecision --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
      "propertyOrder" : 1500,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "returnUserDn" : {
      "title" : "Return User DN to DataStore",
      "description" : "When enabled, the node returns the DN rather than the User ID.",
      "propertyOrder" : 1100,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "accountSearchBaseDn" : {
      "title" : "DN to Start User Search",
      "description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance.If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
      "propertyOrder" : 300,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "beheraEnabled" : {
      "title" : "LDAP Behera Password Policy Support",
      "description" : "Enables support for modern LDAP password policies. <br><br>LDAP Behera Password policies are supported by modern LDAP servers such as DS. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
      "propertyOrder" : 1400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&amp;(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
      "propertyOrder" : 800,
      "type" : "string",
      "exampleValue" : ""
    },
    "searchFilterAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
      "propertyOrder" : 700,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "userProfileAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "heartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
      "propertyOrder" : 1600,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userCreationAttrs" : {
      "title" : "User Creation Attributes",
      "description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
      "propertyOrder" : 1200,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "adminDn" : {
      "title" : "Bind User DN",
      "description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> Do not use <code>cn=Directory Manager</code> in production systems.If mTLS is enabled, this attribute is ignored.",
      "propertyOrder" : 400,
      "type" : "string",
      "exampleValue" : ""
    },
    "secondaryServers" : {
      "title" : "Secondary LDAP Server",
      "description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
      "propertyOrder" : 200,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "mtlsSecretLabel" : {
      "title" : "mTLS Secret Label Identifier",
      "description" : "Identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br>AM uses this label to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.ldap.decision.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.",
      "propertyOrder" : 1066,
      "type" : "string",
      "exampleValue" : ""
    },
    "affinityLevel" : {
      "title" : "LDAP Affinity Level",
      "description" : "Level of affinity used to balance requests across LDAP servers. The options are: no affinity, affinity for BIND requests only, affinity for all requests.",
      "propertyOrder" : 2000,
      "type" : "string",
      "exampleValue" : ""
    },
    "mixedCaseForPasswordChangeMessages" : {
      "title" : "Use mixed case for password change messages",
      "description" : "Defines whether password change messages returned are in mixed (sentence) case or uppercase. Default: false",
      "propertyOrder" : 1900,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "heartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
      "propertyOrder" : 1700,
      "type" : "string",
      "exampleValue" : ""
    },
    "mtlsEnabled" : {
      "title" : "mTLS Enabled",
      "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>. <li>The values for <code>Bind User DN</code> and <code>Bind User Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.",
      "propertyOrder" : 1033,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "adminPassword" : {
      "title" : "Bind User Password",
      "description" : "Specify the password of the account used to bind to the LDAP user data store.If mTLS is enabled, this attribute is ignored.",
      "propertyOrder" : 500,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "ldapConnectionMode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store.  <br><br>AM must be able to trust the certificates used.",
      "propertyOrder" : 1000,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapOperationsTimeout" : {
      "title" : "LDAP Operations Timeout",
      "description" : "Defines the timeout in milliseconds that ${am.abbr} should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
      "propertyOrder" : 1800,
      "type" : "integer",
      "exampleValue" : ""
    },
    "primaryServers" : {
      "title" : "Primary LDAP Server",
      "description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
      "propertyOrder" : 100,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "minimumPasswordLength" : {
      "title" : "Minimum Password Length",
      "description" : "Specifies the minimum acceptable password length.",
      "propertyOrder" : 1300,
      "type" : "integer",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
      "propertyOrder" : 900,
      "type" : "string",
      "exampleValue" : ""
    }
  },
  "required" : [ "trustAllServerCertificates", "returnUserDn", "accountSearchBaseDn", "beheraEnabled", "searchFilterAttributes", "userProfileAttribute", "heartbeatInterval", "userCreationAttrs", "secondaryServers", "affinityLevel", "mixedCaseForPasswordChangeMessages", "heartbeatTimeUnit", "mtlsEnabled", "ldapConnectionMode", "ldapOperationsTimeout", "primaryServers", "minimumPasswordLength", "searchScope" ]
}

delete

Usage

am> delete LDAPDecision --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action LDAPDecision --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action LDAPDecision --realm Realm --actionName getCreatableTypes

listOutcomes

List the available outcomes for the node type.

Usage

am> action LDAPDecision --realm Realm --body body --actionName listOutcomes

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action LDAPDecision --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports _queryFilter=true filter.

Usage

am> query LDAPDecision --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read LDAPDecision --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update LDAPDecision --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
      "propertyOrder" : 1500,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "returnUserDn" : {
      "title" : "Return User DN to DataStore",
      "description" : "When enabled, the node returns the DN rather than the User ID.",
      "propertyOrder" : 1100,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "accountSearchBaseDn" : {
      "title" : "DN to Start User Search",
      "description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance.If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
      "propertyOrder" : 300,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "beheraEnabled" : {
      "title" : "LDAP Behera Password Policy Support",
      "description" : "Enables support for modern LDAP password policies. <br><br>LDAP Behera Password policies are supported by modern LDAP servers such as DS. If this functionality is disabled then only the older Netscape VCHU password policy standard will be enforced.",
      "propertyOrder" : 1400,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&amp;(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
      "propertyOrder" : 800,
      "type" : "string",
      "exampleValue" : ""
    },
    "searchFilterAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
      "propertyOrder" : 700,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "userProfileAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
      "propertyOrder" : 600,
      "type" : "string",
      "exampleValue" : ""
    },
    "heartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
      "propertyOrder" : 1600,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userCreationAttrs" : {
      "title" : "User Creation Attributes",
      "description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
      "propertyOrder" : 1200,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "adminDn" : {
      "title" : "Bind User DN",
      "description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> Do not use <code>cn=Directory Manager</code> in production systems.If mTLS is enabled, this attribute is ignored.",
      "propertyOrder" : 400,
      "type" : "string",
      "exampleValue" : ""
    },
    "secondaryServers" : {
      "title" : "Secondary LDAP Server",
      "description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
      "propertyOrder" : 200,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "mtlsSecretLabel" : {
      "title" : "mTLS Secret Label Identifier",
      "description" : "Identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br>AM uses this label to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.ldap.decision.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.",
      "propertyOrder" : 1066,
      "type" : "string",
      "exampleValue" : ""
    },
    "affinityLevel" : {
      "title" : "LDAP Affinity Level",
      "description" : "Level of affinity used to balance requests across LDAP servers. The options are: no affinity, affinity for BIND requests only, affinity for all requests.",
      "propertyOrder" : 2000,
      "type" : "string",
      "exampleValue" : ""
    },
    "mixedCaseForPasswordChangeMessages" : {
      "title" : "Use mixed case for password change messages",
      "description" : "Defines whether password change messages returned are in mixed (sentence) case or uppercase. Default: false",
      "propertyOrder" : 1900,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "heartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
      "propertyOrder" : 1700,
      "type" : "string",
      "exampleValue" : ""
    },
    "mtlsEnabled" : {
      "title" : "mTLS Enabled",
      "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>. <li>The values for <code>Bind User DN</code> and <code>Bind User Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.",
      "propertyOrder" : 1033,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "adminPassword" : {
      "title" : "Bind User Password",
      "description" : "Specify the password of the account used to bind to the LDAP user data store.If mTLS is enabled, this attribute is ignored.",
      "propertyOrder" : 500,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "ldapConnectionMode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store.  <br><br>AM must be able to trust the certificates used.",
      "propertyOrder" : 1000,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapOperationsTimeout" : {
      "title" : "LDAP Operations Timeout",
      "description" : "Defines the timeout in milliseconds that ${am.abbr} should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
      "propertyOrder" : 1800,
      "type" : "integer",
      "exampleValue" : ""
    },
    "primaryServers" : {
      "title" : "Primary LDAP Server",
      "description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
      "propertyOrder" : 100,
      "items" : {
        "type" : "string"
      },
      "minItems" : 1,
      "type" : "array",
      "exampleValue" : ""
    },
    "minimumPasswordLength" : {
      "title" : "Minimum Password Length",
      "description" : "Specifies the minimum acceptable password length.",
      "propertyOrder" : 1300,
      "type" : "integer",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
      "propertyOrder" : 900,
      "type" : "string",
      "exampleValue" : ""
    }
  },
  "required" : [ "trustAllServerCertificates", "returnUserDn", "accountSearchBaseDn", "beheraEnabled", "searchFilterAttributes", "userProfileAttribute", "heartbeatInterval", "userCreationAttrs", "secondaryServers", "affinityLevel", "mixedCaseForPasswordChangeMessages", "heartbeatTimeUnit", "mtlsEnabled", "ldapConnectionMode", "ldapOperationsTimeout", "primaryServers", "minimumPasswordLength", "searchScope" ]
}