LDAP Decision node

Verifies that the provided username and password values exist in a specified LDAP user data store, and checks whether they are expired or locked out.

For example, the username and password could be obtained by a combination of the Username Collector node and Password Collector node, or by using the Zero Page Login Collector node.

Outcomes

True: The credentials match those found in the LDAP user data store.
False: The credentials do not match those found in the LDAP user data store.
Locked: The profile associated with the provided credentials is locked.
Cancelled: The user must change their password. When the journey prompts the user to change their password, the user cancels the password change.
Expired: The profile is found, but the password has expired.

The LDAP Decision node requires specific user attributes in the LDAP user data store. These required attributes are present by default in ForgeRock Directory Services. If you are using an alternative identity store, you might need to modify your LDAP schema to use this node.

Properties

Property Usage

Property	Usage
Primary LDAP Server (required)	Specify one or more primary directory servers. Specify each directory server in the following format: `host:port`. For example, `directory_services.example.com:389`.
Secondary LDAP Server	Specify one or more secondary directory servers. Specify each directory server in the following format: `host:port`. Secondary servers are used when none of the primary servers are available. For example, `directory_services_backup.example.com:389`.
DN to Start User Search (required)	Specify the DN from which to start the user search. More specific DNs, such as `ou=sales,dc=example,dc=com`, result in better search performance. If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.
Bind User DN, Bind User Password	Specifies the credentials used to bind to the LDAP user data store.
Attribute Used to Retrieve User Profile (required)	Specifies the attribute used to retrieve the profile of a user from the directory server. The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.
Attributes Used to Search for a User to be Authenticated (required)	Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. The default value of `uid` forms the search filter `uid=user`. Specifying multiple values such as `uid` and `cn` causes the node to forms the complex search filter `(\|(uid=user)(cn=user))`. Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both `uid` and `mail`, then Barbara Jensen can authenticate with either `bjensen` or `bjensen@example.com`. Note that if you have specified multiple attribute values, you must also add those attributes to the `Alias Search Attribute Name` property when using account lockout. For more information about this property, refer to User profile.
User Search Filter	Specifies an additional filter to append to user searches. For example, searching for `mail` and specifying a User Search Filter of `(objectClass=inetOrgPerson)`, causes AM to use `(&(mail=address)(objectClass=inetOrgPerson))` as the resulting search filter, where address is the mail address provided by the user.
Search Scope	Specifies the extent of searching for users in the directory server. Scope `OBJECT` means search only the entry specified as the DN to Start User Search, whereas `ONELEVEL` means search only the entries that are directly children of that object. `SUBTREE` means search the entry specified and every entry under it. Default: `SUBTREE`
LDAP Connection Mode	Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. AM must be able to trust the certificates used. Possible values: `LDAP`, `LDAPS`, and `StartTLS` Default: `LDAP`
Return User DN to DataStore	When enabled, the node returns the DN rather than the User ID. From the DN value, AM uses the RDN to search for the user profile. For example, if a returned DN value is `uid=demo,ou=people,dc=openam,dc=example,dc=org`, AM uses `uid=demo` to search the data store. Default: Enabled
User Creation Attributes	This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM.
Minimum Password Length	Specifies the minimum acceptable password length. Default: `8`
LDAP Behera Password Policy Support	When enabled, support interoperability with servers that implement the Internet-Draft, Password Policy for LDAP Directories. Default: Enabled
Trust All Server Certificates	When enabled, blindly trust server certificates, including self-signed test certificates. Default: Disabled
LDAP Connection Heartbeat Interval	Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to `0`. Set the units for the interval in the `LDAP Connection Heartbeat Time Unit` property. Note that setting this property to `0` will only ensure default values apply, and will not disable the heartbeat (keepalive) or load balancer availability checks. Disabling these features can only be configured at the global level. Default: `10`
LDAP Connection Heartbeat Time Unit	Specifies the time unit for `LDAP Connection Heartbeat Interval`. Default: `seconds`
LDAP Operations Timeout	Defines the timeout, in seconds, that AM should wait for a response from the directory server. Default: `0` (means no timeout)
Use mixed case for password change messages	Defines whether password change messages are returned in mixed (sentence) case or transformed to uppercase. By default password reset and password change messages are transformed to upper case. Enable this setting to return messages in sentence case. Default: Disabled

Primary LDAP Server (required)

Specify one or more primary directory servers. Specify each directory server in the following format: host:port.

For example, directory_services.example.com:389.

Secondary LDAP Server

Specify one or more secondary directory servers. Specify each directory server in the following format: host:port.

Secondary servers are used when none of the primary servers are available.

For example, directory_services_backup.example.com:389.

DN to Start User Search (required)

Specify the DN from which to start the user search. More specific DNs, such as ou=sales,dc=example,dc=com, result in better search performance.

If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.

Bind User DN, Bind User Password

Specifies the credentials used to bind to the LDAP user data store.

Attribute Used to Retrieve User Profile (required)

Specifies the attribute used to retrieve the profile of a user from the directory server.

The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.

Attributes Used to Search for a User to be Authenticated (required)

Specifies the attributes used to match an entry in the directory server to the credentials provided by the user.

The default value of uid forms the search filter uid=user. Specifying multiple values such as uid and cn causes the node to forms the complex search filter (|(uid=user)(cn=user)).

Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both uid and mail, then Barbara Jensen can authenticate with either bjensen or bjensen@example.com.

Note that if you have specified multiple attribute values, you must also add those attributes to the Alias Search Attribute Name property when using account lockout. For more information about this property, refer to User profile.

User Search Filter

Specifies an additional filter to append to user searches.

For example, searching for mail and specifying a User Search Filter of (objectClass=inetOrgPerson), causes AM to use (&(mail=address)(objectClass=inetOrgPerson)) as the resulting search filter, where address is the mail address provided by the user.

Search Scope

Specifies the extent of searching for users in the directory server.

Scope OBJECT means search only the entry specified as the DN to Start User Search, whereas ONELEVEL means search only the entries that are directly children of that object. SUBTREE means search the entry specified and every entry under it.

Default: SUBTREE

LDAP Connection Mode

Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. AM must be able to trust the certificates used.

Possible values: LDAP, LDAPS, and StartTLS

Default: LDAP

Return User DN to DataStore

When enabled, the node returns the DN rather than the User ID. From the DN value, AM uses the RDN to search for the user profile. For example, if a returned DN value is uid=demo,ou=people,dc=openam,dc=example,dc=org, AM uses uid=demo to search the data store.

Default: Enabled

User Creation Attributes

This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM.

Minimum Password Length

Specifies the minimum acceptable password length.

Default: 8

LDAP Behera Password Policy Support

When enabled, support interoperability with servers that implement the Internet-Draft, Password Policy for LDAP Directories.

Default: Enabled

Trust All Server Certificates

When enabled, blindly trust server certificates, including self-signed test certificates.

Default: Disabled

LDAP Connection Heartbeat Interval

Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle.

Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.

Note that setting this property to 0 will only ensure default values apply, and will not disable the heartbeat (keepalive) or load balancer availability checks. Disabling these features can only be configured at the global level.

Default: 10

LDAP Connection Heartbeat Time Unit

Specifies the time unit for LDAP Connection Heartbeat Interval.

Default: seconds

LDAP Operations Timeout

Defines the timeout, in seconds, that AM should wait for a response from the directory server.

Default: 0 (means no timeout)

Use mixed case for password change messages

Defines whether password change messages are returned in mixed (sentence) case or transformed to uppercase.

By default password reset and password change messages are transformed to upper case. Enable this setting to return messages in sentence case.

Default: Disabled

AM 7.3.1

LDAP Decision node

Outcomes

Properties