ADDecision
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/ADDecisionNode/1.0
Resource version: 3.0
create
Usage
am> create ADDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "mtlsSecretLabel" : { "title" : "mTLS Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br>AM uses this label to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.ad.decision.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.", "propertyOrder" : 1066, "type" : "string", "exampleValue" : "" }, "accountSearchBaseDn" : { "title" : "DN to Start User Search", "description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance. If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.", "propertyOrder" : 300, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "returnUserDn" : { "title" : "Return User DN to DataStore", "description" : "When enabled, the node returns the DN rather than the User ID.", "propertyOrder" : 1100, "type" : "boolean", "exampleValue" : "" }, "adminPassword" : { "title" : "Bind User Password", "description" : "Specify the password of the account used to bind to the LDAP user data store. If mTLS is enabled, this attribute is ignored.", "propertyOrder" : 500, "type" : "string", "format" : "password", "exampleValue" : "" }, "userSearchFilter" : { "title" : "User Search Filter", "description" : "Specifies an additional filter to append to user searches. 
<br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.", "propertyOrder" : 800, "type" : "string", "exampleValue" : "" }, "heartbeatInterval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.", "propertyOrder" : 1600, "type" : "integer", "exampleValue" : "" }, "mixedCaseForPasswordChangeMessages" : { "title" : "Use mixed case for password change messages", "description" : "Defines whether password change messages returned are in mixed (sentence) case or uppercase. Default: false", "propertyOrder" : 1900, "type" : "boolean", "exampleValue" : "" }, "userProfileAttribute" : { "title" : "Attribute Used to Retrieve User Profile", "description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "searchScope" : { "title" : "Search Scope", "description" : "Specifies the extent of searching for users in the directory server. 
<br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.", "propertyOrder" : 900, "type" : "string", "exampleValue" : "" }, "affinityLevel" : { "title" : "LDAP Affinity Level", "description" : "Level of affinity used to balance requests across LDAP servers. The options are: no affinity, affinity for BIND requests only, affinity for all requests.", "propertyOrder" : 2000, "type" : "string", "exampleValue" : "" }, "ldapOperationsTimeout" : { "title" : "LDAP Operations Timeout", "description" : "Defines the timeout in milliseconds that AM should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).", "propertyOrder" : 1800, "type" : "integer", "exampleValue" : "" }, "minimumPasswordLength" : { "title" : "Minimum Password Length", "description" : "Specifies the minimum acceptable password length.", "propertyOrder" : 1300, "type" : "integer", "exampleValue" : "" }, "heartbeatTimeUnit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds", "propertyOrder" : 1700, "type" : "string", "exampleValue" : "" }, "secondaryServers" : { "title" : "Secondary LDAP Server", "description" : "Specify one or more secondary directory servers. 
<br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.", "propertyOrder" : 200, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "ldapConnectionMode" : { "title" : "LDAP Connection Mode", "description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. <br><br>AM must be able to trust the certificates used.", "propertyOrder" : 1000, "type" : "string", "exampleValue" : "" }, "trustAllServerCertificates" : { "title" : "Trust All Server Certificates", "description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.", "propertyOrder" : 1500, "type" : "boolean", "exampleValue" : "" }, "primaryServers" : { "title" : "Primary LDAP Server", "description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.", "propertyOrder" : 100, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "searchFilterAttributes" : { "title" : "Attributes Used to Search for a User to be Authenticated", "description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. 
For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.", "propertyOrder" : 700, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "userCreationAttrs" : { "title" : "User Creation Attributes", "description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>", "propertyOrder" : 1200, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "adminDn" : { "title" : "Bind User DN", "description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> Do not use <code>cn=Directory Manager</code> in production systems. If mTLS is enabled, this attribute is ignored.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" }, "returnAccountLockedMessage" : { "title" : "Return Account Locked Message", "description" : "When disabled, the node returns a generic authentication failure message when the user account is locked. When enabled, the node returns a specific account locked message whether or not the correct password was provided. Because the message is returned regardless of the password, enabling this discloses the lock state of an account to callers who do not know its password.", "propertyOrder" : 1099, "type" : "boolean", "exampleValue" : "" }, "mtlsEnabled" : { "title" : "mTLS Enabled", "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>.</li> 
<li>The values for <code>Bind User DN</code> and <code>Bind User Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.", "propertyOrder" : 1033, "type" : "boolean", "exampleValue" : "" } }, "required" : [ "accountSearchBaseDn", "returnUserDn", "heartbeatInterval", "mixedCaseForPasswordChangeMessages", "userProfileAttribute", "searchScope", "affinityLevel", "ldapOperationsTimeout", "minimumPasswordLength", "heartbeatTimeUnit", "secondaryServers", "ldapConnectionMode", "trustAllServerCertificates", "primaryServers", "searchFilterAttributes", "userCreationAttrs", "returnAccountLockedMessage", "mtlsEnabled" ] }
delete
Usage
am> delete ADDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getType
List information related to the node, such as its name, description, tags, and metadata.
Usage
am> action ADDecision --realm Realm --actionName getType
getUpgradedConfig
Get the upgraded configuration for the node type.
Usage
am> action ADDecision --realm Realm --body body --actionName getUpgradedConfig --targetVersion targetVersion
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "The current configuration of the node type." }
- --targetVersion
-
listOutcomes
List the available outcomes for the node type.
Usage
am> action ADDecision --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "description" : "Some configuration of the node. This does not need to be complete against the configuration schema.", "type" : "object", "title" : "Node configuration" }
query
Get the full list of instances of this collection. This query only supports the _queryFilter=true filter.
Usage
am> query ADDecision --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read ADDecision --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update ADDecision --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "mtlsSecretLabel" : { "title" : "mTLS Secret Label Identifier", "description" : "Identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br>AM uses this label to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.ad.decision.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.", "propertyOrder" : 1066, "type" : "string", "exampleValue" : "" }, "accountSearchBaseDn" : { "title" : "DN to Start User Search", "description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance. If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.", "propertyOrder" : 300, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "returnUserDn" : { "title" : "Return User DN to DataStore", "description" : "When enabled, the node returns the DN rather than the User ID.", "propertyOrder" : 1100, "type" : "boolean", "exampleValue" : "" }, "adminPassword" : { "title" : "Bind User Password", "description" : "Specify the password of the account used to bind to the LDAP user data store. If mTLS is enabled, this attribute is ignored.", "propertyOrder" : 500, "type" : "string", "format" : "password", "exampleValue" : "" }, "userSearchFilter" : { "title" : "User Search Filter", "description" : "Specifies an additional filter to append to user searches. 
<br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.", "propertyOrder" : 800, "type" : "string", "exampleValue" : "" }, "heartbeatInterval" : { "title" : "LDAP Connection Heartbeat Interval", "description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.", "propertyOrder" : 1600, "type" : "integer", "exampleValue" : "" }, "mixedCaseForPasswordChangeMessages" : { "title" : "Use mixed case for password change messages", "description" : "Defines whether password change messages returned are in mixed (sentence) case or uppercase. Default: false", "propertyOrder" : 1900, "type" : "boolean", "exampleValue" : "" }, "userProfileAttribute" : { "title" : "Attribute Used to Retrieve User Profile", "description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.", "propertyOrder" : 600, "type" : "string", "exampleValue" : "" }, "searchScope" : { "title" : "Search Scope", "description" : "Specifies the extent of searching for users in the directory server. 
<br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.", "propertyOrder" : 900, "type" : "string", "exampleValue" : "" }, "affinityLevel" : { "title" : "LDAP Affinity Level", "description" : "Level of affinity used to balance requests across LDAP servers. The options are: no affinity, affinity for BIND requests only, affinity for all requests.", "propertyOrder" : 2000, "type" : "string", "exampleValue" : "" }, "ldapOperationsTimeout" : { "title" : "LDAP Operations Timeout", "description" : "Defines the timeout in milliseconds that AM should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).", "propertyOrder" : 1800, "type" : "integer", "exampleValue" : "" }, "minimumPasswordLength" : { "title" : "Minimum Password Length", "description" : "Specifies the minimum acceptable password length.", "propertyOrder" : 1300, "type" : "integer", "exampleValue" : "" }, "heartbeatTimeUnit" : { "title" : "LDAP Connection Heartbeat Time Unit", "description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds", "propertyOrder" : 1700, "type" : "string", "exampleValue" : "" }, "secondaryServers" : { "title" : "Secondary LDAP Server", "description" : "Specify one or more secondary directory servers. 
<br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.", "propertyOrder" : 200, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "ldapConnectionMode" : { "title" : "LDAP Connection Mode", "description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store. <br><br>AM must be able to trust the certificates used.", "propertyOrder" : 1000, "type" : "string", "exampleValue" : "" }, "trustAllServerCertificates" : { "title" : "Trust All Server Certificates", "description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.", "propertyOrder" : 1500, "type" : "boolean", "exampleValue" : "" }, "primaryServers" : { "title" : "Primary LDAP Server", "description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.", "propertyOrder" : 100, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "searchFilterAttributes" : { "title" : "Attributes Used to Search for a User to be Authenticated", "description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. 
For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.", "propertyOrder" : 700, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "userCreationAttrs" : { "title" : "User Creation Attributes", "description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>", "propertyOrder" : 1200, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "adminDn" : { "title" : "Bind User DN", "description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> Do not use <code>cn=Directory Manager</code> in production systems. If mTLS is enabled, this attribute is ignored.", "propertyOrder" : 400, "type" : "string", "exampleValue" : "" }, "returnAccountLockedMessage" : { "title" : "Return Account Locked Message", "description" : "When disabled, the node returns a generic authentication failure message when the user account is locked. When enabled, the node returns a specific account locked message whether or not the correct password was provided. Because the message is returned regardless of the password, enabling this discloses the lock state of an account to callers who do not know its password.", "propertyOrder" : 1099, "type" : "boolean", "exampleValue" : "" }, "mtlsEnabled" : { "title" : "mTLS Enabled", "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>.</li> 
<li>The values for <code>Bind User DN</code> and <code>Bind User Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.", "propertyOrder" : 1033, "type" : "boolean", "exampleValue" : "" } }, "required" : [ "accountSearchBaseDn", "returnUserDn", "heartbeatInterval", "mixedCaseForPasswordChangeMessages", "userProfileAttribute", "searchScope", "affinityLevel", "ldapOperationsTimeout", "minimumPasswordLength", "heartbeatTimeUnit", "secondaryServers", "ldapConnectionMode", "trustAllServerCertificates", "primaryServers", "searchFilterAttributes", "userCreationAttrs", "returnAccountLockedMessage", "mtlsEnabled" ] }