---
title: ADDecision
description: Resource path:
component: pingam
version: 8.1
page_id: pingam:entity-reference:sec-amster-entity-addecision
canonical_url: https://docs.pingidentity.com/pingam/8.1/entity-reference/sec-amster-entity-addecision.html
section_ids:
  sec-amster-entity-addecision-realm-ops: Realm Operations
  sec-amster-entity-addecision-realm-ops-create: create
  sec-amster-entity-addecision-realm-ops-delete: delete
  sec-amster-entity-addecision-realm-ops-gettype: getType
  sec-amster-entity-addecision-realm-ops-getupgradedconfig: getUpgradedConfig
  sec-amster-entity-addecision-realm-ops-query: query
  sec-amster-entity-addecision-realm-ops-read: read
  sec-amster-entity-addecision-realm-ops-update: update
  sec-amster-entity-addecision-realm-ops-versioninfo: versionInfo
---

# ADDecision

## Realm Operations

Resource path:

```
/realm-config/authentication/authenticationtrees/nodes/ADDecisionNode/1.0
```

Resource version: `3.0`

### create

**Usage**

```
am> create ADDecision --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "returnUserDn" : {
        "title" : "Return User DN to DataStore",
        "description" : "When enabled, the node returns the DN rather than the User ID.",
        "propertyOrder" : 1100,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "heartbeatInterval" : {
        "title" : "LDAP Connection Heartbeat Interval",
        "description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
        "propertyOrder" : 1600,
        "type" : "integer",
        "exampleValue" : ""
      },
      "ldapOperationsTimeout" : {
        "title" : "LDAP Operations Timeout",
        "description" : "Defines the timeout in milliseconds that ${am.abbr} should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
        "propertyOrder" : 1800,
        "type" : "integer",
        "exampleValue" : ""
      },
      "ldapConnectionMode" : {
        "title" : "LDAP Connection Mode",
        "description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store.  <br><br>AM must be able to trust the certificates used.",
        "propertyOrder" : 1000,
        "type" : "string",
        "exampleValue" : ""
      },
      "minimumPasswordLength" : {
        "title" : "Minimum Password Length",
        "description" : "Specifies the minimum acceptable password length.",
        "propertyOrder" : 1300,
        "type" : "integer",
        "exampleValue" : ""
      },
      "returnAccountLockedMessage" : {
        "title" : "Return Account Locked Message",
        "description" : "When disabled the node will return a generic authentication failure message when the user account is locked. When enabled the node will return a specific account locked message whether the correct password was provided or not.",
        "propertyOrder" : 1099,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "primaryServers" : {
        "title" : "Primary LDAP Server",
        "description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
        "propertyOrder" : 100,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "searchScope" : {
        "title" : "Search Scope",
        "description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
        "propertyOrder" : 900,
        "type" : "string",
        "exampleValue" : ""
      },
      "userProfileAttribute" : {
        "title" : "Attribute Used to Retrieve User Profile",
        "description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
        "propertyOrder" : 600,
        "type" : "string",
        "exampleValue" : ""
      },
      "adminPassword" : {
        "title" : "Bind User Password",
        "description" : "Specify the password of the account used to bind to the LDAP user data store.If mTLS is enabled, this attribute is ignored.",
        "propertyOrder" : 500,
        "type" : "string",
        "format" : "password",
        "exampleValue" : ""
      },
      "trustAllServerCertificates" : {
        "title" : "Trust All Server Certificates",
        "description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
        "propertyOrder" : 1500,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "affinityLevel" : {
        "title" : "LDAP Affinity Level",
        "description" : "Level of affinity used to balance requests across LDAP servers. The options are: no affinity, affinity for BIND requests only, affinity for all requests.",
        "propertyOrder" : 2000,
        "type" : "string",
        "exampleValue" : ""
      },
      "heartbeatTimeUnit" : {
        "title" : "LDAP Connection Heartbeat Time Unit",
        "description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
        "propertyOrder" : 1700,
        "type" : "string",
        "exampleValue" : ""
      },
      "mtlsEnabled" : {
        "title" : "mTLS Enabled",
        "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>. <li>The values for <code>Bind User DN</code> and <code>Bind User Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.",
        "propertyOrder" : 1033,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "userSearchFilter" : {
        "title" : "User Search Filter",
        "description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&amp;(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
        "propertyOrder" : 800,
        "type" : "string",
        "exampleValue" : ""
      },
      "mtlsSecretLabel" : {
        "title" : "mTLS Secret Label Identifier",
        "description" : "Identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br>AM uses this label to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.ad.decision.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.",
        "propertyOrder" : 1066,
        "type" : "string",
        "exampleValue" : ""
      },
      "secondaryServers" : {
        "title" : "Secondary LDAP Server",
        "description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
        "propertyOrder" : 200,
        "items" : {
          "type" : "string"
        },
        "type" : "array",
        "exampleValue" : ""
      },
      "accountSearchBaseDn" : {
        "title" : "DN to Start User Search",
        "description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance.If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
        "propertyOrder" : 300,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "mixedCaseForPasswordChangeMessages" : {
        "title" : "Use mixed case for password change messages",
        "description" : "Defines whether password change messages returned are in mixed (sentence) case or uppercase. Default: false",
        "propertyOrder" : 1900,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "searchFilterAttributes" : {
        "title" : "Attributes Used to Search for a User to be Authenticated",
        "description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
        "propertyOrder" : 700,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "userCreationAttrs" : {
        "title" : "User Creation Attributes",
        "description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
        "propertyOrder" : 1200,
        "items" : {
          "type" : "string"
        },
        "type" : "array",
        "exampleValue" : ""
      },
      "adminDn" : {
        "title" : "Bind User DN",
        "description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> Do not use <code>cn=Directory Manager</code> in production systems.If mTLS is enabled, this attribute is ignored.",
        "propertyOrder" : 400,
        "type" : "string",
        "exampleValue" : ""
      }
    },
    "required" : [ "returnUserDn", "heartbeatInterval", "ldapOperationsTimeout", "ldapConnectionMode", "minimumPasswordLength", "returnAccountLockedMessage", "primaryServers", "searchScope", "userProfileAttribute", "trustAllServerCertificates", "affinityLevel", "heartbeatTimeUnit", "mtlsEnabled", "secondaryServers", "accountSearchBaseDn", "mixedCaseForPasswordChangeMessages", "searchFilterAttributes", "userCreationAttrs" ]
  }
  ```
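The schema above lists which properties are required, which arrays must be non-empty, how servers are written (`host:port`), what mTLS demands (connection mode `LDAPS` and a label identifier made of `a-z A-Z 0-9 .` that does not start or end with `.`), and warns about two settings (`trustAllServerCertificates` and a `cn=Directory Manager` bind DN). The following script is an added example, not Amster or PingAM code: it lints a candidate `--body` document against exactly those rules before it is sent with `create`, and expands the label identifier into the secret label form the schema quotes. The two sample bodies are constructed; the enum spellings used for `heartbeatTimeUnit` and `affinityLevel` are assumptions, since the page names the choices but not their JSON values.

```python
"""Pre-deployment lint for an ADDecision node --body document.

Added example; not Amster or PingAM code. Every rule below is taken from the
JSON schema on this page: the "required" list, the arrays with minItems 1,
the host:port server format, the mTLS rules (connection mode LDAPS plus an
mTLS Secret Label Identifier built from a-z A-Z 0-9 and '.', not starting
or ending with '.'), and the two settings whose own descriptions warn about
them (trustAllServerCertificates, and cn=Directory Manager as the bind DN).
"""
import re

REQUIRED = [
    "returnUserDn", "heartbeatInterval", "ldapOperationsTimeout",
    "ldapConnectionMode", "minimumPasswordLength", "returnAccountLockedMessage",
    "primaryServers", "searchScope", "userProfileAttribute",
    "trustAllServerCertificates", "affinityLevel", "heartbeatTimeUnit",
    "mtlsEnabled", "secondaryServers", "accountSearchBaseDn",
    "mixedCaseForPasswordChangeMessages", "searchFilterAttributes",
    "userCreationAttrs",
]
NON_EMPTY_ARRAYS = ("primaryServers", "accountSearchBaseDn", "searchFilterAttributes")
HOST_PORT = re.compile(r"^[A-Za-z0-9._\-]+:\d{1,5}$")
# a-z A-Z 0-9 and '.', and the label may not start or end with '.'
SECRET_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?$")


def secret_label_for(identifier: str) -> str:
    """Expand the identifier into the secret label form quoted in the schema."""
    if not SECRET_LABEL.match(identifier):
        raise ValueError(f"invalid mTLS Secret Label Identifier {identifier!r}")
    return f"am.authentication.nodes.ad.decision.mtls.{identifier}.cert"


def check_body(body: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a candidate body.

    Errors are schema or consistency violations; warnings are settings the
    schema accepts but whose own description says weaken the deployment.
    """
    errors, warnings = [], []
    for key in REQUIRED:
        if key not in body:
            errors.append(f"missing required property {key!r}")
    for key in NON_EMPTY_ARRAYS:
        if key in body and not (isinstance(body[key], list) and body[key]):
            errors.append(f"{key!r} must be a non-empty array")
    for key in ("primaryServers", "secondaryServers"):
        for server in body.get(key) or []:
            if not HOST_PORT.match(str(server)):
                errors.append(f"{key!r} entry {server!r} is not host:port")
    if body.get("mtlsEnabled"):
        if body.get("ldapConnectionMode") != "LDAPS":
            errors.append("mtlsEnabled requires ldapConnectionMode 'LDAPS'")
        label = body.get("mtlsSecretLabel") or ""
        if not label:
            errors.append("mtlsEnabled requires mtlsSecretLabel")
        elif not SECRET_LABEL.match(label):
            errors.append(f"mtlsSecretLabel {label!r} has invalid characters")
    if body.get("trustAllServerCertificates"):
        warnings.append("trustAllServerCertificates bypasses certificate verification")
    if (not body.get("mtlsEnabled")
            and str(body.get("adminDn", "")).lower() == "cn=directory manager"):
        warnings.append("adminDn cn=Directory Manager is not for production")
    return {"errors": errors, "warnings": warnings}


# Constructed sample bodies. "SUBTREE" is taken from the schema text; the
# strings for affinityLevel and heartbeatTimeUnit are assumed spellings.
BASE = {
    "returnUserDn": False, "heartbeatInterval": 10, "ldapOperationsTimeout": 5000,
    "minimumPasswordLength": 8, "returnAccountLockedMessage": False,
    "searchScope": "SUBTREE", "userProfileAttribute": "uid",
    "affinityLevel": "NONE", "heartbeatTimeUnit": "SECONDS",
    "secondaryServers": ["directory_services_backup.example.com:636"],
    "accountSearchBaseDn": ["ou=people,dc=example,dc=com"],
    "mixedCaseForPasswordChangeMessages": False,
    "searchFilterAttributes": ["uid"], "userCreationAttrs": [],
}
# Weak: primary server missing its port, blind certificate trust, directory
# superuser as bind account (password value is a placeholder, not a secret).
WEAK = dict(BASE, primaryServers=["directory_services.example.com"],
            ldapConnectionMode="LDAPS", trustAllServerCertificates=True,
            mtlsEnabled=False, adminDn="cn=Directory Manager",
            adminPassword="placeholder-not-a-real-secret")
# Hardened: LDAPS with verified certificates and mTLS instead of a bind password.
HARDENED = dict(BASE, primaryServers=["directory_services.example.com:636"],
                ldapConnectionMode="LDAPS", trustAllServerCertificates=False,
                mtlsEnabled=True, mtlsSecretLabel="ad.node1")

if __name__ == "__main__":
    for name, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_body(body))
    print(secret_label_for("ad.node1"))
```

Run it on a body before `create` or `update`: the weak sample yields one error (the primary server is not `host:port`) and two warnings, the hardened one passes clean. The lint only encodes what the schema states; the server still performs its own validation, so treat a clean result as necessary rather than sufficient.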

### delete

**Usage**

```
am> delete ADDecision --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### getType

List information related to the node, such as its name, description, tags, and metadata.

**Usage**

```
am> action ADDecision --realm Realm --actionName getType
```

### getUpgradedConfig

Get the upgraded configuration for the node type.

**Usage**

```
am> action ADDecision --realm Realm --body body --actionName getUpgradedConfig --targetVersion targetVersion
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "title" : "The current configuration of the node type."
  }
  ```

* *\--targetVersion*

### listOutcomes

List the available outcomes for the node type.

**Usage**

```
am> action ADDecision --realm Realm --body body --actionName listOutcomes
```

**Parameters**

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "description" : "Some configuration of the node. This does not need to be complete against the configuration schema.",
    "type" : "object",
    "title" : "Node configuration"
  }
  ```

### query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

**Usage**

```
am> query ADDecision --realm Realm --filter filter
```

**Parameters**

* *\--filter*

  A CREST-formatted query filter; `true` returns all instances.

### read

**Usage**

```
am> read ADDecision --realm Realm --id id
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

### update

**Usage**

```
am> update ADDecision --realm Realm --id id --body body
```

**Parameters**

* *\--id*

  The unique identifier for the resource.

* *\--body*

  The resource in JSON format, described by the following JSON schema:

  ```json
  {
    "type" : "object",
    "properties" : {
      "returnUserDn" : {
        "title" : "Return User DN to DataStore",
        "description" : "When enabled, the node returns the DN rather than the User ID.",
        "propertyOrder" : 1100,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "heartbeatInterval" : {
        "title" : "LDAP Connection Heartbeat Interval",
        "description" : "Specifies how often AM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. <br><br>Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to <code>0</code> or to a negative number. Set the units for the interval in the LDAP Connection Heartbeat Time Unit property.",
        "propertyOrder" : 1600,
        "type" : "integer",
        "exampleValue" : ""
      },
      "ldapOperationsTimeout" : {
        "title" : "LDAP Operations Timeout",
        "description" : "Defines the timeout in milliseconds that ${am.abbr} should wait for a response from the directory server.<br><br> Default: <code>0</code> (No timeout).",
        "propertyOrder" : 1800,
        "type" : "integer",
        "exampleValue" : ""
      },
      "ldapConnectionMode" : {
        "title" : "LDAP Connection Mode",
        "description" : "Specifies whether to use SSL or StartTLS to connect to the LDAP user data store.  <br><br>AM must be able to trust the certificates used.",
        "propertyOrder" : 1000,
        "type" : "string",
        "exampleValue" : ""
      },
      "minimumPasswordLength" : {
        "title" : "Minimum Password Length",
        "description" : "Specifies the minimum acceptable password length.",
        "propertyOrder" : 1300,
        "type" : "integer",
        "exampleValue" : ""
      },
      "returnAccountLockedMessage" : {
        "title" : "Return Account Locked Message",
        "description" : "When disabled the node will return a generic authentication failure message when the user account is locked. When enabled the node will return a specific account locked message whether the correct password was provided or not.",
        "propertyOrder" : 1099,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "primaryServers" : {
        "title" : "Primary LDAP Server",
        "description" : "Specify one or more primary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>For example, <code>directory_services.example.com:389</code>.",
        "propertyOrder" : 100,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "searchScope" : {
        "title" : "Search Scope",
        "description" : "Specifies the extent of searching for users in the directory server. <br><br>Scope <code>OBJECT</code> means search only the entry specified as the DN to Start User Search, whereas <code>ONELEVEL</code> means search only the entries that are directly children of that object. <code>SUBTREE</code> means search the entry specified and every entry under it.",
        "propertyOrder" : 900,
        "type" : "string",
        "exampleValue" : ""
      },
      "userProfileAttribute" : {
        "title" : "Attribute Used to Retrieve User Profile",
        "description" : "Specifies the attribute used to retrieve the profile of a user from the directory server. <br><br>The user search will have already happened, as specified by the Attributes Used to Search for a User to be Authenticated and User Search Filter properties.",
        "propertyOrder" : 600,
        "type" : "string",
        "exampleValue" : ""
      },
      "adminPassword" : {
        "title" : "Bind User Password",
        "description" : "Specify the password of the account used to bind to the LDAP user data store.If mTLS is enabled, this attribute is ignored.",
        "propertyOrder" : 500,
        "type" : "string",
        "format" : "password",
        "exampleValue" : ""
      },
      "trustAllServerCertificates" : {
        "title" : "Trust All Server Certificates",
        "description" : "When enabled, blindly trust server certificates, including self-signed test certificates. <br><br><em>Note:</em> Use this feature with care as it bypasses the normal certificate verification process.",
        "propertyOrder" : 1500,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "affinityLevel" : {
        "title" : "LDAP Affinity Level",
        "description" : "Level of affinity used to balance requests across LDAP servers. The options are: no affinity, affinity for BIND requests only, affinity for all requests.",
        "propertyOrder" : 2000,
        "type" : "string",
        "exampleValue" : ""
      },
      "heartbeatTimeUnit" : {
        "title" : "LDAP Connection Heartbeat Time Unit",
        "description" : "Specifies the time unit corresponding to LDAP Connection Heartbeat Interval.<br><br> Default: Seconds",
        "propertyOrder" : 1700,
        "type" : "string",
        "exampleValue" : ""
      },
      "mtlsEnabled" : {
        "title" : "mTLS Enabled",
        "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>. <li>The values for <code>Bind User DN</code> and <code>Bind User Password</code> are ignored.</li><li>You must provide an <code>mTLS Secret Label Identifier</code>.</li></ul>Instructions for setting up certificates and keystore mappings are in the product documentation.",
        "propertyOrder" : 1033,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "userSearchFilter" : {
        "title" : "User Search Filter",
        "description" : "Specifies an additional filter to append to user searches. <br><br>For example, searching for <code>mail</code> and specifying a User Search Filter of <code>(objectClass=inetOrgPerson)</code>, causes AM to use <code>(&amp;(mail=<replaceable>address</replaceable>)(objectClass=inetOrgPerson))</code> as the resulting search filter, where <replaceable>address</replaceable> is the mail address provided by the user.",
        "propertyOrder" : 800,
        "type" : "string",
        "exampleValue" : ""
      },
      "mtlsSecretLabel" : {
        "title" : "mTLS Secret Label Identifier",
        "description" : "Identifier used to create a secret label for mapping to the mTLS certificate in the secret store. <br>AM uses this label to create a specific secret label for this node. The secret label takes the form <code>am.authentication.nodes.ad.decision.mtls.{{identifier}}.cert</code> where {{identifier}} is the value of mTLS Secret Label Identifier. The label can only contain characters {{a-z}} {{A-Z}} {{0-9}} {{.}} and cannot start or end with {{.}}.",
        "propertyOrder" : 1066,
        "type" : "string",
        "exampleValue" : ""
      },
      "secondaryServers" : {
        "title" : "Secondary LDAP Server",
        "description" : "Specify one or more secondary directory servers. <br><br>Specify each directory server in the following format: <br><code>host:port</code><br><br>Secondary servers are used when none of the primary servers are available.<br><br>For example, <code>directory_services_backup.example.com</code>.",
        "propertyOrder" : 200,
        "items" : {
          "type" : "string"
        },
        "type" : "array",
        "exampleValue" : ""
      },
      "accountSearchBaseDn" : {
        "title" : "DN to Start User Search",
        "description" : "Specify the DN from which to start the user search.<br><br>More specific DNs, such as <code>ou=sales,dc=example,dc=com</code>, result in better search performance.If multiple entries exist in the store with identical attribute values, ensure this property is specific enough to return only one entry.",
        "propertyOrder" : 300,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "mixedCaseForPasswordChangeMessages" : {
        "title" : "Use mixed case for password change messages",
        "description" : "Defines whether password change messages returned are in mixed (sentence) case or uppercase. Default: false",
        "propertyOrder" : 1900,
        "type" : "boolean",
        "exampleValue" : ""
      },
      "searchFilterAttributes" : {
        "title" : "Attributes Used to Search for a User to be Authenticated",
        "description" : "Specifies the attributes used to match an entry in the directory server to the credentials provided by the user. <br><br>The default value of <code>uid</code> will form the following search filter of <code>uid=user</code>. Specifying multiple values such as <code>uid</code> and <code>cn</code> causes the node to create a search filter of <code>(|(uid=user)(cn=user))</code>. <br><br>Multiple attribute values allow the user to authenticate with any one of the values. For example, if you have both <code>uid</code> and <code>mail</code>, then Barbara Jensen can authenticate with either <code>bjensen</code> or <code>bjensen@example.com</code>.",
        "propertyOrder" : 700,
        "items" : {
          "type" : "string"
        },
        "minItems" : 1,
        "type" : "array",
        "exampleValue" : ""
      },
      "userCreationAttrs" : {
        "title" : "User Creation Attributes",
        "description" : "This list lets you map (external) attribute names from the LDAP directory server to (internal) attribute names used by AM. <br><br>The format of this property is: <br><code>local attr1|external attr1</code>",
        "propertyOrder" : 1200,
        "items" : {
          "type" : "string"
        },
        "type" : "array",
        "exampleValue" : ""
      },
      "adminDn" : {
        "title" : "Bind User DN",
        "description" : "Specify the user DN used to bind to the LDAP user data store. <br><br><em>Note:</em> Do not use <code>cn=Directory Manager</code> in production systems.If mTLS is enabled, this attribute is ignored.",
        "propertyOrder" : 400,
        "type" : "string",
        "exampleValue" : ""
      }
    },
    "required" : [ "returnUserDn", "heartbeatInterval", "ldapOperationsTimeout", "ldapConnectionMode", "minimumPasswordLength", "returnAccountLockedMessage", "primaryServers", "searchScope", "userProfileAttribute", "trustAllServerCertificates", "affinityLevel", "heartbeatTimeUnit", "mtlsEnabled", "secondaryServers", "accountSearchBaseDn", "mixedCaseForPasswordChangeMessages", "searchFilterAttributes", "userCreationAttrs" ]
  }
  ```
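The `searchFilterAttributes` and `userSearchFilter` descriptions in the schema (in both the `create` and `update` sections) spell out how the node's user search filter is shaped: one attribute gives `uid=user`, several are OR-ed as `(|(uid=user)(cn=user))`, and an additional filter is AND-ed on as `(&(mail=address)(objectClass=inetOrgPerson))`. The value in those filters is whatever the user typed at the login prompt, so anything that assembles such a filter has to escape it as RFC 4515 requires, or a value containing `*`, `(`, `)` or `\` changes the meaning of the search. The code below is an added illustration of that construction with the escaping applied; it is not the node's own implementation, and the `build_user_search_filter` and `escape_filter_value` names are the example's own. It writes the single-attribute case as `(uid=user)`, which is the same filter the page shows without parentheses.

```python
"""Build the user search filter the ADDecision schema describes, escaping
the user-supplied value per RFC 4515. Added illustration, not PingAM code."""

# RFC 4515 escapes: the characters that have meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(attrs, user_input, extra_filter=None):
    """Combine the search attributes, the login value and the optional
    User Search Filter the way the schema text describes.

    attrs        -- the "Attributes Used to Search for a User" list
    user_input   -- the identifier the user typed (untrusted)
    extra_filter -- the "User Search Filter", already a parenthesised filter
    """
    if not attrs:
        raise ValueError("at least one search attribute is required")
    safe = escape_filter_value(user_input)
    terms = [f"({attr}={safe})" for attr in attrs]
    # one attribute: (uid=user); several: (|(uid=user)(cn=user))
    core = terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"
    if extra_filter:
        if not (extra_filter.startswith("(") and extra_filter.endswith(")")):
            raise ValueError("User Search Filter must be a parenthesised filter")
        # additional filter is AND-ed on: (&(mail=address)(objectClass=inetOrgPerson))
        return "(&" + core + extra_filter + ")"
    return core


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the schema text.
    print(build_user_search_filter(["uid"], "bjensen"))
    print(build_user_search_filter(["uid", "cn"], "bjensen"))
    print(build_user_search_filter(["mail"], "bjensen@example.com",
                                   "(objectClass=inetOrgPerson)"))
    # A wildcard typed at the prompt stays a literal, not a match-everything filter.
    print(build_user_search_filter(["uid"], "*"))
```

The last call is the case worth checking in any code that composes filters: without escaping, a login value of `*` would turn `(uid=*)` into a presence filter that matches every entry under the search base, which is exactly the situation the `DN to Start User Search` description warns about when it asks for a base specific enough to return only one entry.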

### versionInfo

List the versions available for the node type.

**Usage**

```
am> action ADDecision --realm Realm --actionName versionInfo
```
