Generic LDAPv3
Use these attributes when configuring Generic LDAPv3 compliant identity stores, including Oracle Unified Directory:
amster service name: IdRepository
All tabs
Load Schema
Import the appropriate LDAP schema to the directory server before saving the configuration. The LDAP Bind DN service account must have the required privileges to perform this operation.
Learn more in Prepare identity stores.
Server Settings tab
LDAP Server
An ordered list of directory servers.
The format is HOST:PORT[|SERVERID[|SITEID]], where HOST:PORT are the directory server FQDN and its port,
and SERVERID and SITEID are optional parameters for deployments with multiple servers and sites.
Multiple servers must be comma-separated, for example,
ldap1.example.com:1636, ldap2.example.com:1636.
AM uses the optional settings to determine which directory server to contact first. AM tries to contact directory servers in the following priority order, with highest priority first:
-
The first directory server in the list whose serverID matches the current AM server.
-
The first directory server in the list whose siteID matches the current AM server.
-
The first directory server in the remaining list.
If the directory server isn’t available, AM proceeds to the next directory server in the list.
In production environments, you should specify more than one directory server for failover purposes.
Default: host:port of the initial directory server configured for this AM server.
LDAP Bind DN
Bind DN of the service account AM uses to connect to the directory server. Some AM capabilities require write access to directory entries.
LDAP Organization DN
The base DN under which to find user and group profiles.
Ensure that the identity store is setup with the specified DN before making any changes to this property in AM.
Default: base-dn
LDAP Connection Mode
Whether to use LDAP, LDAPS or StartTLS to connect to the directory server. When LDAPS or StartTLS are enabled, AM must be able to trust server certificates, either because the server certificates were signed by a CA whose certificate is already included in the trust store used by the container where AM runs, or because you imported the certificates into the trust store.
Possible values: LDAP, LDAPS, and StartTLS
LDAP Connection Pool Maximum Size
Maximum number of connections to the directory server. Make sure the directory service can cope with the maximum number of client connections across all servers.
Default: 10
LDAP Connection Heartbeat Interval
How often to send a heartbeat request to the directory server to ensure that the connection doesn’t remain idle. Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0. To set the units for the interval, use LDAP Connection Heartbeat Time Unit.
Default: 10
LDAP Connection Heartbeat Search Base
Defines the search base for:
-
The heartbeat request that checks connections to the LDAP server are alive and prevents idle timeouts (keepalive).
-
The load balancer availability check.
The keepalive and availability checks are only enabled if the heartbeat interval and timeout
are set to a value greater than 0.
The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.
If the search results in an error, AM fails to start up with an exception such as
org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available.
Default: [Empty]
LDAP Connection Heartbeat Search Filter
Defines the search filter for:
-
The heartbeat request that checks connections to the LDAP server are alive and prevents idle timeouts (keepalive).
-
The load balancer availability check.
You can also use the absolute True and False filter (&).
The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.
If the search results in an error, AM fails to start up with an exception such as
org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available.
Default: (objectClass=*)
LDAP Connection Heartbeat Time Unit
Time unit for the LDAP Connection Heartbeat Interval setting.
Default: second
Maximum Results Returned from Search
A cap for the number of search results to return, for example, when viewing profiles under Identities. Rather than raise this number, consider narrowing your search to match fewer directory entries.
Default: 1000
Search Timeout
Maximum time to wait for search results in seconds. Doesn’t apply to persistent searches.
Default: 10
LDAPv3 Plugin Search Scope
LDAP searches can apply to a single entry (SCOPE_BASE), entries directly below the search DN (SCOPE_ONE),
or all entries below the search DN (SEARCH_SUB).
Default: SCOPE_SUB
Behera Support Enabled
Enable this property to use Behera draft control in outgoing requests for operations that might modify password values.
Behera draft control allows AM to display password policy related error messages when password policies aren’t met.
Default: Enabled
Affinity Enabled
Enables affinity-based load balanced access to identity stores.
Affinity-based load balancing means that each request for the same entry goes to the same directory server. The directory server used for a specific operation is determined by the DN of the identity involved.
List the directory server instances that form part of the affinity deployment in the LDAP Server field.
| When you enable affinity, the value of the LDAP Server property must be identical for all AM instances in the deployment. |
Set the operations that use affinity (none, bind only, or all operations) in the Affinity Level property.
Default: Disabled
Plug-in Configuration tab
LDAPv3 Repository Plugin Class Name
AM identity store implementation.
Default: org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo
LDAPv3 Plugin Supported Types and Operations
Specifies the identity types supported by the datastore, such as user, group, or realm,
and which operations can be performed on them.
The following table illustrates the identity types supported by this datastore, and the operations that can be performed on them:
| read | create | edit | delete | service | |
|---|---|---|---|---|---|
|
✔ |
✔ |
✔ |
✔ |
✔ |
|
✔ |
✔ |
✔ |
✔ |
✔ |
|
✔ |
✔ |
✔ |
✔ |
|
Read the identity type |
Create new identities of the given identity type |
Edit entities of the given identity type |
Delete entities of the given identity type |
Read and write service settings associated with the given identity type. |
You can remove permissions based on your datastore needs.
For example, if the datastore should not be written to,
you can set the operations to read only for the identity types.
The service operation is only relevant to the realm and the user identity types.
For example, the Session Service configuration can be stored by realm,
and a user can have specific session timeout settings.
Default:
realm=read,create,edit,delete,service
user=read,create,edit,delete,service
group=read,create,edit,delete
User Configuration tab
LDAP Users Search Attribute
When searching for a user by name, match values against this attribute.
Default: uid
|
Don’t modify the value of the search attribute in user profiles. Modifying this attribute value can result in incorrectly cached identity data. |
LDAP Users Search Filter
When searching for users, apply this LDAP search filter as well.
Default: (objectclass=inetorgperson)
LDAP User Object Class
User profiles have these LDAP object classes.
AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.
For example, with default settings, if you request that AM execute a search
that asks for the mailAlternateAddress attribute, AM does the search,
but doesn’t request mailAlternateAddress.
In the same way, AM does perform an update operation with a request
to set the value of an unlisted attribute like mailAlternateAddress,
but it drops the unlisted attribute from the update request.
Default: inetorgperson, inetUser, organizationalPerson, person, top
LDAP User Attributes
User profiles have these LDAP attributes.
AM handles only those attributes listed in this setting. AM discards any unlisted attributes from requests and the request proceeds without the attribute.
Default:
uid
caCertificate
authorityRevocationList
inetUserStatus
mail
sn
manager
userPassword
adminRole
objectClass
givenName
memberOf
cn
telephoneNumber
preferredlanguage
userCertificate
postalAddress
dn
employeeNumber
distinguishedName
Create User Attribute Mapping
When creating a user profile, apply this map of AM profile attribute names to directory server attribute names.
Attributes not mapped to another attribute (for example, cn) and attributes mapped to themselves
(for example, cn=cn) take the value of the username
unless the attribute values are provided when creating the profile.
The object classes for user profile LDAP entries generally require Common Name (cn) and Surname (sn) attributes,
so this prevents an LDAP constraint violation when performing the add operation.
Default: cn, sn
User Status Active Value
Active users have the user status attribute set to this value.
Default: Active
User Status Inactive Value
Inactive users have the user status attribute set to this value.
Default: Inactive
LDAP People Container Naming Attribute
RDN attribute of the LDAP base DN which contains user profiles.
LDAP People Container Value
RDN attribute value of the LDAP base DN which contains user profiles.
If specified, AM will limit searches for user profiles to the provided base DN. Otherwise, AM searches the entire directory.
Knowledge Based Authentication Attribute Name
Profile attribute in which knowledge-based authentication information is stored.
Default: kbaInfo
Authentication Configuration tab
Authentication Naming Attribute
RDN attribute for building the bind DN when given a username and password to authenticate a user against the directory server.
|
If you change this value after you have deployed and configured AM, you must update or recreate all existing identities to refresh user DNs. Failure to do so could result in unsuccessful authentication or risk of impersonation attacks. |
Default: uid
Group Configuration tab
LDAP Groups Search Attribute
When searching for a group by name, match values against this attribute.
Default: cn
LDAP Groups Search Filter
When searching for groups, apply this LDAP search filter as well.
Default: (objectclass=groupOfUniqueNames)
LDAP Groups Container Naming Attribute
RDN attribute of the LDAP base DN which contains group profiles.
Default: ou
LDAP Groups Container Value
RDN attribute value of the LDAP base DN which contains group profiles.
If specified, AM will limit searches for group profiles to the provided base DN. Otherwise, AM searches the entire directory.
Default: groups
LDAP Groups Object Class
Group profiles have these LDAP object classes.
Default: groupofuniquenames, top
LDAP Groups Attributes
Group profiles have these LDAP attributes.
Default: ou, cn, description, dn, objectclass, uniqueMember
Attribute Name for Group Membership
LDAP attribute in the member’s LDAP entry whose values are the groups to which a member belongs.
Attribute Name of Unique Member
Attribute in the group’s LDAP entry whose values are the members of the group.
Default: uniqueMember
Persistent Search Controls tab
Cache Control tab
DN Cache
Whether to enable the DN cache, which is used to cache DN lookups that can happen in bursts during authentication. As the cache can become stale when a user is moved or renamed, enable DN caching when the directory service allows move/rename operations (Mod DN), and when AM uses persistent searches to obtain notification of such updates.
Default: false