LDAP Synchronization configuration

Useful links

• Application server Kerberos configuration - support for LIDS Explorer
• Gateway Kerberos configuration - support for Dynamic APP

Environment properties

LDAP connection properties

• All those properties can start as ldap instead of security.ldap. If both of them are defined, the security.ldap property is used, not the ldap property.
• If security.ldap.import.base property is defined, security.ldap.base property is not used.
• If security.ldap.configurationProperty property is defined, security searches for properties with prefix defined in this property instead of prefix ldap.

Property	Type	Required for LDAP synchronization	Description	Example value
security.ldap.url	string	true	LDAP server URL	ldap://server:port
security.ldap.base	string	true	LDAP context base	dc=company,dc=local
security.ldap.userDn	string	true	LDAP service account dn	CN=ldap,OU=Accounts,OU=Common,DC=company,DC=local
security.ldap.password	string	true	LDAP service account password	this-is-secret
security.ldap.referral	string	false
security.ldap.ignorePartialResultException	boolean	false (default false)	Ignore partial result exception while search	true

LDAP import properties

Property	Type	Required for LDAP synchronization	Description	Example value	Since version
security.ldap.import.enabled	boolean	true (default false)	Is LDAP import enabled	true
security.ldap.import.cronExpression	string	false	Automatic LDAP import schedule (cron) expressions	0 0/30 * * * ?
security.ldap.import.base	string	false	Overwrites general ldap.base property for import	dc=company,dc=local
security.ldap.import.paging.enabled	boolean	false	Enables paging of ldap import.	true	8.25.8
security.ldap.import.paging.size	integer	false (true if paging enabled)	Import page size.	1000	8.25.8
security.ldap.configurationProperty	string	false (default ldap)	Overwrites ldap connection properties prefix	ldap

LDAP property configuration example

security.ldap.base=dc=company,dc=local
security.ldap.userDn=CN=ldap,OU=Accounts,OU=Common,DC=company,DC=local
security.ldap.url=ldap://server:port
security.ldap.ignorePartialResultException=true
security.ldap.password=this-is-secret
security.ldap.import.enabled=true
security.ldap.import.cronExpression=0 0/30 * * * ?

Database configuration

sec_config table

• All those properties are optional string properties stored in sec_config table in database used for ldap mappings. If property is not set in database, default value is used instead.
• Example value for principal: ${sAMAccountName}@company.local

Property	Default value
ldapImport.statusBitMask	000000000010
ldapImport.externalId	${userPrincipalName!}
ldapImport.username	${sAMAccountName!}
ldapImport.principal	${userPrincipalName!}
ldapImport.firstName	${givenName!}
ldapImport.lastName	${sn!}
ldapImport.email	${mail!}
ldapImport.street	${streetAddress!}
ldapImport.streetNumber
ldapImport.city	${l!}
ldapImport.zip	${postalCode!}
ldapImport.statusAttribute	${userAccountControl}

Console configuration

• In security server administration console, two data object can be managed - import sources and groups mappings.

Import sources

• Import source is where filters for LDAP import are managed.
• Stored in db table sec_ldap_import.

Property	Type	Description	Example value
Name	String	Name of LDAP import source	LDAP source
LDAP Base	String	LDAP context base	dc=company,dc=local
LDAP Filter	String	LDAP filter	(memberOf=CN=ML Group,OU=Groups,OU=Common,DC=company,DC=local)
User type	Pick value (sec_user_type)	Imported user type	LDAP

Groups mapping

• You can manage mapping of LDAP groups to LIDS groups here.
• Stored in db table sec_ldap_groups.

Property	Type	Description	Example value
Name	String	Name of LDAP groups mapping	clients-read
LDAP Base	String	LDAP context base	dc=company,dc=local
LDAP Group DN/CN	String	LDAP Group domain/canonical name	CN=Group,OU=Groups,OU=Common,DC=company,DC=local
Security group	Pick value (sec_group)	SAMO Group	SAMO Users