http-config.json revision 6147
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // The array of connection factories which will be used by the Rest2LDAP
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // Servlet and authentication filter.
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "ldapConnectionFactories" : {
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // Unauthenticated connections used for performing bind requests.
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "default" : {
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "connectionPoolSize" : 10,
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "heartBeatIntervalSeconds" : 30,
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // The preferred load-balancing pool.
9458268e72c30309e7a723e3d1c5f8c3f69dcbabvboxsync "primaryLDAPServers" : [
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "hostname" : "localhost",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "port" : 1389
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // The fail-over load-balancing pool (optional).
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "secondaryLDAPServers" : [
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // Authenticated connections which will be used for searches during
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // authentication and proxied operations (if enabled). This factory
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // will re-use the server "default" configuration.
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "inheritFrom" : "default",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // Defines how authentication should be performed. Only "simple"
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // authentication is supported at the moment.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "authentication" : {
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "simple" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "bindDN" : "cn=directory manager",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "bindPassword" : "password"
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // The Rest2LDAP authentication filter configuration. The filter will be
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync // disabled if the configuration is not present. Upon successful
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // authentication the filter will create a security context containing the
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // following principals:
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // "dn" - the DN of the user if known (may not be the case for sasl-plain)
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // "id" - the username used for authentication.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "authenticationFilter" : {
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // Indicates whether the filter should allow HTTP BASIC authentication.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "supportHTTPBasicAuthentication" : true,
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync // Indicates whether the filter should allow alternative authentication
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // and, if so, which HTTP headers it should obtain the username and
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // password from.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "supportAltAuthentication" : true,
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "altAuthenticationUsernameHeader" : "X-OpenIDM-Username",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "altAuthenticationPasswordHeader" : "X-OpenIDM-Password",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // Indicates whether the authenticated LDAP connection should be cached
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // for use within the Rest2LDAP Servlet for subsequent LDAP operations.
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // If this is set to true then the Servlet will not need its own LDAP
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync // connection factory and will also not need to use proxied
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // authorization.
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "reuseAuthenticatedConnection" : true,
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // Specifies how LDAP authentications should be performed. The method
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // must be one of:
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // "simple" - the username is an LDAP DN
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // "sasl-plain" - the username is an authzid which will be
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // substituted into the "saslAuthzIdTemplate" using
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // %s substitution
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync // "search-simple" - the user's DN will be resolved by performing an
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // LDAP search using a filter constructed by
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // substituting the username into the
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // "searchFilterTemplate" using %s substitution.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "method" : "simple",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // The connection factory which will be exclusively used for
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // authenticating users using LDAP bind operations.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "bindLDAPConnectionFactory" : "default",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // The SASL AuthzID template which will be used for "sasl-plain"
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // authentication.
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "saslAuthzIdTemplate" : "dn:uid=%s,ou=people,dc=example,dc=com",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // The connection factory which will be used for performing LDAP
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // searches to locate users when "search-simple" authentication is
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // enabled.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "searchLDAPConnectionFactory" : "root",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // The search parameters to use for "search-simple" authentication.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "searchBaseDN" : "ou=people,dc=example,dc=com",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "searchScope" : "sub", // Or "one".
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "searchFilterTemplate" : "(&(objectClass=inetOrgPerson)(uid=%s))"
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // TODO: support for HTTP sessions?
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync // The Rest2LDAP Servlet configuration.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "servlet" : {
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync // The connection factory which will be used for performing LDAP
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync // operations. Pre-authenticated connections passed through from the
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // authentication filter (see "reuseAuthenticatedConnection") will be
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // used in preference to this factory. Specifically, a connection
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // factory does not need to be configured if a connection will always
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // be passed on from the filter, which may not always be the case
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // if the filter is configured to use HTTP sessions.
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "ldapConnectionFactory" : "root",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // Specifies how LDAP authorization should be performed. The method
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // must be one of:
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // "none" - use connections acquired from the LDAP connection
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // factory. Don't use proxied authorization, and don't
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync // use cached pre-authenticated connections,
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // "reuse" - use the connection obtained during LDAP
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // authentication. If no connection was passed through
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // the authorization will fail,
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // "proxy" - use proxied authorization with an authorization ID
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // derived from the "proxyAuthzIdTemplate". Proxied
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // authorization will only be used if there is no
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // pre-authenticated connection available.
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "authorizationPolicy" : "proxy",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // The AuthzID template which will be used for proxied authorization.
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // The template should contain fields which are expected to be found in
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // the security context create during authentication, e.g. "dn" and "id".
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "proxyAuthzIdTemplate" : "dn:{dn}",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync // The REST APIs and their LDAP attribute mappings.
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "mappings" : {
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "/users" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "baseDN" : "ou=people,dc=example,dc=com",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "readOnUpdatePolicy" : "controls",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "additionalLDAPAttributes" : [
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "type" : "objectClass",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "values" : [
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "organizationalPerson",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "inetOrgPerson"
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "namingStrategy" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "strategy" : "clientDNNaming",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "dnAttribute" : "uid"
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "etagAttribute" : "etag",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "attributes" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "schemas" : { "constant" : [ "urn:scim:schemas:core:1.0" ] },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true, "writability" : "createOnly" } },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "_rev" : { "simple" : { "ldapAttribute" : "etag", "isSingleValued" : true, "writability" : "readOnly" } },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "userName" : { "simple" : { "ldapAttribute" : "mail", "isSingleValued" : true, "writability" : "readOnly" } },
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true } },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "name" : { "object" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "givenName" : { "simple" : { "ldapAttribute" : "givenName", "isSingleValued" : true } },
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "familyName" : { "simple" : { "ldapAttribute" : "sn", "isSingleValued" : true, "isRequired" : true } }
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "manager" : { "reference" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "ldapAttribute" : "manager",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "baseDN" : "ou=people,dc=example,dc=com",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "primaryKey" : "uid",
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "mapper" : { "object" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true } },
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "writability" : "readOnlyDiscardWrites" } }
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "groups" : { "reference" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "ldapAttribute" : "isMemberOf",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "baseDN" : "ou=groups,dc=example,dc=com",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "writability" : "readOnly",
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "primaryKey" : "cn",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "mapper" : { "object" : {
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "_id" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true } }
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "contactInformation" : { "object" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "telephoneNumber" : { "simple" : { "ldapAttribute" : "telephoneNumber", "isSingleValued" : true } },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "emailAddress" : { "simple" : { "ldapAttribute" : "mail", "isSingleValued" : true } }
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "meta" : { "object" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "created" : { "simple" : { "ldapAttribute" : "createTimestamp", "isSingleValued" : true, "writability" : "readOnly" } },
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "lastModified" : { "simple" : { "ldapAttribute" : "modifyTimestamp", "isSingleValued" : true, "writability" : "readOnly" } }
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "/groups" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "baseDN" : "ou=groups,dc=example,dc=com",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "readOnUpdatePolicy" : "controls",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "additionalLDAPAttributes" : [
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "type" : "objectClass",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "values" : [
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "groupOfUniqueNames"
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "namingStrategy" : {
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "strategy" : "clientDNNaming",
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "dnAttribute" : "cn"
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "etagAttribute" : "etag",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "attributes" : {
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "schemas" : { "constant" : [ "urn:scim:schemas:core:1.0" ] },
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "_id" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true, "writability" : "createOnly" } },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "_rev" : { "simple" : { "ldapAttribute" : "etag", "isSingleValued" : true, "writability" : "readOnly" } },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true, "writability" : "readOnly" } },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "members" : { "reference" : {
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "ldapAttribute" : "uniqueMember",
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "baseDN" : "dc=example,dc=com",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "primaryKey" : "uid",
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "mapper" : { "object" : {
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true } },
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "writability" : "readOnlyDiscardWrites" } }
6728a36898fd2be125a28e84d2115d19aa4923edvboxsync "meta" : { "object" : {
0e52499a0d557fe66f1bea625fe78d8d15e6238bvboxsync "created" : { "simple" : { "ldapAttribute" : "createTimestamp", "isSingleValued" : true, "writability" : "readOnly" } },
9562e2d410460d8fae06fa24297f172fee1d1995vboxsync "lastModified" : { "simple" : { "ldapAttribute" : "modifyTimestamp", "isSingleValued" : true, "writability" : "readOnly" } }