{
// The array of connection factories which will be used by the Rest2LDAP
// Servlet and authentication filter.
"ldapConnectionFactories" : {
// Unauthenticated connections used for performing bind requests.
"default" : {
// Indicates whether or not LDAP connections should be secured using
// SSL or StartTLS. Acceptable values are:
//
// "none" - use plain LDAP connections (default)
// "ssl" - secure connection using LDAPS
// "startTLS" - secure connection using LDAP+StartTLS
//
"connectionSecurity" : "none",
// Specifies the policy for trusting server certificates exchanged
// during SSL/StartTLS negotiation. This setting and the following
// trust policy settings will be ignored if there is no connection
// security. Acceptable values are:
//
// "trustAll" - blindly trust all server certificates (default)
// "jvm" - only certificates signed by the authorities
// associated with the host JVM will be accepted
// "file" - use a file-based trust store for validating
// certificates. This option requires the following
// "fileBasedTrustManager*" settings to be configured.
//
"trustManager" : "trustAll",
// File based trust manager configuration (see above).
"fileBasedTrustManagerType" : "JKS",
"fileBasedTrustManagerFile" : "/path/to/truststore",
"fileBasedTrustManagerPassword" : "password",
// Re-usable pool of 24 connections per server.
"connectionPoolSize" : 24,
// Check pooled connections are alive every 30 seconds with a 500ms
// heart beat timeout.
"heartBeatIntervalSeconds" : 30,
"heartBeatTimeoutMilliSeconds" : 500,
// The preferred load-balancing pool.
"primaryLDAPServers" : [
{
"hostname" : "localhost",
"port" : 1389
}
],
// The fail-over load-balancing pool (optional).
"secondaryLDAPServers" : [
// Empty.
]
},
// Authenticated connections which will be used for searches during
// authentication and proxied operations (if enabled). This factory
// will re-use the server "default" configuration.
"root" : {
"inheritFrom" : "default",
// Defines how authentication should be performed. Only "simple"
// authentication is supported at the moment.
"authentication" : {
"simple" : {
"bindDN" : "cn=directory manager",
"bindPassword" : "password"
}
}
}
},
// The Rest2LDAP authentication filter configuration. The filter will be
// disabled if the configuration is not present. Upon successful
// authentication the filter will create a security context containing the
// following principals:
//
// "dn" - the DN of the user if known (may not be the case for sasl-plain)
// "id" - the username used for authentication.
"authenticationFilter" : {
// Indicates whether the filter should allow HTTP BASIC authentication.
"supportHTTPBasicAuthentication" : true,
// Indicates whether the filter should allow alternative authentication
// and, if so, which HTTP headers it should obtain the username and
// password from.
"supportAltAuthentication" : true,
"altAuthenticationUsernameHeader" : "X-OpenIDM-Username",
"altAuthenticationPasswordHeader" : "X-OpenIDM-Password",
// Indicates whether the authenticated LDAP connection should be cached
// for use within the Rest2LDAP Servlet for subsequent LDAP operations.
// If this is set to true then the Servlet will not need its own LDAP
// connection factory and will also not need to use proxied
// authorization.
"reuseAuthenticatedConnection" : true,
// Specifies how LDAP authentications should be performed. The method
// must be one of:
//
// "simple" - the username is an LDAP DN
// "sasl-plain" - the username is an authzid which will be
// substituted into the "saslAuthzIdTemplate" using
// %s substitution
// "search-simple" - the user's DN will be resolved by performing an
// LDAP search using a filter constructed by
// substituting the username into the
// "searchFilterTemplate" using %s substitution.
"method" : "search-simple",
// The connection factory which will be exclusively used for
// authenticating users using LDAP bind operations.
"bindLDAPConnectionFactory" : "default",
// The SASL AuthzID template which will be used for "sasl-plain"
// authentication. The %s format parameters will be substituted with
// the client-provided username, using DN character escaping for DN
// AuthzIDs.
"saslAuthzIdTemplate" : "dn:uid=%s,ou=people,dc=example,dc=com",
// The connection factory which will be used for performing LDAP
// searches to locate users when "search-simple" authentication is
// enabled.
"searchLDAPConnectionFactory" : "root",
// The search parameters to use for "search-simple" authentication. The
// %s filter format parameters will be substituted with the
// client-provided username, using LDAP filter string character escaping.
"searchBaseDN" : "ou=people,dc=example,dc=com",
"searchScope" : "sub", // Or "one".
"searchFilterTemplate" : "(&(uid=%s)(objectClass=inetOrgPerson))"
// TODO: support for HTTP sessions?
},
// The Rest2LDAP Servlet configuration.
"servlet" : {
// The connection factory which will be used for performing LDAP
// operations. Pre-authenticated connections passed through from the
// authentication filter (see "reuseAuthenticatedConnection") will be
// used in preference to this factory. Specifically, a connection
// factory does not need to be configured if a connection will always
// be passed on from the filter, which may not always be the case
// if the filter is configured to use HTTP sessions.
"ldapConnectionFactory" : "root",
// Specifies how LDAP authorization should be performed. The method
// must be one of:
//
// "none" - use connections acquired from the LDAP connection
// factory. Don't use proxied authorization, and don't
// use cached pre-authenticated connections,
// "reuse" - use the connection obtained during LDAP
// authentication. If no connection was passed through
// the authorization will fail,
// "proxy" - use proxied authorization with an authorization ID
// derived from the "proxyAuthzIdTemplate". Proxied
// authorization will only be used if there is no
// pre-authenticated connection available.
"authorizationPolicy" : "proxy",
// The AuthzID template which will be used for proxied authorization.
// The template should contain fields which are expected to be found in
// the security context create during authentication, e.g. "dn" and "id".
"proxyAuthzIdTemplate" : "dn:{dn}",
// The REST APIs and their LDAP attribute mappings.
"mappings" : {
"/users" : {
"baseDN" : "ou=people,dc=example,dc=com",
"readOnUpdatePolicy" : "controls",
"useSubtreeDelete" : false,
"usePermissiveModify" : true,
"etagAttribute" : "etag",
"namingStrategy" : {
"strategy" : "clientDNNaming",
"dnAttribute" : "uid"
},
"additionalLDAPAttributes" : [
{
"type" : "objectClass",
"values" : [
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
]
}
],
"attributes" : {
"schemas" : { "constant" : [ "urn:scim:schemas:core:1.0" ] },
"_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true, "writability" : "createOnly" } },
"_rev" : { "simple" : { "ldapAttribute" : "etag", "isSingleValued" : true, "writability" : "readOnly" } },
"userName" : { "simple" : { "ldapAttribute" : "mail", "isSingleValued" : true, "writability" : "readOnly" } },
"displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true } },
"name" : { "object" : {
"givenName" : { "simple" : { "ldapAttribute" : "givenName", "isSingleValued" : true } },
"familyName" : { "simple" : { "ldapAttribute" : "sn", "isSingleValued" : true, "isRequired" : true } }
} },
"manager" : { "reference" : {
"ldapAttribute" : "manager",
"baseDN" : "ou=people,dc=example,dc=com",
"primaryKey" : "uid",
"mapper" : { "object" : {
"_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true } },
"displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "writability" : "readOnlyDiscardWrites" } }
} }
} },
"groups" : { "reference" : {
"ldapAttribute" : "isMemberOf",
"baseDN" : "ou=groups,dc=example,dc=com",
"writability" : "readOnly",
"primaryKey" : "cn",
"mapper" : { "object" : {
"_id" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true } }
} }
} },
"contactInformation" : { "object" : {
"telephoneNumber" : { "simple" : { "ldapAttribute" : "telephoneNumber", "isSingleValued" : true } },
"emailAddress" : { "simple" : { "ldapAttribute" : "mail", "isSingleValued" : true } }
} },
"meta" : { "object" : {
"created" : { "simple" : { "ldapAttribute" : "createTimestamp", "isSingleValued" : true, "writability" : "readOnly" } },
"lastModified" : { "simple" : { "ldapAttribute" : "modifyTimestamp", "isSingleValued" : true, "writability" : "readOnly" } }
} }
}
},
"/groups" : {
"baseDN" : "ou=groups,dc=example,dc=com",
"readOnUpdatePolicy" : "controls",
"useSubtreeDelete" : false,
"usePermissiveModify" : true,
"etagAttribute" : "etag",
"namingStrategy" : {
"strategy" : "clientDNNaming",
"dnAttribute" : "cn"
},
"additionalLDAPAttributes" : [
{
"type" : "objectClass",
"values" : [
"top",
"groupOfUniqueNames"
]
}
],
"attributes" : {
"schemas" : { "constant" : [ "urn:scim:schemas:core:1.0" ] },
"_id" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true, "writability" : "createOnly" } },
"_rev" : { "simple" : { "ldapAttribute" : "etag", "isSingleValued" : true, "writability" : "readOnly" } },
"displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true, "writability" : "readOnly" } },
"members" : { "reference" : {
"ldapAttribute" : "uniqueMember",
"baseDN" : "dc=example,dc=com",
"primaryKey" : "uid",
"mapper" : { "object" : {
"_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true } },
"displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "writability" : "readOnlyDiscardWrites" } }
} }
} },
"meta" : { "object" : {
"created" : { "simple" : { "ldapAttribute" : "createTimestamp", "isSingleValued" : true, "writability" : "readOnly" } },
"lastModified" : { "simple" : { "ldapAttribute" : "modifyTimestamp", "isSingleValued" : true, "writability" : "readOnly" } }
} }
}
}
}
}
}