7321N/A<?
xml version="1.0" encoding="UTF-8"?>
7321N/A ! This work is licensed under the Creative Commons 7321N/A ! Attribution-NonCommercial-NoDerivs 3.0 Unported License. 7321N/A ! To view a copy of this license, visit 7321N/A ! or send a letter to Creative Commons, 444 Castro Street, 7321N/A ! Suite 900, Mountain View, California, 94041, USA. 7321N/A ! You can also obtain a copy of the license at 7321N/A ! See the License for the specific language governing permissions 7321N/A ! and limitations under the License. 7321N/A ! If applicable, add the following below this CCPL HEADER, with the fields 7321N/A ! enclosed by brackets "[]" replaced with your own identifying information: 7321N/A ! Portions Copyright [yyyy] [name of copyright owner] 7321N/A ! Copyright 2013-2015 ForgeRock AS. 7321N/A<
appendix xml:
id='appendix-rest2ldap' 7321N/A <
title>REST LDAP Configuration</
title>
7321N/A <
indexterm><
primary>REST</
primary></
indexterm>
7321N/A <
indexterm><
primary>HTTP</
primary></
indexterm>
7321N/A <
para>OpenDJ offers two alternatives for RESTful access to directory
7321N/A <
para>OpenDJ directory server has an HTTP connection handler that exposes
7321N/A the RESTful API over HTTP (or HTTPS). You configure the mapping between
7321N/A JSON resources and LDAP entries by editing the configuration file for the
7321N/A HTTP connection handler, by default
7321N/A <
para>The OpenDJ REST LDAP gateway runs as a Servlet independent from your
7321N/A directory service. You configure the gateway to access your directory service
7321N/A deploy the gateway web application.</
para>
7321N/A <
para>The JSON format configuration can hold the following configuration
7321N/A objects. Some of the configuration settings are available only in the REST
7321N/A LDAP gateway configuration. The order here is the order shown in the default
7321N/A <
para>Interface stability: <
link xlink:
href="reference#interface-stability" 7321N/A <
term>"ldapConnectionFactories" (required, gateway only)</
term>
7321N/A <
para>Configures how the gateway connects to LDAP servers. This entire
7321N/A configuration object applies only to the REST LDAP gateway.</
para>
7321N/A <
para>Configures at least a connection factory for unauthenticated
7321N/A connections that are used for bind requests. By default, also configures a
7321N/A factory for authenticated connections that are used for searches during
7321N/A authentication and for proxied authorization operations.</
para>
7321N/A <
para>The default configuration is set to connect to a local directory
7321N/A server listening for LDAP connections on port 1389, authenticating as the
7321N/A root DN user <
literal>cn=Directory Manager</
literal>, with the password
7321N/A <
literal>password</
literal>.</
para>
7321N/A <
para>Configures the unauthenticated connection factory for bind
7321N/A <
term>"connectionPoolSize" (optional)</
term>
7321N/A <
para>The gateway creates connection pools to the primary and
7321N/A secondary LDAP servers that maintain up to
7321N/A <
literal>connectionPoolSize</
literal> connections to the
7321N/A <
programlisting language="javascript">"connectionPoolSize": 24</
programlisting>
7321N/A <
term>"connectionSecurity" (optional)</
term>
7321N/A <
para>Whether connections to LDAP servers should be secured by using
7321N/A SSL or StartTLS. The following values are supported.</
para>
7321N/A <
para>"none" (default) means connections use plain LDAP and are
7321N/A <
para>"ssl" means connections are secured using LDAPS.</
para>
7321N/A <
para>"startTLS" means connections are secured using LDAP and
7321N/A <
para>If you set "connectionSecurity", also review the
7321N/A "trustManager" and "fileBasedTrustManager*" settings.</
para>
7321N/A <
term>"heartBeatIntervalSeconds" (optional)</
term>
7321N/A <
para>The gateway tests its connections every
7321N/A <
literal>heartBeatIntervalSeconds</
literal> to detect whether
7321N/A the connection is still alive. The first test is performed
7321N/A immediately when the gateway gets a connection. Subsequent tests
7321N/A follow every <
literal>heartBeatIntervalSeconds</
literal>.</
para>
7321N/A <
para>Default: 30 (seconds)</
para>
7321N/A <
programlisting language="javascript">"heartBeatIntervalSeconds": 30</
programlisting>
7321N/A <
term>"heartBeatTimeoutMilliSeconds" (optional)</
term>
7321N/A <
para>When the gateway tests a connection, if the heartbeat does not come back after
7321N/A <
literal>heartBeatTimeoutMilliSeconds</
literal> the connection is marked as closed.</
para>
7321N/A <
para>Default: 500 (milliseconds)</
para>
7321N/A <
programlisting language="javascript">"heartBeatTimeoutMilliSeconds": 500</
programlisting>
7321N/A <
term>"fileBasedTrustManagerFile" (optional)</
term>
7321N/A <
para>If "trustManager"Â is set to "file", then this setting
7321N/A configures the location of the trust store file.</
para>
7321N/A <
term>"fileBasedTrustManagerPassword" (optional)</
term>
7321N/A <
para>If "trustManager"Â is set to "file", then this setting
7321N/A specifies the trust store password.</
para>
7321N/A <
para>Default: "password"</
para>
7321N/A <
term>"fileBasedTrustManagerType" (optional)</
term>
7321N/A <
para>If "trustManager"Â is set to "file", then this setting
7321N/A configures the format for the data in the trust store file specified
7321N/A by the "fileBasedTrustManagerFile" setting. Formats include the
7321N/A following, though other implementations might be supported as well
7321N/A depending on the Java environment.</
para>
7321N/A <
para>"JKS" (default) specifies Java Key Store format.</
para>
7321N/A <
para>"PKCS12" specifies Public-Key Cryptography Standards 12
7321N/A <
term>"primaryLDAPServers" (required)</
term>
7321N/A <
para>The gateway accesses this array of LDAP servers before failing
7321N/A over to the secondary LDAP servers. These might be LDAP servers in
7321N/A the same data center for example.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A <
para>By default, the gateway connects to the directory server
7321N/A listening on port 1389 on the local host.</
para>
7321N/A <
term>"secondaryLDAPServers" (optional)</
term>
7321N/A <
para>The gateway accesses this array of LDAP servers if primary LDAP
7321N/A servers cannot be contacted. These might be LDAP servers in the same
7321N/A data center for example.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A <
para>No secondary LDAP servers are configured by default.</
para>
7321N/A <
term>"trustManager" (optional)</
term>
7321N/A <
para>If "connectionSecurity"Â is set to "ssl" or "startTLS", then
7321N/A this setting configures how the LDAP servers are trusted. This
7321N/A setting is ignored if "connectionSecurity"Â is set to "none".</
para>
7321N/A <
para>"file" means trust the LDAP server certificate if it is
7321N/A signed by a Certificate Authority (CA) trusted according to the
7321N/A file-based trust store configured with the "fileBasedTrustManager*"
7321N/A <
para>"jvm" means trust the LDAP server certificate if it is signed
7321N/A by a CA trusted by the Java environment.</
para>
7321N/A <
para>"trustAll" (default) means blindly trust all LDAP server
7321N/A <
para>Configures the authenticated connection factory.</
para>
7321N/A <
term>"inheritFrom" (optional)</
term>
7321N/A <
para>Identifies the unauthenticated connection factory from which
7321N/A to inherit settings. If this connection factory does not inherit from
7321N/A another configuration object, then you must specify the configuration
7321N/A <
para>Default: "default"</
para>
7321N/A <
term>"authentication" (required)</
term>
7321N/A <
para>The gateway authenticates by simple bind using the credentials
7321N/A <
programlisting language="javascript">{
7321N/A "bindDN": "cn=Directory Manager",
7321N/A <
term>"authenticationFilter" (required)</
term>
7321N/A <
para>Configures the REST LDAP authentication filter. If the configuration
7321N/A is not present, the filter is disabled.</
para>
7321N/A <
para>The default configuration allows HTTP Basic authentication where user
7321N/A entries are <
literal>inetOrgPerson</
literal> entries expected to have
7321N/A <
literal>uid=<
replaceable>username</
replaceable></
literal>, and to be found
7321N/A under <
literal>ou=people,dc=example,dc=com</
literal>. The default
7321N/A configuration also allows alternative, HTTP header based authentication in
7321N/A the style of OpenIDM.</
para>
7321N/A <
para>By default, authentication is required both for the gateway and for
7321N/A the HTTP connection handler. When the HTTP connection handler property
7321N/A <
literal>authentication-required</
literal> is set to
7321N/A <
literal>false</
literal> (default: <
literal>true</
literal>), the HTTP
7321N/A connection handler accepts both authenticated and unauthenticated requests.
7321N/A All requests are subject to access control and resource limit settings in
7321N/A the same way as LDAP client requests to the directory server. The
7321N/A <
literal>authentication-required</
literal> setting can be overridden by the
7321N/A global configuration property
7321N/A <
literal>reject-unauthenticated-requests</
literal> (default:
7321N/A <
literal>false</
literal>), described in the section on <
link 7321N/A xlink:
show="new" xlink:
href="admin-guide#restrict-clients" 7321N/A Client Access</
citetitle></
link>.</
para>
7321N/A <
para>To protect passwords, configure HTTPS for the HTTP connection handler
7321N/A or for the container where the REST LDAP gateway runs.</
para>
7321N/A <
para>The filter has the following configuration fields.</
para>
7321N/A <
term>"supportHTTPBasicAuthentication"</
term>
7321N/A <
para>Whether to support HTTP Basic authentication. If this is set to
7321N/A <
literal>true</
literal>, then the entry corresponding to the user name
7321N/A is found using the "searchBaseDN", "searchScope", and
7321N/A "searchFilterTemplate" settings.</
para>
7321N/A <
para>Default: <
literal>true</
literal></
para>
7321N/A <
term>"supportAltAuthentication"</
term>
7321N/A <
para>Whether to allow alternative, HTTP header based authentication. If
7321N/A this is set to <
literal>true</
literal>, then the headers to use are
7321N/A specified in the "altAuthenticationUsernameHeader" and
7321N/A "altAuthenticationPasswordHeader" values, and the bind DN is resolved
7321N/A using the "searchFilterTemplate" value.</
para>
7321N/A <
para>Default: <
literal>true</
literal></
para>
7321N/A <
term>"altAuthenticationUsernameHeader"</
term>
7321N/A <
para>Specifies the HTTP header containing the username for
7321N/A authentication when alternative, HTTP-header based authentication is
7321N/A <
para>Default: "X-OpenIDM-Username"</
para>
7321N/A <
term>"altAuthenticationPasswordHeader"</
term>
7321N/A <
para>Specifies the HTTP header containing the password for
7321N/A authentication when alternative, HTTP-header based authentication is
7321N/A <
para>Default: "X-OpenIDM-Password"</
para>
7321N/A <
term>"reuseAuthenticatedConnection" (gateway only)</
term>
7321N/A <
para>Whether to use authenticated LDAP connections for subsequent LDAP
7321N/A operations. If this is set to <
literal>true</
literal>, the gateway does
7321N/A not need its own connection factory, nor does it need to use proxied
7321N/A authorization for LDAP operations. Instead, it performs the operations
7321N/A as the user on the authenticated connection.</
para>
7321N/A <
para>Default: <
literal>true</
literal></
para>
7321N/A <
term>"method" (gateway only)</
term>
7321N/A <
para>Specifies the authentication method used by the gateway. The
7321N/A following values are supported.</
para>
7321N/A <
para>"search-simple" (default) means the user name is resolved to
7321N/A an LDAP bind DN by a search using the "searchFilterTemplate" value.</
para>
7321N/A <
para>"sasl-plain" means the user name is resolved to an
7321N/A authorization ID (authzid) using the "saslAuthzIdTemplate" value.</
para>
7321N/A <
para>"simple" means the user name is the LDAP bind DN.</
para>
7321N/A <
term>"bindLDAPConnectionFactory" (gateway only)</
term>
7321N/A <
para>Identifies the factory providing connections used for bind
7321N/A operations to authenticate users to LDAP servers.</
para>
7321N/A <
para>Default: "default"</
para>
7321N/A <
term>"saslAuthzIdTemplate" (gateway only)</
term>
7321N/A <
para>Sets how to resolve the authorization ID when the authentication
7321N/A "method" is set to "sasl-plain", substituting <
literal>%s</
literal>
7321N/A in the template with the user name provided. The user name provided by
7321N/A is DN escaped before the value is returned.</
para>
7321N/A <
para>Default: "dn:uid=%s,ou=people,dc=example,dc=com"</
para>
7321N/A <
term>"searchLDAPConnectionFactory" (gateway only)</
term>
7321N/A <
para>Identifies the factory providing connections used to find
7321N/A user entries in the directory server when the "method" is set to
7321N/A <
para>Default: "root"</
para>
7321N/A <
term>"searchBaseDN"</
term>
7321N/A <
para>Sets the base DN to search for user entries. For the gateway,
7321N/A this applies when the "method" is set to "search-simple". This always
7321N/A applies for the HTTP connection handler.</
para>
7321N/A <
para>Default: "ou=people,dc=example,dc=com"</
para>
7321N/A <
para>Sets the search scope below the base DN such as "sub" (subtree
7321N/A search) or "one" (one-level search) to search for user entries. For the
7321N/A gateway, this applies when the "method" is set to "search-simple". This
7321N/A always applies for the HTTP connection handler.</
para>
7321N/A <
para>Default: "sub"</
para>
7321N/A <
term>"searchFilterTemplate"</
term>
7321N/A <
para>Sets the search filter used to find the user entry, substituting
7321N/A <
literal>%s</
literal> in the template with the user name provided. The
7321N/A user name provided by is DN escaped before the value is returned. For
7321N/A the gateway, this applies when the "method" is set to "search-simple".
7321N/A This always applies for the HTTP connection handler.</
para>
7321N/A <
para>Default: "(&(objectClass=inetOrgPerson)(uid=%s))"</
para>
7321N/A <
term>"servlet" (required)</
term>
7321N/A <
para>Configures how HTTP resources map to LDAP entries, and for the gateway
7321N/A how to connect to LDAP servers and how to use proxied authorization.</
para>
7321N/A <
para>The default gateway configuration tries to reuse authenticated
7321N/A connections for LDAP operations, falling back to a connection authenticated
7321N/A as root DN using proxied authorization for LDAP operations.</
para>
7321N/A <
term>"ldapConnectionFactory" (gateway only)</
term>
7321N/A <
para>Specifies the connection factory used by the gateway to perform
7321N/A LDAP operations if an authenticated connection is not passed from the
7321N/A authentication filter according to the setting for
7321N/A "reuseAuthenticatedConnection".</
para>
7321N/A <
para>Default: "root"</
para>
7321N/A <
term>"authorizationPolicy" (gateway only)</
term>
7321N/A <
para>Specifies how to handle LDAP authorization. The following values
7321N/A <
para>"proxy" (default) means use proxied authorization when no
7321N/A authenticated connection is provided for reuse, resolving the
7321N/A authorization ID according to the setting for
7321N/A "proxyAuthzIdTemplate".</
para>
7321N/A <
para>"none" means do not use proxied authorization and do not reuse
7321N/A authenticated connections, but instead use connections from the
7321N/A factory specified in "ldapConnectionFactory".</
para>
7321N/A <
para>"reuse" means reuse an authenticated connection passed by the
7321N/A filter, and fail if no connection was passed by the filter.</
para>
7321N/A <
term>"proxyAuthzIdTemplate" (gateway only)</
term>
7321N/A <
para>Specifies the template to derive the authorization ID from the
7321N/A security context created during authentication. Use
7321N/A <
literal>{dn}</
literal> to indicate the user's bind DN or
7321N/A <
literal>{id}</
literal> to indicate the user name provided for
7321N/A <
para>Default: "dn:{dn}"</
para>
7321N/A <
para>For each collection URI such as <
literal>/users</
literal> and
7321N/A <
literal>/groups</
literal>, you configure a mapping between the JSON
7321N/A resource returned over HTTP, and the LDAP entry returned by the
7321N/A <
para>Each mapping has a number of configuration elements.</
para>
7321N/A <
term>"baseDN" (required)</
term>
7321N/A <
para>The base DN where LDAP entries are found for this mapping.</
para>
7321N/A <
term>"readOnUpdatePolicy" (optional)</
term>
7321N/A <
para>The policy used to read an entry before it is deleted, or to
7321N/A read an entry after it is added or modified. One of the following.</
para>
7321N/A <
para>"controls": (default) use RFC 4527 read-entry controls to
7321N/A reflect the state of the resource at the time the update was
7321N/A <
para>The directory service must support RFC 4527.</
para>
7321N/A <
para>"disabled": do not read the entry or return the resource on
7321N/A <
para>"search": perform an LDAP search to retrieve the entry before
7321N/A deletion or after it is added or modified.</
para>
7321N/A <
para>The JSON resource returned might differ from the LDAP entry
7321N/A <
term>"useSubtreeDelete" (required)</
term>
7321N/A <
para>Whether to use the LDAP Subtree Delete Request Control (OID:
7321N/A <
literal>1.2.840.113556.1.4.805</
literal>) for LDAP delete operations
7321N/A resulting from delete operations on resources.</
para>
7321N/A <
para>Default: <
literal>false</
literal>. The default configuration
7321N/A uses <
literal>false</
literal>.</
para>
7321N/A <
para>Set this to <
literal>true</
literal> if you want this behavior,
7321N/A if your directory server supports the control, and if clients that
7321N/A request delete operations have access to use the control.</
para>
7321N/A <
term>"usePermissiveModify" (required)</
term>
7321N/A <
para>Whether to use the LDAP Permissive Modify Request Control (OID:
7321N/A <
literal>1.2.840.113556.1.4.1413</
literal>) for LDAP modify operations
7321N/A resulting from patch and update operations on resources.</
para>
7321N/A <
para>Default: <
literal>false</
literal>. The default configuration
7321N/A uses <
literal>true</
literal>.</
para>
7321N/A <
para>Set this to <
literal>false</
literal> when using the gateway if
7321N/A your directory server does not support the control.</
para>
7321N/A <
term>"etagAttribute" (optional)</
term>
7321N/A <
para>The LDAP attribute to use for multi-version concurrency control
7321N/A <
para>Default: "etag"</
para>
7321N/A <
term>"namingStrategy" (required)</
term>
7321N/A The approach used to map LDAP entry names to JSON resources.
7321N/A LDAP entries mapped to JSON resources
7321N/A must be immediate subordinates of the mapping's "baseDN".
7321N/A The following naming strategies are supported.
7321N/A <
para>RDN and resource ID are both derived from a single user
7321N/A attribute in the LDAP entry, as in the following example, where the
7321N/A <
literal>uid</
literal> attribute is the RDN and its value is the
7321N/A <
programlisting language="javascript">{
7321N/A "strategy": "clientDNNaming",
7321N/A <
para>RDN and resource ID are derived from separate user attributes
7321N/A in the LDAP entry, as in the following example where the RDN
7321N/A attribute is <
literal>uid</
literal> but the JSON resource ID is the
7321N/A value of the <
literal>mail</
literal> attribute.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A "strategy": "clientNaming",
7321N/A <
para>RDN is derived from a user attribute and the resource ID from
7321N/A an operational attribute in the LDAP entry, as in the following
7321N/A example, where the RDN attribute is <
literal>uid</
literal> but the
7321N/A JSON resource ID is the value of the <
literal>entryUUID</
literal>
7321N/A operational attribute.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A "strategy": "serverNaming",
7321N/A <
term>"additionalLDAPAttributes" (optional, but necessary)</
term>
7321N/A <
para>LDAP attributes to include during LDAP add operations as an
7321N/A array of type-value lists, such as the following example.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A "additionalLDAPAttributes": [
7321N/A <
para>This configuration element is useful to set LDAP object classes
7321N/A for example, which are not present in JSON resources.</
para>
7321N/A <
term>"attributes" (required)</
term>
7321N/A <
para>How the JSON resource fields map to attributes on LDAP
7321N/A entries, each taking the form "<
replaceable>field-name</
replaceable>":
7321N/A <
replaceable>mapping-object</
replaceable>. A number of
7321N/A <
replaceable>mapping-object</
replaceable>s are supported.</
para>
7321N/A <
para>Maps a single JSON attribute to a fixed value.</
para>
7321N/A <
para>This can be useful as in the default case where each JSON
7321N/A resource "schemas" takes the SCIM URN, and so the value is not
7321N/A related to the underlying LDAP entries.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A "urn:scim:schemas:core:1.0"
7321N/A <
para>Maps a JSON field to an LDAP attribute.</
para>
7321N/A <
para>Simple mappings are used where the correspondence between
7321N/A JSON fields and LDAP attributes is one-to-one.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A <
para>Simple mappings can take a number of fields.</
para>
7321N/A <
para>(Required) "ldapAttribute": the name of LDAP attribute.</
para>
7321N/A <
para>(Optional) "defaultJSONValue": the JSON value if no LDAP
7321N/A attribute is available on the entry.</
para>
7321N/A <
para>No default is set if this is omitted.</
para>
7321N/A <
para>(Optional) "isBinary": true means the LDAP attribute is
7321N/A binary and the JSON field gets the base64-encoded value.</
para>
7321N/A <
para>Default: <
literal>false</
literal></
para>
7321N/A <
para>(Optional) "isRequired": true means the LDAP attribute is
7321N/A mandatory and must be provided to create the resource; false
7321N/A means it is optional.</
para>
7321N/A <
para>Default: <
literal>false</
literal></
para>
7321N/A <
para>(Optional) "isSingleValued": true means represent a
7321N/A possibly multi-valued LDAP attribute as a single value; false
7321N/A means represent it as an array of values.</
para>
7321N/A <
para>Default: determine the representation based on the LDAP
7321N/A schema, so SINGLE-VALUE attributes take single values, and
7321N/A multi-valued attributes take arrays.</
para>
7321N/A <
para>(Optional) "writability": indicates whether the LDAP
7321N/A attribute supports updates. This field can take the following
7321N/A <
para>"createOnly": This attribute can be set only when the
7321N/A entry is created. Attempts to update this attribute thereafter
7321N/A <
para>"createOnlyDiscardWrites": This attribute can be set only
7321N/A when the entry is created. Attempts to update this attribute
7321N/A thereafter do not result in errors. Instead the update value
7321N/A <
para>"readOnly": This attribute cannot be written. Attempts to
7321N/A write this attribute result in errors.</
para>
7321N/A <
para>"readOnlyDiscardWrites": This attribute cannot be written.
7321N/A Attempts to write this attribute do not result in errors.
7321N/A Instead the value to write is discarded.</
para>
7321N/A <
para>"readWrite": (default) This attribute can be set at
7321N/A creation and updated thereafter.</
para>
7321N/A <
para>Maps a JSON object to LDAP attributes.</
para>
7321N/A <
para>This mapping lets you create JSON objects whose fields
7321N/A themselves have mappings to LDAP attributes.</
para>
7321N/A <
para>Maps a JSON field to an LDAP entry found by reference.</
para>
7321N/A <
para>This mapping works for LDAP attributes whose values reference
7321N/A other entries. This is shown in the following example from the
7321N/A default configuration. The LDAP <
literal>manager</
literal>
7321N/A attribute values are user entry DNs. Here, the JSON
7321N/A <
literal>manager</
literal> field takes the user ID and name from
7321N/A the entry referenced by the LDAP attribute. On updates, changes
7321N/A to the JSON manager <
literal>_id</
literal> affect which manager
7321N/A entry is referenced, yet any changes to the manager's name are
7321N/A discarded, because changing managers only affects which user entry
7321N/A to point to, not the referenced user's name.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A "ldapAttribute": "manager",
7321N/A "baseDN": "ou=people,dc=example,dc=com",
7321N/A "writability": "readOnlyDiscardWrites"
7321N/A <
para>Babs Jensen's manager in the sample LDAP data is Torrey
7321N/A Rigden, who has user ID <
literal>trigden</
literal>. Babs's entry has
7321N/A <
literal>manager: uid=trigden,ou=People,dc=example,dc=com</
literal>.
7321N/A With this mapping, the resulting JSON field is the following.</
para>
7321N/A <
programlisting language="javascript">{
7321N/A "displayName": "Torrey Rigden"
7321N/A <
para>Reference mapping objects have the following fields.</
para>
7321N/A <
para>(Required) "baseDN": indicates the base LDAP DN under which
7321N/A to find entries referenced by the JSON resource.</
para>
7321N/A <
para>(Required) "ldapAttribute": specifies the LDAP attribute in
7321N/A the entry underlying the JSON resource whose value points to the
7321N/A <
para>(Required) "mapper": describes how the referenced entry
7321N/A content maps to the content of this JSON field.</
para>
7321N/A <
para>(Required) "primaryKey": indicates which LDAP attribute in
7321N/A the mapper holds the primary key to the referenced entry.</
para>
7321N/A <
para>(Optional) "isRequired": true means the LDAP attribute is
7321N/A mandatory and must be provided to create the resource; false
7321N/A means it is optional.</
para>
7321N/A <
para>Default: <
literal>false</
literal></
para>
7321N/A <
para>(Optional) "isSingleValued": true means represent a
7321N/A possibly multi-valued LDAP attribute as a single value; false
7321N/A means represent it as an array of values.</
para>
7321N/A <
para>Default: <
literal>false</
literal></
para>
7321N/A <para>(Optional) "scope": indicates the scope of the LDAP search 7321N/A to find the referenced entry. The default is 7321N/A <
para>(Optional) "searchFilter": specifies the LDAP filter to
7321N/A use to search for the referenced entry. The default is
7321N/A <
literal>"(objectClass=*)"</
literal>.</
para>
7321N/A <
para>(Optional) "writability": indicates whether the mapping
7321N/A supports updates, as described above for the simple mapping. The
7321N/A default is "readWrite".</
para>
7321N/A <
para>The default mappings expose a SCIM view of user and group
7321N/A <
programlisting language="javascript">{
7321N/A "baseDN": "ou=people,dc=example,dc=com",
7321N/A "readOnUpdatePolicy": "controls",
7321N/A "usePermissiveModify": true,
7321N/A "strategy": "clientDNNaming",
7321N/A "additionalLDAPAttributes": [
7321N/A "urn:scim:schemas:core:1.0"
7321N/A "writability": "createOnly"
7321N/A "ldapAttribute": "givenName",
7321N/A "ldapAttribute": "manager",
7321N/A "baseDN": "ou=people,dc=example,dc=com",
7321N/A "writability": "readOnlyDiscardWrites"
7321N/A "ldapAttribute": "isMemberOf",
7321N/A "baseDN": "ou=groups,dc=example,dc=com",
7321N/A "ldapAttribute": "telephoneNumber",
7321N/A "ldapAttribute": "createTimestamp",
7321N/A "ldapAttribute": "modifyTimestamp",
7321N/A "baseDN": "ou=groups,dc=example,dc=com",
7321N/A "readOnUpdatePolicy": "controls",
7321N/A "usePermissiveModify": true,
7321N/A "strategy": "clientDNNaming",
7321N/A "additionalLDAPAttributes": [
7321N/A "urn:scim:schemas:core:1.0"
7321N/A "writability": "createOnly"
7321N/A "ldapAttribute": "uniqueMember",
7321N/A "baseDN": "dc=example,dc=com",
7321N/A "writability": "readOnlyDiscardWrites"
7321N/A "ldapAttribute": "createTimestamp",
7321N/A "ldapAttribute": "modifyTimestamp",