http-config.json revision 9cbb15c8da2452687c698517c17306aa4e3381da
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The array of connection factories which will be used by the Rest2LDAP
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Servlet and authentication filter.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "ldapConnectionFactories" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Unauthenticated connections used for performing bind requests.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "default" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "connectionPoolSize" : 10,
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "heartBeatIntervalSeconds" : 30,
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The preferred load-balancing pool.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "primaryLDAPServers" : [
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "hostname" : "localhost",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "port" : 1389
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The fail-over load-balancing pool (optional).
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "secondaryLDAPServers" : [
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Authenticated connections which will be used for searches during
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // authentication and proxied operations (if enabled). This factory
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // will re-use the server "default" configuration.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "inheritFrom" : "default",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Defines how authentication should be performed. Only "simple"
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // authentication is supported at the moment.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "authentication" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "simple" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "bindDN" : "cn=directory manager",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "bindPassword" : "password"
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The Rest2LDAP authentication filter configuration. The filter will be
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // disabled if the configuration is not present. Upon successful
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // authentication the filter will create a security context containing the
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // following principals:
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "dn" - the DN of the user if known (may not be the case for sasl-plain)
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "id" - the username used for authentication.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "authenticationFilter" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Indicates whether the filter should allow HTTP BASIC authentication.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "supportHTTPBasicAuthentication" : true,
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Indicates whether the filter should allow alternative authentication
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // and, if so, which HTTP headers it should obtain the username and
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // password from.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "supportAltAuthentication" : true,
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "altAuthenticationUsernameHeader" : "X-OpenIDM-Username",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "altAuthenticationPasswordHeader" : "X-OpenIDM-Password",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Indicates whether the authenticated LDAP connection should be cached
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // for use within the Rest2LDAP Servlet for subsequent LDAP operations.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // If this is set to true then the Servlet will not need its own LDAP
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // connection factory and will also not need to use proxied
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // authorization.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "reuseAuthenticatedConnection" : true,
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Specifies how LDAP authentications should be performed. The method
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // must be one of:
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "simple" - the username is an LDAP DN
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "sasl-plain" - the username is an authzid which will be
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // substituted into the "saslAuthzIdTemplate" using
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // %s substitution
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "search-simple" - the user's DN will be resolved by performing an
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // LDAP search using a filter constructed by
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // substituting the username into the
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "searchFilterTemplate" using %s substitution.
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac "method" : "search-simple",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The connection factory which will be exclusively used for
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // authenticating users using LDAP bind operations.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "bindLDAPConnectionFactory" : "default",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The SASL AuthzID template which will be used for "sasl-plain"
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac // authentication. The %s format parameters will be substituted with
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac // the client-provided username, using DN character escaping for DN
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac // AuthzIDs.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "saslAuthzIdTemplate" : "dn:uid=%s,ou=people,dc=example,dc=com",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The connection factory which will be used for performing LDAP
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // searches to locate users when "search-simple" authentication is
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "searchLDAPConnectionFactory" : "root",
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac // The search parameters to use for "search-simple" authentication. The
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac // %s filter format parameters will be substituted with the
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac // client-provided username, using LDAP filter string character escaping.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "searchBaseDN" : "ou=people,dc=example,dc=com",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "searchScope" : "sub", // Or "one".
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "searchFilterTemplate" : "(&(objectClass=inetOrgPerson)(uid=%s))"
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // TODO: support for HTTP sessions?
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The Rest2LDAP Servlet configuration.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "servlet" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The connection factory which will be used for performing LDAP
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // operations. Pre-authenticated connections passed through from the
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // authentication filter (see "reuseAuthenticatedConnection") will be
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // used in preference to this factory. Specifically, a connection
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // factory does not need to be configured if a connection will always
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // be passed on from the filter, which may not always be the case
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // if the filter is configured to use HTTP sessions.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "ldapConnectionFactory" : "root",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // Specifies how LDAP authorization should be performed. The method
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // must be one of:
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "none" - use connections acquired from the LDAP connection
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // factory. Don't use proxied authorization, and don't
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // use cached pre-authenticated connections,
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "reuse" - use the connection obtained during LDAP
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // authentication. If no connection was passed through
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // the authorization will fail,
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // "proxy" - use proxied authorization with an authorization ID
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // derived from the "proxyAuthzIdTemplate". Proxied
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // authorization will only be used if there is no
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // pre-authenticated connection available.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "authorizationPolicy" : "proxy",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The AuthzID template which will be used for proxied authorization.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The template should contain fields which are expected to be found in
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // the security context create during authentication, e.g. "dn" and "id".
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "proxyAuthzIdTemplate" : "dn:{dn}",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac // The REST APIs and their LDAP attribute mappings.
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "mappings" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "/users" : {
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "baseDN" : "ou=people,dc=example,dc=com",
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "readOnUpdatePolicy" : "controls",
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "useSubtreeDelete" : false,
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "usePermissiveModify" : true,
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "etagAttribute" : "etag",
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "namingStrategy" : {
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "strategy" : "clientDNNaming",
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac "dnAttribute" : "uid"
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "additionalLDAPAttributes" : [
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "type" : "objectClass",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "values" : [
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "organizationalPerson",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "inetOrgPerson"
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "attributes" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "schemas" : { "constant" : [ "urn:scim:schemas:core:1.0" ] },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true, "writability" : "createOnly" } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "_rev" : { "simple" : { "ldapAttribute" : "etag", "isSingleValued" : true, "writability" : "readOnly" } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "userName" : { "simple" : { "ldapAttribute" : "mail", "isSingleValued" : true, "writability" : "readOnly" } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "name" : { "object" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "givenName" : { "simple" : { "ldapAttribute" : "givenName", "isSingleValued" : true } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "familyName" : { "simple" : { "ldapAttribute" : "sn", "isSingleValued" : true, "isRequired" : true } }
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "manager" : { "reference" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "ldapAttribute" : "manager",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "baseDN" : "ou=people,dc=example,dc=com",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "primaryKey" : "uid",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "mapper" : { "object" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "writability" : "readOnlyDiscardWrites" } }
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "groups" : { "reference" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "ldapAttribute" : "isMemberOf",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "baseDN" : "ou=groups,dc=example,dc=com",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "writability" : "readOnly",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "primaryKey" : "cn",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "mapper" : { "object" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "_id" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true } }
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "contactInformation" : { "object" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "telephoneNumber" : { "simple" : { "ldapAttribute" : "telephoneNumber", "isSingleValued" : true } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "emailAddress" : { "simple" : { "ldapAttribute" : "mail", "isSingleValued" : true } }
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "meta" : { "object" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "created" : { "simple" : { "ldapAttribute" : "createTimestamp", "isSingleValued" : true, "writability" : "readOnly" } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "lastModified" : { "simple" : { "ldapAttribute" : "modifyTimestamp", "isSingleValued" : true, "writability" : "readOnly" } }
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "/groups" : {
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "baseDN" : "ou=groups,dc=example,dc=com",
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "readOnUpdatePolicy" : "controls",
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "useSubtreeDelete" : false,
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "usePermissiveModify" : true,
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "etagAttribute" : "etag",
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "namingStrategy" : {
9cbb15c8da2452687c698517c17306aa4e3381daJnRouvignac "strategy" : "clientDNNaming",
5bb748e5e7ad459601a615f8fe91da83605f292bJnRouvignac "dnAttribute" : "cn"
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "additionalLDAPAttributes" : [
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "type" : "objectClass",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "values" : [
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "groupOfUniqueNames"
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "attributes" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "schemas" : { "constant" : [ "urn:scim:schemas:core:1.0" ] },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "_id" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true, "writability" : "createOnly" } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "_rev" : { "simple" : { "ldapAttribute" : "etag", "isSingleValued" : true, "writability" : "readOnly" } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "isRequired" : true, "writability" : "readOnly" } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "members" : { "reference" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "ldapAttribute" : "uniqueMember",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "baseDN" : "dc=example,dc=com",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "primaryKey" : "uid",
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "mapper" : { "object" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "_id" : { "simple" : { "ldapAttribute" : "uid", "isSingleValued" : true, "isRequired" : true } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "displayName" : { "simple" : { "ldapAttribute" : "cn", "isSingleValued" : true, "writability" : "readOnlyDiscardWrites" } }
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "meta" : { "object" : {
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "created" : { "simple" : { "ldapAttribute" : "createTimestamp", "isSingleValued" : true, "writability" : "readOnly" } },
f1a8b8986de97939dbfcbdfc23ee9e66d5faadb2JnRouvignac "lastModified" : { "simple" : { "ldapAttribute" : "modifyTimestamp", "isSingleValued" : true, "writability" : "readOnly" } }