LDAPPassThroughAuthenticationPolicyConfiguration.xml revision 82b7f1f0a013260a27dffde120fc50931a1942fc
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CDDL HEADER START
!
! The contents of this file are subject to the terms of the
! Common Development and Distribution License, Version 1.0 only
! (the "License"). You may not use this file except in compliance
! with the License.
!
! You can obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! When distributing Covered Code, include this CDDL HEADER in each
! file and include the License file at
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
! add the following below this CDDL HEADER, with the fields enclosed
! by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CDDL HEADER END
!
!
! Copyright 2011 ForgeRock AS
! -->
<adm:managed-object name="ldap-pass-through-authentication-policy"
plural-name="ldap-pass-through-authentication-policies" extends="authentication-policy"
xmlns:ldap="http://www.opends.org/admin-ldap">
<adm:synopsis>
An authentication policy for users whose credentials are managed
by a remote LDAP directory service.
</adm:synopsis>
<adm:description>
Authentication attempts will be redirected to the remote LDAP
directory service based on a combination of the criteria specified in this
policy and the content of the user's entry in this directory server.
</adm:description>
<adm:constraint>
<adm:synopsis>
One or more mapped attributes must be specified when using the
"mapped-bind" or "mapped-search" mapping policies.
</adm:synopsis>
<adm:condition>
<adm:implies>
<adm:or>
<adm:contains property="mapping-policy" value="mapped-bind" />
<adm:contains property="mapping-policy" value="mapped-search" />
</adm:or>
<adm:is-present property="mapped-attribute" />
</adm:implies>
</adm:condition>
</adm:constraint>
<adm:constraint>
<adm:synopsis>
One or more search base DNs must be specified when using the
"mapped-search" mapping policies.
</adm:synopsis>
<adm:condition>
<adm:implies>
<adm:or>
<adm:contains property="mapping-policy" value="mapped-search" />
</adm:or>
<adm:is-present property="mapped-search-base-dn" />
</adm:implies>
</adm:condition>
</adm:constraint>
<adm:profile name="ldap">
<ldap:object-class>
<ldap:name>ds-cfg-ldap-pass-through-authentication-policy</ldap:name>
<ldap:superior>ds-cfg-authentication-policy</ldap:superior>
</ldap:object-class>
</adm:profile>
<adm:property-override name="java-class" advanced="true">
<adm:default-behavior>
<adm:defined>
<adm:value>
</adm:value>
</adm:defined>
</adm:default-behavior>
</adm:property-override>
<adm:property name="primary-remote-ldap-server" multi-valued="true"
mandatory="true">
<adm:synopsis>
Specifies the primary list of remote LDAP servers which should
be used for pass through authentication.
</adm:synopsis>
<adm:description>
If more than one LDAP server is specified then operations
may be distributed across them. If all of the primary LDAP servers are
unavailable then operations will fail-over to the set of secondary LDAP
servers, if defined.
</adm:description>
<adm:syntax>
<adm:string>
<adm:pattern>
<adm:regex>^.+:[0-9]+$</adm:regex>
<adm:usage>HOST:PORT</adm:usage>
<adm:synopsis>
A host name followed by a ":" and a port number.
</adm:synopsis>
</adm:pattern>
</adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-primary-remote-ldap-server</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="secondary-remote-ldap-server" multi-valued="true">
<adm:synopsis>
Specifies the secondary list of remote LDAP servers which
should be used for pass through authentication in the event that the
primary LDAP servers are unavailable.
</adm:synopsis>
<adm:description>
If more than one LDAP server is specified then operations
may be distributed across them. Operations will be rerouted to the primary
LDAP servers as soon as they are determined to be available.
</adm:description>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>No secondary LDAP servers.</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:string>
<adm:pattern>
<adm:regex>^.+:[0-9]+$</adm:regex>
<adm:usage>HOST:PORT</adm:usage>
<adm:synopsis>
A host name followed by a ":" and a port number.
</adm:synopsis>
</adm:pattern>
</adm:string>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-secondary-remote-ldap-server</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="connection-timeout">
<adm:synopsis>
Specifies the timeout used when connecting to remote LDAP
director servers, performing SSL negotiation, and for individual search
and bind requests.
</adm:synopsis>
<adm:description>
If the timeout expires then the current operation will be
aborted and retried against another LDAP server if one is available.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>3 seconds</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:duration base-unit="ms" lower-limit="0" />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-connection-timeout</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property-reference name="use-ssl" />
<adm:property name="trust-manager-provider">
<adm:synopsis>
Specifies the name of the trust manager that should be used
when negotiating SSL connections with remote LDAP directory servers.
</adm:synopsis>
<adm:requires-admin-action>
<adm:none>
<adm:synopsis>
Changes to this property take effect immediately, but only
impact subsequent SSL connection negotiations.
</adm:synopsis>
</adm:none>
</adm:requires-admin-action>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:aggregation relation-name="trust-manager-provider"
parent-path="/">
<adm:constraint>
<adm:synopsis>
The referenced trust manager provider must be enabled
when SSL is enabled.
</adm:synopsis>
<adm:target-needs-enabling-condition>
<adm:and>
<adm:contains property="use-ssl" value="true" />
</adm:and>
</adm:target-needs-enabling-condition>
<adm:target-is-enabled-condition>
<adm:contains property="enabled" value="true" />
</adm:target-is-enabled-condition>
</adm:constraint>
</adm:aggregation>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-trust-manager-provider</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="mapping-policy" mandatory="true">
<adm:synopsis>
Specifies the mapping algorithm for obtaining the bind DN from
the user's entry.
</adm:synopsis>
<adm:default-behavior>
<adm:defined>
<adm:value>unmapped</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:enumeration>
<adm:value name="unmapped">
<adm:synopsis>
Bind to the remote LDAP directory service using the DN
of the user's entry in this directory server.
</adm:synopsis>
</adm:value>
<adm:value name="mapped-bind">
<adm:synopsis>
Bind to the remote LDAP directory service using a DN
obtained from an attribute in the user's entry. This policy will
check each attribute named in the "mapped-attribute" property. If
more than one attribute or value is present then the first one will
be used.
</adm:synopsis>
</adm:value>
<adm:value name="mapped-search">
<adm:synopsis>
Bind to the remote LDAP directory service using the DN
of an entry obtained using a search against the remote LDAP
directory service. The search filter will comprise of an equality
matching filter whose attribute type is the "mapped-attribute"
property, and whose assertion value is the attribute value obtained
from the user's entry. If more than one attribute or value is
present then the filter will be composed of multiple equality
filters combined using a logical OR (union).
</adm:synopsis>
</adm:value>
</adm:enumeration>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-mapping-policy</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="mapped-attribute" multi-valued="true">
<adm:synopsis>
Specifies one or more attributes in the user's entry whose
value(s) will determine the bind DN used when authenticating to the remote
LDAP directory service. This property is mandatory when using the
"mapped-bind" or "mapped-search" mapping policies.
</adm:synopsis>
<adm:description>
At least one value must be provided. All values must refer
to the name or OID of an attribute type defined in the directory server
schema. At least one of the named attributes must exist in a user's
local entry in order for authentication to proceed. When multiple
attributes or values are found in the user's entry then the behavior is
determined by the mapping policy.
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:attribute-type />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-mapped-attribute</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="mapped-search-bind-dn">
<adm:synopsis>
Specifies the bind DN which should be used to perform user
searches in the remote LDAP directory service.
</adm:synopsis>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>Searches will be performed anonymously.</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:dn />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-mapped-search-bind-dn</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="mapped-search-bind-password">
<adm:synopsis>
Specifies the bind password which should be used to perform
user searches in the remote LDAP directory service.
</adm:synopsis>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>Searches will be performed anonymously.</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:password />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-mapped-search-bind-password</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="mapped-search-base-dn" multi-valued="true">
<adm:synopsis>
Specifies the set of base DNs below which to search for users
in the remote LDAP directory service. This property is mandatory when
using the "mapped-search" mapping policy.
</adm:synopsis>
<adm:description>
If multiple values are given, searches are performed below
all specified base DNs.
</adm:description>
<adm:default-behavior>
<adm:undefined />
</adm:default-behavior>
<adm:syntax>
<adm:dn />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-mapped-search-base-dn</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="use-tcp-keep-alive" advanced="true">
<adm:synopsis>
Indicates whether LDAP connections should use TCP keep-alive.
</adm:synopsis>
<adm:description>
If enabled, the SO_KEEPALIVE socket option is used to
indicate that TCP keepalive messages should periodically be sent to the
client to verify that the associated connection is still valid. This may
also help prevent cases in which intermediate network hardware
could silently drop an otherwise idle client connection, provided
that the keepalive interval configured in the underlying operating
system is smaller than the timeout enforced by the network hardware.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>true</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-use-tcp-keep-alive</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="use-tcp-no-delay" advanced="true">
<adm:synopsis>
Indicates whether LDAP connections should use TCP no-delay.
</adm:synopsis>
<adm:description>
If enabled, the TCP_NODELAY socket option is used to ensure
that response messages to the client are sent immediately rather
than potentially waiting to determine whether additional response
messages can be sent in the same packet. In most cases, using the
TCP_NODELAY socket option provides better performance and
lower response times, but disabling it may help for some cases in
which the server sends a large number of entries to a client
in response to a search request.
</adm:description>
<adm:default-behavior>
<adm:defined>
<adm:value>true</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:boolean />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-use-tcp-no-delay</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="ssl-protocol" multi-valued="true" advanced="true">
<adm:synopsis>
Specifies the names of the SSL protocols which are allowed for
use in SSL based LDAP connections.
</adm:synopsis>
<adm:requires-admin-action>
<adm:none>
<adm:synopsis>
Changes to this property take effect immediately but will
only impact new SSL LDAP connections created after the
change.
</adm:synopsis>
</adm:none>
</adm:requires-admin-action>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>
Uses the default set of SSL protocols provided by the
server's JVM.
</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:string />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-ssl-protocol</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="ssl-cipher-suite" multi-valued="true"
advanced="true">
<adm:synopsis>
Specifies the names of the SSL cipher suites that are allowed
for use in SSL based LDAP connections.
</adm:synopsis>
<adm:requires-admin-action>
<adm:none>
<adm:synopsis>
Changes to this property take effect immediately but will
only impact new SSL LDAP connections created after the
change.
</adm:synopsis>
</adm:none>
</adm:requires-admin-action>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>
Uses the default set of SSL cipher suites provided by the
server's JVM.
</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:string />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-ssl-cipher-suite</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
</adm:managed-object>