Connection properties

The LDAP connection properties can be repeated multiple times in the property file, but only once per LDAP connection/domain. Some properties can contain multiple values (lists) and those properties are used multiple times with an ".*" extension, where the * is an index starting with 0.

As an example, consider the example properties file above. It contains two defined group Distinguished Names for LDAP connection 1:

  • ldap.groupDN.extended.conf1.0=OU=Groups

  • ldap.groupDN.extended.conf1.1=OU=More-Groups

The .0 and .1 components of these properties are the indexes into the created list of group distinguished names.

Each property ends with the name of the configuration/domain, possibly followed by an index for multi-value properties. So for the "ldap.hostName" property for configuration 1, the property name in the file becomes "ldap.hostName.conf1" and for the second configuration (if there is more than one), it becomes "ldap.hostName.conf2". The descriptions below use the "conf#" annotation, where the # should be replaced with the correct configuration number starting with 1.

Property Description
ldap.hostName.conf# This property is the FQDN or IP address of the LDAP server. This is a required property.
ldap.port.conf# This property specifies the port used for the LDAP server communication. Deployment fails if the port is invalid. Default values are 389 (if encryption method is NONE or START_TLS) or 636 (if LDAPS is used). If neither ldap.port or ldap.encryptionMethod are specified, the deployment fails.
ldap.encryptionMethod.conf# This property provides the encryption method used to connect to the LDAP server. Possible values are NONE, LDAPS, and START_TLS. Default values are LDAPS (if ldap.port=636), START_TLS (if ldap.port=389), or NONE (for any other port values). If neither ldap.port or ldap.encryptionMethod are specified, the deployment fails.
ldap.baseDN.conf# This property defines the Distinguished Name of the root of the LDAP server, under which all the users and groups are found. This is a required property.
ldap.bindUser.conf#

This property defines the user that performs the initial bind to the LDAP server. This user must have permissions to find all users in the LDAP tree that must be able to log on. This is a required property.

If the user is specified in the "domain\user" format, two backslashes are required to get the desired behavior (that is, "domain\\user").

ldap.bindPassword.conf# This property defines the password of the LDAP bind user. This is a required property.
ldap.userAttribute.conf#

This property specifies the attribute that must be used to match with the provided username when logging on a user.

Default value: cn.

ldap.userObjectClass.conf#

This property specifies the objectClass of a user in the LDAP schema.

Default value: user

ldap.userSearchScope.conf#

This property defines the search scope for finding users.

Possible values:

  • one - only the search bases defined by ldap.userDN.extended are used. Any users lower in the directory tree are not found.

  • sub - entries below the search base are also found.

Default value: sub

ldap.groupSearchScope.conf#

This property defines the search scope for finding groups.

Possible values:

  • one - only the search bases defined by ldap.groupDN.extended are used. Any groups lower in the directory tree are not found.

  • sub - entries below the search base are also found.

Default value: one

ldap.groupObjectClass.conf#

This property specifies the objectClass of a group in the LDAP schema.

Default value: group

ldap.groupAttributeName.conf#

This property specifies the LDAP attribute of a group to match users with to determine group membership.

Default value: member

ldap.nested.groups.conf#

This property specifies if the LDAP Session Provider should look in nested groups when resolving user role membership. A nested group is a group that contains other groups. If this property is set to true, the user will inherit the implicit group membership from groups within groups. If set to false, only explicit group membership will be resolved.

Default value: false
ldap.userDisplayName.conf#.* This is a list property so it may contain multiple values. The attributes in this list are used to determine the Display Name used for the Grid Principal after a successful logon. This is an optional property.
ldap.userDN.extended.conf#.* This is a list property so it may contain multiple values. This property is a list of different Distinguished Names of LDAP Organizational Units where users are stored. These are the search bases used to find users. This is an optional property and defaults to the ldap.baseDN value.
ldap.groupDN.extended.conf#.* This is a list property so it may contain multiple values. This property is a list of different Distinguished Names of LDAP Organizational Units where groups are stored. These are the search bases used to find groups. This is an optional property and defaults to the ldap.baseDN value.
ldap.strip.domain.conf#

This property defines whether the LDAP Session Provider should remove any domain information from the username before creating the Grid Principal.

Default value: true

ldap.hostName.failOver.conf#.* This is a list property, so it may contain multiple values. This property is a list of FQDNs or IP addresses for the fail-over hosts to use for this domain/configuration. The property is optional.