...
| Expand |
|---|
| title | slihouette.conf template |
|---|
|
| Code Block |
|---|
| # LDAP provider
ldap.hostname="MYLDAPSERVICE.MYCOMPANY.MYCOM"
# ldap.port=389|636(TLS)|<custom>
ldap.port=LDAPPORT
ldap.baseDN="dc=MYCOMPANY,dc=MYCOM"
ldap.adminUserDN="cn=MYADMIN,ou=MYADMINGROUP,dc=MYCOMPANY,dc=MYCOM"
ldap.adminPassword="MYADMINPASS"
ldap.userBindAttribute="uid"
ldap.mailAttribute="userPrincipalName"
# [optional]: For SSL/TLS + certificate-based LDAPS
# ldap.startTLS=false|true
ldap.startTLS=false
ldap.truststorePath=""
ldap.truststorePassword=""
ldap.trustStoreType = ""
# ldap.trustAllCertificates=true|false
ldap.trustAllCertificates=true
# --------------------------------------------------
# If you want to limit Syndeia access to the members of
# a single LDAP group, then supply appropriate values for each and every one of
# the group settings below in addition to the settings for the general LDAP authentication.
# --------------------------------------------------
#
# Base DN where Syndeia looks for <memberAttribute> to identify groups and/or users to authenticate for Syndeia Cloud
# ldap.groupSettings.dn="ou=MYTEAMS,dc=MYCOMPANY,dc=MYCOM"
#
# Necessary OU attribute value to help Syndeia identify LDAP group nodes
# Syndeia will search through nested groups of any depth but all must be within the base DN above specified in ldap.groupSettings.dn)
# ldap.groupSettings.ou="groups"
#
# Simple name of the group used to restrict access to Syndeia Cloud
# ldap.groupSettings.name="MYSYNDEIAUSERGROUP"
#
# Attribute used to indicate group instances
# for example, given a DN: "cn=MYSYNDEIAUSERGROUP,ou=MYTEAMS,dc=MYCOMPANY,dc=MYCOM", then use "cn" next
# ldap.groupSettings.bindAttribute="cn"
#
# Attribute used in group instances to indicate members of that group
# ldap.groupSettings.memberAttribute="uniqueMember"
|
|
Curious about the purpose of each and every setting? Expand this:
| Expand |
|---|
| title | Purpose of each Syndeia Silhouette LDAP setting |
|---|
|
Setting | Purpose | Mandatory? | Typical |
|---|
ldap.hostname
| names the server that is providing the LDAP service | YES | ldap.company.com | ldap.port
| identifies the port on the LDAP server | YES | 389 or 636 | ldap.adminUserDN
| the LDAP Distinguished Name for the LDAP Administrator | Usually | cn=MYADMIN,ou=MYADMINGROUP,dc=MYCOMPANY,dc=MYCOM | ldap.adminPassword
| encrypted value of the LDAP Admin’s password | Usually | MYADMINPASS (like #$%^&*_NOSOUPFORYOU) | ldap.baseDN
| base Distinguished Name for the start of user queries | YES | ou=MYUSERS,dc=MYCOMPANY,dc=MYCOM | ldap.userBindAttribute
| organization’s choice of LDAP attribute that uniquely identifies each user even without a full DN | YES | uid or sAMAccountName | ldap.mailAttribute
| organization’s choice of LDAP attribute that uniquely identifies each user’s Email address | YES | email or userPrincipalName | ldap.startTLS
| should Syndeia first attempt to establish an HTTPS session with the LDAP service before making queries? | YES | false for LDAP, true for Secure-LDAP | ldap.trustAllCertificates
| should Syndeia allow the LDAP service to use an untrustworthy or self-signed SSL certificate? | YES | false (production), true (testing) | ldap.truststorePath
| file location on the Syndeia server for the Java Keystore which holds public certificates that sign the public SSL certificate used by the LDAP server | NO | /opt/icx/syndeia-cloud-current/some/secure/path/to/keystore.jks | ldap.truststorePassword
| password for the JKS file at ldap.truststorePath | NO | Often it is left as “changeme” - but it should be changed when it a proper JKS keystore is being used | ldap.trustStoreType
| the type of Keystore. JKS is typical. This depends on what the running JVM has been configured to support. | NO | “JKS” “jks” - but only when a ldap.truststorePath is present. |
|
...
