| Setting | Purpose | Mandatory? | Typical |
|---|---|---|---|
| ldap.hostname | names the server that is providing the LDAP service | YES | ldap.company.com |
| ldap.port | identifies the port on the LDAP server | YES | 389 or 636 |
| ldap.adminUserDN | the LDAP Distinguished Name for the LDAP Administrator | Usually | cn=MYADMIN,ou=MYADMINGROUP,dc=MYCOMPANY,dc=MYCOM |
| ldap.adminPassword | encrypted value of the LDAP Admin’s password | Usually | MYADMINPASS (like #$%^&*_NOSOUPFORYOU) |
| ldap.baseDN | base Distinguished Name for the start of user queries | YES | ou=MYUSERS,dc=MYCOMPANY,dc=MYCOM |
| ldap.userBindAttribute | organization’s choice of LDAP attribute that uniquely identifies each user even without a full DN | NO (defaults to “uid”) | uid or sAMAccountName |
| ldap.mailAttribute | organization’s choice of LDAP attribute that uniquely identifies each user’s email address | NO (defaults to “mail”) | mail or userPrincipalName |
| ldap.startTLS | should Syndeia first attempt to establish an SSL session with the LDAP service before making queries? | NO (defaults to false) | false for LDAP, true for Secure-LDAP |
| ldap.truststorePath | file location on the Syndeia server of the Java Keystore holding the public certificates that sign the public SSL certificate used by the LDAP server | NO | /opt/icx/syndeia-cloud-current/some/secure/path/to/keystore.jks |
| ldap.truststorePassword | password for the JKS file at ldap.truststorePath | NO (defaults to “changeit”) | Often left as “changeit”, but it should be changed when a proper JKS keystore is being used |
| ldap.trustStoreType | the type of Keystore. JKS is typical. This depends on what the running JVM has been configured to support. | NO (defaults to “jks”) | “jks”, but only relevant when ldap.truststorePath is present |
| ldap.sslProtocol | the algorithm to use for the TLS Protocol | NO (defaults to client/server negotiation) | TLSv1.2 |
| ldap.sslCipher | the cipher suite (encryption algorithm) to use for SSL, given by its JVM name rather than its OpenSSL name | NO (defaults to client/server negotiation) | TLS_RSA_WITH_AES_256_CBC_SHA256 |

When configuring LDAP Group-limited Access, some of the following must be provided:

| Setting | Purpose | Mandatory? | Typical |
|---|---|---|---|
| ldap.groupSettings.dn | Distinguished Name for where to start looking for LDAP Group instances | NO (YES if intending to limit access to a Group) | ou=MYTEAMS,dc=MYCOMPANY,dc=MYCOM |
| ldap.groupSettings.ou | obsolete | NO | ignored |
| ldap.groupSettings.objectClass | the LDAP object class for Group entries | NO (defaults to “groupofUniqueNames”) | groupOfUniqueNames or groupOfNames |
| ldap.groupSettings.name | a common name value that indicates the team of Syndeia Users | NO (YES if intending to limit access to a Group) | MYSYNDEIAUSERGROUP |
| ldap.groupSettings.bindAttribute | the LDAP attribute in a group instance that identifies the common name | NO (defaults to “cn”) | cn |
| ldap.groupSettings.memberAttribute | the LDAP attribute in a group instance that identifies one or more member entries | NO (defaults to “uniqueMember”) | uniqueMember or member |
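As an added example (not Syndeia's own code), the following linter reads a fragment of these settings and flags the combinations a reviewer would raise before go-live: a cleartext admin bind on port 389 without startTLS, a truststore left at the default password, a cipher suite without forward secrecy, and a group DN set without the matching group name. The "key = value" layout and the sample values are assumptions for illustration.

```python
# Added example (not Syndeia's own code): lint the LDAP settings described above.
# The "key = value" layout and the sample values are assumptions for illustration.
def parse_props(text):
    """Parse 'key = value' lines into a dict; blank and '#' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def lint_ldap(cfg):
    """Return (setting, finding) pairs a reviewer would raise before go-live."""
    out = []
    for key in ("ldap.hostname", "ldap.port", "ldap.baseDN"):
        if key not in cfg:
            out.append((key, "mandatory setting missing"))
    tls = cfg.get("ldap.startTLS", "false").lower() == "true"
    if not tls and cfg.get("ldap.port") != "636":
        out.append(("ldap.startTLS", "admin bind and user queries travel in cleartext"))
    if "ldap.truststorePath" in cfg and cfg.get("ldap.truststorePassword", "changeit") == "changeit":
        out.append(("ldap.truststorePassword", "keystore still uses the well-known default"))
    if cfg.get("ldap.sslProtocol") in ("SSLv3", "TLSv1", "TLSv1.1"):
        out.append(("ldap.sslProtocol", "deprecated protocol version"))
    cipher = cfg.get("ldap.sslCipher", "")
    if cipher.startswith("TLS_RSA_") or "_CBC_" in cipher:
        out.append(("ldap.sslCipher", "no forward secrecy or CBC mode; prefer ECDHE+GCM"))
    if ("ldap.groupSettings.dn" in cfg) != ("ldap.groupSettings.name" in cfg):
        out.append(("ldap.groupSettings", "dn and name must both be set to limit access"))
    if "ldap.groupSettings.ou" in cfg:
        out.append(("ldap.groupSettings.ou", "obsolete setting, ignored"))
    return out

# Constructed sample: the "typical" column taken literally, plus a group DN
# without a matching group name.
SAMPLE = """
ldap.hostname = ldap.company.com
ldap.port = 389
ldap.baseDN = ou=MYUSERS,dc=MYCOMPANY,dc=MYCOM
ldap.truststorePath = /opt/icx/syndeia-cloud-current/some/secure/path/to/keystore.jks
ldap.sslCipher = TLS_RSA_WITH_AES_256_CBC_SHA256
ldap.groupSettings.dn = ou=MYTEAMS,dc=MYCOMPANY,dc=MYCOM
"""

def lint_sample():
    """Lint the constructed sample; returns the findings list."""
    return lint_ldap(parse_props(SAMPLE))
```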