server_host | The host name of the LDAP server.
server_port | The port on which the LDAP server listens, for example 389 or 636. 389 is the default port for non-SSL LDAP and AD; 636 is the default port for SSL LDAP and AD. For more information about ports, see OpsCenter ports.
uri_scheme | In LDAPv2 environments, TLS is normally started using the LDAP Secure URI scheme (ldaps) instead of the normal LDAP URI scheme. OpenLDAP command line tools allow either scheme to be used with the -H flag and with the URI ldap.conf(5) option. Defaults to ldap for ldap_security = None; defaults to ldaps for ldap_security = SSL or TLS.
search_dn | The username of the user that is used to search for other users on the LDAP server. When a user attempts to authenticate with LDAP, OpsCenter searches for the user in LDAP to discover whether the user exists and which roles the user is associated with. The only permission that the search user needs to have in the LDAP system is the ability to perform LDAP searches. Note: If the search_dn and search_password (which constitute the search user entry point for locating users in LDAP) are omitted from the configuration, LDAP attempts to make an anonymous bind to perform the user search.
search_password | The password of the search_dn user.
user_search_base | The search base for your domain, used to look up users. Set the ou and dc elements for your LDAP domain. Typically this is set to ou=users,dc=domain,dc=top-level-domain; for example, ou=users,dc=example,dc=com. Active Directory uses a different search base, typically CN=search,CN=Users,DC=Active-Directory-domain-name,DC=internal; for example, CN=search,CN=Users,DC=example-sales,DC=internal.
user_search_filter | The LDAP search filter used to uniquely identify a user. The default setting is (uid={0}), which looks for a user by unique user identifier. The value of the {0} variable is the username provided when logging in to OpsCenter. When using Active Directory, set the filter to (sAMAccountName={0}). Note: There is a known limitation in OpsCenter when using search filters for Active Directory. See troubleshooting LDAP.
group_search_base | The LDAP search base used to find a group. Example: ou=groups,dc=qaldap,dc=datastax,dc=lan
group_search_filter | Deprecated. The LDAP search filter used to find a user's group. Example: (member=cn={0},ou=users,dc=nodomain). Within the group_search_base, filter for members based on cn. For existing AD implementations that already have this configuration option set, the group_search_filter_with_dn overwrites the returned value with the user's DN.
group_search_filter_with_dn | The LDAP search filter used to find a user's group. Uses the user's full DN from a user search. Overrides the deprecated group_search_filter. Example: (member={0}).
group_name_attribute | The LDAP field name used to identify a group's name. For example: cn.
admin_group_name | The name of the admin group or a comma-separated list of admin group names; for example: admin, superusers. OpsCenter automatically creates the roles with admin permissions for the roles provided in the admin_group_name list. Escape any restricted LDAP characters. If your group name contains restricted LDAP characters such as "," (a comma), you must escape them. For example, two admin groups "foo , bar" and "baz" should be entered as: foo \, bar, baz
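The escaping rule for admin_group_name, worked through as an added example (this is not OpsCenter's own parsing code; the function names and the round-trip formatter are assumptions made here). A backslash-escaped comma stays inside a group name, an unescaped comma separates names, and the formatter produces the escaped form you would write into the configuration:

```python
def parse_admin_group_name(value):
    """Split an admin_group_name value on unescaped commas.

    A backslash escapes the next character, so "foo \\, bar, baz" yields the two
    groups "foo , bar" and "baz". Surrounding whitespace is trimmed and empty
    entries (for example from a trailing comma) are dropped.
    """
    groups, current, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            current.append(value[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ",":
            groups.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    groups.append("".join(current).strip())
    return [g for g in groups if g]


def format_admin_group_name(groups):
    """Inverse of parse_admin_group_name: escape backslashes and commas inside
    each group name and join the names with ", " (assumed helper)."""
    escaped = [g.replace("\\", "\\\\").replace(",", "\\,") for g in groups]
    return ", ".join(escaped)


if __name__ == "__main__":
    # Constructed sample value taken from the description above.
    sample = r"foo \, bar, baz"
    print(parse_admin_group_name(sample))  # ['foo , bar', 'baz']
    print(format_admin_group_name(["foo , bar", "baz"]))  # foo \, bar, baz
```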
user_memberof_attribute | Set to the attribute on the user entry containing group membership information. Set this option when using memberof_search for the group_search_type.
group_search_type | Defines how group membership is determined for a user. Available options: directory_search (default) performs a subtree search of group_search_base using group_search_filter to filter the results. memberof_search gets groups from the user_memberof_attribute of a user; using this option requires the directory server to have memberof support. When using memberof_search rather than directory_search for group searches, you do not need to specify the group_search_base or group_search_filter options.
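The lookup flow that user_search_filter, group_search_filter_with_dn, group_name_attribute, user_memberof_attribute and group_search_type describe, as an added example (not OpsCenter code) run against a small constructed in-memory directory instead of a live server. The point to take away is the escaping step: the {0} placeholder must be filled with an RFC 4515-escaped username, so that a login name containing "*", "(" or ")" is matched literally rather than changing the filter. The directory contents, the config values and the function names are all assumptions made for this example; only single-equality filters of the form (attr=value) are supported:

```python
import re

# Constructed sample directory (DN -> attributes); not real data.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": {
        "uid": ["alice"],
        "memberOf": ["cn=admin,ou=groups,dc=example,dc=com",
                     "cn=readers,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=users,dc=example,dc=com": {
        "uid": ["bob"],
        "memberOf": ["cn=readers,ou=groups,dc=example,dc=com"],
    },
    "cn=admin,ou=groups,dc=example,dc=com": {
        "cn": ["admin"],
        "member": ["uid=alice,ou=users,dc=example,dc=com"],
    },
    "cn=readers,ou=groups,dc=example,dc=com": {
        "cn": ["readers"],
        "member": ["uid=alice,ou=users,dc=example,dc=com",
                   "uid=bob,ou=users,dc=example,dc=com"],
    },
}

# Constructed configuration using the option names from the table above.
CONFIG = {
    "user_search_base": "ou=users,dc=example,dc=com",
    "user_search_filter": "(uid={0})",
    "group_search_base": "ou=groups,dc=example,dc=com",
    "group_search_filter_with_dn": "(member={0})",
    "group_name_attribute": "cn",
    "group_search_type": "directory_search",
    "user_memberof_attribute": "memberOf",
}

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value that is substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value (\\XX hex sequences back to characters)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fill_filter(template, value):
    """Replace the {0} placeholder with the escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def search(base, filt):
    """Subtree search of the in-memory directory for a single (attr=value) filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, want = m.group(1).lower(), unescape_filter_value(m.group(2))
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue  # outside the search base
        values = [v for k, v in attrs.items() if k.lower() == attr]
        if values and want in values[0]:
            hits.append(dn)
    return hits


def resolve_groups(username, cfg):
    """Return the sorted group names for a login name, or None if the user
    search does not identify exactly one entry."""
    user_dns = search(cfg["user_search_base"], fill_filter(cfg["user_search_filter"], username))
    if len(user_dns) != 1:
        return None  # unknown user, or a filter that is not unique: do not authenticate
    user_dn = user_dns[0]
    if cfg["group_search_type"] == "memberof_search":
        group_dns = DIRECTORY[user_dn].get(cfg["user_memberof_attribute"], [])
    else:  # directory_search: the user's full DN goes into group_search_filter_with_dn
        group_dns = search(cfg["group_search_base"],
                           fill_filter(cfg["group_search_filter_with_dn"], user_dn))
    name_attr = cfg["group_name_attribute"]
    return sorted(DIRECTORY[dn][name_attr][0] for dn in group_dns)


if __name__ == "__main__":
    print(resolve_groups("alice", CONFIG))            # ['admin', 'readers']
    print(resolve_groups("*", CONFIG))                # None: wildcard is matched literally
    print(resolve_groups("alice)(uid=*", CONFIG))     # None: parentheses are escaped
```

Switching group_search_type to memberof_search makes resolve_groups read the user entry's memberOf attribute instead of searching the group subtree, which is why group_search_base and the group filter are not needed in that mode.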
ssl_cacert | Path to the CA cert file. Example: ./cacert.pem
ssl_cert | Path to the cert file. Example: ./cert.pem
ssl_key | Path to the key. Example: ./user.key.pem
tls_reqcert | Sets the security level for secure communication. Specifies the checks performed on a server certificate. Available options: NEVER, DEMAND (default), TRY, ALLOW.
tls_demand | Sets the demand level for TLS. Available options: Never, HARD. See http://www.openldap.org/doc/admin21/tls.html.
ldap_security | The type of security to use with LDAP: None, TLS, SSL. When set to TLS, uses StartTLS. Setting this option to TLS or SSL sets the uri_scheme to LDAPS. Setting this option to None sets the uri_scheme to LDAP.
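The scheme derivation described for ldap_security and uri_scheme, plus a review of the transport-related options, as an added example that is not OpsCenter code. The option names come from the table above; the two sample configurations, the function names and the finding texts are constructed here. The tls_reqcert interpretation (NEVER and ALLOW do not fail a connection on a bad server certificate) follows OpenLDAP's TLS_REQCERT semantics, which the tls_demand row links to; that OpsCenter passes the value through unchanged is an assumption:

```python
def ldap_uri(cfg):
    """Build the server URI: ldaps for ldap_security SSL or TLS, ldap for None."""
    scheme = "ldaps" if cfg.get("ldap_security", "None") in ("SSL", "TLS") else "ldap"
    return f"{scheme}://{cfg['server_host']}:{cfg['server_port']}"


def audit_ldap_security(cfg):
    """Return a list of findings for settings that weaken the LDAP connection."""
    findings = []
    security = cfg.get("ldap_security", "None")
    reqcert = str(cfg.get("tls_reqcert", "DEMAND")).upper()

    if security == "None":
        findings.append("ldap_security=None: search_password and user passwords "
                        "are sent to the server in cleartext")
    if security != "None" and reqcert in ("NEVER", "ALLOW"):
        # OpenLDAP TLS_REQCERT semantics (assumed to be passed through unchanged)
        findings.append(f"tls_reqcert={reqcert}: server certificate is not required "
                        "to validate, so the server identity is not verified")
    if security != "None" and not cfg.get("ssl_cacert"):
        findings.append("ssl_cacert not set: no CA to validate the server certificate against")
    if security == "None" and str(cfg.get("server_port")) == "636":
        findings.append("server_port=636 with ldap_security=None: 636 is the SSL port, "
                        "so the connection will use the wrong scheme")
    if not cfg.get("search_dn") or not cfg.get("search_password"):
        findings.append("search_dn/search_password omitted: user search falls back "
                        "to an anonymous bind")
    if str(cfg.get("protocol_version", "")) != "3":
        findings.append("protocol_version not set to 3: LDAP v3 must be set explicitly")
    return findings


# Constructed sample configurations.
WEAK_CONFIG = {
    "server_host": "ldap.example.com",
    "server_port": 389,
    "ldap_security": "None",
    "tls_reqcert": "NEVER",
}

HARDENED_CONFIG = {
    "server_host": "ldap.example.com",
    "server_port": 636,
    "ldap_security": "SSL",
    "tls_reqcert": "DEMAND",
    "ssl_cacert": "./cacert.pem",
    "search_dn": "cn=opscenter-search,ou=users,dc=example,dc=com",
    "search_password": "<placeholder-not-a-real-password>",
    "protocol_version": 3,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, ldap_uri(cfg))
        for finding in audit_ldap_security(cfg):
            print("  -", finding)
```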
connection_timeout | The number of seconds to wait before concluding that the LDAP server is down. Default: 20 seconds.
opt_referrals | A number that represents whether referrals are followed. Zero does not follow referrals; any other number follows referrals. This option usually needs to be set to 0 for Active Directory. The default setting is 1.
protocol_version | Sets the LDAP protocol version. For LDAP v3, this option must be explicitly set to 3.