address
The address KVGroup allows you to specify arguments for the LDAP connector, using key-value pairs.
Write the address KVGroup in the format:
"address" "" = { "<key>" = "<value>" ... }
Note
listUniquifyObjects support implemented in Connector Pack 4.4.0.
You can include any of the following keys. Each key is optional:
deleteSubs Set to true to be able to delete users that have auxiliary objects and attributes. The default value is false.
listMembersByAccount Set to true to list group memberships based on attributes in an account object instead of attributes in a group object. The default value is false.
Use in combination with the "memberAttr" and "memberidAttr" keys within the "accounts" kvgroup.
Use this option to look up group memberships in reverse, from account objects instead of from group objects as is typical. The groups (such as a group id) are then held in custom account attributes for the users/accounts.
Note
Adding and removing group members is currently not supported for this method when listMembersByAccount is set to true.
listUniquifyObjects Skip over duplicate records if they are encountered from multiple schemas or other configurations. The default is false.
passattr the attribute where the password is stored (Default: userpassword)
pageSupported overrides the server queried page support value. The value is either true or false. The default is true.
pageSize configures the page size limit queried from the server. The default value is 500.
pwtruncate truncates the password to a set value for the verify and reset operations. After a reset operation, the user can log in with the truncated password, as well as the remaining full-length password. Any password shorter than the value of pwtruncate will not be accepted.
pwhash the name of a Win32 executable program used to hash the password, or one of the following password hashing functions:
{SSHA} – Salted SHA-1 (Secure Hash Algorithm)
{SHA} – SHA-1 (Secure Hash Algorithm)
{SMD5} – Salted MD5 (Message Digest Algorithm)
{MD5} – MD5 (Message Digest Algorithm)
{CRYPT} – Unix crypt
{UNIX} – Same as Unix crypt, but with a prefix of {UNIX} rather than {CRYPT}
"" – when set to a blank value, the password is sent to the LDAP server as plain text and it is the responsibility of the DSA to hash the password.
Warning
Do not specify a password hashing function unless you are sure that it is supported by your particular LDAP system. Specifying an unsupported function will cause a new LDAP password to be invalid.
The default value is SSHA.
See Password hashing programs and scripts for more information.
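Added example, not part of the product documentation or the connector's code: a Python sketch for auditing stored password values against the four SHA-1/MD5 schemes listed above, showing which ones carry a salt. It assumes the common RFC 2307-style encoding, tag + base64(digest + salt), as used by OpenLDAP; whether this connector encodes values the same way is an assumption, and {CRYPT}/{UNIX} are not handled. Function names and sample passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# scheme tag -> (hashlib algorithm, digest length in bytes, salted?)
SCHEMES = {
    "{SSHA}": ("sha1", 20, True),
    "{SHA}": ("sha1", 20, False),
    "{SMD5}": ("md5", 16, True),
    "{MD5}": ("md5", 16, False),
}

def hash_password(scheme, password, salt=None):
    """Build a stored value: tag + base64(digest [+ salt]) (assumed encoding)."""
    algo, _, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")

def split_stored(stored):
    """Return (scheme, digest, salt); scheme is None for an untagged value."""
    for scheme, (_, dlen, _) in SCHEMES.items():
        if stored.upper().startswith(scheme):
            raw = base64.b64decode(stored[len(scheme):])
            return scheme, raw[:dlen], raw[dlen:]
    return None, b"", b""

def verify_password(stored, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, digest, salt = split_stored(stored)
    if scheme is None:
        return False  # plain text, {CRYPT}/{UNIX} or unknown: not handled here
    algo = SCHEMES[scheme][0]
    trial = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(trial, digest)

def is_salted(stored):
    """True only when salt bytes follow the digest in the stored value."""
    return len(split_stored(stored)[2]) > 0

if __name__ == "__main__":
    # Constructed sample password, not taken from any directory.
    for s in SCHEMES:
        value = hash_password(s, "Sample-Passw0rd")
        print(s, value, "salted" if is_salted(value) else "UNSALTED")
```

Unsalted {SHA} and {MD5} values are identical for every account that shares a password, which is what the is_salted check makes visible when reviewing an export.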
pwprefix text to be appended to the pwhash
pwpostfix text to be prepended to the pwhash
verify the host name or IP address of a server to use for verifications and user listing
You can include multiple verify keys if more than one server is used.
searchDnForAttributes Set to true to use the DN for account attribute searches. This performs an unpaged search. The default value is false.
stableidAttr The attribute to use as the most stable ID that the connector will use to list from. Default value is dn.
verifyHostname Specify multiple servers in a multi-key-value pair format to verify against. If one of the servers is unavailable, the connector attempts to bind to the next available server.
verifyBindOnly Set to true to verify an account's credentials using the bind operation only. Set to false to verify using password comparison, falling back to bind. The default value is true.
proxyAuthOnReset switches proxy authentication on or off for the reset operation. The value is either true or false (Default: false).
This facilitates an administration-less reset by proxy authenticating to the user's account first, before issuing a password reset. The password is then reset by the user.
mailAttr the attribute from which the email address is loaded
The value should be a valid attribute on the LDAP directory server.
Allows the administrator to specify (override) the default mail attribute (Default: mail).
rdnAttr the attribute for group objects that exposes the ability to specify an alternate rdn attribute other than "CN" on create in order to return the correct case for DNs.
sasl applies SASL (Simple Authentication and Security Layer) binding. If not specified, the option is disabled so that simple binding is applied.
This KVGroup includes a pair of keys and values:
enable If set to true, SASL binding is enabled and applied.
fastBind Applies a subset of SASL binding; applicable only when SASL binding is enabled. If both SASL and fastBind are set to true, SASL fast binding is enabled and applied.
accounts determines what user accounts are returned when requested, in the format:
"accounts" "" = {
  "objectClass" "person" = {
    "filter" = "objectClass=person" # the filter for a user search
    "shortidAttr" = "uid" # the login ID attribute
    "descAttr" = "cn" # the attribute used as the user's full name
    "memberAttr" = "" # The custom attribute to use to hold the group id.
    "memberidAttr" = "" # The attribute used to define the group member attribute, for example "cn" for a group id.
  }
}
groups determines what groups are returned when requested, in the format:
"groups" "" = {
  "objectClass" "groupOfUniqueNames" = {
    # the object class for groups. When listing groups, the object class is used
    # to determine whether a group member is a person or a group (contained
    # within a parent group).
    "filter" = "objectClass=groupOfUniqueNames" # the filter to use when listing groups
    "shortidAttr" = "cn" # the group ID attribute
    "rdnAttr" = "cn" # can be used for an alternate rdn attribute
    "descAttr" = "description" # the attribute used as the group's description
    "memberAttr" = "uniqueMember" # the attribute of a group which holds its members
    "memberidAttr" = "dn" # the format to identify the group memberships
    "managerAttr" = "owner" # The attribute for the owner of the group
  }
}
resources determines what computer server and workstation resource information is returned when requested, in the format:
"resources" "ls_compwkstn" = { # List computers as workstations
  "filter" = "<filter object>=<value>" # An alternate filter for workstation search
  "attrName" = "<LDAP attribute Name>" # This attribute is the computer
                                       # name, having a unique value to be distinguished from others
  "attrAdditional" "<attribute>" = {
    "multivalue" = "<true>|<false>" # Listed as multi-valued if set to true
  }
  "attrAdditional" "<attribute>" = { # More than one attrAdditional can
                                     # be requested to be returned.
    ...
  }
  ...
}
"resource" "ls_compsvr" = { # List computers as servers.
  "filter" = "objectClass=computers"
  "attrName" = "cn" # This attribute is the computer
                    # name, having a unique value to be distinguished from others
  "attrAdditional" "IPAddr" = {
    "multivalue" = "true"
  }
  "attrAdditional" "<attribute>" = { # More than one attrAdditional can
                                     # be requested to be returned.
    ...
  }
  ...
}