Skip to content

Update connection_ldap.rst #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update connection_ldap.rst #28

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 11 additions & 10 deletions source/connection_ldap.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,30 +28,31 @@ Let's look at a sample:

First, to be able to reference the connection in the service, it's mandatory to give it a unique name element so that it can be referenced later in services (here ``ldap-dst-conn``).

* **name**: mandatory, this field is the name of this LDAP connection.
* **url**: mandatory, this field shall contain a valid `LDAP URL <http://www.ietf.org/rfc/rfc2255.txt>`__
* **username**: optional, this element shall contain the string that is used to identify against the directory, most of the time it is a *LDAP Distinguished Name*, but it may be a simple SASL username (like ``DOMAIN\username`` for Active Directory)
* **password**: optional, this is the clear text value that is used to connect to the directory
* **authentication**: mandatory, one of the ``NONE``, ``SIMPLE``, ``SASL``, ``DIGEST-MD5``, ``GSSAPI`` value. ``SIMPLE`` is the value to use if you plan to authenticate through a simple username and password without any further security consideration
* **referral**: mandatory, one of the following values: ``IGNORE``, ``THROUGH``, ``THROW`` or ``ERROR``. Most of the time you should either ``IGNORE`` them, go ``THROUGH`` or handle them as an ``ERROR``
* **authentication**: optional, one of the ``NONE``, ``SIMPLE``, ``SASL``, ``DIGEST-MD5``, ``GSSAPI`` value. ``SIMPLE`` is the value to use if you plan to authenticate through a simple username and password without any further security consideration. Defaults to ``SIMPLE``.
* **referral**: optional, one of the following values: ``IGNORE``, ``THROUGH``, ``THROW`` or ``ERROR``. Most of the time you should either ``IGNORE`` them, go ``THROUGH`` or handle them as an ``ERROR``. Defaults to ``IGNORE``.

.. tip::

By default, when referral is set to ``IGNORE``, `JNDI <https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface>`__ adds *ManageDsaIT control*, preventing attribute computation. This can be unhandy, especially when synchronizing dynamic groups. If you set referral to ``THROW``, the *ManageDsaIT* is not sent any more.

* **derefAliases**: mandatory, one of the following values: ``NEVER``, ``SEARCH``, ``FIND`` or ``ALWAYS``. Most of the time, use ``NEVER``
* **version**: mandatory, either ``VERSION_2`` or ``VERSION_3``. Prefer ``VERSION_3`` as LDAPv2 is deprecated
* **pageSize**: mandatory, specify either ``-1`` or the page size to use. The page size is implemented either through the corresponding control or through `Virtual List View <https://datatracker.ietf.org/doc/html/draft-ietf-ldapext-ldapv3-vlv>`__ depending on the directory capabilities which are discovered at run time (VLV preferred)
* **factory**: mandatory, only the Sun factory is supported now and you should use the corresponding value ``com.sun.jndi.ldap.LdapCtxFactory``
* **tlsActivated**: mandatory, enable or disable startTLS operation (either true or false). See :doc:`SSL/TLS <ssltls>` configuration for more information
* **derefAliases**: optional, one of the following values: ``NEVER``, ``SEARCH``, ``FIND`` or ``ALWAYS``. Most of the time, use ``NEVER``. Defaults to ``NEVER``.
* **version**: optional, either ``VERSION_2`` or ``VERSION_3``. Defaults to ``VERSION_3``, as LDAP V2 is deprecated.
* **pageSize**: optional, specify either ``-1`` or the page size to use. The page size is implemented either through the corresponding control or through `Virtual List View <https://datatracker.ietf.org/doc/html/draft-ietf-ldapext-ldapv3-vlv>`__ depending on the directory capabilities which are discovered at run time (VLV preferred). Defaults to ``-1``.
* **factory**: optional, the Sun factory is the only one supported at the moment and you should use the corresponding value ``com.sun.jndi.ldap.LdapCtxFactory``. Defaults to ``com.sun.jndi.ldap.LdapCtxFactory``.
* **tlsActivated**: optional, enable or disable startTLS operation (either true or false). See :doc:`SSL/TLS <ssltls>` configuration for more information. Defaults to ``false``.
* **saslMutualAuthentication**: optional, tells if the server must authenticate the connection. It sets the java ``javax.security.sasl.server.authentication`` property to true. This is only useful when using ``SASL`` authentication. Defaults to ``false``.

.. note::

For complete SSL/TLS configuration, please look at the following page: :doc:`SSL and TLS activation <ssltls>`

* **saslMutualAuthentication**: optional, set to true for SASL mutual authentication (default: false)
* **sortedBy**: optional, attribute name on which results will be sorted (server side sorting)
* **binaryAttributes**: optional, list of attribute names to be fetched as binary
* **recursiveDelete**: optional, set to true to allow recursive delete in the clean phase (default: false)
* **relaxRules**: optional, set to true to use `relax control <https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax>`__ (default: false)
* **recursiveDelete**: optional, set to true to allow recursive delete in the clean phase. Defaults to ``false``.
* **relaxRules**: optional, set to true to use `relax control <https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax>`__. Defaults to ``false``
* **saslQopType**: optional, see :doc:`Kerberos (GSSAPI) <kerberos>`