Summary of advanced LDAP authentication beans
The following sections summarize the constructor and property values that you can change in the advanced LDAP authentication beans that are inserted in the Spring Security LDAP configuration files (oeablSecurity-basic-ldap.xml or oeablSecurity-form-ldap.xml).
Caution: The following sections contain only the constructor arguments and bean properties that you can change. The XML that defines these beans contains additional arguments and properties that must not be changed.
See Example of LDAP bean definitions for an example of how these beans are implemented in a configuration file.

ldapContextSource

Specifies the user name and password required for login to the LDAP provider in order to perform a user account search.
Element type | Element name | Element value
constructor-arg | [first argument] | Comma-separated list of the URLs used to connect to servers that supply LDAP Directory Services.
property | base | The root DN of the Directory Service (if not specified in the LDAP Service URL).
property | userDn | Full Distinguished Name of the user that can log into the Directory Service and perform user account searches.
property | password | The password for the user specified in the userDn property.
property | baseEnvironmentProperties | Optional. Passes Java system properties to the Java JNDI service. (See the note below.)
Note: The baseEnvironmentProperties property is provided to exercise control over the Java distribution's JNDI (Java Naming and Directory Interface). The following is an example of how to use a JNDI property to control the connection timeout:
<property name="baseEnvironmentProperties">
  <map>
    <!-- Set the LDAP connection timeout in milliseconds:
         0     = use the TCP socket connection timeout
         1 - n = time out the connection after n milliseconds -->
    <entry key="com.sun.jndi.ldap.connect.timeout" value="0" />
  </map>
</property>
See the Oracle Java JNDI guide for a complete list of available System Properties and their values.

ldapSearchBean

Specifies the parameters of the user account search that is performed through the ldapContextSource. The search looks for a user object whose attribute matches the search filter. It starts at a base DN and, if subtree search is enabled, searches the entire subtree below it.
Element type | Element name | Element value
constructor-arg | [first argument] | The base DN at which the search begins.
constructor-arg | [second argument] | The LDAP query string used to find a user's account in the Directory Service. The default is "(uid={0})". Note: The {0} is a required value. It is a token that represents the user account that is being validated. Also see the note below.
property | searchSubtree | Enable/disable subtree searches for user account objects. The default is false, which disables subtree searching.
Note: The constructor argument containing the LDAP query string may differ from the description in the table above, depending on the Directory Service vendor and the form of user ID entered at login time. Some possible variations:
Generic Directory Service (Unix): (uid={0})
Windows Active Directory: (sAMAccountName={0}), (userPrincipalName={0}) or (mail={0})

ldapBindAuthenticator

Specifies how to bind to an LDAP server, where binding is equivalent to logging in. You bind either by using a DN pattern or by performing a user account search using the ldapSearchBean.
There are no configurable constructor arguments or properties in this bean.

ldapAuthoritiesPopulator

Specifies which LDAP user account role memberships (Spring authorities) to add to the security token that is used in an application's authorization process. The role memberships are found by searching the LDAP directory for objects whose attributes contain the fully qualified DN of the user account.
Element type | Element name | Element value
constructor-arg | [second argument] | DN of where the group query begins.
property | groupSearchFilter | The LDAP query string used to find the user group objects. The default is "(member={0})". (In some LDAP implementations the name is memberof.) Note: The {0} is a required value. It is a token that represents the user account that is being validated.
property | groupRoleAttribute | The Group object's attribute holding the user account DN returned from the user account search.
property | searchSubtree | Enable/disable subtree searches for user account objects. The default is false, which disables subtree searching.
property | ignorePartialResultException | Ignore status notifications from a failure to locate any group objects. The default is false, which means that errors are not ignored. Status notifications of this type can result from the LDAP configuration.
property | rolePrefix | The prefix assigned to the role obtained from an LDAP group search. In OpenEdge, the prefix ROLE_ is typically used to designate it as a Spring Security role.
property | convertToUpperCase | Converts the group object name located in the search to uppercase. The default is true.

ldapUserDetailsContextMapper

Specifies the mapping of LDAP user account object attributes into the security token.
There are no configurable constructor arguments or properties in this bean.

ldapAuthProvider

Specifies the LDAP authentication provider plug-in, with its references to the beans that implement connecting to the service, binding to it, and populating roles.
There are no configurable constructor arguments or properties in this bean.
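The following is an added example, not the XML shipped in oeablSecurity-basic-ldap.xml or oeablSecurity-form-ldap.xml, that shows how the beans summarized above (ldapContextSource, ldapSearchBean, ldapBindAuthenticator, ldapAuthoritiesPopulator, ldapUserDetailsContextMapper and ldapAuthProvider) fit together, with the changeable constructor arguments and properties filled in. It assumes the standard Spring Security LDAP classes stand behind these bean ids; the server URL, DNs, search account and timeout value are placeholders.

```xml
<!-- Added example: the advanced LDAP beans wired together.
     Class names are the standard Spring Security LDAP classes (assumed to be the ones behind
     these bean ids); host name, DNs, the search account and its password are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- How to connect: service URL, root DN, and the account that performs the user search -->
    <bean id="ldapContextSource"
          class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <!-- placeholder URL; a comma-separated list of URLs is also accepted here -->
        <constructor-arg value="ldap://ldap.example.com:389" />
        <!-- placeholder root DN; search bases below are relative to it -->
        <property name="base" value="dc=example,dc=com" />
        <!-- use an account that can only read and search: its DN and password sit in clear text in this file -->
        <property name="userDn" value="cn=svc-pasoe-search,ou=Service Accounts,dc=example,dc=com" />
        <property name="password" value="CHANGE_ME" />
        <property name="baseEnvironmentProperties">
            <map>
                <!-- JNDI connect timeout in milliseconds; 0 would use the TCP socket timeout -->
                <entry key="com.sun.jndi.ldap.connect.timeout" value="5000" />
            </map>
        </property>
    </bean>

    <!-- Where and how to find the user account object; {0} is replaced by the login name -->
    <bean id="ldapSearchBean"
          class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="ou=People" />          <!-- base DN of the user search -->
        <constructor-arg index="1" value="(uid={0})" />          <!-- generic Unix directory -->
        <!-- Windows Active Directory alternatives: "(sAMAccountName={0})" or "(userPrincipalName={0})" -->
        <constructor-arg index="2" ref="ldapContextSource" />   <!-- must not be changed -->
        <property name="searchSubtree" value="true" />           <!-- default is false -->
    </bean>

    <!-- Bind (log in) as the user found by ldapSearchBean; nothing configurable here -->
    <bean id="ldapBindAuthenticator"
          class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <constructor-arg ref="ldapContextSource" />
        <property name="userSearch" ref="ldapSearchBean" />
    </bean>

    <!-- Which group memberships become Spring authorities; {0} is the user's full DN -->
    <bean id="ldapAuthoritiesPopulator"
          class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <constructor-arg index="0" ref="ldapContextSource" />   <!-- must not be changed -->
        <constructor-arg index="1" value="ou=Groups" />          <!-- base DN of the group search -->
        <property name="groupSearchFilter" value="(member={0})" />  <!-- some directories use memberOf -->
        <!-- group attribute used to build the role name: cn=Admins becomes ROLE_ADMINS with the settings below -->
        <property name="groupRoleAttribute" value="cn" />
        <property name="searchSubtree" value="true" />
        <!-- Active Directory referrals commonly surface as a partial-result error; true skips them -->
        <property name="ignorePartialResultException" value="false" />
        <property name="rolePrefix" value="ROLE_" />
        <property name="convertToUpperCase" value="true" />
    </bean>

    <!-- Maps user account attributes into the security token; nothing configurable here -->
    <bean id="ldapUserDetailsContextMapper"
          class="org.springframework.security.ldap.userdetails.LdapUserDetailsMapper" />

    <!-- The provider plug-in that ties binding, role population and the mapper together -->
    <bean id="ldapAuthProvider"
          class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <constructor-arg index="0" ref="ldapBindAuthenticator" />
        <constructor-arg index="1" ref="ldapAuthoritiesPopulator" />
        <property name="userDetailsContextMapper" ref="ldapUserDetailsContextMapper" />
    </bean>

</beans>
```

With these values a login of alice is resolved by the user search to uid=alice,ou=People,dc=example,dc=com, the bind is attempted with that DN and the supplied password, and every group under ou=Groups whose member attribute contains that DN contributes one authority named after its cn, prefixed with ROLE_ and upper-cased. Because the search account's password is stored in clear text in this file, restrict read access to the file to the PAS for OpenEdge service account.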