...
The remaining settings in this mode look like this:
Explanation:
- General
  LDAP Server URL: The LDAP Server URL specifies the protocol, e.g. ldap:// for plain text and Start TLS connections, ldaps:// for SSL/TLS connections. The protocol is followed by the hostname (FQDN) and port of the LDAP Server.
  LDAP Start TLS: This switch makes TLS the protocol for the connection to the LDAP Server: the connection is opened on the ldap:// port and then upgraded to TLS with the Start TLS operation.
  LDAP Host Name Verification: This switch has to be active to check that the hostname in the LDAP Server URL matches the hostname in the LDAP Server certificate. Without this check any certificate issued by a CA in the truststore would be accepted, regardless of the host it was issued for.
  LDAP Truststore Path: Should the LDAP Server be configured for TLS/SSL protocols then the indicated truststore has to allow the LDAP Server's X.509 certificate, which is issued for the extended key usage of Server Authentication, to be verified.
    - The truststore can include a self-signed certificate or a CA-signed certificate. Typically the Root CA certificate is used, as otherwise the complete certificate chain involved in signing the Server Authentication certificate has to be available from the truststore.
    - If the LDAP Server is operated for TLS/SSL connections and this setting is not specified then JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of the settings for the truststore password and truststore type.
  LDAP Truststore Password: If an LDAP truststore is used and the LDAP truststore is protected by a password, then the password has to be specified.
  LDAP Truststore Type: If an LDAP truststore is used then the type of the indicated truststore has to be specified, being either PKCS12 or JKS (deprecated).
- Authentication
  LDAP User DN Template: The Distinguished Name (DN) identifies a user account. In case of Active Directory LDAP Servers the value {0} can be used, which is replaced by the user account specified during login. Alternatively a DN template can be specified that contains the placeholder, for example uid={0},OU=Operations,O=IT,O=Users,DC=example,DC=com.
- Authorization
  LDAP Search Base: The Search Base for looking up user accounts in the hierarchy of LDAP Server entries, for example OU=Operations,O=IT,O=Users,DC=example,DC=com.
  LDAP Group Search Base: Similarly to the Search Base, the Group Search Base is used to find Security Groups that a user account is a member of. This setting specifies the hierarchy starting from which Security Groups are looked up.
  LDAP Group Search Filter: This filter specifies an LDAP query that is used to identify the Security Groups the user account is a member of. The filter is applied to the entries found starting from the Group Search Base.
  LDAP User Search Filter: This filter specifies an LDAP query that is used to identify the user account in the hierarchy of LDAP entries.
  LDAP Group Name Attribute: This attribute provides the name of the Security Group that a user account is a member of, for example the CN (Common Name) attribute.
  LDAP User Name Attribute: This attribute provides the name of the user account; frequently the CN (Common Name) attribute is used.
- Group/Roles Mapping
  - The LDAP Group/Roles Mapping is in fact a mapping between Security Groups that the user account is a member of and JS7 roles. Security Groups have to be specified in the form that the LDAP Group Name Attribute yields: as Distinguished Names, e.g. CN=js7_admins,OU=Operations,O=IT,O=Groups,DC=example,DC=com, or as Common Names, e.g. js7_admins. Note that a Common Name is not unique across a directory: if groups with the same CN exist in different branches, mapping by Distinguished Name avoids granting a role to members of the wrong group.
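As an added example, not JS7 or JOC Cockpit code, the following Python script shows how the {0} placeholder of the User DN Template and of the User/Group Search Filters is substituted with the login name, why that value has to be escaped (RFC 4514 for DN values, RFC 4515 for filter values) so that a crafted login name cannot widen the search, and how the groups found are mapped to roles depending on whether the Group Name Attribute yields Distinguished Names or Common Names. The filter templates, the group entries and the role names are constructed sample data; the escaping and mapping functions are this example's own, not JOC Cockpit's implementation, and the treatment of "dn"/"distinguishedName" as selecting the full DN is an assumption of the example.

```python
"""Added example, not JOC Cockpit code: placeholder substitution, escaping and
Group/Roles mapping for an LDAP Identity Service configuration like the one above.
Templates, group entries and role names below are constructed sample data."""

# Constructed settings, following the examples on the page.
USER_DN_TEMPLATE = "uid={0},OU=Operations,O=IT,O=Users,DC=example,DC=com"
USER_SEARCH_FILTER = "(&(objectClass=person)(uid={0}))"
GROUP_SEARCH_FILTER = "(&(objectClass=groupOfNames)(member={0}))"


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515, section 3).
    Only the characters that change the filter's structure are replaced; each
    becomes a backslash followed by two hex digits."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def render_user_dn(template: str, login: str) -> str:
    """Fill {0} in the User DN Template with the escaped login name."""
    return template.replace("{0}", escape_dn_value(login))


def render_filter(template: str, value: str) -> str:
    """Fill {0} in a User or Group Search Filter with the escaped value
    (the login name for the user filter, the user DN for the group filter)."""
    return template.replace("{0}", escape_filter_value(value))


def group_name(entry: dict, group_name_attribute: str) -> str:
    """Name of a group entry as the configured Group Name Attribute yields it.
    Entries are modelled as dicts with a 'dn' key and lower-case attribute names.
    Assumption of this example: 'dn' or 'distinguishedName' (the attribute Active
    Directory exposes) selects the full DN; any other attribute selects its value."""
    attr = group_name_attribute.lower()
    if attr in ("dn", "distinguishedname"):
        return entry["dn"]
    return entry[attr]


def roles_for_groups(groups: list, group_name_attribute: str, mapping: dict) -> list:
    """Collect the roles mapped to the groups a user is a member of.
    Group names and DNs compare case-insensitively in LDAP, so both sides are
    lower-cased before the lookup."""
    table = {name.lower(): roles for name, roles in mapping.items()}
    roles = set()
    for entry in groups:
        roles.update(table.get(group_name(entry, group_name_attribute).lower(), []))
    return sorted(roles)


# Constructed sample search result for one user's group memberships.
SAMPLE_GROUPS = [
    {"dn": "CN=js7_admins,OU=Operations,O=IT,O=Groups,DC=example,DC=com", "cn": "js7_admins"},
    {"dn": "CN=js7_operators,OU=Operations,O=IT,O=Groups,DC=example,DC=com", "cn": "js7_operators"},
]

# Mapping as it would be entered when the Group Name Attribute is CN ...
MAPPING_BY_CN = {"js7_admins": ["all"], "js7_operators": ["application_manager"]}
# ... and when it yields Distinguished Names (role names are examples only).
MAPPING_BY_DN = {"CN=js7_admins,OU=Operations,O=IT,O=Groups,DC=example,DC=com": ["all"]}


if __name__ == "__main__":
    login = "jdoe"
    user_dn = render_user_dn(USER_DN_TEMPLATE, login)
    print("user DN:     ", user_dn)
    print("user filter: ", render_filter(USER_SEARCH_FILTER, login))
    print("group filter:", render_filter(GROUP_SEARCH_FILTER, user_dn))
    # A login name built to widen the search is neutralised by the escaping.
    print("crafted:     ", render_filter(USER_SEARCH_FILTER, "*)(uid=*"))
    print("roles by CN: ", roles_for_groups(SAMPLE_GROUPS, "cn", MAPPING_BY_CN))
    print("roles by DN: ", roles_for_groups(SAMPLE_GROUPS, "distinguishedName", MAPPING_BY_DN))
```

The crafted login name `*)(uid=*` shows why the substitution matters: unescaped it would turn the user filter into a match on every entry, escaped it is searched for literally. The same applies to the group filter, where the substituted value is the user DN found in the previous step.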
Further Resources
The following articles provide detailed information about configuration of an LDAP Identity Service:
...