#
# -------------------------------------------
# Axon.ivy Security System Configuration
# -------------------------------------------
#
# This file shows all configuration of the Security Systems of the Axon.ivy engine applications.
# https://developer.axonivy.com/doc/8.0/engine-guide/configuration/index.html#users
#
# Copy contents of this reference file to 'configuration/ivy.yaml' before adjusting them to your needs.
# https://developer.axonivy.com/doc/8.0/engine-guide/configuration/files/ivy-yaml.html
#
# OVERRIDING:
# Any configuration value of this file can be set in alternative sources.
# * environment variables: of the operating system can set app config entries.
#   Their key must be prefixed with 'IVY_'.
#   https://developer.axonivy.com/doc/8.0/engine-guide/configuration/advanced-configuration.html#overriding-configuration
#
# == Security Systems ==
#
# List of Security Systems.
# A security system defines how users and roles are managed.
# Security systems that are configured here can be used by applications.
# !! If you change a security system then all users that are no longer defined by the changed security system will be deleted.
# !! SecuritySystem changes are immediately reloaded and a user synchronization is executed. Wrong or incomplete configurations may lead to accidentally removing users!
# !! Switching from Microsoft Active Directory or Novell eDirectory to Axon.ivy Security System keeps all synchronized users, but requires to set new passwords for them.
# !! Tasks assigned to the deleted users are moved to the UNASSIGNED state and have to be manually reassigned later to a new user or role.
#
SecuritySystems:
  # Example security system with name mySecuritySystem
  mySecuritySystem:
    # The Security System manages the users and roles in the system database.
    # If it's ivy Security System, no additional configuration is needed.
    # If it's Microsoft Active Directory or Novell eDirectory the security system uses LDAP to import users and role relations from AD to the system database.
    # [Format:ENUMERATION][Values:ivy Security System, Microsoft Active Directory, Novell eDirectory]
    Provider: "ivy Security System"
    Connection:
      # Url to the naming and directory service
      # - LDAP: ldap://<hostname>:<port> - port can be omitted if it is default port 389
      # - LDAPS: ldaps://<hostname>:<port> - port can be omitted if it is default port 636
      # NOTE: security protocol needs to be set to "ssl" for LDAPS (Environment.java.naming.security.protocol, see below).
      # NOTE(review): with a plain ldap:// Url and AuthenticationKind 'simple', the bind UserName/Password are sent
      # to the directory server unencrypted; prefer ldaps:// (plus the protocol setting) for anything beyond localhost.
      Url: ldap://localhost:389
      # How to authenticate to the naming and directory service
      # none = no authentication (default if UserName/Password NOT configured)
      # simple = user name and password is used (default if UserName/Password is configured)
      # [Format:ENUMERATION][Values:none, simple]
      AuthenticationKind: simple
      # User name to authenticate to the naming and directory service (java.naming.security.principal).
      # Valid formats are...
      # - LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
      # - Active Directory user name like Administrator@axonivy.com
      UserName: ""
      # Password to authenticate to the naming and directory service (java.naming.security.credentials).
      # Prefer supplying this value through an override source (see OVERRIDING above) rather than
      # keeping it in a configuration file that is checked into version control.
      # [Format:PASSWORD]
      Password: ""
      # Use a connection pool to store established LDAP connections.
      # [Format:BOOLEAN]
      UseLdapConnectionPool: false
      # Flag indicating if an insecure SSL connection is allowed (no server certificate verification).
      # NOTE: Setting EnableInsecureSSL to true will turn off server certificate verification.
      # Whenever possible the LDAP server certificate (or its root certificate)
      # should be added to the Ivy Engine trust store.
      # See SSL.Client.TrustStore in the https://developer.axonivy.com/doc/8.0/engine-guide/configuration/files/ivy-yaml.html
      # on how to configure the engine truststore.
      # [Format:BOOLEAN]
      EnableInsecureSSL: false
      Retry:
        # Number of times a call should be retried after a failure.
        # [Format:NUMBER]
        Count: 3
        # Delay in milliseconds before the next retry call, after a failure.
        # With each retry the delay time doubles.
        # [Format:NUMBER]
        Delay: 500
      # Here you can configure additional environment properties for the LDAP context.
      Environment:
        # How to handle LDAP aliases.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
        # [Format:ENUMERATION][Values:always, never, finding, searching]
        "java.naming.ldap.derefAliases": always
        # Specifying the security protocol.
        # If this property is unspecified, the behaviour is determined by the service provider.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
        # [Format:ENUMERATION][Values:, ssl]
        "java.naming.security.protocol": ""
        # Specifying how referrals encountered by the service provider are to be processed.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
        # NOTE(review): 'follow' lets the provider connect to whichever server a referral names;
        # if that is not wanted, 'ignore' or 'throw' keeps the engine on the configured Url.
        # [Format:ENUMERATION][Values:follow, ignore, throw]
        "java.naming.referral": follow
    Binding:
      # Default Context to import from.
      # The security system only sees and can import objects below the default context.
      # Normally, you want to see and import all users of a security system, then set the default context to the root object/domain.
      # If you want to import only users from a certain department or location, then you can set the default context to the appropriate organization unit or location.
      # See also ImportUsersOfGroup and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
      DefaultContext: ou=ivyteam,dc=axonivy,dc=com
      # If configured, then the security system imports only the users that are members of this user group.
      # See also DefaultContext and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
      ImportUsersOfGroup: ""
      # The security system only imports users that match the given filter.
      # See also DefaultContext and ImportUsersOfGroup to control/filter the users that are imported.
      # Format = LDAP Search Filter (RFC 4515)
      UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"
    UserAttribute:
      # The LDAP attribute that stores the name of a user
      # [AD:sAMAccountName][ND:uid]
      Name: "sAMAccountName"
      # The LDAP attribute that stores the full name of a user
      # [AD:displayName][ND:fullName]
      FullName: "displayName"
      # The LDAP attribute that stores the mail address of a user
      EMail: "mail"
      # The LDAP attribute that stores the language of a user
      Language: ""
      # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)
      # NOTE(review): while every entry below stays commented out, this key has no value and is read as null by
      # YAML parsers (not as an empty mapping) — confirm the engine accepts that, or write 'Properties: {}'.
      Properties:
        # Maps a user property to an LDAP attribute
        # In the example below 'phoneNumber' is the name of the user property.
        # The value of the property is imported from the LDAP attribute 'phone' of the user.
        #phoneNumber: phone
    Membership:
      # The LDAP attribute that stores the user groups a user is member of
      # [AD:memberOf][ND:groupMembership]
      UserMemberOfAttribute: "memberOf"
      # Should the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership.
      # Sometimes this LDAP attribute is not available because of security concerns.
      # If you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.
      # [Format:BOOLEAN]
      # [AD:true][ND:false]
      UseUserMemberOfForUserRoleMembership: true
      # The LDAP attribute that stores the user groups a user group is member of
      # [AD:memberOf][ND:groupMembership]
      UserGroupMemberOfAttribute: memberOf
      # The LDAP attribute that stores the members (users, user groups) of a user group
      # [AD:member][ND:uniqueMember]
      UserGroupMembersAttribute: member
      # Does the security system have to traverse nested groups (groups that are members of a group) to find all users that are member of a user group?
      # Some external security systems provide all users on the member attribute of a user group, even those that are members of nested groups.
      # [Format:BOOLEAN]
      # [AD:true][ND:false]
      TraverseNestedGroups: true
    Import:
      # Should users be imported on demand or by the synchronizing job.
      # If OnDemand is set to:
      # true: then users are not imported by the synchronization job. Instead, a user is imported the first time she logs in.
      # false: then users are imported by the user synchronizing job. If a user was not yet imported by the user synchronization job she is also imported the first time she logs in.
      # [Format:BOOLEAN]
      OnDemand: false
      # The number of objects the security system can read in one LDAP request
      # [Format:NUMBER]
      PageSize: 500
      # Flag to indicate if the daily security system synchronization should run (true) or not (false).
      # When the synchronization runs is defined by UpdateTime.
      # [Format:BOOLEAN]
      UpdateEnabled: true
      # Time of day when the security system will synchronize the users.
      # Daily security system synchronization can be switched on or off by setting UpdateEnabled.
      # Format is hh:mm. e.g. "02:00" or "14:15"
      # Keep the value quoted: an unquoted hh:mm is read as a number by YAML 1.1 parsers.
      # [Format:DAYTIME]
      UpdateTime: "00:00"