Novell eDirectory

The Axon Ivy Engine connects to Novell eDirectory via LDAP. In most cases it is sufficient to copy the template below and adjust the values; the many detailed settings are listed in the reference. The Engine Cockpit also offers a detailed configuration page for connecting to Novell eDirectory.

Template

# Novell eDirectory as an Identity Provider for the 'default' Security System
# [engineDir]/configuration/ivy.yaml
SecuritySystems:
  default:
    Provider: "Novell eDirectory"
    Connection:
      Url: ldap://localhost:389
      UserName: Administrator@axonivy.com
      Password: "${encrypt:1234}"
    Binding:
      DefaultContext: ou=ivyteam,dc=axonivy,dc=com

    # Role mappings
    Roles:
      Manager: cn=manager,ou=ivyteam,dc=axonivy,dc=com
      Employee: cn=employee,ou=ivyteam,dc=axonivy,dc=com

    # User property mappings
    UserAttribute:
      Properties:
        phoneNumber: phone

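As an added pre-deployment check (not part of the Axon Ivy product or its documentation), the following Python script applies the rules stated in the reference on this page to a SecuritySystems block: an ldaps:// Url needs java.naming.security.protocol set to ssl, EnableInsecureSSL turns off certificate verification, UserName is an RFC 4514 DN, UserFilter is an RFC 4515 filter, and mapped role DNs have to lie below DefaultContext, since the security system only sees objects there. The config dict, the host name edir.example.internal and the deliberate defects are constructed for the illustration; on a real engine the dict would come from loading ivy.yaml.

```python
import re

DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")  # simplified RFC 4514 DN

def is_dn(value):
    return bool(DN_RE.match(value.strip()))

def is_filter(f):
    # RFC 4515 filters are fully parenthesised; this only checks the nesting
    depth = 0
    for ch in f:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and f.startswith("(") and f.endswith(")")

def lint(sec):
    conn, binding = sec["Connection"], sec.get("Binding", {})
    env, base = conn.get("Environment", {}), binding.get("DefaultContext", "")
    out, url = [], conn.get("Url", "").lower()
    if url.startswith("ldaps://") and env.get("java.naming.security.protocol") != "ssl":
        out.append("ldaps:// Url requires java.naming.security.protocol: ssl")
    if url.startswith("ldap://") and conn.get("AuthenticationKind", "simple") == "simple":
        out.append("simple bind over ldap:// sends the technical user's password in clear")
    if conn.get("EnableInsecureSSL"):
        out.append("EnableInsecureSSL: true turns off server certificate verification")
    if conn.get("UserName") and not is_dn(conn["UserName"]):
        out.append("UserName is not an RFC 4514 DN")
    if conn.get("Password") and not conn["Password"].startswith("${encrypt:"):
        out.append("Password is stored in clear text; use ${encrypt:...}")
    if binding.get("UserFilter") and not is_filter(binding["UserFilter"]):
        out.append("Binding.UserFilter is not a parenthesised RFC 4515 filter")
    for role, dn in sec.get("Roles", {}).items():
        # the security system only sees objects below DefaultContext
        if not is_dn(dn) or (base and not dn.lower().endswith("," + base.lower())):
            out.append(f"role {role}: {dn} is not below DefaultContext {base}")
    return out

# Constructed sample mirroring the template, with three deliberate defects
SAMPLE = {
    "Connection": {"Url": "ldaps://edir.example.internal:636",
                   "UserName": "cn=Administrator,dc=axonivy,dc=com",
                   "Password": "${encrypt:1234}", "EnableInsecureSSL": True,
                   "Environment": {"java.naming.security.protocol": ""}},
    "Binding": {"DefaultContext": "ou=ivyteam,dc=axonivy,dc=com",
                "UserFilter": "(&(objectClass=user)(!(objectClass=computer)))"},
    "Roles": {"Manager": "cn=manager,ou=ivyteam,dc=axonivy,dc=com",
              "Employee": "cn=employee,ou=sales,dc=axonivy,dc=com"},
}
```

Running lint(SAMPLE) reports the missing ssl protocol, the insecure SSL setting and the Employee group that sits outside DefaultContext.
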
Reference

Connection:
  # Url to the Identity Provider
  # - LDAP:  ldap://<hostname>:<port>   - port can be omitted if it is default port 389
  # - LDAPS: ldaps://<hostname>:<port>  - port can be omitted if it is default port 636
  # NOTE: security protocol needs to be set to "ssl" for LDAPS (Environment.java.naming.security.protocol, see below).
  Url: ldap://localhost:389

  # Ivy access to the Identity Provider
  # -------------------------------------
  #
  # provide a technical user for Ivy to access the Identity Provider

  # Which authentication scheme shall we use, none or simple?
  #
  # none = no authentication (default if UserName/Password NOT configured)
  # simple = user name and password are used (default if UserName/Password is configured)
  # [enum: none, simple]
  AuthenticationKind: simple

  # User name (java.naming.security.principal).
  # Valid format is an LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
  UserName: ""

  # Password (java.naming.security.credentials).
  # [password]
  Password: ""

  # Use a connection pool to store established LDAP connections?
  #
  # This can speed up access to the Identity Provider since the connections are established once and re-used instead of being established, used and closed for every call.
  # N.B. Further configuration options for the pool have to be set in jvm.options.
  # The settings are documented in https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
  #
  UseLdapConnectionPool: false

  # Allow insecure SSL connections (no server certificate verification)?
  #
  # NOTE: Setting EnableInsecureSSL to true will turn off server certificate verification.
  #       Whenever possible the LDAP server certificate (or its root certificate)
  #       should be added to the Ivy Engine trust store.
  #       See SSL.Client.TrustStore in the @engine.guide.url@/configuration/files/ivy-yaml.html
  #       on how to configure the engine truststore.
  #
  EnableInsecureSSL: false

  Retry:
    # Number of times a call should be retried after a failure.
    Count: 3

    # Delay in milliseconds before the next retry call, after a failure.
    # With each retry the delay time doubles.
    Delay: 500

  # Here you can configure additional environment properties for the LDAP context.
  Environment:
    # How to handle LDAP aliases.
    # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
    # [enum: always, never, finding, searching]
    "java.naming.ldap.derefAliases": always

    # Specify the security protocol.
    # If this property is unspecified, the behavior is determined by the service provider.
    # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
    # [enum: , ssl]
    "java.naming.security.protocol": ""

    # Specify how referrals received from the Identity Provider are to be processed.
    # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
    # follow is the default setting, but may cause slow reading from the Identity Provider
    # ignore does not follow the referral
    # throw throws an error if a referral is found. It is intended mostly for identifying and debugging LDAP problems.
    #
    "java.naming.referral": follow

Binding:
  # Default Context to import from.
  # The security system only sees and can import objects below the default context.
  # If you want to see and import all users of an Identity Provider, then set the default context to the root object/domain.
  # If you want to import only users from a certain department or location, then you can set the default context to
  # the appropriate organization unit or location.
  # See also ImportUsersOfGroup and UserFilter to control/filter the users that are imported.
  # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
  DefaultContext: ""

  # If configured, then the security system imports only the users that are members of this user group.
  # See also DefaultContext and UserFilter to control/filter the users that are imported.
  # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
  # Tip for eDirectory: To improve synchronization performance, add an index on the groupMembership attribute.
  ImportUsersOfGroup: ""

  # The security system only imports users that match the given filter.
  # See also DefaultContext and ImportUsersOfGroup to control/filter the users that are imported.
  # Format = LDAP Search Filter (RFC 4515)
  UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"

UserAttribute:
  # The LDAP attribute that stores the unique identifier of a user
  # This identifier is used during synchronization to identify a renamed user
  Id: GUID

  # The LDAP attribute that stores the name of a user
  Name: uid

  # The LDAP attribute that stores the full name of a user
  FullName: fullName

  # The LDAP attribute that stores the mail address of a user
  EMail: mail

  # The LDAP attribute that stores the language of a user
  Language: ""

  # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)
  Properties:
    # Maps a user property to an LDAP attribute
    # In the example below 'phoneNumber' is the name of the user property.
    # The value of the property is imported from the LDAP attribute 'phone' of the user.
    #phoneNumber: phone

Membership:
  # The LDAP attribute that stores the user groups a user is member of
  UserMemberOfAttribute: groupMembership

  # Can the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership?
  # Sometimes this LDAP attribute is not available because of security concerns.
  # If you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.
  UserMemberOfLookupAllowed: true

  # The LDAP attribute that stores the user groups a user group is member of
  UserGroupMemberOfAttribute: groupMembership

  # The LDAP attribute that stores the members (users, user groups) of a user group
  UserGroupMembersAttribute: uniqueMember

  # This property defines how the synchronization finds all users that are members of a user group.
  # Normally the default is fine; only if security settings on your directory restrict the default lookup may you need to switch to TRAVERSE.
  # The setting TRAVERSE may have a big impact on your synchronization speed if you use an 'ImportUsersOfGroup'.
  # [enum: MATCHING_RULE, DIRECT, TRAVERSE]
  NestedGroupsLookup: DIRECT

# The number of objects the security system can read in one LDAP request
PageSize: 500

# Role mapping that is considered by the user synchronization.
# Users are added to the roles they are assigned to.
#Roles:
  # The left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.
  # On the right side, e.g. cn=manager,ou=ivyteam,dc=axonivy,dc=com, the external name of the role is set.
  # The synchronization adds all users assigned to cn=manager,ou=ivyteam,dc=axonivy,dc=com to Manager
  # and all users assigned to cn=employee,ou=ivyteam,dc=axonivy,dc=com to Employee.
  #Manager: cn=manager,ou=ivyteam,dc=axonivy,dc=com
  #Employee: cn=employee,ou=ivyteam,dc=axonivy,dc=com
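
To make the Membership and Roles settings above concrete, here is an added Python illustration (not Axon Ivy's own synchronization code) that resolves role membership over a small constructed in-memory directory using the attribute names from the reference: uniqueMember on groups (UserGroupMembersAttribute), groupMembership on users (UserMemberOfAttribute). It shows how DIRECT and TRAVERSE differ for a nested group, how the slower fallback works when UserMemberOfLookupAllowed is false, and why a traversal needs cycle protection. The user and group names, the cycle between the interns and employee groups, and the lookup logic are assumptions for the example.

```python
# Constructed in-memory directory (not a real eDirectory): DN -> attributes.
# The interns and employee groups contain each other, a cycle a traversal must survive.
BASE = "ou=ivyteam,dc=axonivy,dc=com"
DIRECTORY = {
    f"cn=alice,{BASE}": {"objectClass": ["user"],
                         "groupMembership": [f"cn=manager,{BASE}"]},
    f"cn=bob,{BASE}": {"objectClass": ["user"],
                       "groupMembership": [f"cn=interns,{BASE}"]},
    f"cn=manager,{BASE}": {"objectClass": ["groupOfUniqueNames"],
                           "uniqueMember": [f"cn=alice,{BASE}"]},
    f"cn=employee,{BASE}": {"objectClass": ["groupOfUniqueNames"],
                            "uniqueMember": [f"cn=manager,{BASE}", f"cn=interns,{BASE}"]},
    f"cn=interns,{BASE}": {"objectClass": ["groupOfUniqueNames"],
                           "uniqueMember": [f"cn=bob,{BASE}", f"cn=employee,{BASE}"]},
}
ROLES = {"Manager": f"cn=manager,{BASE}", "Employee": f"cn=employee,{BASE}"}
MEMBERS_ATTR, MEMBER_OF_ATTR = "uniqueMember", "groupMembership"

def is_user(dn):
    return "user" in DIRECTORY.get(dn, {}).get("objectClass", [])

def group_users(group_dn, nested_lookup="DIRECT"):
    """Users of a group: DIRECT reads UserGroupMembersAttribute once, TRAVERSE
    follows nested groups; the seen set keeps the cycle from looping forever."""
    users, seen, todo = set(), set(), [group_dn]
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in DIRECTORY.get(g, {}).get(MEMBERS_ATTR, []):
            if is_user(m):
                users.add(m)
            elif nested_lookup == "TRAVERSE":
                todo.append(m)
    return users

def groups_of_user(user_dn, member_of_lookup_allowed=True):
    """UserMemberOfAttribute is the fast path; when it is not readable, every
    group's member list is scanned instead (the slower alternative mechanism)."""
    if member_of_lookup_allowed:
        return set(DIRECTORY[user_dn].get(MEMBER_OF_ATTR, []))
    return {dn for dn, e in DIRECTORY.items() if user_dn in e.get(MEMBERS_ATTR, [])}

def roles_of_user(user_dn, nested_lookup="DIRECT", member_of_lookup_allowed=True):
    if nested_lookup == "DIRECT":
        groups = groups_of_user(user_dn, member_of_lookup_allowed)
        return {role for role, gdn in ROLES.items() if gdn in groups}
    return {role for role, gdn in ROLES.items() if user_dn in group_users(gdn, "TRAVERSE")}
```

With DIRECT, bob gets no Ivy role because interns is not mapped; with TRAVERSE he receives Employee through the nested group, which is the speed-versus-completeness trade-off the NestedGroupsLookup comment describes.
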