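#
# -------------------------------------------
# Axon.ivy Security System Configuration
# -------------------------------------------
#
# This file shows all configuration of the Security Systems of the Axon.ivy engine applications.
# https://developer.axonivy.com/doc/8.0/engine-guide/configuration/index.html#users
#
# Copy contents of this reference file to 'configuration/ivy.yaml' before adjusting them to your needs.
# https://developer.axonivy.com/doc/8.0/engine-guide/configuration/files/ivy-yaml.html
#
# OVERRIDING:
# Any configuration value of this file can be set in alternative sources.
# * environment variables: of the operating system can set app config entries.
#   Their key must be prefixed with 'IVY_'.
#   https://developer.axonivy.com/doc/8.0/engine-guide/configuration/advanced-configuration.html#overriding-configuration
#   Prefer this mechanism for secrets such as Connection.Password so that they
#   do not end up in a file that is committed to version control.
#

# == Security Systems ==
#
# List of Security Systems.
# A security system defines how users and roles are managed.
# Security systems that are configured here can be used by applications.
# !! If you change a security system then all users that are no longer defined by the changed security system will be deleted.
# !! SecuritySystem changes are immediately reloaded and a user synchronization is executed. Wrong or incomplete configurations may lead to accidentally removing users!
# !! Switching from Microsoft Active Directory or Novell eDirectory to Axon.ivy Security System keeps all synchronized users, but requires to set new passwords for them.
# !! Tasks assigned to the deleted users are moved to the UNASSIGNED state and have to be manually reassigned later to a new user or role.
#
SecuritySystems:

  # Example security system with name mySecuritySystem
  mySecuritySystem:
    # The Security System manages the users and roles in the system database.
    # If it's ivy Security System, no additional configuration is needed.
    # If it's Microsoft Active Directory or Novell eDirectory the security system uses LDAP to import users and role relations from AD to the system database.
    # [Format:ENUMERATION][Values:ivy Security System, Microsoft Active Directory, Novell eDirectory]
    Provider: "ivy Security System"

    Connection:
      # Url to the naming and directory service
      # - LDAP: ldap://<hostname>:<port> - port can be omitted if it is default port 389
      # - LDAPS: ldaps://<hostname>:<port> - port can be omitted if it is default port 636
      # NOTE: security protocol needs to be set to "ssl" for LDAPS (Environment.java.naming.security.protocol, see below).
      # NOTE: With AuthenticationKind "simple" over plain ldap:// the UserName/Password are sent unencrypted;
      #       use ldaps:// (plus the "ssl" security protocol) for anything but a local test setup.
      Url: ldap://localhost:389

      # How to authenticate to the naming and directory service
      # none = no authentication (default if UserName/Password NOT configured)
      # simple = user name and password is used (default if UserName/Password is configured)
      # [Format:ENUMERATION][Values:none, simple]
      AuthenticationKind: simple

      # User name to authenticate to the naming and directory service (java.naming.security.principal).
      # Valid formats are...
      # - LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
      # - Active Directory user name like Administrator@axonivy.com
      UserName: ""

      # Password to authenticate to the naming and directory service (java.naming.security.credentials).
      # Prefer supplying it via the IVY_ environment variable override (see OVERRIDING above)
      # instead of storing it in this file. If it must be stored here, keep it a quoted string.
      # [Format:PASSWORD]
      Password: ""

      # Use a connection pool to store established LDAP connections.
      # [Format:BOOLEAN]
      UseLdapConnectionPool: false

      # Flag indicating if an insecure SSL connection is allowed (no server certificate verification).
      # NOTE: Setting EnableInsecureSSL to true will turn off server certificate verification.
      # Whenever possible the LDAP server certificate (or its root certificate)
      # should be added to the Ivy Engine trust store.
      # See SSL.Client.TrustStore in the https://developer.axonivy.com/doc/8.0/engine-guide/configuration/files/ivy-yaml.html
      # on how to configure the engine truststore.
      # [Format:BOOLEAN]
      EnableInsecureSSL: false

      Retry:
        # Number of times a call should be retried after a failure.
        # [Format:NUMBER]
        Count: 3

        # Delay in milliseconds before the next retry call, after a failure.
        # With each retry the delay time doubles.
        # [Format:NUMBER]
        Delay: 500

      # Here you can configure additional environment properties for the LDAP context.
      Environment:
        # How to handle LDAP aliases.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
        # [Format:ENUMERATION][Values:always, never, finding, searching]
        "java.naming.ldap.derefAliases": always

        # Specifying the security protocol.
        # If this property is unspecified, the behaviour is determined by the service provider.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
        # [Format:ENUMERATION][Values:, ssl]
        "java.naming.security.protocol": ""

        # Specifying how referrals encountered by the service provider are to be processed.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
        # NOTE: With "follow" the engine connects to whatever server a referral points to,
        #       typically reusing the configured credentials; "ignore" or "throw" is the stricter choice
        #       when the directory is not fully under your control.
        # [Format:ENUMERATION][Values:follow, ignore, throw]
        "java.naming.referral": follow

    Binding:
      # Default Context to import from.
      # The security system only sees and can import objects below the default context.
      # Normally you want to see and import all users of a security system; then set the default context to the root object/domain.
      # If you want to import only users from a certain department or location, then you can set the default context to the appropriate organization unit or location.
      # See also ImportUsersOfGroup and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
      DefaultContext: ou=ivyteam,dc=axonivy,dc=com

      # If configured, then the security system imports only the users that are members of this user group.
      # See also DefaultContext and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
      ImportUsersOfGroup: ""

      # The security system only imports users that match the given filter.
      # See also DefaultContext and ImportUsersOfGroup to control/filter the users that are imported.
      # Format = LDAP Search Filter (RFC 4515)
      # Keep the value quoted: it starts with "(" and contains "&", which YAML would otherwise misread.
      UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"

      UserAttribute:
        # The LDAP attribute that stores the name of a user
        # [AD:sAMAccountName][ND:uid]
        Name: "sAMAccountName"

        # The LDAP attribute that stores the full name of a user
        # [AD:displayName][ND:fullName]
        FullName: "displayName"

        # The LDAP attribute that stores the mail address of a user
        EMail: "mail"

        # The LDAP attribute that stores the language of a user
        Language: ""

        # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)
        Properties:
          # Maps a user property to an LDAP attribute
          # In the example below 'phoneNumber' is the name of the user property.
          # The value of the property is imported from the LDAP attribute 'phone' of the user.
          #phoneNumber: phone

      Membership:
        # The LDAP attribute that stores the user groups a user is member of
        # [AD:memberOf][ND:groupMembership]
        UserMemberOfAttribute: "memberOf"

        # Should the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership.
        # Sometimes this LDAP attribute is not available because of security concerns.
        # If you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.
        # [Format:BOOLEAN]
        # [AD:true][ND:false]
        UseUserMemberOfForUserRoleMembership: true

        # The LDAP attribute that stores the user groups a user group is member of
        # [AD:memberOf][ND:groupMembership]
        UserGroupMemberOfAttribute: memberOf

        # The LDAP attribute that stores the members (users, user groups) of a user group
        # [AD:member][ND:uniqueMember]
        UserGroupMembersAttribute: member

        # Does the security system have to traverse nested groups (groups that are members of a group) to find all users that are members of a user group?
        # Some external security systems provide all users on the member attribute of a user group, even those that are members of nested groups.
        # [Format:BOOLEAN]
        # [AD:true][ND:false]
        TraverseNestedGroups: true

    Import:
      # Should users be imported on demand or by the synchronizing job.
      # If OnDemand is set to:
      # true: then users are not imported by the synchronization job. Instead, a user is imported the first time she logs in.
      # false: then users are imported by the user synchronizing job. If a user was not yet imported by the user synchronization job she is also imported the first time she logs in.
      # [Format:BOOLEAN]
      OnDemand: false

      # The number of objects the security system can read in one LDAP request
      # [Format:NUMBER]
      PageSize: 500

      # Flag to indicate if the daily security system synchronization should run (true) or not (false).
      # When the synchronization runs is defined by UpdateTime.
      # NOTE: Disabling it means users removed from the directory are not removed from the engine until the next sync.
      # [Format:BOOLEAN]
      UpdateEnabled: true

      # Time of day when the security system will synchronize the users.
      # Daily security system synchronization can be switched on or off by setting UpdateEnabled.
      # Format is hh:mm, e.g. "02:00" or "14:15". Keep it quoted: an unquoted hh:mm is parsed as a number by YAML 1.1 loaders.
      # [Format:DAYTIME]
      UpdateTime: "00:00"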