ivy.securitysystem.yaml
[engineDir]/configuration/reference/ivy.securitysystem.yaml
#
# -------------------------------------------
# Axon.ivy Security System Configuration
# -------------------------------------------
#
# This file lists all configuration options of the Security Systems of the Axon.ivy engine applications.
# https://developer.axonivy.com/doc/9.1/engine-guide/configuration/index.html#users
#
# Copy the contents of this reference file to 'configuration/ivy.yaml' before adjusting them to your needs.
# https://developer.axonivy.com/doc/9.1/engine-guide/configuration/files/ivy-yaml.html
#
# OVERRIDING:
# Any configuration value of this file can be set in alternative sources.
# * environment variables: of the operating system can set app config entries.
#   Their key must be prefixed with 'IVY_'.
#   This is the preferred way to supply secrets (e.g. the LDAP Password below) so they are not stored in the file.
# https://developer.axonivy.com/doc/9.1/engine-guide/configuration/advanced-configuration.html#overriding-configuration
#
# == Security Systems ==
#
# List of Security Systems.
# A security system defines how users and roles are managed.
# Security systems that are configured here can be used by applications.
# !! If you change a security system, all users that are no longer defined by the changed security system are disabled.
# !! SecuritySystem changes are reloaded immediately and a user synchronization is executed.
# !! Switching from Microsoft Active Directory or Novell eDirectory to the Axon.ivy Security System keeps all synchronized users, but new passwords must be set for them.
#
SecuritySystems:
  # Example security system with name mySecuritySystem
  mySecuritySystem:
    # The security system manages the users and roles in the system database.
    # If it is the ivy Security System, no additional configuration is needed.
    # If it is Microsoft Active Directory or Novell eDirectory, the security system uses LDAP to import users and role relations from the directory into the system database.
    # [Format:ENUMERATION][Values:ivy Security System, Microsoft Active Directory, Novell eDirectory]
    Provider: "ivy Security System"
    Connection:
      # URL of the naming and directory service.
      # Note: with AuthenticationKind 'simple' the Password is transmitted to the server in clear text,
      # so protect the connection (see 'java.naming.security.protocol' under Environment) on untrusted networks.
      Url: ldap://localhost:389
      # How to authenticate to the naming and directory service.
      # none   = no authentication (default if UserName/Password are NOT configured)
      # simple = user name and password are used (default if UserName/Password are configured)
      # [Format:ENUMERATION][Values:none, simple]
      AuthenticationKind: simple
      # User name to authenticate to the naming and directory service (java.naming.security.principal).
      # Valid formats are:
      # - LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
      # - Active Directory user name like Administrator@axonivy.com
      # Prefer an account with read-only directory permissions; the security system only needs to read users and groups.
      UserName: ""
      # Password to authenticate to the naming and directory service (java.naming.security.credentials).
      # Prefer supplying this value through an 'IVY_'-prefixed environment variable (see OVERRIDING above)
      # instead of committing it to this file.
      # [Format:PASSWORD]
      Password: ""
      # Use a connection pool to store established LDAP connections.
      # [Format:BOOLEAN]
      UseLdapConnectionPool: false
      Retry:
        # Number of times a call is retried after a failure.
        # [Format:NUMBER]
        Count: 3
        # Delay in milliseconds before the next retry call after a failure.
        # The delay doubles with each retry.
        # [Format:NUMBER]
        Delay: 500
      # Additional environment properties for the LDAP context.
      Environment:
        # How to handle LDAP aliases.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
        # [Format:ENUMERATION][Values:always, never, finding, searching]
        "java.naming.ldap.derefAliases": always
        # Security protocol for the connection.
        # If this property is unspecified, the behavior is determined by the service provider.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
        # [Format:ENUMERATION][Values:, ssl]
        "java.naming.security.protocol": ""
        # How referrals encountered by the service provider are processed.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
        # [Format:ENUMERATION][Values:follow, ignore, throw]
        "java.naming.referral": follow
    Binding:
      # Default context to import from.
      # The security system only sees and can import objects below the default context.
      # Normally you want to see and import all users of a security system; then set the default context to the root object/domain.
      # If you want to import only users of a certain department or location, set the default context to the appropriate organizational unit or location.
      # See also ImportUsersOfGroup and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
      DefaultContext: ""
      # If configured, the security system imports only the users that are members of this user group.
      # See also DefaultContext and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
      # Tip for eDirectory: to improve sync performance, add an index on the groupMembership attribute.
      ImportUsersOfGroup: ""
      # The security system only imports users that match the given filter.
      # See also DefaultContext and ImportUsersOfGroup to control/filter the users that are imported.
      # Format = LDAP Search Filter (RFC 4515)
      UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"
    UserAttribute:
      # The LDAP attribute that stores the unique identifier of a user.
      # This identifier is used during synchronization to recognize a renamed user.
      # [AD:objectGUID][ND:GUID]
      Id: objectGUID
      # The LDAP attribute that stores the name of a user.
      # [AD:sAMAccountName][ND:uid]
      Name: sAMAccountName
      # The LDAP attribute that stores the full name of a user.
      # [AD:displayName][ND:fullName]
      FullName: displayName
      # The LDAP attribute that stores the mail address of a user.
      EMail: email
      # The LDAP attribute that stores the language of a user.
      Language: ""
      # A list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty).
      Properties:
        # Maps a user property to an LDAP attribute.
        # In the example below 'phoneNumber' is the name of the user property.
        # The value of the property is imported from the LDAP attribute 'phone' of the user.
        #phoneNumber: phone
    Membership:
      # The LDAP attribute that stores the user groups a user is a member of.
      # [AD:memberOf][ND:groupMembership]
      UserMemberOfAttribute: memberOf
      # Whether the security system may use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership.
      # Sometimes this LDAP attribute is not available because of security concerns.
      # If set to false, the security system imports the user role membership with an alternative but slower mechanism.
      # [Format:BOOLEAN]
      UserMemberOfLookupAllowed: true
      # The LDAP attribute that stores the user groups a user group is a member of.
      # [AD:memberOf][ND:groupMembership]
      UserGroupMemberOfAttribute: memberOf
      # The LDAP attribute that stores the members (users, user groups) of a user group.
      # [AD:member][ND:uniqueMember]
      UserGroupMembersAttribute: member
      # Defines how the synchronization finds all users that are members of a user group.
      # Normally the default is fine; only if your directory has restrictive security settings may you need to switch to TRAVERSE.
      # The setting TRAVERSE may have a big impact on synchronization speed if you use an 'ImportUsersOfGroup'.
      # [Format:ENUMERATION][Values:MATCHING_RULE, DIRECT, TRAVERSE]
      # [AD:MATCHING_RULE][ND:DIRECT]
      NestedGroupsLookup: MATCHING_RULE
    Import:
      # Whether users are imported on demand or by the synchronization job.
      # If OnDemand is set to:
      # true:  users are not imported by the synchronization job. Instead, a user is imported the first time she logs in.
      # false: users are imported by the user synchronization job. A user not yet imported by the job is also imported the first time she logs in.
      # [Format:BOOLEAN]
      OnDemand: false
      # The number of objects the security system reads in one LDAP request.
      # [Format:NUMBER]
      PageSize: 500
      # Time of day at which the security system synchronizes the users.
      # The engine must be running at this time, otherwise the synchronization is not executed.
      # Format is hh:mm, e.g. "00:00" or "14:15" (quoted, so the value is not parsed as a number).
      # [Format:DAYTIME]
      UpdateTime: "00:00"