ivy.securitysystem.yaml
[engineDir]/configuration/reference/ivy.securitysystem.yaml
#
# -------------------------------------------
# Axon Ivy Security System Configuration
# -------------------------------------------
#
# This file shows all configuration of the Security Systems of the Axon Ivy Engine applications.
# https://developer.axonivy.com/doc/9.3/engine-guide/configuration/index.html#users
#
# Copy the contents of this reference file to 'configuration/ivy.yaml' before adjusting them to your needs.
# https://developer.axonivy.com/doc/9.3/engine-guide/configuration/files/ivy-yaml.html
#
# OVERRIDING:
# Any configuration value of this file can be set in alternative sources.
# * environment variables: of the operating system can set app config entries.
#   Their key must be prefixed with 'IVY_'.
#   https://developer.axonivy.com/doc/9.3/engine-guide/configuration/advanced-configuration.html#overriding-configuration
#   Prefer this mechanism (or another external source) for secrets such as Connection.Password,
#   so that no plaintext credential is committed to version control together with ivy.yaml.
#



# == Security Systems ==
#
# List of Security Systems.
# A security system defines how users and roles are managed.
# Security systems that are configured here can be used by applications.
# !! If you change a security system, then all users that are no longer defined by the changed security system will be disabled.
# !! SecuritySystem changes are reloaded immediately and a user synchronization is executed.
# !! Switching from Microsoft Active Directory or Novell eDirectory to the Axon Ivy Security System keeps all synchronized users,
# !! but requires new passwords to be set for them.
#
SecuritySystems:

  # Example security system with the name mySecuritySystem
  mySecuritySystem:
    # The Security System manages the users and roles in the system database.
    # If it is the ivy Security System, no additional configuration is needed.
    # If it is Microsoft Active Directory or Novell eDirectory, the security system uses LDAP to import
    # users and role relations from the directory into the system database; the remaining settings of
    # this block configure that LDAP import.
    # [enum: ivy Security System, Microsoft Active Directory, Novell eDirectory]
    Provider: "ivy Security System"

    Connection:
      # Url to the naming and directory service
      # - LDAP:  ldap://<hostname>:<port>  - port can be omitted if it is the default port 389
      # - LDAPS: ldaps://<hostname>:<port> - port can be omitted if it is the default port 636
      # NOTE: the security protocol needs to be set to "ssl" for LDAPS (Environment.java.naming.security.protocol, see below).
      # SECURITY: a plain ldap:// connection is unencrypted. With AuthenticationKind 'simple' the bind
      # password, and all imported user data, cross the network in clear text. Use ldaps:// for any
      # directory that is not reached over a trusted local link.
      Url: ldap://localhost:389

      # How to authenticate to the naming and directory service
      # none   = no authentication (default if UserName/Password are NOT configured)
      # simple = user name and password are used (default if UserName/Password are configured)
      # [enum: none, simple]
      AuthenticationKind: simple

      # User name to authenticate to the naming and directory service (java.naming.security.principal).
      # Use a dedicated, read-only directory account for the import rather than a privileged one.
      # Valid formats are...
      # - LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
      # - Active Directory user name like Administrator@axonivy.com
      UserName: ""

      # Password to authenticate to the naming and directory service (java.naming.security.credentials).
      # Avoid storing the plaintext value in a file under version control; supply it through an
      # environment variable override instead (see OVERRIDING at the top of this file).
      # [password]
      Password: ""

      # Use a connection pool to store established LDAP connections.
      UseLdapConnectionPool: false

      # Flag indicating whether an insecure SSL connection is allowed (no server certificate verification).
      # NOTE: Setting EnableInsecureSSL to true turns off server certificate verification. An attacker
      # on the network path can then impersonate the directory and capture the bind credentials,
      # so this should only ever be used for local testing.
      # Whenever possible the LDAP server certificate (or its root certificate)
      # should be added to the Ivy Engine trust store instead.
      # See SSL.Client.TrustStore in https://developer.axonivy.com/doc/9.3/engine-guide/configuration/files/ivy-yaml.html
      # on how to configure the engine truststore.
      EnableInsecureSSL: false

      Retry:
        # Number of times a call is retried after a failure.
        Count: 3

        # Delay in milliseconds before the next retry call, after a failure.
        # With each retry the delay time doubles.
        Delay: 500

      # Here you can configure additional environment properties for the LDAP context.
      Environment:
        # How to handle LDAP aliases.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
        # [enum: always, never, finding, searching]
        "java.naming.ldap.derefAliases": always

        # Specifies the security protocol.
        # If this property is unspecified, the behavior is determined by the service provider.
        # Must be "ssl" when Connection.Url uses ldaps://.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
        # [enum: , ssl]
        "java.naming.security.protocol": ""

        # Specifies how referrals encountered by the service provider are to be processed.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
        # NOTE(review): with 'follow' the engine connects to whatever server a referral names;
        # check how the bind credentials are reused on that connection before following referrals
        # into domains you do not control. 'ignore' or 'throw' avoids the additional connections.
        # [enum: follow, ignore, throw]
        "java.naming.referral": follow

    Binding:
      # Default Context to import from.
      # The security system only sees and can import objects below the default context.
      # Normally you want to see and import all users of a security system; then set the default context to the root object/domain.
      # If you want to import only users from a certain department or location, set the default context to the appropriate organizational unit or location.
      # Choose the narrowest context that still contains all users you need: everything below it is visible to the import.
      # See also ImportUsersOfGroup and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
      DefaultContext: ""

      # If configured, the security system imports only the users that are members of this user group.
      # See also DefaultContext and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
      # Tip for eDirectory: To improve synch performance you have to add an index on the groupMembership attribute.
      ImportUsersOfGroup: ""

      # The security system only imports users that match the given filter.
      # See also DefaultContext and ImportUsersOfGroup to control/filter the users that are imported.
      # The default excludes computer accounts, which should normally not become engine users.
      # Format = LDAP Search Filter (RFC 4515)
      UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"

    UserAttribute:
      # The LDAP attribute that stores the unique identifier of a user.
      # This identifier is used during synchronization to identify a renamed user.
      # [AD:objectGUID][ND:GUID]
      Id: objectGUID

      # The LDAP attribute that stores the name of a user
      # [AD:sAMAccountName][ND:uid]
      Name: sAMAccountName

      # The LDAP attribute that stores the full name of a user
      # [AD:displayName][ND:fullName]
      FullName: displayName

      # The LDAP attribute that stores the mail address of a user
      EMail: mail

      # The LDAP attribute that stores the language of a user
      Language: ""

      # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty).
      # Only map attributes that applications actually need; every mapped attribute is copied into the system database.
      Properties:
        # Maps a user property to an LDAP attribute.
        # In the example below 'phoneNumber' is the name of the user property.
        # The value of the property is imported from the LDAP attribute 'phone' of the user.
        #phoneNumber: phone

    Membership:
      # The LDAP attribute that stores the user groups a user is member of
      # [AD:memberOf][ND:groupMembership]
      UserMemberOfAttribute: memberOf

      # Whether the security system may use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership.
      # Sometimes this LDAP attribute is not readable because of security restrictions on the directory.
      # If you set this to false, the security system imports the user role membership with an alternative but slower mechanism.
      UserMemberOfLookupAllowed: true

      # The LDAP attribute that stores the user groups a user group is member of
      # [AD:memberOf][ND:groupMembership]
      UserGroupMemberOfAttribute: memberOf

      # The LDAP attribute that stores the members (users, user groups) of a user group
      # [AD:member][ND:uniqueMember]
      UserGroupMembersAttribute: member

      # This property defines how the synchronization finds all users that are members of a user group.
      # Normally the default is fine; only if some security settings on your directory prevent it may you need to switch to TRAVERSE.
      # The setting TRAVERSE may have a big impact on your synchronization speed if you use an 'ImportUsersOfGroup'.
      # [enum: MATCHING_RULE, DIRECT, TRAVERSE]
      # [AD:MATCHING_RULE][ND:DIRECT]
      NestedGroupsLookup: MATCHING_RULE

    Import:
      # Should users be imported on demand or by the synchronizing job.
      # If OnDemand is set to:
      #   true:  users are not imported by the synchronization job. Instead, a user is imported the first time they log in.
      #   false: users are imported by the user synchronizing job. If a user was not yet imported by the user synchronization job, they are also imported the first time they log in.
      OnDemand: false

      # The number of objects the security system reads in one LDAP request
      PageSize: 500

      # Flag to indicate whether the daily security system synchronization should run (true) or not (false).
      # When the synchronization runs is defined by UpdateTime.
      UpdateEnabled: true

      # Time of day when the security system synchronizes the users.
      # The engine must be running at this time, otherwise the synchronization is not executed.
      # Daily security system synchronization can be switched on or off by setting UpdateEnabled.
      # Format is hh:mm, e.g. "02:00" or "14:15" (keep the value quoted so it is read as text, not as a number).
      # [daytime]
      UpdateTime: "00:00"

    UserSynch:
      # Whether the user should be synchronized with the external security system at login or not.
      # If the user does not exist yet, they are synchronized anyway. In case of slow external
      # security system connections it can make sense to deactivate this setting.
      # NOTE(review): with OnLogin false, changes made in the directory (e.g. revoked group
      # memberships) presumably only reach the engine with the next daily synchronization
      # (Import.UpdateTime) - confirm before relying on it for timely access revocation.
      OnLogin: true
196 # security system connections it can make sense to deactivate this setting.
197 OnLogin: true