Novell eDirectory

The Axon Ivy Engine connects to Novell eDirectory via LDAP. In most cases it is sufficient to copy the template below and adjust the values. There are, however, many detailed settings that you can find in the reference. The Engine Cockpit offers a detailed configuration page to connect to Novell eDirectory.

Template

# Novell eDirectory as an Identity Provider for the 'default' Security System
# [engineDir]/configuration/ivy.yaml
SecuritySystems:
  default:
    IdentityProvider:
      Name: "novell-edirectory"
    Config:
      Connection:
        Url: ldap://localhost:389
        UserName: Administrator@axonivy.com
        Password: "${encrypt:1234}"
      Binding:
        DefaultContext: ou=ivyteam,dc=axonivy,dc=com

      # Role mappings
      Roles:
        Manager: cn=manager,ou=ivyteam,dc=axonivy,dc=com
        Employee: cn=employee,ou=ivyteam,dc=axonivy,dc=com

      # User property mappings
      UserAttribute:
        Properties:
          phoneNumber: phone

Reference

Connection:
  # Url to the Identity Provider
  # - LDAP:  ldap://<hostname>:<port>   - port can be omitted if it is default port 389
  # - LDAPS: ldaps://<hostname>:<port>  - port can be omitted if it is default port 636
  # NOTE: security protocol needs to be set to "ssl" for LDAPS (Environment.java.naming.security.protocol, see below).
  Url: ldap://localhost:389

  # Ivy access to the Identity Provider
  # -------------------------------------
  #
  # Provide a technical user for Ivy to access the Identity Provider.

  # Which authentication scheme shall be used, none or simple?
  #
  # none = no authentication (default if UserName/Password are NOT configured)
  # simple = user name and password are used (default if UserName/Password are configured)
  # [enum: none, simple]
  AuthenticationKind: simple

  # User name (java.naming.security.principal).
  # Valid format is an LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
  UserName: ""

  # Password (java.naming.security.credentials).
  # [password]
  Password: ""

  # Use a connection pool to store established LDAP connections?
  #
  # This can speed up access to the Identity Provider since the connections are established once and re-used
  # instead of being established, used and closed for every call.
  # N.B. Further configuration options for the pool have to be set in jvm.options.
  # The settings are documented in https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
  #
  UseLdapConnectionPool: false

  # Allow insecure SSL connections (no server certificate verification)?
  #
  # NOTE: Setting EnableInsecureSSL to true will turn off server certificate verification.
  #       Whenever possible the LDAP server certificate (or its root certificate)
  #       should be added to the Ivy Engine trust store.
  #       See SSL.Client.TrustStore in the @engine.guide.url@/configuration/files/ivy-yaml.html
  #       on how to configure the engine truststore.
  #
  EnableInsecureSSL: false

  Retry:
    # Number of times a call should be retried after a failure.
    Count: 3

    # Delay in milliseconds before the next retry call, after a failure.
    # With each retry the delay time doubles.
    Delay: 500

  # Here you can configure additional environment properties for the LDAP context.
  Environment:
    # How to handle LDAP aliases.
    # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
    # [enum: always, never, finding, searching]
    "java.naming.ldap.derefAliases": always

    # Specify the security protocol.
    # If this property is unspecified, the behavior is determined by the service provider.
    # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
    # [enum: , ssl]
    "java.naming.security.protocol": ""

    # Specify how referrals received from the Identity Provider are to be processed.
    # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
    # follow is the default setting, but may cause slow reading from the Identity Provider
    # ignore does not follow the referral
    # throw throws an error if a referral is found. It is intended mostly for identifying and debugging LDAP problems.
    # [enum: follow, ignore, throw]
    "java.naming.referral": follow

    # LDAP attributes that are to be returned as binary values
    "java.naming.ldap.attributes.binary": guid

Binding:
  # Default Context to import from.
  # The security system only sees and can import objects below the default context.
  # If you want to see and import all users of an Identity Provider, then set the default context to the root object/domain.
  # If you want to import only users from a certain department or location, then you can set the default context to
  # the appropriate organization unit or location.
  # See also EverybodyUserGroupName and UserFilter to control/filter the users that are imported.
  # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
  # [directoryBrowser]
  DefaultContext: ""

  # If configured, then the security system imports only the users that are members of this user group.
  # See also DefaultContext and UserFilter to control/filter the users that are imported.
  # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
  # Tip for eDirectory: To improve sync performance, add an index on the groupMembership attribute.
  # [directoryBrowser]
  ImportUsersOfGroup: ""

  # The security system only imports users that match the given filter.
  # See also DefaultContext and EverybodyUserGroupName to control/filter the users that are imported.
  # Format = LDAP Search Filter (RFC 4515)
  UserFilter: "objectClass=inetOrgPerson"

UserAttribute:
  # The LDAP attribute that stores the unique identifier of a user.
  # This identifier is used during synchronization to identify a renamed user.
  Id: GUID

  # The LDAP attribute that stores the name of a user
  Name: uid

  # The LDAP attribute that stores the full name of a user
  FullName: fullName

  # The LDAP attribute that stores the mail address of a user
  EMail: mail

  # The LDAP attribute that stores the language of a user
  Language: ""

  # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)
  Properties:
    # Maps a user property to an LDAP attribute.
    # In the example below 'phoneNumber' is the name of the user property.
    # The value of the property is imported from the LDAP attribute 'phone' of the user.
    #phoneNumber: phone

Membership:
  # The LDAP attribute that stores the user groups a user is member of
  UserMemberOfAttribute: groupMembership

  # Can the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership?
  # Sometimes this LDAP attribute is not available because of security concerns.
  # If you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.
  UserMemberOfLookupAllowed: true

  # The LDAP attribute that stores the user groups a user group is member of
  UserGroupMemberOfAttribute: groupMembership

  # The LDAP attribute that stores the members (users, user groups) of a user group
  UserGroupMembersAttribute: uniqueMember

  # This property defines how the synchronization finds all users that are members of a user group.
  # Normally the default is fine; only if your directory has certain security settings may you need to switch to TRAVERSE.
  # The setting TRAVERSE may have a big impact on your synchronization speed if you use an 'ImportUsersOfGroup'.
  # [enum: MATCHING_RULE, DIRECT, TRAVERSE]
  NestedGroupsLookup: DIRECT

# The number of objects the security system can read in one LDAP request
PageSize: 500

# Role mapping that is considered by the user synchronization.
# Users are added to the roles to which they are assigned.
#Roles:
  # The left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.
  # On the right side, e.g. cn=manager,ou=ivyteam,dc=axonivy,dc=com, the external name of the role is set.
  # The synchronization adds all users to Manager respectively Employee that are assigned to cn=manager,ou=ivyteam,dc=axonivy,dc=com
  # respectively cn=employee,ou=ivyteam,dc=axonivy,dc=com.
  #Manager: cn=manager,ou=ivyteam,dc=axonivy,dc=com
  #Employee: cn=employee,ou=ivyteam,dc=axonivy,dc=com
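The Connection settings above decide whether the technical user's password crosses the network in clear text and whether the server certificate is checked. The following lint helper is an added example, not part of the Axon Ivy Engine: it takes the Config mapping of one security system (as loaded from ivy.yaml, e.g. with PyYAML), flags the weak combinations the reference warns about, and computes the retry waits implied by Retry.Count and Retry.Delay. The ldaps host name in the hardened sample is a constructed placeholder.

```python
import re
from urllib.parse import urlparse

# Hypothetical lint helper, not part of the Axon Ivy Engine.
ENCRYPTED = re.compile(r"^\$\{encrypt:.*\}$")   # password form used by the page's template

def lint_idp_config(config: dict) -> list[str]:
    """Return findings for the Connection/Environment part of one security system."""
    findings = []
    conn = config.get("Connection", {})
    env = conn.get("Environment", {})
    url = urlparse(conn.get("Url", ""))
    protocol = env.get("java.naming.security.protocol", "")
    if url.scheme == "ldap" and protocol != "ssl":
        # a simple bind without TLS sends the technical user's password in clear text
        findings.append("plain ldap:// without java.naming.security.protocol=ssl")
    if url.scheme == "ldaps" and protocol != "ssl":
        findings.append("ldaps:// requires java.naming.security.protocol=ssl")
    if conn.get("EnableInsecureSSL", False):
        findings.append("EnableInsecureSSL=true disables server certificate verification; "
                        "put the server/root certificate into the engine trust store instead")
    password = conn.get("Password", "")
    if password and not ENCRYPTED.match(password):
        findings.append("Password is stored in clear text; use ${encrypt:...}")
    return findings

def retry_delays(count: int, delay_ms: int) -> list[int]:
    """Wait before each retry: the configured Delay, doubling with every retry."""
    return [delay_ms * 2 ** i for i in range(count)]

# Constructed sample: the Connection part of the page's template ...
TEMPLATE = {
    "Connection": {
        "Url": "ldap://localhost:389",
        "UserName": "Administrator@axonivy.com",
        "Password": "${encrypt:1234}",
        "EnableInsecureSSL": False,
        "Environment": {"java.naming.security.protocol": ""},
    }
}
# ... and a hardened variant with an assumed LDAPS host name (placeholder).
HARDENED = {
    "Connection": {
        "Url": "ldaps://ldap.example.test:636",
        "Password": "${encrypt:1234}",
        "EnableInsecureSSL": False,
        "Environment": {"java.naming.security.protocol": "ssl"},
    }
}
```

Running `lint_idp_config(TEMPLATE)` reports only the plain ldap:// finding, while `HARDENED` passes clean; `retry_delays(3, 500)` gives the 500, 1000 and 2000 ms waits described under Retry.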