Primeur Online Docs
Data Mover 1.20
Explore our productsData Mover 1.20Data Watcher 1.20Data ShaperPanorama 1.2.4DWAgent 2.0.0Data One Installation Manager
Data Mover 1.20
Explore our productsData Mover 1.20Data Watcher 1.20Data ShaperPanorama 1.2.4DWAgent 2.0.0Data One Installation Manager
  • 🚀GETTING STARTED
    • What is Primeur Data Mover
    • Main features in Primeur Data Mover
    • Primeur Data Mover deployment
    • Navigate through Primeur Data Mover
  • 👥Actors
    • Who are they?
    • Create your first actor
    • Configuring an actor - NEW! 🚀
      • Users Tab
      • Groups Tab
      • VFS Tab
      • File Resource Tab
        • Creating File Resources
        • Navigating File Resources
        • How to use File Resources
      • Connection Contract Tab
      • Client Connections Tab
    • Searching files by Actor
    • Actor Lineage - NEW! 🚀
      • Aggregation of flows by protocol - NEW! 🚀
      • Lineage with connection contracts - NEW! 🚀
      • Lineage with input, mediation and output contracts - NEW! 🚀
      • Lineage with any contract type - NEW! 🚀
  • 📝Contracts
    • What is a contract
    • Create your first contract
      • Create an Input Contract
        • Define the Contract Info
        • Associate the Contract with the Actor
        • Define the Contract Actions
        • Set the Contract Variables
      • Create a Connection Contract
        • Create a Contract Clause
        • Associate the VFS with File Processing Rules
        • File Processing Rules
    • Managing contracts - NEW! 🚀
  • 🧱Workflows
    • What is a workflow
    • Create your first workflow template
      • Workflow template - Toolbar
      • Workflow template - Shape Repository Panel
      • Workflow template - Working Area
      • Workflow template - BPMN-Diagram
        • Variable types ---- review needed
      • Modeling elements
      • Editing Workflow Templates
    • How they work
    • Trigger types
    • Service Tasks
      • Configuring Service Tasks
      • Configuring Triggerable Service Tasks - NEW! 🚀
      • Handling Process Variable
      • Spazio Selectors and Filebox Metadata management
      • Error Management
    • Workflows and contracts interaction
    • Workflows hacks you may need
    • System Workflow Templates
      • Input templates
      • Mediation templates
      • Output templates
    • Error Workflow Templates
    • DataFlow Instance Context (DFIC) 🚀
  • 🔓Security
    • Identity and Access Management
    • Users & Groups
      • Setting the password policy
      • Creating Internal Users - NEW! 🚀
      • Creating Internal Groups
      • Creating External Users
      • Creating External Groups
    • Key Stores and Trust Stores
      • Key Store - NEW! 🚀
        • Creating a Key - NEW! 🚀
        • Creating a Certificate - NEW! 🚀
        • Importing a Key or a Certificate
        • Creating a Symmetric key
        • Examples
      • Trust Store - NEW! 🚀
        • Importing Keys - NEW! 🚀
        • Importing Certificates
      • Untrusted Cache - NEW! 🚀
      • Trusting an element
        • When do I use the Keys tab?
        • When do I use the Certificates tab?
      • PGP Key Store / PGP Trust Store
        • Configuring the PGP Key Store
        • Importing keys into the PGP Trust Store
  • 🛸TRANSPORT PROTOCOLS AND CONNECTORS
    • Data Mover client and server roles
    • Client Connections
      • FTP connection
      • Client Connection: FTPS
      • Client Connection: SFTP
      • Client Connection: HTTP
      • Client Connection: HTTPS
      • Client Connection: PESIT
      • Client Connection: SMB v3 or later versions
      • Client Connection: POP3 IMAP
      • Client Connection: SMTP
      • Client Connection: PR4/PR4S
      • Client Connection: PR5
      • Client Connection: PR5S
      • Client Connection: HDFS
      • Client Connection: HDFSS
      • Client Connection: Amazon S3 - NEW! 🚀
      • Client Connection: Google Cloud Storage
        • Credentials
      • Client Connection: Azure Blob Storage
      • Client Connection: IBM Sterling Connect:Direct
      • Appendix
    • Server Connections - NEW 🚀
      • FTP
      • FTPS
      • SFTP
      • HTTP
      • HTTPS
      • PeSIT
      • PR4
      • PR5
      • PR5S
      • CD
    • Stopping all servers in one go
  • 🛰️DMZ GATEWAYS
    • DMZ Gateways
    • DMZ Clusters
  • 🎧FILE EVENT LISTENER
    • What is the File Event Listener
    • Configuring File Event Listeners
      • Setting the File Event Listener Engine
      • Defining a contract for the File Event Listener
      • Setting events to be monitored
    • RegEx Rules
    • Monitoring File Event Listeners
  • 🔍ICAP
    • ICAP Engines
    • Configuring an ICAP Engine
    • Defining an ICAP rule
  • 📚CLUSTERING
    • STENG, Clusters and Servers
    • Adding a cluster and a STENG
    • Deleting a STENG
  • 🕒MONITORING
    • Jobs
      • Details about Jobs - NEW! 🚀
      • jobman.sh CLI
    • Job Manager
    • Job Queues
      • Managing Job Queues
    • File Transfers
      • Ongoing
      • Finished
      • Reports
    • File Transfers Rules
      • Configuring Rules
  • 🤓ADMINISTRATION
    • Storage Classes - NEW! 🚀
      • Storage Class: File System - NEW! 🚀
      • Storage Class: SMB v3 or later versions - NEW! 🚀
      • Storage Class: Amazon S3 - NEW! 🚀
      • Storage Class: Google Cloud Storage - NEW! 🚀
      • Storage Class: Azure Blob Storage - NEW! 🚀
    • Retention Classes
    • Virtual File Systems (VFS) - NEW! 🚀
      • Creating a VFS - NEW! 🚀
      • Configuring a VFS
      • Adding Virtual Paths
      • Modifying and Deleting a VFS
      • Searching files in all VFS
    • Advanced Settings
  • 👑FILE MANAGER
    • Getting started
    • Logging into File Manager
    • Managing the File Manager - NEW! 🚀
      • The list of results
      • Creating new folders
      • Uploading files
      • Downloading files - NEW! 🚀
      • Searching for files and folders
      • Deleting files - NEW! 🚀
      • Bulk actions - NEW! 🚀
    • File Manager and VFS
    • Customizing File Manager externals
      • The configuration-wui.json file - NEW! 🚀
      • How to customize the Login window and the logo
      • How to customize the footer
      • How to configure the Upload with Metadata option
      • How to customize bulk actions - NEW! 🚀
  • 🧑‍⚖️FILE ROUTING
    • What is File Routing - NEW! 🚀
    • Routing Rules page
      • The Rules tab
      • The Categories tab
      • The Output tab
    • How to create a rule - NEW! 🚀
      • Add metadata - NEW! 🚀
      • Select ACTIONS
      • Select OUTPUTS
      • Policy for the selection of metadata rules
    • Configuration of the environment in Data One
      • Set up Storage Classes
      • Set up Retention Classes
      • Configure the Actor
      • Set up File Resources
    • Associate the Routing Rule to a Contract
    • Example
  • 💬LOGS & AUDIT
    • Logs - NEW! 🚀
      • Logs options - NEW! 🚀
      • Troubleshooting error analysis in Logs
    • Audit Options - NEW! 🚀
      • Export audit logs - NEW! 🚀
      • List of Audit entity types - NEW! 🚀
      • Audit message codes - NEW! 🚀
    • Log Notifiers - NEW! 🚀
      • FEL message codes
  • 📩NOTIFICATION CHANNELS
    • What are Notification Channels
    • Configuring the default Email Notification Channel
    • Configuring a new Email Notification Channel
    • Trusting Certificates
    • Managing Templates
      • Data Watcher Macros
      • Contract Macros
      • ICAP Macros
      • Central Log Macros
      • Email Templates
      • Editing default templates
      • Loading a new template
  • 🟣DATA MOVER + DATA WATCHER
    • Data Mover in a bundle with Data Watcher
    • Attributes - NEW! 🚀
    • Cut-off Board
      • Cut-off Calendars
    • Dataflow Inquiry
  • 🟠DATA MOVER + DATA SHAPER
    • Data Mover in a bundle with Data Shaper
    • Monitoring
    • Execution History
    • Sandboxes
  • 💻API
    • HTTP MFT Rest API
    • Job Manager APIs - NEW! 🚀
    • SFTP Server sessions APIs - NEW! 🚀
  • 🕹️CLI and Configuration files
  • 🧐HOW TO...
    • ... use different DNS names - NEW! 🚀
    • ... configure a Cron Expression
    • ... create a Mediation Contract
    • ... create an Output Contract
    • ... configure an Application
    • ... customize a header
    • ... run searches in Data Watcher - NEW! 🚀
    • ... use Data Shaper graphs in Data One contracts
    • ... modify DMCFG and deploy it
    • ... tune Data One data retention
  • 🗒️RELEASE NOTES
    • Data One 1.20.10
    • Data One 1.20.9
    • Data One 1.20.8
    • Data One 1.20.7
      • Data One 1.20.7.1
    • Data One 1.20.6
    • Data One 1.20.5
    • Data One 1.20.4
    • Data One 1.20.3
    • Data One 1.20.2
    • Data One 1.20.1
    • Data One 1.20.0
Powered by GitBook
On this page
  • Add a Kerberos provider
  • Required settings
  • Cache settings
  • Add an LDAP provider
  • General options
  • Connection and authentication settings
  • LDAP searching and updating
  • Synchronization settings
  • Kerberos integration
  • Cache settings
  • Advanced settings
  1. Security

Identity and Access Management

Use this section to configure external databases and directories, such as LDAP and Active Directory.

Click the User federation option on the left and select the Kerberos or LDAP provider according to your needs.

Add a Kerberos provider

Required settings

Field
Is it required?
Description

UI display name

Y

Display name of provider when linked in the Admin UI.

Kerberos realm

Y

Name of kerberos realm. For example: FOO.ORG

Server principal

Y

Full name of server principal for HTTP service including server and domain name. For example: HTTP/host.foo.org@FOO.ORG.

Key tab

Y

Location of Kerberos KeyTab file containing the credentials of server principal. For example: /etc/krb5.keytab

Debug

N

Set to On to enable the debug logging to standard output for the Krb5LoginModule. Default: Off

Allow password authentication

N

Set to On to enable the possibility of username/password authentication against Kerberos database. Default: Off

Update first login

N

Set to On to update the profile on first login. Default: Off

Cache settings

Field
Is it required?
Description

Cache policy

N

Define the Cache Policy for the storage provider. Possible options are: - DEFAULT: whatever the default settings are for the global cache. - EVICT_DAILY is a time of day every day that the cache will be invalidated. - EVICT_WEEKLY is a day of the week and time the cache will be invalidated. - MAX_LIFESPAN is the time in milliseconds that will be the lifespan of a cache entry. - NO_CACHE: choose this option if you do not want the cache to be enabled.Default: DEFAULT

Add an LDAP provider

General options

Field
Is it required?
Description

UI display name

Y

Display name of provider when linked in the Admin UI. Default: ldap

Vendor

Y

Select the LDAP vendor (provider). Possible options are: - Active Directory - Red Hat Directory Server - Tivoli - Novell eDirectory - Other Default: Active Directory

Connection and authentication settings

Field
Is it required?
Description

Connection URL

Y

Connection URL to your LDAP server.

Enable StartTLS

N

Encrypts the connection to LDAP using STARTTLS, which will disable connection pooling. Default: Off

Use Truststore SPI

N

Specifies whether LDAP connection will use the Truststore SPI with the truststore configured in standalone.xml/domain.sml. - Always means that it will always use it. - Never means that it will not use it. - Only for ldaps means that it will use it if your connection URL uses ldaps. Note that even if standalone.xml/domain.xml is not configured, the default java cacerts or certificate specified by 'javax.net.ssl.trustStore' property will be used. Default: Only for ldaps

Connection pooling

N

Determines if Identity Access Manager should use connection pooling for accessing LDAP server. If set to On, Identity Access Manager will use connection pooling for accessing LDAP server. Default: Off

Connection timeout

N

LDAP connection timeout in milliseconds.

Bind type

Y

Type of the authentication method used during LDAP bind operation. It is used in most of the requests sent to the LDAP server. Currently only 'none' (anonymous LDAP authentication) or 'simple' (bind credential + bind password authentication) mechanisms are available. Default: simple

Bind DN

Y

DN of the LDAP admin, which will be used by the Identity Access Manager.

Bind credentials

Y

Password of LDAP admin. This field can obtain its value from vault, use ${vault.ID} format.

Use the Test connection and Test authentication buttons to verify that the connection and the authentication are correctly configured.

LDAP searching and updating

Field
Is it required?
Description

Edit mode

Y

READ_ONLY is a read-only LDAP store. WRITABLE means data will be synced back to LDAP on demand. UNSYNCED means user data will be imported, but not synced back to LDAP. Default: empty

Users DN

Y

Full DN of LDAP tree where your users are. This DN is the parent of LDAP users. It could be for example 'ou=users,dc=example,dc=com' assuming that your typical user will have DN like 'uid='john',ou=users,dc=example,dc=com'.

Username LDAP attribute

Y

Name of the LDAP attribute, which is mapped as the Identity Access Manager username. For many LDAP server vendors it can be 'uid'. For Active directory it can be 'sAMAccountName' or 'cn'. The attribute should be filled for all LDAP user records you want to import from LDAP to the Identity Access Manager. Default: cn

RDN LDAP attribute

Y

Name of the LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as the Username LDAP attribute, however it is not required. For example for Active directory, it is common to use 'cn' as RDN attribute when username attribute might be 'sAMAccountName'. Default: cn

UUID LDAP attribute

Y

Name of the LDAP attribute, which is used as a unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is 'entryUUID'; however some are different. For example, for Active directory it should be 'objectGUID'. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN'. Default: objectGUID

User object classes

Y

All values of LDAP objectClass attribute for users in LDAP, divided by commas. For example: 'inetOrgPerson, organizationalPerson'. Newly created Identity Access Manager users will be written to LDAP with all those object classes and existing LDAP user records are found just if they contain all those object classes. Default: person, organizationalPerson, user

User LDAP filter

N

Additional LDAP filter for filtering searched users. Leave this empty if you don't need an additional filter. Make sure that it starts with '(' and ends with ')'.

Search scope

N

For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree. See LDAP documentation for more details. Default: One Level

Read timeout

N

LDAP read timeout in milliseconds. This timeout applies for LDAP read operations.

Pagination

N

Whether the LDAP server supports pagination. Default: Off

Synchronization settings

Field
Is it required?
Description

Import users

N

If true, LDAP users will be imported into the Identity Access Manager DB and synced by the configured sync policies. Default: On

Sync Registrations

N

Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user. This setting is effectively applied only with WRITABLE edit mode. Default: On

Batch size

N

Count of LDAP users to be imported from LDAP to the Identity Access Manager within a single transaction. Default: empty

Periodic full sync

N

Set whether periodic full synchronization of LDAP users to the Identity Access Manager should be enabled or not. Default: Off

Periodic changed users sync

N

Set whether periodic synchronization of changed or newly created LDAP users to the Identity Access Manager should be enabled or not. Default: Off

Kerberos integration

Field
Is it required?
Description

Allow Kerberos authentication

N

Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server. Default: Off

Use Kerberos for password authentication

N

User Kerberos login module for authenticating username/password against Kerberos server instead of authenticating against LDAP server with Directory Service API Default: Off

Cache settings

Field
Is it required?
Description

Cache policy

N

Cache Policy for this storage provider. - DEFAULT is whatever the default settings are for the global cache. - EVICT_DAILY is a time of day every day that the cache will be invalidated. - EVICT_WEEKLY is a day of the week and time the cache will be invalidated. - MAX_LIFESPAN is the time in milliseconds that will be the lifespan of a cache entry. - NO_CACHE: choose this option if you do not want the cache to be enabled. Default: DEFAULT

Advanced settings

Field
Is it required?
Description

Enable the LDAPv3 password modify extended operation

N

Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP attribute mapper' with randomly generated initial password. Default: Off

Validate password policy

N

Determines if the Identity Access Manager should validate the password with the realm password policy before updating it. Default: Off

Trust email

N

If enabled, email provided by this provider is not verified even if verification is enabled for the realm. Default: Off

Use the Query Supported Extensions button to verify the connection to Kerberos.

PreviousDataFlow Instance Context (DFIC) 🚀NextUsers & Groups

Last updated 1 month ago

🔓