Identity and Access Management

Use this section to configure external databases and directories, such as LDAP and Active Directory.

Click the User federation option on the left and select the Kerberos or LDAP provider according to your needs.

Add a Kerberos provider

Required settings

FieldIs it required?Description
UI display nameYDisplay name of provider when linked in the Admin UI.
Kerberos realmYName of kerberos realm.
For example: FOO.ORG
Server principalYFull name of server principal for HTTP service including server and domain name.
For example: HTTP/[email protected].
Key tabYLocation of Kerberos KeyTab file containing the credentials of server principal.
For example: /etc/krb5.keytab
DebugNSet to On to enable the debug logging to standard output for the Krb5LoginModule.
Default: Off
Allow password authenticationNSet to On to enable the possibility of username/password authentication against Kerberos database.
Default: Off
Update first loginNSet to On to update the profile on first login.
Default: Off

Cache settings

FieldIs it required?Description
Cache policyNDefine the Cache Policy for the storage provider. Possible options are:

- DEFAULT: whatever the default settings are for the global cache.
- EVICT_DAILY is a time of day every day that the cache will be invalidated.
- EVICT_WEEKLY is a day of the week and time the cache will be invalidated.
- MAX_LIFESPAN is the time in milliseconds that will be the lifespan of a cache entry.
- NO_CACHE: choose this option if you do not want the cache to be enabled.Default: DEFAULT

Add an LDAP provider

General options

FieldIs it required?Description
UI display nameY Display name of provider when linked in the Admin UI.
Default: ldap
VendorYSelect the LDAP vendor (provider). Possible options are:

- Active Directory
- Red Hat Directory Server
- Tivoli
- Novell eDirectory
- Other
Default: Active Directory

Connection and authentication settings

FieldIs it required?Description
Connection URLY Connection URL to your LDAP server.
Enable StartTLSNEncrypts the connection to LDAP using STARTTLS, which will disable connection pooling.
Default: Off
Use Truststore SPINSpecifies whether LDAP connection will use the Truststore SPI with the truststore configured in standalone.xml/domain.sml.

- Always means that it will always use it.
- Never means that it will not use it.
- Only for ldaps means that it will use it if your connection URL uses ldaps.
Note that even if standalone.xml/domain.xml is not configured, the default java cacerts or certificate specified by 'javax.net.ssl.trustStore' property will be used.
Default: Only for ldaps
Connection poolingNDetermines if Identity Access Manager should use connection pooling for accessing LDAP server. If set to On, Identity Access Manager will use connection pooling for accessing LDAP server.
Default: Off
Connection timeoutNLDAP connection timeout in milliseconds.
Bind typeY Type of the authentication method used during LDAP bind operation. It is used in most of the requests sent to the LDAP server. Currently only 'none' (anonymous LDAP authentication) or 'simple' (bind credential + bind password authentication) mechanisms are available.
Default: simple
Bind DNY DN of the LDAP admin, which will be used by the Identity Access Manager.
Bind credentialsY Password of LDAP admin. This field can obtain its value from vault, use ${vault.ID} format.

Use the Test connection and Test authentication buttons to verify that the connection and the authentication are correctly configured.

LDAP searching and updating

FieldIs it required?Description
Edit modeY READ_ONLY is a read-only LDAP store.
WRITABLE means data will be synced back to LDAP on demand.
UNSYNCED means user data will be imported, but not synced back to LDAP.
Default: empty
Users DNYFull DN of LDAP tree where your users are. This DN is the parent of LDAP users. It could be for example 'ou=users,dc=example,dc=com' assuming that your typical user will have DN like 'uid='john',ou=users,dc=example,dc=com'.
Username LDAP attributeYName of the LDAP attribute, which is mapped as the Identity Access Manager username.
For many LDAP server vendors it can be 'uid'.
For Active directory it can be 'sAMAccountName' or 'cn'.
The attribute should be filled for all LDAP user records you want to import from LDAP to the Identity Access Manager.
Default: cn
RDN LDAP attributeYName of the LDAP attribute, which is used as RDN (top attribute) of typical user DN.
Usually it's the same as the Username LDAP attribute, however it is not required.
For example for Active directory, it is common to use 'cn' as RDN attribute when username attribute might be 'sAMAccountName'.
Default: cn
UUID LDAP attributeYName of the LDAP attribute, which is used as a unique object identifier (UUID) for objects in LDAP.
For many LDAP server vendors, it is 'entryUUID'; however some are different.
For example, for Active directory it should be 'objectGUID'.
If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree.
For example 'uid' or 'entryDN'.
Default: objectGUID
User object classesYAll values of LDAP objectClass attribute for users in LDAP, divided by commas.
For example: 'inetOrgPerson, organizationalPerson'.
Newly created Identity Access Manager users will be written to LDAP with all those object classes and existing LDAP user records are found just if they contain all those object classes.
Default: person, organizationalPerson, user
User LDAP filterNAdditional LDAP filter for filtering searched users.
Leave this empty if you don't need an additional filter. Make sure that it starts with '(' and ends with ')'.
Search scopeNFor one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree. See LDAP documentation for more details.
Default: One Level
Read timeoutNLDAP read timeout in milliseconds. This timeout applies for LDAP read operations.
PaginationNWhether the LDAP server supports pagination.
Default: Off

Synchronization settings

FieldIs it required?Description
Import usersNIf true, LDAP users will be imported into the Identity Access Manager DB and synced by the configured sync policies.
Default: On
Sync RegistrationsNShould newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user. This setting is effectively applied only with WRITABLE edit mode.
Default: On
Batch sizeNCount of LDAP users to be imported from LDAP to the Identity Access Manager within a single transaction.
Default: empty
Periodic full syncNSet whether periodic full synchronization of LDAP users to the Identity Access Manager should be enabled or not.
Default: Off
Periodic changed users syncNSet whether periodic synchronization of changed or newly created LDAP users to the Identity Access Manager should be enabled or not.
Default: Off

Kerberos integration

FieldIs it required?Description
Allow Kerberos authenticationNEnable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server.
Default: Off
Use Kerberos for password authenticationNUser Kerberos login module for authenticating username/password against Kerberos server instead of authenticating against LDAP server with Directory Service API
Default: Off

Cache settings

FieldIs it required?Description
Cache policyNCache Policy for this storage provider.

- DEFAULT is whatever the default settings are for the global cache.
- EVICT_DAILY is a time of day every day that the cache will be invalidated.
- EVICT_WEEKLY is a day of the week and time the cache will be invalidated.
- MAX_LIFESPAN is the time in milliseconds that will be the lifespan of a cache entry.
- NO_CACHE: choose this option if you do not want the cache to be enabled.
Default: DEFAULT

Advanced settings

FieldIs it required?Description
Enable the LDAPv3 password modify extended operationNUse the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP attribute mapper' with randomly generated initial password.
Default: Off
Validate password policyNDetermines if the Identity Access Manager should validate the password with the realm password policy before updating it.
Default: Off
Trust emailNIf enabled, email provided by this provider is not verified even if verification is enabled for the realm.
Default: Off

Use the Query Supported Extensions button to verify the connection to Kerberos.