Home Verkennen Help
Registreren Inloggen
GlobalCube
/
analytics
3
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Aftakking: master
Aftakkingen Labels
analytics
/
templates
/
AAA
/
LDAP.xml

LDAP.xml 18 KB
Permalink Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289 
  1. <!-- LDAP-general: Defines a group of properties that allows the product to access an 
    2. 

  2.              LDAP server for user authentication.  -->
    3. 

  3. <!-- Use this group of properties to provide access to an existing LDAP server.  -->
    4. 

  4. <crn:instance name="MANDATORY" class="LDAP">
    5. 

  5. 	<!-- id: Specifies a unique identifier for the authentication namespace.  -->
    6. 

  6. 	<!-- Use the namespace identifier to distinguish between multiple namespaces. Each namespace 
    7. 

  7.                must have a unique identifier. When you select a namespace to use for authentication 
    8. 

  8.                in the run-time environment, the identifier is used by the IBM Cognos components. 
    9. 

  9.                Changing the namespace ID after the service has been started may invalidate the object 
    10. 

  10.                security policies and the Cognos group and role memberships. The use of the colon 
    11. 

  11.                in the Namespace ID is not supported.  -->
    12. 

  12. 	<crn:parameter name="id">
    13. 

  13. 		<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
    14. 

  14. 	</crn:parameter>
    15. 

  15. 	<!-- connection: Specifies the host name and port of the directory server.  -->
    16. 

  16. 	<!-- Use the following syntax to specify the host name and port for the directory server: 
    17. 

  17.                host:port; for example, localhost:389. Ensure that if you use a fully qualified name 
    18. 

  18.                for your computer that your DNS is set up to resolve it. Otherwise, you can also 
    19. 

  19.                use the IP address.  -->
    20. 

  20. 	<crn:parameter name="connection">
    21. 

  21. 		<crn:value xsi:type="cfg:hostPort">MANDATORY</crn:value>
    22. 

  22. 	</crn:parameter>
    23. 

  23. 	<!-- baseDN: Specifies the base distinguished name of the LDAP server.  -->
    24. 

  24. 	<!-- The product uses the base DN to identify the top level of your directory server structure. 
    25. 

  25.                The root of the hierarchal directory structure is the starting place for all searches. 
    26. 

  26.                You restrict searches by specifying a base DN.  -->
    27. 

  27. 	<crn:parameter name="baseDN">
    28. 

  28. 		<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
    29. 

  29. 	</crn:parameter>
    30. 

  30. 	<!-- userLookup: Specifies the user lookup used for binding to the LDAP directory server.  -->
    31. 

  31. 	<!-- Use this property to specify the string that is used to construct the fully qualified 
    32. 

  32.                DN for authentication. All instances of '${userID}' in this string are replaced by 
    33. 

  33.                the value typed in by the user at the logon prompt. If the string does not begin 
    34. 

  34.                with an open parenthesis, the result of the substitution is assumed to be a DN which 
    35. 

  35.                can be used for authentication. For example, 'uid=${userID},ou=people, base DN', 
    36. 

  36.                where base DN is the Base Distinguished Name parameter value. If the value begins 
    37. 

  37.                with an open parenthesis '(', the result of the substitution is assumed to be a search 
    38. 

  38.                filter. Before binding, the provider uses the filter to get the DN for authentication. 
    39. 

  39.                For example, '(userPrincipalName=${userID})'. A filter should be used if you have 
    40. 

  40.                a hierarchical directory structure.  -->
    41. 

  41. 	<crn:parameter name="userLookup">
    42. 

  42. 		<crn:value xsi:type="xsd:string">${userID}</crn:value>
    43. 

  43. 	</crn:parameter>
    44. 

  44. 	<!-- useExternalIdentity: Specifies whether to use the identity from an external source 
    45. 

  45.                for user authentication.  -->
    46. 

  46. 	<!-- If this property is set to true, the user is authenticated by an external source 
    47. 

  47.                and the user's identity is provided to the product from the external source. For 
    48. 

  48.                example, if SSL is configured to use client certificates, the Web server sets the 
    49. 

  49.                REMOTE_USER environment variable to the user's identity. If you set this property 
    50. 

  50.                to true, ensure that you set the "External Identity Mapping" property.  -->
    51. 

  51. 	<crn:parameter name="useExternalIdentity">
    52. 

  52. 		<crn:value xsi:type="xsd:boolean">false</crn:value>
    53. 

  53. 	</crn:parameter>
    54. 

  54. 	<!-- externalIdentityMapping: Specifies the mapping used to locate a user in the LDAP 
    55. 

  55.                directory server.  -->
    56. 

  56. 	<!-- This property is used only if you enable the "Use External identity" property. This 
    57. 

  57.                mapping is used to construct a DN or a search filter to locate a user in the LDAP 
    58. 

  58.                directory server. All instances of '${environment("ENVIRONMENT_VARIABLE_NAME")' in 
    59. 

  59.                this string are replaced by the value of the environment variable provided by the 
    60. 

  60.                Web server. If the string does not begin with an open parenthesis, the result of 
    61. 

  61.                the substitution is assumed to be the user's DN. For example, 'uid=${environment("REMOTE_USER")},ou=people, 
    62. 

  62.                base DN', where base DN is the Base Distinguished Name parameter value. If the value 
    63. 

  63.                begins with an open parenthesis '(', the result of the substitution is assumed to 
    64. 

  64.                be a search filter. For example, '(userPrincipalName=${environment("REMOTE_USER")})'. 
    65. 

  65.                Note that you must either enable anonymous access to the LDAP directory server or 
    66. 

  66.                set the 'Bind user DN and password' property.  -->
    67. 

  67. 	<crn:parameter name="externalIdentityMapping">
    68. 

  68. 		<crn:value xsi:type="xsd:string">${environment("REMOTE_USER")}</crn:value>
    69. 

  69. 	</crn:parameter>
    70. 

  70. 	<!-- bindCredentials: Specifies the credentials used for binding to the LDAP server when 
    71. 

  71.                performing a search using the user lookup property, or when performing all operations 
    72. 

  72.                using the external identity mapping.  -->
    73. 

  73. 	<!-- This value corresponds to an LDAP user who has read and search access to the user 
    74. 

  74.                branch of the LDAP directory server.  -->
    75. 

  75. 	<crn:parameter name="bindCredentials">
    76. 

  76. 		<crn:value xsi:type="cfg:credential" encrypted="true"></crn:value>
    77. 

  77. 	</crn:parameter>
    78. 

  78. 	<!-- sizeLimit: Specifies the maximum number of responses permitted for a search request.  -->
    79. 

  79. 	<!-- The value depends on your environment. As a general rule, the minimum value for this 
    80. 

  80.                setting should be greater than the maximum number of groups or users plus 100. When 
    81. 

  81.                the size limit is reached the directory server stops searching. The default value 
    82. 

  82.                of -1 indicates that the value on the LDAP server will be used.  -->
    83. 

  83. 	<crn:parameter name="sizeLimit">
    84. 

  84. 		<crn:value xsi:type="xsd:int">-1</crn:value>
    85. 

  85. 	</crn:parameter>
    86. 

  86. 	<!-- timeOut: Specifies the number of seconds permitted to perform a search request.  -->
    87. 

  87. 	<!-- The product uses this value when it requests authentication from the namespace on 
    88. 

  88.                your directory server. The value depends on your reporting environment. If the duration 
    89. 

  89.                is exceeded, the search is timed out. The default value -1 indicates that the value 
    90. 

  90.                on the LDAP server will be used.  -->
    91. 

  91. 	<crn:parameter name="timeOut">
    92. 

  92. 		<crn:value xsi:type="xsd:int">-1</crn:value>
    93. 

  93. 	</crn:parameter>
    94. 

  94. 	<!-- useBindCredentialsForSearch: Specifies whether to use the bind credentials to perform 
    95. 

  95.                a search.  -->
    96. 

  96. 	<!-- This property only affects users who don't use the external identity mapping. If 
    97. 

  97.                this property is set to true, the bind credentials provided in the namespace configuration 
    98. 

  98.                will be used to perform a search in the LDAP directory server. If this flag is false 
    99. 

  99.                or bind credentials are not presented, the authenticated user credentials will be 
    100. 

  100.                used for searching.  -->
    101. 

  101. 	<crn:parameter name="useBindCredentialsForSearch">
    102. 

  102. 		<crn:value xsi:type="xsd:boolean">false</crn:value>
    103. 

  103. 	</crn:parameter>
    104. 

  104. 	<!-- allowEmptyPswd: Specifies whether empty passwords are allowed for user authentication.  -->
    105. 

  105. 	<!-- Set this property to true only if you specifically wish to allow empty passwords. 
    106. 

  106.                When a user is not required to specify a password, he is authenticated as an anonymous 
    107. 

  107.                user on the LDAP namespace, but as a named user on the Cognos namespace. Requiring 
    108. 

  108.                passwords for authentication increases security and makes it more difficult to forge 
    109. 

  109.                identities. By default, this property is set to false.  -->
    110. 

  110. 	<crn:parameter name="allowEmptyPswd">
    111. 

  111. 		<crn:value xsi:type="xsd:boolean">false</crn:value>
    112. 

  112. 	</crn:parameter>
    113. 

  113. 	<!-- camidAttribute: Specifies the value used to uniquely identify objects stored in the 
    114. 

  114.                LDAP directory server.  -->
    115. 

  115. 	<!-- Specify either an attribute name or the value of 'dn' to use as the unique identifier. 
    116. 

  116.                If an attribute is used, it must exist for all objects, such as users, groups, folders. 
    117. 

  117.                If the 'dn' is used, more resources are used as you search deeper in the LDAP directory 
    118. 

  118.                server hierarchy and policies may be affected if the 'dn' is renamed.  -->
    119. 

  119. 	<crn:parameter name="camidAttribute">
    120. 

  120. 		<crn:value xsi:type="xsd:string">dn</crn:value>
    121. 

  121. 	</crn:parameter>
    122. 

  122. 	<!-- dataEncoding: Specifies the encoding of the data stored in the LDAP directory server.  -->
    123. 

  123. 	<!-- If this property is set to an encoding other than UTF-8, then the data is converted 
    124. 

  124.                from UTF-8 to the encoding you specify. The encoding must follow IANA (RFC 1700) 
    125. 

  125.                or MIME character set specifications. For example, use windows-1252, iso-8859-1, 
    126. 

  126.                iso-8859-15, Shift_JIS, utf-16, or utf-8.  -->
    127. 

  127. 	<crn:parameter name="dataEncoding">
    128. 

  128. 		<crn:value xsi:type="xsd:string">UTF-8</crn:value>
    129. 

  129. 	</crn:parameter>
    130. 

  130. 	<!-- sslCertificateDatabase: Specifies the location of the certificate database used by 
    131. 

  131.                the directory server for SSL connections.  -->
    132. 

  132. 	<!-- Use this property to point to the location of the SSL certificate database for your 
    133. 

  133.                LDAP server.  -->
    134. 

  134. 	<crn:parameter name="sslCertificateDatabase">
    135. 

  135. 		<crn:value xsi:type="cfg:filePath"/>
    136. 

  136. 	</crn:parameter>
    137. 

  137. 	<!-- selectableForAuth: Specifies whether the namespace is selectable for authentication.  -->
    138. 

  138. 	<!-- If this property is set to true, the namespace will be available for authentication 
    139. 

  139.                in the logon page namespace selection prompt. Set this value to false if the namespace 
    140. 

  140.                should not be available for selection on the logon page.  -->
    141. 

  141. 	<crn:parameter name="selectableForAuth">
    142. 

  142. 		<crn:value xsi:type="xsd:boolean">true</crn:value>
    143. 

  143. 	</crn:parameter>
    144. 

  144. 	<!-- advancedProperties: Specifies a set of advanced properties.  -->
    145. 

  145. 	<!-- The user needs to provide the name and the value for each advanced property.  -->
    146. 

  146. 	<crn:parameter name="advancedProperties" opaque="true">
    147. 

  147. 		<crn:value xsi:type="cfg:array"/>
    148. 

  148. 	</crn:parameter>
    149. 

  149. 	<!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs.  -->
    150. 

  150. 	<!-- Specifying a value for this parameter enables multitenancy. The tenant ID for a user 
    151. 

  151.                can be determined using a pattern or a tenant provider class. The pattern is a AAA 
    152. 

  152.                service search path to a property which defines a tenant ID. The search path must 
    153. 

  153.                be relative to a user account. For example: '~/ancestors[2]/defaultName'. A tenant 
    154. 

  154.                provider class is Java class which implements the the ITenantProvider interface. 
    155. 

  155.                For more details please consult the installation and configuration guide.  -->
    156. 

  156. 	<crn:parameter name="tenantIdMapping" opaque="true">
    157. 

  157. 		<crn:value xsi:type="cfg:tenancyInfo">
    158. 

  158.           <crn:item name="pattern" xsi:type="xsd:string"></crn:item>
    159. 

  159.         </crn:value>
    160. 

  160. 	</crn:parameter>
    161. 

  161. 	<!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined for 
    162. 

  162.                a user.  -->
    163. 

  163. 	<!-- This parameter is used when multitenancy is enabled. The tenant bounding set for 
    164. 

  164.                a user can be determined using a pattern or a tenant bounding set provider class. 
    165. 

  165.                The pattern is a AAA service search path to a property which defines a tenant bounding 
    166. 

  166.                set. The search path must be relative to a user account. For example: '˜/parameters/boundingSet'. 
    167. 

  167.                A tenant bounding set provider class is Java class which implements the the IBoundingSetProvider 
    168. 

  168.                interface. For more details please consult the installation and configuration guide.  -->
    169. 

  169. 	<crn:parameter name="tenantBoundingSetMapping" opaque="true">
    170. 

  170. 		<crn:value xsi:type="cfg:tenancyInfo">
    171. 

  171. 			<crn:item name="pattern" xsi:type="xsd:string"></crn:item>
    172. 

  172. 		</crn:value>
    173. 

  173. 	</crn:parameter>
    174. 

  174. 	<!-- folderObjectClass: Specifies the name of the LDAP object class used to identify a 
    175. 

  175.                folder.  -->
    176. 

  176. 	<crn:parameter name="folderObjectClass">
    177. 

  177. 		<crn:value xsi:type="xsd:string">organizationalunit</crn:value>
    178. 

  178. 	</crn:parameter>
    179. 

  179. 	<!-- folderDescription: Specifies the LDAP attribute used for the "description" property 
    180. 

  180.                of a folder.  -->
    181. 

  181. 	<crn:parameter name="folderDescription">
    182. 

  182. 		<crn:value xsi:type="xsd:string">description</crn:value>
    183. 

  183. 	</crn:parameter>
    184. 

  184. 	<!-- folderName: Specifies the LDAP attribute used for the "name" property of a folder.  -->
    185. 

  185. 	<crn:parameter name="folderName">
    186. 

  186. 		<crn:value xsi:type="xsd:string">ou</crn:value>
    187. 

  187. 	</crn:parameter>
    188. 

  188. 	<!-- groupObjectClass: Specifies the name of the LDAP object class used to identify a 
    189. 

  189.                group.  -->
    190. 

  190. 	<crn:parameter name="groupObjectClass">
    191. 

  191. 		<crn:value xsi:type="xsd:string">groupofuniquenames</crn:value>
    192. 

  192. 	</crn:parameter>
    193. 

  193. 	<!-- groupDescription: Specifies the LDAP attribute used for the "description" property 
    194. 

  194.                of a group.  -->
    195. 

  195. 	<crn:parameter name="groupDescription">
    196. 

  196. 		<crn:value xsi:type="xsd:string">description</crn:value>
    197. 

  197. 	</crn:parameter>
    198. 

  198. 	<!-- groupMembers: Specifies the LDAP attribute used to identify the members of a group.  -->
    199. 

  199. 	<crn:parameter name="groupMembers">
    200. 

  200. 		<crn:value xsi:type="xsd:string">uniquemember</crn:value>
    201. 

  201. 	</crn:parameter>
    202. 

  202. 	<!-- groupName: Specifies the LDAP attribute used for the "name" property of a group.  -->
    203. 

  203. 	<crn:parameter name="groupName">
    204. 

  204. 		<crn:value xsi:type="xsd:string">cn</crn:value>
    205. 

  205. 	</crn:parameter>
    206. 

  206. 	<!-- accountObjectClass: Specifies the name of the LDAP object class used to identify 
    207. 

  207.                an account.  -->
    208. 

  208. 	<crn:parameter name="accountObjectClass">
    209. 

  209. 		<crn:value xsi:type="xsd:string">inetorgperson</crn:value>
    210. 

  210. 	</crn:parameter>
    211. 

  211. 	<!-- accountBusinessPhone: Specifies the LDAP attribute used for the "businessPhone" property 
    212. 

  212.                for an account.  -->
    213. 

  213. 	<crn:parameter name="accountBusinessPhone">
    214. 

  214. 		<crn:value xsi:type="xsd:string">telephonenumber</crn:value>
    215. 

  215. 	</crn:parameter>
    216. 

  216. 	<!-- accountContentLocale: Specifies the LDAP attribute used for the "contentLocale" property 
    217. 

  217.                for an account.  -->
    218. 

  218. 	<crn:parameter name="accountContentLocale">
    219. 

  219. 		<crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
    220. 

  220. 	</crn:parameter>
    221. 

  221. 	<!-- accountDescription: Specifies the LDAP attribute used for the "description" property 
    222. 

  222.                for an account.  -->
    223. 

  223. 	<crn:parameter name="accountDescription">
    224. 

  224. 		<crn:value xsi:type="xsd:string">description</crn:value>
    225. 

  225. 	</crn:parameter>
    226. 

  226. 	<!-- accountEmail: Specifies the LDAP attribute used for the "email" address of the account.  -->
    227. 

  227. 	<crn:parameter name="accountEmail">
    228. 

  228. 		<crn:value xsi:type="xsd:string">mail</crn:value>
    229. 

  229. 	</crn:parameter>
    230. 

  230. 	<!-- accountFaxPhone: Specifies the LDAP attribute used for the "faxPhone" property for 
    231. 

  231.                an account.  -->
    232. 

  232. 	<crn:parameter name="accountFaxPhone">
    233. 

  233. 		<crn:value xsi:type="xsd:string">facsimiletelephonenumber</crn:value>
    234. 

  234. 	</crn:parameter>
    235. 

  235. 	<!-- accountGivenName: Specifies the LDAP attribute used for the "givenName" property 
    236. 

  236.                for an account.  -->
    237. 

  237. 	<crn:parameter name="accountGivenName">
    238. 

  238. 		<crn:value xsi:type="xsd:string">givenname</crn:value>
    239. 

  239. 	</crn:parameter>
    240. 

  240. 	<!-- accountHomePhone: Specifies the LDAP attribute used for the "homePhone" property 
    241. 

  241.                for an account.  -->
    242. 

  242. 	<crn:parameter name="accountHomePhone">
    243. 

  243. 		<crn:value xsi:type="xsd:string">homephone</crn:value>
    244. 

  244. 	</crn:parameter>
    245. 

  245. 	<!-- accountMobilePhone: Specifies the LDAP attribute used for the "mobilePhone" property 
    246. 

  246.                for an account.  -->
    247. 

  247. 	<crn:parameter name="accountMobilePhone">
    248. 

  248. 		<crn:value xsi:type="xsd:string">mobile</crn:value>
    249. 

  249. 	</crn:parameter>
    250. 

  250. 	<!-- accountName: Specifies the LDAP attribute used for the "name" property for an account.  -->
    251. 

  251. 	<crn:parameter name="accountName">
    252. 

  252. 		<crn:value xsi:type="xsd:string">cn</crn:value>
    253. 

  253. 	</crn:parameter>
    254. 

  254. 	<!-- accountPagerPhone: Specifies the LDAP attribute used for the "pagerPhone" property 
    255. 

  255.                for an account.  -->
    256. 

  256. 	<crn:parameter name="accountPagerPhone">
    257. 

  257. 		<crn:value xsi:type="xsd:string">pager</crn:value>
    258. 

  258. 	</crn:parameter>
    259. 

  259. 	<!-- accountPassword: Specifies the LDAP attribute used for the "password" property for 
    260. 

  260.                an account.  -->
    261. 

  261. 	<crn:parameter name="accountPassword">
    262. 

  262. 		<crn:value xsi:type="xsd:string">userPassword</crn:value>
    263. 

  263. 	</crn:parameter>
    264. 

  264. 	<!-- accountPostalAddress: Specifies the LDAP attribute used for the "postalAddress" property 
    265. 

  265.                for an account.  -->
    266. 

  266. 	<crn:parameter name="accountPostalAddress">
    267. 

  267. 		<crn:value xsi:type="xsd:string">postaladdress</crn:value>
    268. 

  268. 	</crn:parameter>
    269. 

  269. 	<!-- accountProductLocale: Specifies the LDAP attribute used for the "productLocale" property 
    270. 

  270.                for an account.  -->
    271. 

  271. 	<crn:parameter name="accountProductLocale">
    272. 

  272. 		<crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
    273. 

  273. 	</crn:parameter>
    274. 

  274. 	<!-- accountSurname: Specifies the LDAP attribute used for the "surname" property for 
    275. 

  275.                an account.  -->
    276. 

  276. 	<crn:parameter name="accountSurname">
    277. 

  277. 		<crn:value xsi:type="xsd:string">sn</crn:value>
    278. 

  278. 	</crn:parameter>
    279. 

  279. 	<!-- accountUserName: Specifies the LDAP attribute used for the "userName" property for 
    280. 

  280.                an account.  -->
    281. 

  281. 	<crn:parameter name="accountUserName">
    282. 

  282. 		<crn:value xsi:type="xsd:string">uid</crn:value>
    283. 

  283. 	</crn:parameter>
    284. 

  284. 	<!-- customProperties: Specifies a set of custom properties.  -->
    285. 

  285. 	<!-- Use this set of custom properties to define additional account information.  -->
    286. 

  286. 	<crn:parameter name="customProperties" opaque="true">
    287. 

  287. 		<crn:value xsi:type="cfg:array"/>
    288. 

  288. 	</crn:parameter>
    289. 

  289. </crn:instance>
    290.