Accessible and manageable by roles that have the “Manage Authentication Services” permission such as “Project Owner”.
| Field | Description |
|---|---|
| Name | Name information of the LDAP/Active Directory Identity Provider for the created Identity Provider. |
| Description | A description can be written to facilitate management related to the created LDAP/Active Directory Identity Provider. |
| LDAP Connection Pool Definition (LDAP Connection Pool Definition) | The pool from which the LDAP connection will be obtained is selected or created. |
| LDAP Authentication Type (LDAP Authentication Type) | One of two methods can be used when making Identity Provider with LDAP/Active Directory: 1. Simple Authentication: Username/password pair is sent to the LDAP server, and it is checked whether such a user exists. 2. Advanced Authentication: Features such as user memberships and permissions are used using the username/password pair. |
| User Configuration Expression (User Configuration Expression) | When Authentication Type is selected as Simple Authentication, User Configuration Expression is entered. The username coming in the request message is verified by being placed in place of {{username}} in the expression below. Accordingly, you should enter the expression below in a way that will create the LDAP search criteria according to the structure of the username that will come in the request message.For example, let the DN value of a user using the username1 be uid={{username}},ou=People,dc=example,dc=com on the LDAP server.Example 1: If the value “username1” comes as username in the request message, the expression should be written as: uid={{username}},ou=People,dc=example,dc=comExample 2: If the value “uid=username1” comes as username in the request message, the expression should be written as: {{username}},ou=People,dc=example,dc=comExample 3: If the value “uid=username1,ou=People,dc=example,dc=com” comes as user in the request message, the expression should be written as: {{username}} |
| User Object Class Definition (User Object Class Definition) | When Authentication Type is selected as Advanced Authentication, User Object Class Definition(s) are created. |
| Group Object Class Definition (Group Object Class Definition) | When Authentication Type is selected as Advanced Authentication, Group Object Class Definition(s) are created. |
Advanced Settings - User Object Class Definition
An image containing User Object Class Definition settings from advanced settings in connection settings for user verification with LDAP is shown below:
| Field | Description |
|---|---|
| User Object Class Definition (User Object Class Definition) | The class name to be used to filter users is entered. Default value: inetOrgPerson |
| Custom Filter Attribute (Custom Filter Attribute) | Filter value that can be used in addition to the filter in the connection when retrieving users is entered. Example: (&(objectCategory=Person)(sAMAccountName=*)) |
| User Base DN Attribute (User Base DN Attribute) | If this value is filled, this Base DN is used when searching and loading users instead of the Base DN in the connection. If no value is provided, the Base DN in the connection becomes valid. Example: cn=users,dc=ad,dc=example,dc=com |
| Search Scope (Search Scope) | Specifies at what level the search operation will be performed on the base DN. |
| Full Name Attribute (Full Name Attribute) | The name of the attribute to be used to find the user’s full name is entered. Default value: cn |
| Login Name Attribute (Login Name Attribute) | The name of the attribute (login name) to be used for the user’s system login is entered. Default value: uid |
| First Name Attribute (First Name Attribute) | The name of the attribute indicating the user’s first name is entered. Default value: givenName |
| Last Name Attribute (Last Name Attribute) | The name of the attribute indicating the user’s last name is entered. Default value: sn |
| E-mail Attribute (E-mail Attribute) | The name of the attribute indicating the user’s e-mail address is entered. Default value: mail |
| Membership Attribute (Membership Attribute) | The name of the attribute indicating the user’s group memberships is entered. Default value: isMemberOf |
| Attributes To Fetch (Attributes To Fetch) | When authentication is performed with LDAP, it specifies which information about the user will be retrieved in addition to authentication. When the Advanced Settings option is enabled on the LDAP Authentication Provider page, the “Attributes to Fetch” field appears. Attributes entered in this field, if present in the LDAP user, are retrieved with their values and: • If the LDAP provider is used in JWT generation, these attributes and their values (except null ones) are added to the JWT as claims. • If the LDAP provider is used in plaintext, basic, or digest authorization methods, these attributes and their values are added to the message context as custom variables. At this time, the #clientLDAPAttribute#. prefix is added to the beginning of the key value. For example, if the mail attribute is retrieved from LDAP, the key value is #clientLDAPAttribute#mail, and the value is [email protected]. |
Advanced Settings - Group Object Class Definition
An image containing Group Object Class Definition settings from advanced settings in connection settings for user verification with LDAP is shown below:
| Field | Description |
|---|---|
| Group Object Class Name (Group Object Class Name) | The class name to be used to filter groups is entered. Default value: groupOfUniqueNames |
| Custom Filter Attribute (Custom Filter Attribute) | Filter value that can be used in addition to the filter in the connection when retrieving groups. |
| Group Base DN Attribute (Group Base DN Attribute) | If there is a value in this field, this Base DN is used when searching and loading groups instead of the Base DN in the connection. If no value is provided, the Base DN in the connection becomes valid. |
| Search Scope (Search Scope) | Specifies at what level the search operation will be performed on the base DN. |
| Group Name Attribute (Group Name Attribute) | The name of the attribute that holds the group name is entered. |
| Member Attribute (Member Attribute) | The name of the attribute that holds group members is entered. |
| Member Strategy (Member Strategy) | The method to be used to determine group members is selected. Default value: USER DNValues it can take: • USER DN • USER LOGIN |