accessmanagerLdap

<ldap

>

required

AccessManager_Ldap provides the connection of Cadenza to a LDAP server.

supportsAutoLogin

optional

=

boolean

Specifies whether the auto-login mechanism is supported. The default value is `false`. The value must be set to `true` for event-driven notification in http://example.com[job scheduling] for the subscription function.

Default: false

<server

>

required

Server settings.

referral

optional

=

xsd:string

ignore

LDAP references are ignored.

follow

LDAP references are followed.

throw

An error message is thrown.

Specification for handling LDAP references: With the value `follow` the references are followed, with the value `ignore` they are ignored. The default value is `throw` (error message).

Default: throw

<url

>

requiredstring

URL of the LDAP server. An LDAPS URL is also possible.

</url>

<fallback-url

>

optionalstring

URL (can be an LDAPS URL) to an alternative LDAP server for all further accesses, if accessing the regular LDAP server results in errors due to malfunctions, failures or maintenance work. The alternative URL is used until the next restart. The alternative LDAP server must be analogous to the regular LDAP server: The same credentials and context paths must be valid and, if applicable, the same LDAP references must be configured.

</fallback-url>

<context-base

>

requiredstring

Context base: the part of the LDAP DN that represents the root element or domain in the directory tree.

</context-base>

Choice: Choose only ONE of the following

<one-step-authentication

>

required

DEPRECATED: No longer supported. Please use the two-step-authentication instead.

<login

>

optional

DEPRECATED: No longer supported.

<username

>

requiredstring

DEPRECATED: No longer supported.

</username>

<password

>

requiredstring

DEPRECATED: No longer supported.

</password>

</login>

<userid-pattern-list

>

required

DEPRECATED: No longer supported.

<userid-pattern

>

requiredmax. unboundedstring

DEPRECATED: No longer supported.

</userid-pattern>

</userid-pattern-list>

</one-step-authentication>

<two-step-authentication

>

required

Authentication to the LDAP server is performed in two steps. In the first step, the LDAP DN for the user name entered in the GUI is looked up using the specified technical user. In the second step, the login is performed using the DN found and the password entered in the GUI.

<login

>

required

Access settings for the technical user of the LDAP server.

Choice: Choose only ONE of the following

<username

>

requiredstring

DN of the technical user without context base.

</username>

<fullDN

>

requiredstring

Full DN of the technical user.

</fullDN>

Choice End

<password

>

requiredstring

Encoded password of the technical user. Use the Cadenza encoder for the encoding.

</password>

</login>

<user-lookup-attribute

>

requiredstring

Name of the DN attribute in which the user name entered in the GUI should be looked up. Usually sAMAccountName in Microsoft Active Directory (MSAD). From this, the complete DN of the user can be determined.

</user-lookup-attribute>

</two-step-authentication>

Choice End

<user-mail-attribute

>

requiredstring

LDAP attribute with the e-mail addresses of the users. Its respective value is transferred to Cadenza after authentication and can be retrieved there via the user variable common:email. The email attribute must also be specified if job scheduling is used. Important: The attribute must also be defined in the `<attributes>` block.

Default: mail

</user-mail-attribute>

<user-real-name-attribute

>

optionalstring

LDAP attribute with the real names of the users. Its respective value is transferred to Cadenza after authentication and can be retrieved there via the user variable common:realName. Important: The attribute must also be defined in the `<attributes>` block.

Default: realname

</user-real-name-attribute>

<rule

>

optionalmax. unbounded

Settings for a fixed rule to assign users to groups. Fixed rules: The user is assigned to the given Cadenza group if a certain condition is met for one of the DN attributes. Dynamic rules: If Cadenza groups and LDAP groups have identical names, the user can be assigned to all groups in Cadenza he also belongs to in LDAP. Multiple rules can be specified, and the user will be assigned to the groups from all rules.

Example: Check whether a particular attribute of the LDAP DN associated with the user meets certain specifications. <rule> <group-name>Example</group-name> <context>${UserDn}</context> <filter>mail=*@example.com</filter> </rule> If the LDAP DN belonging to the user uid=my_username,dc=example,dc=com has an attribute mail ending with @example.com, the user shall be assigned to the Cadenza group Example.

Example: Check whether the LDAP user belongs to an LDAP group. <rule> <group-name>public</group-name> <context>cn=team-a,ou=groups</context> <filter>member=${UserDn}</filter> </rule> If the LDAP object with the LDAP DN cn=team-a,ou=groups,dc=example,dc=com has an attribute member which is assigned with the LDAP DN of the user, this user shall be assigned to the Cadenza group public.

Example: Check whether a particular LDAP object has a particular attribute assigned with the user's login name. <rule> <group-name>water</group-name> <context>ou=people</context> <filter>uid=${LoginName}</filter> </rule> If an LDAP object below the LDAP object with the LDAP DN ou=people,dc=example,dc=com has the attribute uid assigned with the login name of the user, this user shall be assigned to the Cadenza group water.

<group-name

>

requiredstring

Name of the group in the Cadenza user management to which the user will be assigned if the conditions of the rule are met and the group exists. Example: Disy.

</group-name>

<context

>

requiredstring

LDAP search context. For DNs without context base, it will be added automatically. Examples: ${UserDn}, cn=team-a,ou=groups.

</context>

<filter

>

requiredstring

Attribute-value pair to be checked within the LDAP object that is defined by the search context. Example: mail=*@example.com. Complex filters over multiple attributes can also be entered directly in LDAP notation, except for the & character, which must be specified as &. Examples: AND: &(attribute1=value1)(attribute2=value2) OR: |(attribute1=value1)(attribute2=value2) NEGATION: !(attribute1=value1).

</filter>

</rule>

<dynamic-group-rule

>

optionalmax. unbounded

Settings for a dynamic rule to assign groups to users. Fixed rules: The user is assigned to the given Cadenza group if a certain condition is met for one of the DN attributes. Dynamic rules: If Cadenza groups and LDAP groups have identical names, the user can be assigned to all groups in Cadenza he also belongs to in LDAP. Multiple rules can be specified, and the user will be assigned to the groups from all rules.

<context

>

requiredstring

LDAP search context. For DNs without context base, it will be added automatically. Example: ou=cadenza,ou=groups,ou=iam2,dc=disy,dc=net.

</context>

<filter

>

requiredstring

Attribute-value pair to be checked within the LDAP object that is defined by the search context. Example: uniqueMember=${UserDn}.

</filter>

</dynamic-group-rule>

<attributes

>

optional

LDAP attribute whose respective value is to be transferred to Cadenza after authentication so that it can be used there via a user variable. The user variable has the prefix `user` (`user.<ldap-attributname_or_cadenzaName>`, see below).

<attribute

>

optionalmax. unbounded

LDAP attribute to be passed to Cadenza as a user property after authentication, so that it can be used via a user variable (if <propertyMapping> is configured in accessmanager-config.xml and used for this user).

xsd:string

cadenzaName

optional

=

string

Name of the user variable if it is to differ from the name of the LDAP attribute. The original name cannot then be used. This option can be helpful, for example, when switching between LDAP servers on which the attributes are named differently.

</attribute>

</attributes>

</server>

</ldap>