This page has additional attributes for the LDAP X509 Identity Assertion provider:
Note: $subj indicates the Subject attribute in the certificate. For example: CN=meyer.beasys.com, ou=CCE, o=BEASYS, L=SFO, C=US.
User Filter Attributes—Specifies how to select the LDAP object for the user from the LDAP objects beneath the base LDAP DN defined in the Certificate Mapping attribute. This attribute defines how to find the LDAP object from the certificate's Subject DN.
The LDAP object's class must be person. This attribute contains an array of strings, each of which is an attribute that the LDAP object must match.
Typically, the value of this attribute is the LDAP object that matches the value of an attribute in the certificate's Subject DN.
For example:
The uid attribute of the LDAP user object matches the Subject DN attribute, if the syntax is:
LDAPATTRNAME=$subj.SUBJECTDNATTRNAME
Therefore, uid=$subj.DN
This attribute is very similar to the User Name Filter attribute on LDAP Authentication providers which maps a username to a search filter. The differences are:
This attribute maps a certificate's Subject DN to a filter and the LDAP Authentication provider uses a single string giving the system administrator complete control over the filter.
The LDAP X509 Authentication provider adds objectclass=person to the filter and uses an array of strings that are combined.
Username Attribute—Specifies the attribute on the LDAP object for the user that contains the user's name. The user's name should appear in the Subject. This attribute defines how to find the user's name. Typically, this attribute matches the User Name attribute of the LDAP Authentication provider.
Certificate Attribute—Specifies the attribute on the LDAP object for the user that contains the user's certificate. This attribute defines how to find the certificate. Valid values are userCertificate and userCertificate;binary. The default is userCertificate.
If you use the LDAP browser to load a certificate into the LDAP directory, an attribute userCertificate of type binary is created. To access the certificate, define the Certificate attribute as userCertificate.
If you use ldapmodify to create the new attribute (for example, using the following command):
An attribute userCertificate;binary is created when the certificate data is loaded in the LDAP directory. To access the certificate, define the Certificate attribute as userCertificate;binary.
Certificate Mapping—Specifies how to construct the base LDAP DN used to locate the LDAP object for the user. This attribute defines how to find the object from the certificate's Subject DN.
Typically, this value is the same as the User Base DN attribute in the LDAP Authentication providers. You may include the fields from the Subject DN in this base DN.
For example: if the Certificate subject is CN=meyer.beasys.com, ou=fred, o=BEASYS, L=SFO, C=US and the mapping is ou=people, ou=$subj.ou, WebLogic Server uses ou=people, ou=fred, o=BEASYS, c=US as the DN when locating the user.
Base64 Decoding Required—Determines whether the request header value or cookie value must be Base64 decoded before sending it to the Identity Assertion provider. The setting is enabled by default for purposes of backward compatibility; however, most Identity Assertion providers will disable this attribute.
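The following is an added example, not WebLogic Server code, that models the two substitution steps described above for User Filter Attributes and Certificate Mapping: the certificate's Subject DN is broken into its attributes, each $subj.<attr> token in the Certificate Mapping template and in the User Filter Attributes array is replaced by the matching Subject value, and objectclass=person is ANDed into the resulting search filter. The function and constant names are this example's own; it assumes the Subject is a plain comma-separated list of type=value pairs (escaped commas inside values are not handled), that $subj.DN stands for the whole Subject string, and it escapes substituted values (RFC 4515 for filter terms, RFC 4514 for DN components) so that a value taken from a certificate cannot alter the structure of the filter or base DN.

```python
"""Model of $subj substitution for the LDAP X509 Identity Assertion provider's
User Filter Attributes and Certificate Mapping settings.

Constructed example, not WebLogic Server code.  Assumptions:
  * the Subject is a comma-separated string of type=value pairs
    (escaped commas inside values are not handled);
  * $subj.<attr> is matched case-insensitively against the Subject's
    attribute types, and $subj.DN stands for the whole Subject string;
  * substituted values are escaped (RFC 4515 in filters, RFC 4514 in DNs).
"""
import re

# Matches tokens such as $subj.CN, $subj.ou or $subj.DN in a template string.
SUBJ_TOKEN = re.compile(r"\$subj\.([A-Za-z][A-Za-z0-9]*)")


def parse_subject_dn(subject):
    """Split 'CN=meyer.beasys.com, ou=CCE, o=BEASYS, L=SFO, C=US' into a dict
    keyed by lower-cased attribute type; the first value wins for repeated types."""
    attrs = {}
    for rdn in subject.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        name, sep, value = rdn.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        attrs.setdefault(name.strip().lower(), value.strip())
    return attrs


def escape_filter_value(value):
    """RFC 4515 escaping so a Subject value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping of characters that are special inside a DN component."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if value[:1] in ("#", " "):          # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):   # so must a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def substitute(template, subject, escape):
    """Replace every $subj.<attr> in template with the escaped Subject value."""
    attrs = parse_subject_dn(subject)

    def repl(match):
        name = match.group(1).lower()
        if name == "dn":
            return escape(subject)
        if name not in attrs:
            raise ValueError("Subject has no attribute %r" % match.group(1))
        return escape(attrs[name])

    return SUBJ_TOKEN.sub(repl, template)


def build_base_dn(mapping, subject):
    """Certificate Mapping: 'ou=people, ou=$subj.ou' -> base DN for the search."""
    return substitute(mapping, subject, escape_dn_value)


def build_user_filter(filter_attrs, subject):
    """User Filter Attributes: each array entry becomes one (attr=value) term,
    ANDed together with objectclass=person as the page describes."""
    terms = ["(objectclass=person)"]
    for entry in filter_attrs:
        terms.append("(" + substitute(entry, subject, escape_filter_value) + ")")
    return "(&" + "".join(terms) + ")"


if __name__ == "__main__":
    # Constructed sample values taken from the examples on this page.
    subj = "CN=meyer.beasys.com, ou=fred, o=BEASYS, L=SFO, C=US"
    print(build_base_dn("ou=people, ou=$subj.ou", subj))   # ou=people, ou=fred
    print(build_user_filter(["uid=$subj.CN"], subj))       # (&(objectclass=person)(uid=meyer.beasys.com))
```

Run it with no arguments to see the base DN and filter produced for the page's sample Subject. The escaping step is the check a practitioner should expect from any component that builds LDAP filters from certificate fields: a Subject value containing `*`, `(` or `)` must arrive in the directory as a literal string rather than as filter syntax.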
Host—The host name of the computer on which the LDAP server is running.
Port—The port number on which the LDAP server is listening. If you want WebLogic Server to connect to the LDAP server using the SSL protocol, use the LDAP server's SSL port in this attribute.
SSL Enabled—Option for enabling the SSL protocol to protect communications between the LDAP server and WebLogic Server. Disable this attribute if the LDAP server is not configured to use the SSL protocol.
Principal—The Distinguished name (DN) of the LDAP user used by WebLogic Server to connect to the LDAP server. Generally, this user is the system administrator of the LDAP directory server. If you want to change passwords, this attribute must be the system administrator.
Credential—Password that authenticates the LDAP user defined in the Principal attribute.
Cache Enabled—Enables the use of a data cache with the LDAP server.
Cache Size—Maximum size of lookups in cache. The default is 32kb.
Cache TTL—Number of seconds to retain the results of an LDAP lookup.
Follow Referrals—Specifies that a search for a user or group within the LDAP X509 Identity Assertion provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.
Bind Anonymously On Referrals—By default, the LDAP X509 Identity Assertion provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute. Contact your LDAP system administrator for more information.
Results Time Limit—The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is no maximum time limit. The default is 0.
Connect Timeout—The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit. The default is 0.
Parallel Connect Delay—The delay in seconds between concurrent attempts to connect to multiple LDAP servers. If this attribute is set to 0, connection attempts are serialized. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. If this attribute is not set and an LDAP server is unavailable, an application may be blocked for a long time. If this attribute is greater than 0, another connection is started after the specified time.
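The following is an added example, not WebLogic Server code, that models the blocking behaviour the Parallel Connect Delay and Connect Timeout attributes control. Each server in the constructed list is described by how many seconds its connect attempt takes to resolve and whether it succeeds; with a delay of 0 the servers are tried one after another, and with a delay greater than 0 a new attempt is started every that many seconds while the earlier ones are still pending. The function names and the server list are this example's own, and it assumes that a Connect Timeout greater than 0 caps each individual attempt and turns a slower attempt into a failure.

```python
"""Model of the Parallel Connect Delay and Connect Timeout attributes.

Constructed example, not WebLogic Server code.  A server is a tuple of
(name, seconds until the connect attempt resolves, whether it succeeds).
Assumption: a Connect Timeout greater than 0 caps each attempt and counts a
slower attempt as a failure.
"""


def attempt_duration(seconds, connect_timeout):
    """Seconds an attempt actually occupies given the per-attempt timeout."""
    if connect_timeout > 0:
        return min(seconds, connect_timeout)
    return seconds


def attempt_succeeds(seconds, succeeds, connect_timeout):
    """An attempt succeeds only if the server answers and does so in time."""
    return succeeds and (connect_timeout == 0 or seconds <= connect_timeout)


def simulate_connect(servers, parallel_connect_delay, connect_timeout=0):
    """Return (winning server name or None, seconds the caller was blocked)."""
    if parallel_connect_delay == 0:
        # Serialized: the next server is tried only after the current one fails.
        elapsed = 0
        for name, seconds, succeeds in servers:
            elapsed += attempt_duration(seconds, connect_timeout)
            if attempt_succeeds(seconds, succeeds, connect_timeout):
                return name, elapsed
        return None, elapsed

    # Parallel: attempt i starts at i * delay unless an earlier one has already won.
    best = None          # (name, finish time) of the earliest successful attempt
    latest_finish = 0    # when the caller gives up if every attempt fails
    for i, (name, seconds, succeeds) in enumerate(servers):
        start = i * parallel_connect_delay
        if best is not None and start >= best[1]:
            break        # a connection is already established; nothing more is started
        finish = start + attempt_duration(seconds, connect_timeout)
        latest_finish = max(latest_finish, finish)
        if attempt_succeeds(seconds, succeeds, connect_timeout):
            if best is None or finish < best[1]:
                best = (name, finish)
    if best is None:
        return None, latest_finish
    return best


# Constructed scenario: the first server is unreachable and its connect attempt
# only fails after 30 seconds; the second server answers within a second.
EXAMPLE_SERVERS = [("ldap1", 30, False), ("ldap2", 1, True)]

if __name__ == "__main__":
    print(simulate_connect(EXAMPLE_SERVERS, 0))                    # ('ldap2', 31)
    print(simulate_connect(EXAMPLE_SERVERS, 2))                    # ('ldap2', 3)
    print(simulate_connect(EXAMPLE_SERVERS, 0, connect_timeout=5)) # ('ldap2', 6)
```

The three calls at the bottom show the availability point the attribute description makes: with serialized attempts and no Connect Timeout, the caller is blocked for the full 30 seconds the unreachable server takes to fail; a small Parallel Connect Delay, or a Connect Timeout, bounds that wait.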