Oracle Unified Directory - Proxy LDAP Workflow Element

Proxy LDAP Workflow Element

The Proxy LDAP Workflow Element provides access to an LDAP server.

Parent Component

The Proxy LDAP Workflow Element component inherits from the Workflow Element.

Relations From this Component

The following components have a direct AGGREGATION relation FROM Proxy LDAP Workflow Elements:

Properties

A description of each property follows.


Basic Properties:
  client-cred-mode
  enabled
  ldap-server-extension
  remote-ldap-server-bind-dn
  remote-ldap-server-bind-password
  remote-ldap-server-bind-password-file
  remote-root-dn
  remote-root-password
  use-proxy-auth

Advanced Properties:
  exclude-list
  include-list
  java-class
  log-silent-bind-response-controls
  never-bind
  never-bind-user-password-attribute

Basic Properties

client-cred-mode

Description
Specifies the way the proxy server binds to the remote LDAP server. Possible values are "use-specific-identity", "use-client-identity" and "use-proxy-auth". Note that the value "use-proxy-auth" is deprecated. Use the "use-specific-identity" mode instead, and set the "use-proxy-auth" flag to true.
Default Value
None
Allowed Values
use-client-identity - This Proxy LDAP Workflow Element forwards the requests with the identity of the client.

use-proxy-auth - This Proxy LDAP Workflow Element adds a proxy authorization control to the request. The authorization ID of this control is the bind DN of the incoming request. The requests are forwarded with the identity of the user specified with the parameters remote-ldap-server-bind-dn and remote-ldap-server-bind-password. This bind mode is deprecated (it is present only for backward compatibility reasons). To replace the use-proxy-auth bind mode, use the use-specific-identity bind mode and set the use-proxy-auth flag to true.

use-specific-identity - This Proxy LDAP Workflow Element forwards the requests with the identity of the user specified with the parameters remote-ldap-server-bind-dn and remote-ldap-server-bind-password.
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
No
Read-only
No

enabled

Description
Indicates whether the Workflow Element is enabled for use in the server. If a Workflow Element is not enabled, then its contents are not accessible when processing operations.
Default Value
None
Allowed Values
true
false
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
No
Read-only
No

ldap-server-extension

Description
Identifies the LDAP server extension configured for this Proxy LDAP Workflow Element. Specifies the remote server extension to forward requests to.
Default Value
None
Allowed Values
The DN of any Extension. The referenced LDAP server must be enabled.
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
No
Read-only
No

remote-ldap-server-bind-dn

Description
The DN used to connect to the remote server. This DN must exist on the remote server and must be a valid DN.
Default Value
None
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

remote-ldap-server-bind-password

Description
The password used, together with remote-ldap-server-bind-dn, to connect to the remote server. This is a string.
Default Value
None
Allowed Values
Unknown
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

remote-ldap-server-bind-password-file

Description
A file containing the password used to connect to the remote server. This must be a valid path.
Default Value
None
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

remote-root-dn

Description
The root DN used to perform internal operations on a remote server. This DN must exist on the remote server. The value "" denotes the anonymous credentials. If "" is provided then the remote-ldap-server-bind-password property is ignored. Components such as virtual ACI and identity mappers perform internal searches that require a root connection to the remote server. If remote-root-dn is not provided, such an internal operation fails with an error message.
Default Value
None
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

remote-root-password

Description
The password used by the root DN (remote-root-dn) to connect to the remote server. This is a string.
Default Value
None
Allowed Values
Unknown
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

use-proxy-auth

Description
This flag indicates whether the LDAP connector can use the proxy authorization control. When the LDAP connector has made a connection using the proxy credentials, it can pass the client identity to the remote backend using the proxy authorization control, along with the requests. To use the proxy authorization control set the use-proxy-auth flag to true.
Default Value
false
Allowed Values
true
false
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No


Advanced Properties

exclude-list

Description
The list contains a set of DNs. If the client bind DN is a descendant of one of the DNs on the exclude list, then the authentication against the remote server is performed using the proxy credentials, regardless of the content of the include list.
Default Value
By default, the exclude list is empty, meaning that the exclude list will not prevent the authentication against the remote server from using the client credentials, as long as the client bind DN is a descendant of one DN on the include list, or the include list is empty.
Allowed Values
A String
Multi-valued
Yes
Required
No
Admin Action Required
None
Advanced Property
Yes
Read-only
No

include-list

Description
The list contains a set of DNs. If the client bind DN is a descendant of one of the DNs in the list, or if the list is empty, then the client credentials can be used to perform authentication against the remote server (as long as the client bind DN is not a descendant of any DN on the exclude list). If the never-bind flag is disabled then a silent-bind is performed for the authentication. If the never-bind flag is enabled, the user's entry is retrieved from the remote server and the credentials are checked locally.
Default Value
By default, the include list is empty, meaning that the client credentials are always used to perform the authentication against the remote server, unless the client bind DN is a descendant of a DN on the exclude list.
Allowed Values
A String
Multi-valued
Yes
Required
No
Admin Action Required
None
Advanced Property
Yes
Read-only
No
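The include-list, exclude-list and never-bind descriptions above together define a small decision procedure: exclude wins, an empty include list includes everyone, and never-bind only changes how the client credentials are checked, not whether they are used. The following Python model of that procedure is an added example, not OUD code. It assumes DNs without escaped commas, treats a DN as a descendant of itself, and assumes that a bind DN which falls outside a non-empty include list is handled with the proxy credentials (the page does not state that case explicitly); the sample DNs are constructed.

```python
"""Added example: model of the Proxy LDAP Workflow Element bind decision
(include-list / exclude-list / never-bind).  Not OUD code; see lead-in."""
from __future__ import annotations

from dataclasses import dataclass, field


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into RDN components, lower-cased and whitespace-trimmed.
    Assumption: RDN values contain no escaped commas."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_descendant(dn: str, base: str) -> bool:
    """True when `dn` is at or below `base` (a DN counts as its own descendant).
    An empty base ("" = root) matches every DN, so "" in exclude-list
    excludes everyone."""
    dn_rdns, base_rdns = normalize_dn(dn), normalize_dn(base)
    if not base_rdns:
        return True
    return len(dn_rdns) >= len(base_rdns) and dn_rdns[-len(base_rdns):] == base_rdns


@dataclass
class ProxyBindPolicy:
    """The three properties that decide which credentials reach the remote server."""
    include_list: list[str] = field(default_factory=list)
    exclude_list: list[str] = field(default_factory=list)
    never_bind: bool = False

    def bind_source(self, client_bind_dn: str) -> str:
        """Return how the proxy authenticates `client_bind_dn` on the remote server:
        'proxy'        -> proxy credentials (remote-ldap-server-bind-dn / -password)
        'client-bind'  -> client credentials, forwarded as a silent bind
        'client-local' -> client credentials checked locally (never-bind enabled)
        """
        # Exclude list applies regardless of the include list.
        if any(is_descendant(client_bind_dn, dn) for dn in self.exclude_list):
            return "proxy"
        # An empty include list includes every client bind DN.
        included = not self.include_list or any(
            is_descendant(client_bind_dn, dn) for dn in self.include_list
        )
        if not included:
            # Assumption: outside the include list, the proxy credentials are used.
            return "proxy"
        return "client-local" if self.never_bind else "client-bind"


if __name__ == "__main__":
    # Constructed configuration: people bind as themselves, except service
    # accounts under ou=service, which always go through the proxy identity.
    policy = ProxyBindPolicy(
        include_list=["ou=people,dc=example,dc=com"],
        exclude_list=["ou=service,ou=people,dc=example,dc=com"],
    )
    for dn in [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=app1,ou=service,ou=people,dc=example,dc=com",
        "uid=bob,ou=admins,dc=example,dc=com",
    ]:
        print(f"{dn} -> {policy.bind_source(dn)}")
```

The model makes one operational point visible: a single overly broad entry on the exclude list (the root DN "" above all) silently routes every client through the proxy credentials, so the remote server's access log then shows only the proxy identity for those binds.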

java-class

Description
Specifies the fully-qualified name of the Java class that provides the Proxy LDAP Workflow Element implementation.
Default Value
com.sun.dps.server.workflowelement.proxyldap.ProxyLdapWorkflowElement
Allowed Values
A java class that implements or extends the class(es) :
org.opends.server.workflowelement.WorkflowElement
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
Yes
Read-only
No

log-silent-bind-response-controls

Description
Indicates whether the logging of the silent-bind response controls is enabled. This flag determines whether the controls contained in the responses of silent-bind operations are logged in the access log. When the flag is enabled, an extra field is added to the log entry. This field is named 'controls' and contains at least the OID of every control present in the silent-bind response. Each control's information is enclosed between '(' and ')', and controls are separated by commas.
Default Value
false
Allowed Values
true
false
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
Yes
Read-only
No
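A reviewer of the access log usually wants to turn the 'controls' field described above into a list of OIDs and compare it against the controls the deployment expects. The parser below is an added example, not OUD code: it implements only the format the page states (parenthesised items, comma separated, OID first), the surrounding log-line layout and the sample line are constructed, and the two OIDs used are the standard Proxied Authorization v2 (2.16.840.1.113730.3.4.18) and Password Policy (1.3.6.1.4.1.42.2.27.8.5.1) controls.

```python
"""Added example: extract control OIDs from the 'controls' field of a
silent-bind access-log entry and report unexpected ones.  Not OUD code."""
import re

# The field as described: controls=(...),(...),...  Each item may carry more
# than the OID; the page only guarantees the OID is present.
CONTROLS_FIELD = re.compile(r"\bcontrols=((?:\([^)]*\),?)+)")
CONTROL_ITEM = re.compile(r"\(([^)]*)\)")
OID_PREFIX = re.compile(r"[0-9]+(?:\.[0-9]+)*")


def parse_silent_bind_controls(log_line: str) -> list[str]:
    """Return the control OIDs listed in `log_line`, in order.
    Returns [] when no 'controls' field is present (flag disabled, or no
    controls in the response)."""
    match = CONTROLS_FIELD.search(log_line)
    if not match:
        return []
    oids = []
    for item in CONTROL_ITEM.findall(match.group(1)):
        item = item.strip()
        # Assumption: the OID is the leading dotted-decimal token of each item.
        oid = OID_PREFIX.match(item)
        oids.append(oid.group(0) if oid else item)
    return oids


def unexpected_controls(log_line: str, expected: set[str]) -> list[str]:
    """OIDs present in the line that are not in the deployment's expected set."""
    return [oid for oid in parse_silent_bind_controls(log_line) if oid not in expected]


# Constructed sample lines; the layout outside the 'controls' field is illustrative.
SAMPLE_WITH_CONTROLS = (
    "[12/Mar/2015:10:15:02 +0000] BIND RES conn=12 op=3 msgID=4 result=0 etime=3 "
    "controls=(2.16.840.1.113730.3.4.18),(1.3.6.1.4.1.42.2.27.8.5.1 critical=false)"
)
SAMPLE_WITHOUT_CONTROLS = (
    "[12/Mar/2015:10:15:03 +0000] BIND RES conn=13 op=1 msgID=2 result=0 etime=2"
)

# Constructed allow-list: only the password-policy control is expected back.
EXPECTED_CONTROLS = {"1.3.6.1.4.1.42.2.27.8.5.1"}

if __name__ == "__main__":
    for line in (SAMPLE_WITH_CONTROLS, SAMPLE_WITHOUT_CONTROLS):
        print(parse_silent_bind_controls(line), unexpected_controls(line, EXPECTED_CONTROLS))
```

Run over a real access log, the `unexpected_controls` list is the thing to alert on; the parser itself deliberately keeps any item whose OID it cannot isolate, so malformed entries are surfaced rather than dropped.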

never-bind

Description
Indicates whether the never-bind flag is enabled. This flag determines whether the user's password is checked locally. When the never-bind flag is enabled, Bind operations and silent binds are intercepted and the user's password is validated locally: a search operation retrieves the user's password from the remote peer and the credentials are checked locally. By default the never-bind flag is disabled and Bind operations are forwarded to the remote LDAP server identified by the associated LDAP server extension.
Default Value
false
Allowed Values
true
false
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
Yes
Read-only
No

never-bind-user-password-attribute

Description
A string giving the attribute description that identifies the user's credentials on the remote server. It is relevant only when the never-bind flag is enabled. When this property is omitted, the default value "userPassword" is used instead.
Default Value
userPassword
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
Yes
Read-only
No


Copyright © 2011, 2015, Oracle and/or its affiliates. All rights reserved.