HCL Workload Automation, Version 9.4

Advanced LDAP Panel

Complete this panel if configuring for an LDAP user registry.

################################################################
Advanced LDAP Panel
################################################################
LDAPUserEntityType=PersonAccount
LDAPUserObjectClasses=
LDAPUserSearchBases=
LDAPUserSearchFilter=
LDAPUserRDNAttributes=
LDAPGroupEntityType=Group
LDAPGroupObjectClasses=
LDAPGroupSearchBases=
LDAPGroupSearchFilter=
LDAPGroupRDNAttributes=
LDAPOrgContainerEntityType=OrgContainer
LDAPOrgContainerObjectClasses=
LDAPOrgContainerSearchBases=
LDAPOrgContainerSearchFilter=
LDAPOrgContainerRDNAttributes=
LDAPGroupConfigName=ibm-allGroups
LDAPGroupConfigScope=all
LDAPGroupConfigMemberNames=member;uniqueMember
LDAPGroupConfigMemberClasses=groupOfNames;groupOfUniqueNames
LDAPGroupConfigMemberScopes=direct;direct
LDAPGroupConfigMemberDummies=uid=dummy;

Note to users of previous versions of HCL Workload Automation: this is not a new panel, but its contents differ from previous versions.

LDAPUserEntityType=<value>
Specifies the PersonAccount entity type name that is supported by the member repositories. By default, this value is "PersonAccount".
LDAPUserObjectClasses=<entity_type_list>
Specifies the object classes that are mapped to the PersonAccount entity type. You can specify multiple values delimited by a semicolon (;). LDAP entries that contain one or more of the object classes belong to this entity type. You cannot map multiple entity types to the same LDAP object class.
LDAPUserSearchBases=<search_base_list>
Specifies the search bases that are used to search the PersonAccount entity type. The search bases specified must be subtrees of the base entry in the repository.
For example, you can specify the following search bases, where o=ibm,c=us is the base entry in the repository:
  • o=ibm,c=us
  • cn=users,o=ibm,c=us
  • ou=austin,o=ibm,c=us
In the preceding example, you cannot specify the search base c=us, which is above the base entry, or o=ibm,c=uk, which is outside it.

Delimit multiple search bases with a semicolon (;). For example: ou=austin,o=ibm,c=us;ou=raleigh,o=ibm,c=us

LDAPUserSearchFilter=<search_filter>
Specifies the LDAP search filter that is used to search the PersonAccount entity type. If a search filter is not specified, the object classes and the relative distinguished name (RDN) properties are used to generate the search filter.
LDAPUserRDNAttributes=<rdn_attributes_list>
Specifies the relative distinguished name (RDN) properties that are used to generate the search filter for the PersonAccount entity type. You can specify multiple values delimited by a semicolon (;). Specify this value in the form <rdn_attribute_name>:<object_class>. object_class is optional; if you specify it, this value is used by the PersonAccount entity type to map the corresponding rdn_attribute_name.
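The two rules above (search bases must be subtrees of the base entry, and the filter is generated from the object classes and RDN attributes when LDAPUserSearchFilter is empty) are shown below as an added example in Python. This is not HCL Workload Automation code: the shape of the generated filter is an assumption, since the page does not document it, and the DN handling is simplified (no escaped commas). The escaping step is the check a practitioner wants whenever a login name is substituted into a filter; without it a name such as *)(uid=* changes the filter's logic.

```python
"""PersonAccount search-base and search-filter checks for this panel.

Added example, not HCL Workload Automation code. It models two rules the
panel text states: every search base must lie under the repository base
entry, and when LDAPUserSearchFilter is empty the filter is generated from
the object classes and RDN attributes. The exact filter the product builds
is not documented on the page; the shape produced below is an assumption,
and the DN handling is a simplification (no escaped commas).
"""


def split_list(value: str) -> list:
    """Split a semicolon-delimited panel value, dropping empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def dn_components(dn: str) -> list:
    """RDNs of a DN, lower-cased, without surrounding spaces (simplified)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_subtree(search_base: str, base_entry: str) -> bool:
    """True when search_base equals base_entry or lies beneath it: its
    trailing RDNs must equal the base entry's RDNs."""
    sb, be = dn_components(search_base), dn_components(base_entry)
    return len(sb) >= len(be) and sb[len(sb) - len(be):] == be


def invalid_search_bases(value: str, base_entry: str) -> list:
    """Search bases in a panel value that are not subtrees of base_entry."""
    return [b for b in split_list(value) if not is_subtree(b, base_entry)]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    login name such as '*)(uid=*' cannot alter the filter's logic."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def parse_rdn_attributes(value: str) -> list:
    """'uid;mail:inetOrgPerson' -> [('uid', None), ('mail', 'inetOrgPerson')]"""
    parsed = []
    for item in split_list(value):
        name, _, object_class = item.partition(":")
        parsed.append((name.strip(), object_class.strip() or None))
    return parsed


def or_join(terms: list) -> str:
    """Combine filter terms with OR, leaving a single term bare."""
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def generated_search_filter(object_classes: str, rdn_attributes: str,
                            login_name: str) -> str:
    """Assumed filter when LDAPUserSearchFilter is empty: for each RDN
    attribute, match the login name on entries of the RDN attribute's own
    object class, or of any entity object class when none is given;
    several RDN attributes are OR-ed together."""
    classes = split_list(object_classes)
    value = escape_filter_value(login_name)
    clauses = []
    for attr, object_class in parse_rdn_attributes(rdn_attributes):
        candidates = [object_class] if object_class else classes
        if candidates:
            class_term = or_join(["(objectClass=%s)" % c for c in candidates])
            clauses.append("(&%s(%s=%s))" % (class_term, attr, value))
        else:
            clauses.append("(%s=%s)" % (attr, value))
    if not clauses:
        raise ValueError("LDAPUserRDNAttributes is required to generate a filter")
    return or_join(clauses)


if __name__ == "__main__":
    base = "o=ibm,c=us"
    print(invalid_search_bases("ou=austin,o=ibm,c=us;c=us;o=ibm,c=uk", base))
    print(generated_search_filter("inetOrgPerson;ePerson", "uid", "jsmith"))
    print(generated_search_filter("inetOrgPerson", "uid", "*)(uid=*"))
```

Run the block as a script to see the rejected search bases from the page's own example and the escaped filter for a hostile login name.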
LDAPGroupEntityType=<name>
Specifies the Group entity type name that is supported by the member repositories. By default, this value is Group.
LDAPGroupObjectClasses=<object_classes_list>
Specifies the object classes that are mapped to the Group entity type. You can specify multiple values delimited by a semicolon (;). LDAP entries that contain one or more of the object classes belong to this entity type. You cannot map multiple entity types to the same LDAP object class.
LDAPGroupSearchBases=<search_base_list>
Specifies the search bases that are used to search the Group entity type. The search bases specified must be subtrees of the base entry in the repository. See "LDAPUserSearchBases" for more information.
LDAPGroupSearchFilter=<search_filter>
Specifies the LDAP search filter that is used to search the Group entity type. If a search filter is not specified, the object classes and the relative distinguished name (RDN) properties are used to generate the search filter.
LDAPGroupRDNAttributes=<rdn_attributes_list>
Specifies the relative distinguished name (RDN) properties that are used to generate the search filter for the Group entity type. You can specify multiple values delimited by a semicolon (;). Specify this value in the form <rdn_attribute_name>:<object_class>. object_class is optional; if you specify it, this value is used by the Group entity type to map the corresponding rdn_attribute_name.
LDAPOrgContainerEntityType=<name>
Specifies the OrgContainer entity type name that is supported by the member repositories. By default, this value is "OrgContainer".
LDAPOrgContainerObjectClasses=<object_classes_list>
Specifies the object classes that are mapped to the OrgContainer entity type. You can specify multiple values delimited by a semicolon (;). LDAP entries that contain one or more of the object classes belong to this entity type. You cannot map multiple entity types to the same LDAP object class.
LDAPOrgContainerSearchBases=<search_base_list>
Specifies the search bases that are used to search the OrgContainer entity type. The search bases specified must be subtrees of the base entry in the repository. See "LDAPUserSearchBases" for more information.
LDAPOrgContainerSearchFilter=<search_filter>
Specifies the LDAP search filter that is used to search the OrgContainer entity type. If a search filter is not specified, the object classes and the relative distinguished name (RDN) properties are used to generate the search filter.
LDAPOrgContainerRDNAttributes=<rdn_attributes_list>
Specifies the relative distinguished name (RDN) properties that are used to generate the search filter for the OrgContainer entity type. You can specify multiple values delimited by a semicolon (;). Specify this value in the form <rdn_attribute_name>:<object_class>. object_class is optional; if you specify it, this value is used by the OrgContainer entity type to map the corresponding rdn_attribute_name.
LDAPGroupConfigName=<value>
Specifies the name of the group membership attribute. Only one membership attribute can be defined for each LDAP repository. Every LDAP entry must have this attribute to indicate the groups to which this entry belongs.

For example, memberOf is the name of the membership attribute that is used in Active Directory, and ibm-allGroups is the name of the membership attribute that is used in IBM® Tivoli® Directory Server. The group membership attribute contains values that reference the groups to which this entry belongs: if User belongs to Group, the memberOf attribute of User must contain the distinguished name of Group. If your LDAP server does not support a group membership attribute, leave this property empty. The LDAP repository can then look up groups by searching the group member attributes, though performance might be slower.

LDAPGroupConfigScope=<value>
Specifies the scope of the group membership attribute. The default value is "direct". For IBM Tivoli Directory Server specify "all"; for Active Directory specify "direct". Allowed values:
direct
The membership attribute contains direct groups only. Direct groups are the groups that contain the member.

For example, if Group1 contains Group2 and Group2 contains User1, then Group2 is a direct group of User1, but Group1 is not a direct group of User1.

nested
The membership attribute contains both direct groups and nested groups.
all
The membership attribute contains direct groups, nested groups, and dynamic members.
LDAPGroupConfigMemberNames=<names_list>
Specifies the names of the member attributes in LDAP. You can specify multiple member attributes delimited by a semicolon (;).

For example, member and uniqueMember are two commonly used names of member attributes. A member attribute stores the values that reference the members that the group contains. For example, a group type with the object class groupOfNames has a member attribute named member; a group type with the object class groupOfUniqueNames has a member attribute named uniqueMember.

An LDAP repository supports multiple group types if multiple member attributes and their associated group object classes are specified.

LDAPGroupConfigMemberClasses=<object_classes_list>
Specifies the object class of the group that uses each member attribute. If this field is not defined, the member attribute applies to all group object classes. You can specify multiple member classes delimited by a semicolon (;).

If you specify more than one value in LDAPGroupConfigMemberNames, the values are matched by position: the Nth member class applies to the Nth member name.

Example:
LDAPGroupConfigMemberNames=member;uniqueMember
LDAPGroupConfigMemberClasses=groupOfNames;groupOfUniqueNames
LDAPGroupConfigMemberScopes=<scopes_list>
Specifies the scope of each member attribute. You can specify multiple scopes delimited by a semicolon (;). The default value is "direct". If you specify more than one value in LDAPGroupConfigMemberNames, the values are matched by position: the Nth scope applies to the Nth member name. Allowed values:
direct
The member attribute contains direct members only. Direct members are members that are directly contained by the group. For example, if Group1 contains Group2 and Group2 contains User1, then User1 is a direct member of Group2, but User1 is not a direct member of Group1.
nested
The member attribute contains both direct members and nested members.
all
The member attribute contains direct members, nested members, and dynamic members.
Example:
LDAPGroupConfigMemberNames=member;uniqueMember
LDAPGroupConfigMemberScopes=direct;all
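The direct and nested scopes described above for the membership attribute (LDAPGroupConfigScope) and for the member attributes (LDAPGroupConfigMemberScopes), together with the fallback lookup through member attributes when the server has no membership attribute, are modelled in the following added Python example. It is not HCL Workload Automation code; the group entries are constructed sample data, and dynamic members (scope "all") are not modelled.

```python
"""Direct versus nested group membership, as the scope values describe.

Added example, not HCL Workload Automation code. It holds a few group
entries in memory (constructed data, not from any real directory), each
keyed by DN with the values of its member attribute, and computes what a
membership attribute with scope 'direct' would contain for an entry versus
'nested', and likewise for a member attribute. The group lookup is also
the one the text describes when the server has no membership attribute:
the groups are found by searching the member attributes. Dynamic members
(scope 'all') are not modelled.
"""

# Constructed sample: the Group1 / Group2 / User1 case from the panel text,
# plus GroupA and GroupB, which contain each other, to show that nested
# resolution must stop when it meets a DN it has already visited.
GROUPS = {
    "cn=Group1,ou=groups,o=ibm,c=us": ["cn=Group2,ou=groups,o=ibm,c=us"],
    "cn=Group2,ou=groups,o=ibm,c=us": ["uid=User1,ou=users,o=ibm,c=us"],
    "cn=GroupA,ou=groups,o=ibm,c=us": ["cn=GroupB,ou=groups,o=ibm,c=us",
                                       "uid=User2,ou=users,o=ibm,c=us"],
    "cn=GroupB,ou=groups,o=ibm,c=us": ["cn=GroupA,ou=groups,o=ibm,c=us"],
}


def direct_groups(dn, groups=GROUPS):
    """Scope 'direct': groups whose member attribute names dn itself."""
    return sorted(g for g, members in groups.items() if dn in members)


def nested_groups(dn, groups=GROUPS):
    """Scope 'nested': direct groups plus the groups that contain them,
    transitively. Visited DNs are skipped, so a cycle terminates."""
    seen, frontier = {dn}, [dn]
    while frontier:
        for g in direct_groups(frontier.pop(), groups):
            if g not in seen:
                seen.add(g)
                frontier.append(g)
    return sorted(seen - {dn})


def direct_members(group_dn, groups=GROUPS):
    """Scope 'direct': the values of the group's own member attribute."""
    return sorted(groups.get(group_dn, []))


def nested_members(group_dn, groups=GROUPS):
    """Scope 'nested': direct members plus the members of any member that
    is itself a group, transitively, again cycle-safe."""
    seen, frontier = {group_dn}, [group_dn]
    while frontier:
        for m in groups.get(frontier.pop(), []):
            if m not in seen:
                seen.add(m)
                if m in groups:
                    frontier.append(m)
    return sorted(seen - {group_dn})


if __name__ == "__main__":
    user1 = "uid=User1,ou=users,o=ibm,c=us"
    print("direct groups of User1:", direct_groups(user1))
    print("nested groups of User1:", nested_groups(user1))
    print("nested members of GroupA:",
          nested_members("cn=GroupA,ou=groups,o=ibm,c=us"))
```

For User1 the direct result is Group2 only and the nested result adds Group1, which is exactly the distinction the text draws; GroupA and GroupB show why a nested lookup must track visited entries.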
LDAPGroupConfigMemberDummies=<dummy_members_list>
Specifies a dummy member that is filled in when you create a group without specifying any member, to avoid an exception about a missing mandatory attribute. The allowed value is "uid=dummy". If you specify more than one value in LDAPGroupConfigMemberNames, the values are matched by position: the Nth dummy member applies to the Nth member name.
Example:
LDAPGroupConfigMemberNames=member;uniqueMember
LDAPGroupConfigMemberDummies=uid=dummy;
This means that only member has a dummy member; uniqueMember does not.
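An added Python example, not HCL Workload Automation code, that applies the positional rule shared by LDAPGroupConfigMemberClasses, LDAPGroupConfigMemberScopes and LDAPGroupConfigMemberDummies: each value is paired with the member name at the same position in LDAPGroupConfigMemberNames, a trailing semicolon leaves later positions empty, and the defaults from the text (scope direct, class unrestricted, no dummy) fill the gaps. Rejecting more positional values than member names is the example's own assumption; the page does not say how the product treats that case.

```python
"""Aligning the positional LDAPGroupConfigMember* lists on this panel.

Added example, not HCL Workload Automation code. The panel pairs the Nth
value of LDAPGroupConfigMemberClasses, LDAPGroupConfigMemberScopes and
LDAPGroupConfigMemberDummies with the Nth value of
LDAPGroupConfigMemberNames, and a trailing ';' (as in 'uid=dummy;') leaves
the later positions empty. This parser applies that rule and the defaults
the text gives (scope 'direct', class unrestricted, no dummy). Rejecting
more positional values than member names is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional

VALID_SCOPES = ("direct", "nested", "all")


@dataclass
class MemberAttribute:
    name: str
    object_class: Optional[str]  # None: applies to all group object classes
    scope: str
    dummy: Optional[str]         # None: no dummy member is filled in


def positional(value: str, count: int, property_name: str) -> list:
    """Split a ';'-delimited value into `count` slots, one per member name;
    an empty or missing slot becomes None."""
    slots = [s.strip() or None for s in value.split(";")] if value.strip() else []
    while slots and slots[-1] is None:   # 'uid=dummy;' ends in an empty slot
        slots.pop()
    if len(slots) > count:
        raise ValueError("%s has %d values but LDAPGroupConfigMemberNames has %d"
                         % (property_name, len(slots), count))
    return slots + [None] * (count - len(slots))


def parse_member_config(names: str, classes: str = "", scopes: str = "",
                        dummies: str = "") -> list:
    """Build one MemberAttribute per entry of LDAPGroupConfigMemberNames."""
    member_names = [n.strip() for n in names.split(";") if n.strip()]
    if not member_names:
        raise ValueError("LDAPGroupConfigMemberNames must list at least one attribute")
    n = len(member_names)
    rows = zip(member_names,
               positional(classes, n, "LDAPGroupConfigMemberClasses"),
               positional(scopes, n, "LDAPGroupConfigMemberScopes"),
               positional(dummies, n, "LDAPGroupConfigMemberDummies"))
    config = []
    for name, object_class, scope, dummy in rows:
        scope = scope or "direct"   # default scope stated on the panel
        if scope not in VALID_SCOPES:
            raise ValueError("LDAPGroupConfigMemberScopes: %r is not one of %s"
                             % (scope, ", ".join(VALID_SCOPES)))
        config.append(MemberAttribute(name, object_class, scope, dummy))
    return config


def member_attributes_for(group_object_classes: list, config: list) -> list:
    """Names of the member attributes that apply to a group entry with the
    given object classes (an unrestricted attribute applies to every group)."""
    present = {c.lower() for c in group_object_classes}
    return [m.name for m in config
            if m.object_class is None or m.object_class.lower() in present]


def initial_member_values(attr: MemberAttribute, members: list) -> list:
    """Values written to attr when a group is created: the configured dummy
    stands in when no member is given, so the mandatory attribute is not empty."""
    if members:
        return list(members)
    return [attr.dummy] if attr.dummy else []


# The panel's default values, parsed.
PANEL_DEFAULTS = parse_member_config("member;uniqueMember",
                                     "groupOfNames;groupOfUniqueNames",
                                     "direct;direct", "uid=dummy;")

if __name__ == "__main__":
    for attr in PANEL_DEFAULTS:
        print(attr)
    print(member_attributes_for(["top", "groupOfUniqueNames"], PANEL_DEFAULTS))
    print(initial_member_values(PANEL_DEFAULTS[0], []),
          initial_member_values(PANEL_DEFAULTS[1], []))
```

With the panel defaults, member carries the uid=dummy placeholder and uniqueMember carries none, matching the example above; a group whose object classes include groupOfUniqueNames is handled through uniqueMember only.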