
LDAP Store Adapter

The LDAP Store Adapter provides a data store interface to a remote directory service over LDAP. Multiple directory servers containing the same data may be configured using a load balancing algorithm to provide high availability. The SCIM schema URN for all attributes produced by this adapter is "urn:unboundid:schemas:scim:ldap:1.0".

Parent Component
Relations from This Component
Properties
dsconfig Usage

Parent Component

The LDAP Store Adapter component inherits from the Store Adapter component.

Relations from This Component

The following components have a direct aggregation relation from LDAP Store Adapters:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
  description
  correlation-attribute-urn
  load-balancing-algorithm
  include-ldap-objectclass
  include-base-dn
  include-filter
  scim-id-attribute
  user-metadata-attribute
  user-large-metadata-attribute
  create-dn-pattern

Advanced Properties:
  modifies-as-creates
  include-operational-attribute

Basic Properties

description

Description
A description for this Store Adapter
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

correlation-attribute-urn

Description
Specifies the SCIM attribute to use as the correlation between resources when multiple Store Adapters are configured in a DataView. The attribute defined here MUST be a primary key for the resources exposed by this Store Adapter (i.e., there can be one and only one resource with a given value for this attribute). Furthermore, the value must exactly match the value of the correlation attributes for other Store Adapters defined within the same DataView. This is how the DataView aggregates resources from multiple Store Adapters during a search operation.

For example, an LDAP Store Adapter might specify the 'uid' attribute here (i.e., "urn:unboundid:schemas:scim:ldap:1.0:uid"), and a Third Party Store Adapter might specify its "acmeID" attribute (i.e., "urn:acme:schemas:scim:1.0:acmeID"). This implies that 'uid' and 'acmeID' are equivalent and are each able to uniquely identify a single resource on their respective Store Adapters.

It is not required that the correlation attribute actually be persisted. For LDAP Store Adapters, it may be derived via a virtual attribute. Likewise, for Third Party Store Adapters, it may be constructed via a transformation or from any information available in the Server SDK extension. However, this attribute must always be available, so if it depends on another attribute created by a different Store Adapter, pay careful attention to the order in which you define the Store Adapters in the DataView.

Default Value
urn:scim:schemas:core:1.0:id
Allowed Values
A SCIM attribute URN (using the standard attribute dot notation). This may reference a sub-attribute.
Multi-Valued
No
Required
Yes
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.
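
The following is an added example, not Identity Broker code, showing the aggregation behaviour the correlation attribute enables: each adapter's resources are indexed by its correlation attribute (rejecting a missing or duplicated value, since the attribute must be a primary key), and the resources of later adapters are merged into those of the first by matching correlation values. The attribute URNs are the ones named above; the sample resources, the adapter names and the rule that the first adapter in DataView order decides which resources exist are constructed assumptions for this illustration.

```python
# Added example (not from the Identity Broker product): aggregating resources
# from several Store Adapters by their correlation attribute.
LDAP_URN = "urn:unboundid:schemas:scim:ldap:1.0"
ACME_URN = "urn:acme:schemas:scim:1.0"

# Constructed sample adapters. Each exposes resources as dicts keyed by
# attribute URN and names the URN of its correlation attribute (primary key).
ADAPTERS = [
    {"name": "ldap-users", "correlation": f"{LDAP_URN}:uid",
     "resources": [
         {f"{LDAP_URN}:uid": "jdoe", f"{LDAP_URN}:mail": "jdoe@example.com"},
         {f"{LDAP_URN}:uid": "asmith", f"{LDAP_URN}:mail": "asmith@example.com"},
     ]},
    {"name": "acme-profiles", "correlation": f"{ACME_URN}:acmeID",
     "resources": [
         {f"{ACME_URN}:acmeID": "jdoe", f"{ACME_URN}:tier": "gold"},
         {f"{ACME_URN}:acmeID": "bwong", f"{ACME_URN}:tier": "silver"},
     ]},
]


def index_by_correlation(adapter):
    """Index one adapter's resources by its correlation attribute.

    Raises ValueError if a resource lacks the attribute or two resources share
    a value: the attribute must be a primary key within the adapter.
    """
    key = adapter["correlation"]
    index = {}
    for res in adapter["resources"]:
        value = res.get(key)
        if value is None:
            raise ValueError(f"{adapter['name']}: resource lacks {key}")
        if value in index:
            raise ValueError(f"{adapter['name']}: duplicate {key}={value!r}")
        index[value] = res
    return index


def aggregate(adapters):
    """Merge resources whose correlation values match across adapters.

    Assumption for this example: the first adapter (DataView definition order)
    decides which resources exist; later adapters contribute attributes for a
    matching correlation value and contribute nothing when they have no match.
    """
    if not adapters:
        return []
    indexes = [index_by_correlation(a) for a in adapters]
    merged = []
    for value, primary in indexes[0].items():
        combined = dict(primary)
        for idx in indexes[1:]:
            combined.update(idx.get(value, {}))
        merged.append(combined)
    return merged


if __name__ == "__main__":
    for resource in aggregate(ADAPTERS):
        print(resource)
```

Running the block prints two merged resources: 'jdoe' carries both the LDAP mail and the Acme tier, while 'asmith' has no Acme attributes because no Acme profile shares its correlation value.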

load-balancing-algorithm

Description
Specifies the default load-balancing algorithm that will be used to select the backend server for each operation processed through this LDAP Store Adapter.
Default Value
None
Allowed Values
The DN of any Load Balancing Algorithm. Load-balancing algorithms associated with LDAP Store Adapters must be enabled.
Multi-Valued
No
Required
Yes
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.

include-ldap-objectclass

Description
Specifies the LDAP object class that should be exposed by this LDAP Store Adapter.
Default Value
None
Allowed Values
The name or OID of the objectclass to expose.
Multi-Valued
No
Required
Yes
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.

include-base-dn

Description
Specifies the base DNs for the branches of the LDAP directory that can be accessed by this LDAP Store Adapter. Along with the include-filter property, this property determines whether an entry is included in this LDAP Store Adapter. If no DNs are specified, then only the include-filter property is used to determine if an entry is included.
Default Value
The location of the entry in the DIT is not taken into account when determining whether an entry is managed by this LDAP Store Adapter.
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.

include-filter

Description
The set of LDAP filters that define the LDAP entries that should be included in this LDAP Store Adapter. Along with the include-base-dn property, this property determines whether an entry is included in this LDAP Store Adapter. If the include-base-dn property does not exclude an entry, then it will be included if it matches any of the filters specified here. If no filters are specified, then only the include-base-dn property is used to determine if an entry is included by this LDAP Store Adapter.
Default Value
All entries are included by this LDAP Store Adapter.
Allowed Values
A valid LDAP search filter
Multi-Valued
Yes
Required
No
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.
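
The two properties above combine as follows: an entry is exposed only if it lies under at least one include-base-dn (or none are configured) and matches at least one include-filter (or none are configured). The block below is an added example, not Identity Broker code, that applies exactly those rules to a handful of constructed sample entries. It goes slightly beyond the text by evaluating real filter syntax: it contains a small recursive-descent parser for the equality, presence, AND, OR and NOT forms of RFC 4515 filters, and a simplified DN comparison (no multi-valued RDNs or hex escapes); the sample entries and DNs are constructed.

```python
import re

# Added example (not from the Identity Broker product): include-base-dn and
# include-filter semantics applied to constructed sample entries.


def parse_dn(dn):
    """Split a DN into (type, value) pairs, leaf first, normalised for comparison.

    Simplified: handles backslash-escaped commas only, not multi-valued RDNs
    or hex escapes; a full RFC 4514 parser would be needed for those.
    """
    comps = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if part:
            attr, _, value = part.partition("=")
            comps.append((attr.strip().lower(), value.strip().lower()))
    return comps


def dn_is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it in the DIT."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def _parse(s, i):
    """Recursive-descent parser for a subset of RFC 4515 search filters."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1
    if i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated NOT filter")
        return ("!", child), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", attr.strip().lower(), value), end + 1


def parse_filter(text):
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry (lower-cased attr -> values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def is_included(entry_dn, entry, include_base_dn=(), include_filter=()):
    """Mirror the documented semantics: an empty include-base-dn ignores location,
    an empty include-filter includes everything; otherwise the entry must sit
    under at least one base DN and match at least one filter."""
    entry = {k.lower(): v for k, v in entry.items()}
    if include_base_dn and not any(dn_is_under(entry_dn, b) for b in include_base_dn):
        return False
    if include_filter and not any(matches(parse_filter(f), entry) for f in include_filter):
        return False
    return True


# Constructed sample entries standing in for a small directory.
SAMPLE_ENTRIES = {
    "uid=jdoe,ou=People,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "employeeType": ["staff"]},
    "uid=contractor1,ou=People,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "uid": ["contractor1"], "employeeType": ["contractor"]},
    "cn=backup-svc,ou=Services,dc=example,dc=com":
        {"objectClass": ["applicationProcess"], "cn": ["backup-svc"]},
}


def included_dns(include_base_dn=(), include_filter=()):
    """Return the sample DNs an adapter with these two settings would expose."""
    return sorted(dn for dn, attrs in SAMPLE_ENTRIES.items()
                  if is_included(dn, attrs, include_base_dn, include_filter))


if __name__ == "__main__":
    print(included_dns(["ou=people,dc=example,dc=com"],
                       ["(&(objectClass=inetOrgPerson)(!(employeeType=contractor)))"]))
```

The final call illustrates the usual hardening pattern for an adapter that feeds authentication: restricting both the subtree and the object class keeps service entries and contractor accounts out of the adapter even though they live on the same server.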

scim-id-attribute

Description
Specifies the LDAP attribute to use as the SCIM ID when returning entries in SCIM format.
Default Value
entryUUID
Allowed Values
An LDAP attribute name or OID
Multi-Valued
No
Required
Yes
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.

user-metadata-attribute

Description
Specifies the LDAP attribute which should be used to store user metadata, such as consents and OAuth tokens. This data is generally small and is accessed frequently. This must be a multi-valued attribute that is allowed on the objectclass exposed by this LDAP Store Adapter (specified by the include-ldap-objectclass property). If no value is specified, this LDAP Store Adapter will not support user operations such as authentication or authorization.
Default Value
None
Allowed Values
An LDAP attribute name or OID
Multi-Valued
No
Required
No
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.

user-large-metadata-attribute

Description
Specifies the LDAP attribute which should be used to store larger metadata for users, such as consent history. This data can be large and is accessed less frequently. This must be a multi-valued attribute that is allowed on the objectclass exposed by this LDAP Store Adapter (specified by the include-ldap-objectclass property). If no value is specified, this LDAP Store Adapter will not support user operations such as authentication or authorization.
Default Value
None
Allowed Values
An LDAP attribute name or OID
Multi-Valued
No
Required
No
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.

create-dn-pattern

Description
Specifies the template to use for the DN when creating new entries. If no value is specified, this LDAP Store Adapter will not support create operations. The template may reference any LDAP attribute that is present in the mapped entry by using bracket notation. For example, the pattern "uid={uid},dc=example,dc=com" will substitute the entry's 'uid' value as the RDN. Substitutions are allowed for any DN components, not just the RDN.
Default Value
None
Allowed Values
The pattern to use to construct the DN value.
Multi-Valued
No
Required
No
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.
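
As an added example (not Identity Broker code), the block below renders a create-dn-pattern such as the "uid={uid},dc=example,dc=com" shown above against a mapped entry. The security-relevant detail it adds is value escaping: a substituted value is escaped per RFC 4514 before it is spliced into the DN, so an attribute value that happens to contain a comma or another DN special character cannot change the structure of the resulting DN. Whether the product itself escapes values, and how it treats a multi-valued attribute, is not stated on this page; this example rejects missing and multi-valued attributes rather than guessing.

```python
import re

# Added example (not from the Identity Broker product): rendering a
# create-dn-pattern with RFC 4514 escaping of substituted values.

# Characters RFC 4514 section 2.4 requires to be escaped inside a value.
_SPECIAL = set(',+"\\<>;')
_PLACEHOLDER = re.compile(r"\{([A-Za-z][A-Za-z0-9-]*)\}")


def escape_dn_value(value):
    """Escape one attribute value for use as the value of a DN component."""
    if not isinstance(value, str) or value == "":
        raise ValueError("DN attribute values must be non-empty strings")
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    if escaped[0] in ("#", " "):      # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if escaped[-1] == " ":            # trailing space must be escaped
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_dn(pattern, entry):
    """Substitute {attr} placeholders in pattern from the mapped entry.

    entry maps attribute names (any case) to lists of values. Assumption for
    this example: a referenced attribute must have exactly one value; anything
    else is an error rather than a silently chosen value.
    """
    lookup = {name.lower(): values for name, values in entry.items()}

    def substitute(match):
        name = match.group(1).lower()
        values = lookup.get(name) or []
        if len(values) != 1:
            raise ValueError(f"attribute {name!r} must have exactly one value")
        return escape_dn_value(values[0])

    return _PLACEHOLDER.sub(substitute, pattern)


if __name__ == "__main__":
    # Constructed sample entries: a normal value and one containing a comma.
    print(build_dn("uid={uid},dc=example,dc=com", {"uid": ["jdoe"]}))
    print(build_dn("uid={uid},dc=example,dc=com", {"uid": ["jdoe,ou=admins"]}))
```

The second printed DN keeps the comma escaped inside the RDN value, so the entry is still created directly under dc=example,dc=com; substitutions in non-RDN components (for example "cn={cn},ou={ou},dc=example,dc=com") are handled the same way.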


Advanced Properties

modifies-as-creates (Advanced Property)

Description
If set to true, this property allows this Store Adapter to process a modify operation as a create operation if the target resource does not exist. This setting can be useful for lazily creating resources in one or more Store Adapters, or for filling in where resources are missing. For example, if you have existing users in one data store and would like to store the Identity Broker user metadata (i.e., consents, tokens, etc.) in a separate data store without having to manually copy all the user entries over to that separate store, you could use this option to have the Identity Broker create them for you on the fly.

Note that this option only applies when there is enough information between the modify request and the data in other Store Adapters to create the new resource on this Store Adapter. This also depends on which attributes are marked as 'required' in the native schema for this adapter, and on the attribute mappings for those required attributes.

Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.

include-operational-attribute (Advanced Property)

Description
Specifies the set of operational LDAP attributes to include in the native SCIM schema that is provided by this LDAP Store Adapter. By default, operational attributes are not provided by the LDAP Store Adapter. However, there may be cases where you wish to create an attribute mapping that depends on an operational attribute from the LDAP server. Specifying it here will cause it to show up as a mappable attribute in the SCIM schema.
Default Value
None
Allowed Values
An LDAP attribute name or OID
Multi-Valued
Yes
Required
No
Admin Action Required
The LDAP Store Adapter must be disabled and re-enabled for changes to this setting to take effect. Changes to this property will not take effect until the associated DataView is disabled and then re-enabled, or until the server is restarted.


dsconfig Usage

To list the configured Store Adapters:

dsconfig list-store-adapters
     [--property {propertyName}] ...

To view the configuration for an existing Store Adapter:

dsconfig get-store-adapter-prop
     --adapter-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Store Adapter:

dsconfig set-store-adapter-prop
     --adapter-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new LDAP Store Adapter:

dsconfig create-store-adapter
     --adapter-name {name}
     --type ldap
     --set load-balancing-algorithm:{propertyValue}
     --set include-ldap-objectclass:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Store Adapter:

dsconfig delete-store-adapter
     --adapter-name {name}