Untitled
a guest, Nov 7th, 2017

###############################################################################
#                                                                             #
#             Configuration for LDAP-Based Authentication to the              #
#              Administrative Console/API and/or role assignment              #
#                                                                             #
###############################################################################

#
# This file is used to configure LDAP for authenticating users and granting
# them permissions in PingFederate based on their role assignment(s) in LDAP.
#
# Note: It can also be used only for defining permissions when RADIUS is used
# as the authentication mechanism (see radius.properties). In this case, LDAP
# Group-Based Permissions should be used to define such permissions.
#

# *****************************************************************************
# Basic Connection Properties
# *****************************************************************************

# ===================
# Required Attributes
# ===================

# Note that the following are all required attributes, regardless of the
# method that you are using for permission management--LDAP User or LDAP
# Group:
#
# - LDAP server address (ldap.url)
# - LDAP credentials (ldap.username, and ldap.password), if anonymous
#   binding to the LDAP server is not set, or is set to false
# - Search Base (search.base)
# - Search Filter (search.filter)


# ------------------------------
# LDAP server address (REQUIRED)
# ------------------------------

# For failover configuration, you may supply multiple URLs in the following
# property, separated by a space. PingFederate will attempt to make a
# connection to each server in the order listed until a successful connection
# is obtained. Please note that if multiple servers are specified, they must
# all use the same credentials and the same protocol.
#
# To enable SSL for a particular connection, use the LDAPS protocol.
#
# Example (using multiple URLs):
# ldap.url=ldaps://server1:636 ldaps://server2:636
#
# Note: For LDAPS, the SSL certificate or any portion of the certificate
# chain must be trusted either as part of cacerts in the Java runtime or
# as a Trusted CA in PingFederate.
#
ldap.url=ldaps://ldap.int.wal-ping.com:636


# -------------------------------
# LDAP Binding for Authentication
# -------------------------------
# Uncomment the property below to use anonymous binding for user-search
# operations. Otherwise, credentials must be provided below.
#
# Note: The directory server must be set to allow anonymous access, and
# anonymous access rights in the LDAP server must include user-search
# privileges.
#
# The allowed values for the following property are true|false. The default
# value is false if unspecified.
#
#ldap.anonymousBinding=true



# ------------------------------------------------------------
# LDAP credentials (REQUIRED, if anonymous binding is not set)
# ------------------------------------------------------------

# Set credentials if the ldap.anonymousBinding property above is not used or
# set to false.

# ----------------------------------------------------
# Username (REQUIRED, if anonymous binding is not set)
# ----------------------------------------------------
# This is the username for an account within the LDAP Directory Server
# that can be used to perform user lookups for authentication and other
# user level search operations.
#
# Example for Oracle Directory Server:
# ldap.username=UID=user1,OU=People,DC=domain,DC=com
#
# Example for Microsoft Active Directory:
# ldap.username=CN=user1,CN=Users,DC=domain,DC=com
#
ldap.username=cn=Administrator,DC=wal-ping,DC=com


# ----------------------------------------------------
# Password (REQUIRED, if anonymous binding is not set)
# ----------------------------------------------------
# This is the password for the Username specified above.
#
# The password property should be obfuscated using one of the following
# utilities in this directory (../bin):
#
# On Windows:
# >obfuscate.bat <password>
#
# On Linux:
# >./obfuscate.sh <password>
#
# Example:
# obfuscate.bat secret
# Result:
# OBF:JWE:eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiVEU0dVZjcU1wayIsInZlcnNpb24iOiI3LjEuMjAwLjQtU05BUFNIT1QifQ..8Zf_xQ4PuXuYkdE0culPpA.E2Lh_zAne5YpaJo9wbl39A.Z8wVd6SFB8lcQbvutU1u-Q
# Copy the complete result into the property value, as shown in the example below:
# ldap.password=OBF:JWE:eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiVEU0dVZjcU1wayIsInZlcnNpb24iOiI3LjEuMjAwLjQtU05BUFNIT1QifQ..8Zf_xQ4PuXuYkdE0culPpA.E2Lh_zAne5YpaJo9wbl39A.Z8wVd6SFB8lcQbvutU1u-Q
#
ldap.password=OBF:JWE:eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiRXUyZHNEQ0dGdSIsInZlcnNpb24iOiI4LjMuMC4xIn0..p8RohE_u7rVyJ5prrp4NIQ.ifiucAHw-_081VQalRzQAw.V0pSuAcq_RDqa32ZTJV1NQ
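Added example, not part of the PingFederate template or of the poster's configuration: a small Python inspector that splits an OBF:JWE password value into the five segments of JWE compact serialization and decodes its protected header, so an administrator can see what protection the obfuscation gives. It uses the template's own sample value for the word "secret" above; the function names are this example's own, not a PingFederate utility. The header shows alg "dir", which in JWE means direct use of a shared symmetric key named by kid; that key has to be available to the PingFederate installation that reads this file, so the value is recoverable there and the file itself still needs to be protected like a credential.

```python
import base64
import json

# Sample value copied from the template comment above (the obfuscation of the
# word "secret"); it is the template's example, not a real credential.
SAMPLE_OBF = (
    "OBF:JWE:eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiVEU0dVZjcU1wayIsInZlcnNpb24iOiI3LjEuMjAwLjQtU05BUFNIT1QifQ..8Zf_xQ4PuXuYkdE0culPpA.E2Lh_zAne5YpaJo9wbl39A.Z8wVd6SFB8lcQbvutU1u-Q"
)


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as JOSE uses."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_obf_value(value: str) -> dict:
    """Split an OBF:JWE property value and decode its protected header.

    Returns a dict describing the token; raises ValueError if the value
    does not have the OBF:JWE prefix and the five JWE segments.
    """
    if not value.startswith("OBF:JWE:"):
        raise ValueError("not an OBF:JWE value")
    parts = value[len("OBF:JWE:"):].split(".")
    # JWE compact serialization: header.encrypted_key.iv.ciphertext.tag
    if len(parts) != 5:
        raise ValueError("expected 5 JWE segments, got %d" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    return {
        "alg": header.get("alg"),
        "enc": header.get("enc"),
        "kid": header.get("kid"),
        "version": header.get("version"),
        # With alg "dir" the encrypted-key segment is empty: no wrapped key
        # travels with the value, the key named by kid lives in the PF install.
        "key_in_value": parts[1] != "",
        "iv_bytes": len(b64url_decode(parts[2])),
        "ciphertext_bytes": len(b64url_decode(parts[3])),
        "tag_bytes": len(b64url_decode(parts[4])),
    }


if __name__ == "__main__":
    for key, val in inspect_obf_value(SAMPLE_OBF).items():
        print("%-18s %s" % (key, val))
```

The header also carries the PingFederate version that produced the value, so a pasted ldap.properties discloses the product version as well as the bind DN and server name; the detection value of this is that any copy of the file found outside the install directory should be treated as a leaked credential for the bind account.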

# -------
# Timeout
# -------

# Connection creation timeout period in milliseconds. This is the amount of
# time the PF server will wait before failing the connection. If the value
# is 0, the PF server will wait indefinitely for a response from
# the LDAP server.
#
ldap.connectTimeout=10000

# Read timeout period in milliseconds. This is the amount of time that PF
# will wait for a response from the server. If the value is 0, the PF server
# will wait indefinitely for a read response from the LDAP server.
ldap.readTimeout=3000

# ----------------------
# Search Base (REQUIRED)
# ----------------------

# This is the location in the LDAP directory server from which the search
# begins. This is used for both initial user authentication, as well as for
# determining LDAP Username based permissions.
#
# Example for Oracle Directory Server:
# search.base=OU=People,DC=domain,DC=com
#
# Example for Microsoft Active Directory:
# search.base=CN=Users,DC=domain,DC=com
#
search.base=DC=wal-ping,DC=com


# ------------------------
# Search Filter (REQUIRED)
# ------------------------

# This is the mapping from the Username entered in the login form to the
# attribute in the User object that contains the value of the Username that
# matches. This is used for both initial user authentication, as well as for
# determining LDAP Username based permissions.
#
# The form of this entry is <attribute>={<value>}, where <attribute> is the
# name of the attribute in the user object that is used to compare to the
# name that is entered on the login page for authentication.
#
# In most cases, {<value>} should be {0}, which is the value of a variable
# that contains the Username entered by the administrator in the login form.
#
# Example for Oracle Directory Server:
# search.filter=uid={0}
# In this case, the uid attribute in the user object will be used for
# username matching.
#
# search.filter=CN={0}
# In this case, the CN attribute in the user object will be used for
# username matching.
#
# Example for Microsoft Active Directory:
# search.filter=sAMAccountName={0}
# In this case, sAMAccountName is the attribute in the user object that
# will be used for username matching.
#
search.filter=CN={0}


# *****************************************************************************
# Assignment of Permissions
# *****************************************************************************

# There are two ways that role assignments (and the permissions associated
# with those roles) may be managed:
# 1) based solely on an explicit mapping between PingFederate roles and
#    individual user accounts, and
# 2) based on a mapping between PingFederate roles and LDAP Groups
#
# Notes:
# - At least one of the above methods must be used, although both may be used.
# - When LDAP user-based assignment is used, users may be assigned to multiple
#   roles. In this event, the permissions associated with each of the assigned
#   roles are merged.
# - When LDAP Group-based assignment is used, if a user belongs to
#   multiple LDAP Groups and each Group is assigned separate roles within
#   PingFederate, then permissions for that user are merged based on the
#   individual assignments of roles to Groups.
# - If permissions are specified using both LDAP user- and Group-based (a.k.a.:
#   "role-based") assignments, the permissions associated with resolution of all
#   of the assignments are merged.
# - The PingFederate auditor role supersedes all other roles. If a user
#   is assigned multiple roles (regardless of the mechanism used) and one of those
#   roles is auditor, the user will retain only those privileges that are
#   associated with the auditor role.


# ===========================
# LDAP User-Based Permissions
# ===========================

# In this mode, you assign LDAP user accounts directly to PingFederate
# administrative roles to specify who has access and what permissions
# they have. For more information on PingFederate roles, see the PingFederate
# Administrator's Manual.
#
# If multiple users are assigned to a single role, each subsequent user must
# be separated from the preceding user by a comma (i.e., comma-separated
# values).
#
# Any special characters in the username must be double-escaped
# (e.g., "\\," for ","). See RFC 2253 for a list of characters that need
# escaping.
#
# Example:
# role.admin=user1, user2
# role.cryptoManager=user2
# role.auditor=user3
# role.userAdmin=user1
# In this example, user1 will have permissions associated with the "admin"
# and "userAdmin" roles, user2 will have permissions associated with both the
# "admin" role and the "cryptoManager" role, while user3 will have permissions
# associated only with the "auditor" role. (Note: the auditor role overrides
# the privileges associated with assignment of any other role for the same
# user.)
#
role.admin=
role.cryptoManager=
role.auditor=
role.userAdmin=



# ============================
# LDAP Group-Based Permissions
# ============================

# There are two ways to map roles from LDAP:
# A) By mapping an attribute stored in the LDAP User object to the PF Admin
#    role. This occurs if the role.search.user.attribute is set. This is
#    more useful for those directory servers that support a two-way mapping
#    between the User objects and the Group objects (such as Microsoft Active
#    Directory).
# B) By mapping an attribute stored in the LDAP Group object in the LDAP
#    Directory to the PF Admin role. This occurs if the role.search.attribute
#    is set. This is more useful for those directory servers that support only
#    a one-way mapping from the Group object to the User object (such as Oracle
#    Directory Server).
#
# If neither of the properties above is set, then only the simple username to
# role mapping (LDAP User-Based Permissions defined above) is used.
#
# If you use option A above for LDAP Group-based permissions,
# then each of the following attributes needs to be specified:
# - Role Attribute Stored in LDAP User Object (role.search.user.attribute)
# - Role Mapping (the role.map.* attributes, based on the role assignments
#   that need to be made).
# In this case, the role mapping(s) must be specified using the Group DN
# of the Group that is assigned the role. In addition, if multiple Groups are
# assigned to a given role, each Group assignment must be defined on its own
# line, using the numbering convention defined below under "Role Mapping."
#
# If you use option B above for LDAP Group-based permissions,
# then all of the following attributes must be specified:
# - Role Attribute Stored in LDAP Group Object (role.search.attribute)
# - LDAP Group Base DN (role.search.base)
# - LDAP Group Subtree Search (role.search.subtree)
# - LDAP Group Search Filter (role.search.filter)
# - Role Mapping (the role.map.* attributes, based on the role assignments
#   that need to be made)
#
# If both options A and B are used, option A takes precedence; properties
# associated with option B are ignored.


# -----------------------------------------
# Role Attribute Stored in LDAP User Object
# -----------------------------------------

# This is the attribute name on the user object that contains the mapping to
# the LDAP Group object(s) used to determine access to the PF Admin
# Console/API. If the user object contains any of the LDAP Groups that are
# mapped in the Role Mapping below, then the user will be given access and
# the associated permissions based on that mapping.
#
# This property must be a string and can have multiple values.
#
# Example for Active Directory:
# role.search.user.attribute=memberOf
#
role.search.user.attribute=



# ------------------------------------------
# Role Attribute Stored in LDAP Group Object
# ------------------------------------------

# This property is the name of an attribute contained within the LDAP Group
# object(s) returned from the search (as specified in the role.search.filter
# property) that will be used to map to the Role Mapping as specified below.
# This is typically the DN for the LDAP Group object.
#
# This property can have multiple values, but it must be a string. It can be the
# special four-character string "<DN>" which means that the Group entry DN should
# be used instead of the value of a specific named attribute.
#
# NOTE: If the DN is used, then the value of the DN for the LDAP Group object
# needs to be specified in the Role Mapping below. Similarly, if another
# attribute is used, then any of the values for each of the LDAP Group objects
# returned from the search should be used in the Role Mapping below.
#
# Example 1:
# role.search.attribute=<DN>
#
# Example 2:
# role.search.attribute=uid
#
role.search.attribute=<DN>



# ------------------
# LDAP Group Base DN
# ------------------

# This is the Base DN for searching the directory for the LDAP Group Objects.
#
# Example for Oracle Directory Server:
# role.search.base=OU=People,DC=domain,DC=com
#
role.search.base=OU=groups,DC=wal-ping,DC=com



# -------------------------
# LDAP Group Subtree Search
# -------------------------

# This attribute defines whether the search should stay at the level of the
# node defined by the role.search.base attribute, or whether it should also
# search subnodes of the node defined by the role.search.base attribute.
# Allowed values for this property are true|false. The default value is true
# if it is unspecified.
#
role.search.subtree=false



# ------------------------
# LDAP Group Search Filter
# ------------------------

# This is the search filter that should be used to determine Group membership.
# Typically, this can be set to the attribute in the Group object that is used
# to store the list of users that belong to that Group. This is of the form
# <attribute>=<value>. <attribute> should be the name of the attribute in the
# LDAP Group object that maintains membership information for that LDAP Group.
# <value> is the value that will be matched to determine membership. <value>
# can be set to either of the following:
# {0} - username. This means that the LDAP Group stores its membership
#       information in the form of the username entered
#       at the time that authentication occurs.
# {1} - user entry DN. This means that the LDAP Group Object stores its
#       membership information in the form of the DN of each
#       of the LDAP User objects that belong to that LDAP
#       Group. In this case, the username entered
#       at the time authentication occurs will be used to
#       look up the DN for the associated User Object, which
#       will subsequently be used to look up that DN within
#       each LDAP Group object that contains it.
#
# Example 1:
# role.search.filter=member={1}
# In this example, the search will be for all objects that contain an
# attribute named member, with the value based on the User Object DN.
#
# Example 2:
# role.search.filter=(&(member={1})(objectClass=group))
# This example is similar to Example 1. However, the search is restricted
# to only those objects where the objectClass is Group. This allows for
# a further refinement of search filters for more efficient lookups.
#
role.search.filter=(&(member={1})(objectClass=groupOfNames))
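Added example, not code from the PingFederate template or from the poster's file: a Python rendering of the two filter templates in this file, search.filter (where {0} is the username typed into the login form) and role.search.filter just above (where {1} is the DN found for that user). Each substituted value is escaped per RFC 4515 before it is placed in the filter, which is the check a reviewer wants on any value that originates in a login form: a name containing "*", "(" or ")" must match only an entry whose attribute literally contains those characters, never widen or restructure the query. Whether PingFederate applies exactly this escaping is not stated in the file; the function names, the parenthesis wrapping of a bare attr=value entry and the sample login names are this example's own.

```python
import re

# Filter templates as set in this file.
USER_SEARCH_FILTER = "CN={0}"
GROUP_SEARCH_FILTER = "(&(member={1})(objectClass=groupOfNames))"

# Characters that must be escaped inside an LDAP filter assertion value
# (RFC 4515 section 3): backslash, asterisk, parentheses and NUL.
_SPECIAL = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter.

    Special characters and every non-ASCII UTF-8 byte are replaced by their
    \\XX hex escape, so the value can neither terminate nor extend the filter.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and ch not in _SPECIAL:
            out.append(ch)
        else:
            out.append("\\%02x" % byte)
    return "".join(out)


def render_filter(template: str, username: str, user_dn: str = "") -> str:
    """Substitute {0} (username) and {1} (user DN) into a filter template.

    Both values are escaped first. A single regex pass over the template
    means a substituted value that itself contains the text "{1}" is not
    expanded a second time (re.sub with a callable uses the result as-is).
    """
    values = {"0": escape_filter_value(username),
              "1": escape_filter_value(user_dn)}
    rendered = re.sub(r"\{([01])\}", lambda m: values[m.group(1)], template)
    # A bare "attr=value" entry is wrapped so the result is a complete filter.
    if not rendered.startswith("("):
        rendered = "(" + rendered + ")"
    return rendered


if __name__ == "__main__":
    # Constructed sample login names; the last two contain filter metacharacters.
    for name in ("jdoe", "jd*oe", "x)(objectClass=*"):
        print(render_filter(USER_SEARCH_FILTER, name))
    print(render_filter(GROUP_SEARCH_FILTER, "jdoe",
                        "CN=jdoe,OU=People,DC=wal-ping,DC=com"))
```

Commas in the DN are not filter metacharacters, so the group filter keeps the DN readable, while a DN that already carries RFC 4514 escapes (such as "\," inside a CN) has its backslash turned into "\5c", which is what makes the assertion value match the stored member attribute byte for byte. The bind account named in ldap.username above only has to perform these two searches, so a read-only account scoped to search.base and role.search.base is sufficient for it.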



# ------------
# Role Mapping
# ------------

# This set of properties maps the membership information to the
# associated role(s) and permissions defined within PingFederate.
# Please note that trailing white spaces are not trimmed, so care should be
# taken when entering this information. Unless specifically identified
# as a DN (i.e., via role.search.attribute above), DNs are not parsed and
# will be compared exactly as entered.
#
# Any special characters in the value that needs to be evaluated
# must be escaped (e.g., "\ " for " "). This is also true for spaces that
# occur at the beginning of the string. See the Javadoc for the load method
# of the java.util.Properties class for a definitive description of what
# characters need to be escaped and how escaping should occur.
#
# The configuration values are case-sensitive.
#
# Only one value can be entered per line. If multiple LDAP Groups map to one
# PingFederate role, then multiple properties must be created using a numeric,
# incremental suffix, starting with 1. For example:
# role.map.admin.1=
# role.map.admin.2=
# role.map.admin.3=
#
# Example Mapping:
# role.map.admin=CN=PFAdminGroup,OU=People,DC=domain,DC=com
# role.map.cryptoManager=CN=PFCryptoGroup,OU=People,DC=domain,DC=com
# role.map.auditor=CN=PFAuditorGroup,OU=People,DC=domain,DC=com
# role.map.userAdmin=CN=PFUserAdminGroup,OU=People,DC=domain,DC=com
#
# Note: the auditor role overrides the privileges associated with assignment of
# any other role for the same user.
role.map.admin=CN=administrator,OU=groups,DC=wal-ping,DC=com
role.map.cryptoManager=CN=administrator,OU=groups,DC=wal-ping,DC=com
role.map.auditor=CN=manager,OU=groups,DC=wal-ping,DC=com
role.map.userAdmin=
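Added example, not from the PingFederate template or the poster's file: a Python resolver that applies the assignment rules documented in this file (user-based role.* and group-based role.map.* assignments merged, numeric suffixes for several groups per role, values compared exactly and case-sensitively, auditor superseding every other role). The group_values argument stands for whatever the chosen lookup returned, memberOf values under option A or group entries under option B. The sample properties, the DNs in them and the function names are constructed for this example, and the properties reader implements only the subset of java.util.Properties escaping needed here (no \uXXXX, no line continuations). Because role.search.attribute is <DN> in this file, PingFederate parses DNs on this path; the exact comparison below is the behaviour the file describes for non-DN attributes.

```python
import re

ROLES = ("admin", "cryptoManager", "auditor", "userAdmin")

# Constructed sample properties following this file's conventions: a
# comma-separated user list per role, one group value per line, a numeric
# suffix when several groups map to one role, and "\ " for a literal space.
SAMPLE_PROPERTIES = r"""
# constructed example, not a real deployment
role.admin=user1, user2
role.cryptoManager=user2
role.auditor=user3
role.userAdmin=user1
role.map.admin.1=CN=PFAdminGroup,OU=groups,DC=example,DC=com
role.map.admin.2=CN=PFOpsGroup,OU=groups,DC=example,DC=com
role.map.cryptoManager=CN=PFCryptoGroup,OU=groups,DC=example,DC=com
role.map.auditor=CN=PFAuditorGroup,OU=groups,DC=example,DC=com
role.map.userAdmin=CN=PF\ Helpdesk,OU=groups,DC=example,DC=com
"""


def _unescape(raw: str) -> str:
    """Undo Properties backslash escapes: \\t \\n \\r \\f, else the next char."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def load_properties(text: str) -> dict:
    """Minimal .properties reader: key=value lines, '#' or '!' comment lines.

    Whitespace before the value is dropped (as Properties does); trailing
    whitespace is kept, matching the note in the Role Mapping section.
    """
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = _unescape(value.lstrip())
    return props


def resolve_roles(props: dict, username: str, group_values: list) -> frozenset:
    """Effective PingFederate roles for one user.

    Merges user-based and group-based assignments; if auditor is among the
    result it supersedes every other role, as the notes in this file state.
    """
    roles = set()
    for role in ROLES:
        users = [u.strip() for u in props.get("role." + role, "").split(",")]
        if username in users:
            roles.add(role)
        # role.map.<role> and role.map.<role>.<N> all contribute group values.
        key_pattern = re.compile(r"^role\.map\.%s(\.\d+)?$" % re.escape(role))
        mapped = {v for k, v in props.items() if key_pattern.match(k) and v}
        # Exact, case-sensitive comparison; no trimming of the stored value.
        if mapped & set(group_values):
            roles.add(role)
    return frozenset({"auditor"}) if "auditor" in roles else frozenset(roles)


if __name__ == "__main__":
    props = load_properties(SAMPLE_PROPERTIES)
    print(sorted(resolve_roles(props, "user1", [])))
    print(sorted(resolve_roles(props, "user1",
                               ["CN=PFAuditorGroup,OU=groups,DC=example,DC=com"])))
```

The last call in the usage section shows the override that matters for review: a user who is directly assigned admin and userAdmin but also sits in the auditor group ends up with auditor only, so an unexpected group membership can silently strip an administrator down to read-only rather than add privileges.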