Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Consolidated Management 2/Network Node Manager i Setup Guide


10.7 ldap.properties configuration file reference

The ldap.properties file contains the settings for communicating with and building LDAP queries to a directory service. This file is located as follows:

In the ldap.properties file, the following conventions apply:

The following table describes the parameters in the ldap.properties file.

Table 10‒5: Parameters in the ldap.properties file (each parameter name is followed by its description)

java.naming.provider.url

Specifies the URL for accessing the directory service.

The format is the protocol (ldap), followed by the fully-qualified host name of the directory server, optionally followed by the port number.

Example:

java.naming.provider.url=ldap://ldap.example.com:389/

If the port number is omitted, the following default applies:

  • For non-SSL connections, the default port is 389.

  • For SSL connections, the default port is 636.

If you specify multiple directory service URLs, NNMi uses the first directory service when possible. If that directory service is not accessible, NNMi queries the next directory service in the list, and so forth. Delimit multiple URLs with a single space character.

Example:

java.naming.provider.url=ldap://ldap1.example.com/ ldap://ldap2.example.com/

(The two URLs are separated by a single-byte space.)

Configuring this parameter enables LDAP communication between NNMi and the directory service. To disable LDAP communication, comment out this parameter and then save the file. NNMi ignores the configuration in the ldap.properties file.

java.naming.security.protocol

Specifies the connection protocol specification.

  • If the directory service is configured to use LDAP over SSL, set this parameter to ssl.

    Example:

    java.naming.security.protocol=ssl

  • If the directory service does not require SSL, leave this parameter commented out.

For details, see 8.8 Configuring an SSL connection to the directory service.

bindDN

For a directory service (such as Active Directory) that does not permit anonymous access, this parameter specifies the user name for accessing the directory service. Because passwords are saved to the ldap.properties file in plain text, specify a user name that has only read-only access to the directory service.

Example:

bindDN=region1\\john.doe@example.com

bindCredential

When bindDN is set, this parameter specifies the password for the user name that bindDN identifies.

Example:

bindCredential=PasswordForJohnDoe

baseCtxDN

Specifies the portion of the directory service domain that stores user records. The format is a comma-separated list of directory service attribute names and values.

Example:

  • baseCtxDN=CN=Users,DC=ldapserver,DC=example,DC=com

  • baseCtxDN=ou=People,o=example.com

For details, see 10.4.4 User identification.

baseFilter

Specifies the format of user names for signing in to NNMi. The format is the name of the directory service user name attribute and a string that relates the entered user sign-in name to the format of names in the directory service. The user name string contains the expression {0} (to denote the user name entered for sign-in) and any other characters that are needed to match the directory service formatting of user names.

  • If the user name entered for NNMi sign-in is the same as the user name stored in the directory service, the value is the replacement expression.

    Example:

    - baseFilter=CN={0}

    - baseFilter=uid={0}

  • If the user name entered for NNMi sign-in is a subset of the user name stored in the directory service, include the additional characters in the value.

    Example:

    - baseFilter=CN={0}@example.com

    - baseFilter=uid={0}@example.com

For details, see 10.4.4 User identification.

defaultRole

(Optional) Specifies a default role that applies to any directory service user who signs in to NNMi through LDAP. The value of this parameter applies regardless of where user group mappings are stored (in the NNMi database or in the directory service).

If a user is directly configured for a predefined NNMi user group, NNMi grants the user the superset of privileges for the default role and the assigned user group.

Valid values are admin, level2, level1, and guest.

These names are the unique names of the predefined NNMi user groups. For details about the unique names of the predefined NNMi user groups, see Table 10-4 NNMi user group name mapping in 10.4.5 User group identification.

Example:

defaultRole=guest

If commented out or omitted, NNMi does not use a default value.

rolesCtxDN

Specifies the portion of the directory service domain that stores group records. The format is a comma-separated list of directory service attribute names and values.

Example:

  • rolesCtxDN=CN=Users,DC=ldapserver,DC=example,DC=com

  • rolesCtxDN=ou=Groups,o=example.com

In other directory services (not Active Directory), for a faster search, you can identify one or more directory service groups that contain NNMi user groups. If the group names form a pattern, you can specify a wildcard. For example, if the directory service includes groups named USERS-NNMi-administrators, USERS-NNMi-level1Operators, and so forth, you could use a search context similar to:

rolesCtxDN=cn=USERS-NNMi-*,ou=Groups,o=example.com

Configuring this parameter enables directory service queries for NNMi user group assignments through LDAP. To disable directory service queries for NNMi user group assignments through LDAP, comment out this parameter and then save the file. NNMi ignores the remaining user group-related values in the ldap.properties file.

For details, see 10.4.5 User group identification.

roleFilter

Specifies the format of group member names in the directory service group definitions. The format is the name of the directory service group attribute for user ID and a string that relates the entered user sign-in name to the format of user IDs in the directory service. The user name string contains one of the following expressions and any other characters that are needed to match the directory service formatting of group member names.

  • The expression {0} denotes the user name entered for sign-in (for example, john.doe). The following shows an example role filter that matches on the (short) user name entered for sign-in.

    Example:

    roleFilter=member={0}

  • The expression {1} denotes the distinguished name of the authenticated user as returned by the directory service (for example, CN=john.doe@example.com,OU=Users,OU=Accounts,DC=example,DC=com or uid=john.doe@example.com,ou=People,o=example.com).

    The following shows an example role filter that matches on the (full) authenticated user name.

    Example:

    roleFilter=member={1}

For details, see 10.4.5 User group identification.

uidAttributeID

Specifies the group attribute that stores the directory service user ID.

Example:

uidAttributeID=member

For details, see 10.4.5 User group identification.

userRoleFilterList

(Optional) Limits the NNMi user groups whose associated users can be assigned incidents in the NNMi console. The user groups in this list apply only to directory service user names authenticated through LDAP. This parameter provides functionality that is not available when NNMi user groups are assigned in the NNMi console and stored in the NNMi database.

The format is a semicolon-separated list of the unique names for one or more predefined NNMi user group names. For details about the unique names for predefined NNMi user groups, see Table 10-4 NNMi user group name mapping in 10.4.5 User group identification.

Example:

userRoleFilterList=admin;level2;level1

searchTimeLimit

(Optional) Specifies the time limit, in milliseconds, for directory service searches. The default value is 10000 (10 seconds). If you are encountering timeouts during NNMi user sign-in, increase this value.

Example:

searchTimeLimit=10000

Legend:

[Figure]: Single-byte space

Note: The initial ldap.properties file might not include all parameters that are listed in this table. Add the parameters you need.
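The following Python script is an added example, not part of this guide or of NNMi: it reads a constructed ldap.properties file built from the parameters in Table 10‒5, splits the space-delimited URL list and applies the 389/636 default ports, expands the {0} and {1} expressions of baseFilter and roleFilter, and reports settings a reviewer would flag before deployment. NNMi's own handling of these files is not described here; the RFC 4515 escaping of the sign-in name is an assumption added as a defensive measure, and the "operator" group name is deliberately invalid to exercise the checks.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not shipped with NNMi); keys and values follow Table 10-5.
SAMPLE = """\
java.naming.provider.url=ldap://ldap1.example.com/ ldap://ldap2.example.com:3389/
#java.naming.security.protocol=ssl
bindCredential=PasswordForJohnDoe
baseCtxDN=CN=Users,DC=ldapserver,DC=example,DC=com
baseFilter=CN={0}@example.com
defaultRole=guest
rolesCtxDN=CN=Users,DC=ldapserver,DC=example,DC=com
roleFilter=member={1}
userRoleFilterList=admin;level2;operator
searchTimeLimit=10000
"""
VALID_ROLES = {"admin", "level2", "level1", "guest"}  # unique names from Table 10-4

def parse_properties(text):
    """Minimal key=value reader: '#'/'!' lines are comments; Java escapes are left as-is."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg
def provider_urls(cfg):
    """Split the space-delimited URL list; default port is 389, or 636 when protocol is ssl."""
    default = 636 if cfg.get("java.naming.security.protocol") == "ssl" else 389
    parts = [urlsplit(u) for u in cfg.get("java.naming.provider.url", "").split(" ") if u]
    return [(p.hostname, p.port or default) for p in parts]
def escape_filter_value(value):
    """RFC 4515 escaping (assumed, not documented for NNMi): a sign-in name cannot alter filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)
def build_filter(template, login, user_dn=""):
    """Expand {0} (name entered at sign-in) and {1} (authenticated user's DN) as baseFilter/roleFilter describe."""
    expanded = template.replace("{0}", escape_filter_value(login)).replace("{1}", escape_filter_value(user_dn))
    return expanded if expanded.startswith("(") else "(" + expanded + ")"
def lint(cfg):
    """Pre-deployment checks drawn from the parameter descriptions in Table 10-5."""
    findings = []
    if "bindCredential" in cfg and cfg.get("java.naming.security.protocol") != "ssl":
        findings.append("bindCredential is set but java.naming.security.protocol is not ssl: bind password crosses the network in clear text")
    if "defaultRole" in cfg and cfg["defaultRole"] not in VALID_ROLES:
        findings.append("defaultRole %r is not one of admin, level2, level1, guest" % cfg["defaultRole"])
    for role in cfg.get("userRoleFilterList", "").split(";"):
        if role and role not in VALID_ROLES:
            findings.append("userRoleFilterList entry %r is not a predefined NNMi user group" % role)
    return findings
```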

Organization of this section