10.7 ldap.properties configuration file reference
The ldap.properties file contains the settings for communicating with a directory service and for building the LDAP queries sent to it. The file is located as follows:
- Windows: %NNM_SHARED_CONF%\ldap.properties
- UNIX: $NNM_SHARED_CONF/ldap.properties
In the ldap.properties file, the following conventions apply:
- To comment out a line, begin the line with a hash mark (#).
- The following rules apply to special characters:
  - To specify a backslash (\), comma (,), semicolon (;), plus sign (+), less-than sign (<), or greater-than sign (>), escape the character with a backslash (example: \\ or \+).
  - To include a single-byte space as the first or last character in a string, escape the space with a backslash (\).
  - To include a hash mark (#) as the first character in a string, escape the hash mark with a backslash (\).
Note: After editing the ldap.properties file, force NNMi to re-read the LDAP configuration by executing the following command:
nnmldap.ovpl -reload
The following table describes the parameters in the ldap.properties file.
Parameter | Description
---|---
java.naming.provider.url | Specifies the URL for accessing the directory service. The format is the protocol (ldap), followed by the fully qualified host name of the directory server, optionally followed by the port number. Example: java.naming.provider.url=ldap://ldap.example.com:389/ If the port number is omitted, the following default applies: If you specify multiple directory service URLs, NNMi uses the first directory service when possible. If that directory service is not accessible, NNMi queries the next directory service in the list, and so forth. Delimit multiple URLs with a single space character. Example: java.naming.provider.url=ldap://ldap1.example.com/ ldap://ldap2.example.com/ Configuring this parameter enables LDAP communication between NNMi and the directory service. To disable LDAP communication, comment out this parameter and then save the file; NNMi then ignores the configuration in the ldap.properties file.
java.naming.security.protocol | Specifies the connection protocol. For details, see 8.8 Configuring an SSL connection to the directory service.
bindDN | For a directory service (such as Active Directory) that does not permit anonymous access, specifies the user name for accessing the directory service. Because the password is saved in the ldap.properties file in plain text, specify a directory service user name that has read-only access. Example: bindDN=region1\\john.doe@example.com
bindCredential | When bindDN is set, specifies the password for the user name that bindDN identifies. Example: bindCredential=PasswordForJohnDoe
baseCtxDN | Specifies the portion of the directory service domain that stores user records. The format is a comma-separated list of directory service attribute names and values. Example: For details, see 10.4.4 User identification.
baseFilter | Specifies the format of user names for signing in to NNMi. The format is the name of the directory service user name attribute and a string that relates the entered sign-in name to the format of names in the directory service. The user name string contains the expression {0} (which denotes the user name entered at sign-in) and any other characters needed to match the directory service's formatting of user names. For details, see 10.4.4 User identification.
defaultRole | (Optional) Specifies a default role that applies to any directory service user who signs in to NNMi through LDAP. The value of this parameter applies regardless of where user group mappings are stored (in the NNMi database or in the directory service). If a user is also directly configured for a predefined NNMi user group, NNMi grants the user the superset of the privileges of the default role and of the assigned user group. Valid values are admin, level2, level1, and guest. These are the unique names of the predefined NNMi user groups. For details about the unique names of the predefined NNMi user groups, see Table 10-4 NNMi user group name mapping in 10.4.5 User group identification. If commented out or omitted, NNMi does not use a default value.
rolesCtxDN | Specifies the portion of the directory service domain that stores group records. The format is a comma-separated list of directory service attribute names and values. Example: In other directory services (not Active Directory), for a faster search, you can identify one or more directory service groups that contain NNMi user groups. If the group names form a pattern, you can specify a wildcard. For example, if the directory service includes groups named USERS-NNMi-administrators, USERS-NNMi-level1Operators, and so forth, you could use a search context similar to: rolesCtxDN=cn=USERS-NNMi-*,ou=Groups,o=example.com Configuring this parameter enables directory service queries for NNMi user group assignments through LDAP. To disable directory service queries for NNMi user group assignments through LDAP, comment out this parameter and then save the file; NNMi then ignores the remaining user group-related values in the ldap.properties file. For details, see 10.4.5 User group identification.
roleFilter | Specifies the format of group member names in the directory service group definitions. The format is the name of the directory service group attribute for user ID and a string that relates the entered sign-in name to the format of user IDs in the directory service. The user name string contains one of the following expressions and any other characters needed to match the directory service's formatting of group member names. For details, see 10.4.5 User group identification.
uidAttributeID | Specifies the group attribute that stores the directory service user ID. Example: uidAttributeID=member For details, see 10.4.5 User group identification.
userRoleFilterList | (Optional) Limits the NNMi user groups whose associated users can be assigned incidents in the NNMi console. The user groups in this list apply only to directory service user names authenticated through LDAP. This parameter provides functionality that is not available when NNMi user groups are assigned in the NNMi console and stored in the NNMi database. The format is a semicolon-separated list of the unique names of one or more predefined NNMi user groups. For details about the unique names of the predefined NNMi user groups, see Table 10-4 NNMi user group name mapping in 10.4.5 User group identification.
searchTimeLimit | (Optional) Specifies the timeout value in milliseconds. The default value is 10000 (10 seconds). If you encounter timeouts during NNMi user sign-in, increase this value.
Note: The initial ldap.properties file might not include all parameters that are listed in this table. Add the parameters you need.
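The conventions above and the parameter table together describe a small file format. The following Python is an added example, not NNMi's own code, that parses such a file under those conventions (hash-mark comments, the documented backslash escapes), flags the settings a reviewer would question (a bind password with no SSL connection, an unknown defaultRole or userRoleFilterList entry, a non-numeric searchTimeLimit) and substitutes a sign-in name into baseFilter. Both sample files, the host names and the passwords are constructed; java.naming.security.protocol=ssl is assumed to be the value the SSL section calls for; and the RFC 4515 escaping of the sign-in name is this example's own hardening step and says nothing about how NNMi itself handles {0}.

```python
import re

# Constructed sample (not a real deployment): SSL in use, every value a placeholder.
HARDENED_LDAP_PROPERTIES = r"""
# LDAP settings for NNMi (constructed example)
java.naming.provider.url=ldaps://ldap1.example.com:636/ ldaps://ldap2.example.com/
java.naming.security.protocol=ssl
bindDN=region1\\john.doe@example.com
bindCredential=PasswordForJohnDoe
baseCtxDN=ou=People,o=example.com
baseFilter=uid={0}
defaultRole=guest
rolesCtxDN=cn=USERS-NNMi-*,ou=Groups,o=example.com
uidAttributeID=member
userRoleFilterList=admin;level1
searchTimeLimit=10000
"""

# The same file with the weak settings a checker should catch (also constructed).
WEAK_LDAP_PROPERTIES = r"""
java.naming.provider.url=ldap://ldap1.example.com/
bindDN=region1\\john.doe@example.com
bindCredential=PasswordForJohnDoe
baseCtxDN=ou=People,o=example.com
baseFilter=uid={0}
defaultRole=superuser
searchTimeLimit=ten
"""

VALID_ROLES = {"admin", "level2", "level1", "guest"}  # predefined NNMi user groups
_ESCAPABLE = set("\\,;+<> #")  # characters the page says a backslash may escape


def unescape(value: str) -> str:
    """Resolve the backslash escapes documented for ldap.properties values."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _ESCAPABLE:
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_ldap_properties(text: str) -> dict:
    """Return {parameter: value}; blank lines and '#' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a key=value line
        # Trim surrounding whitespace but keep a trailing space written as "\ ".
        value = re.sub(r"(?<!\\)[ \t]+$", "", value.lstrip())
        props[key.strip()] = unescape(value)
    return props


def check_ldap_properties(props: dict) -> list:
    """Configuration checks a reviewer would run before enabling LDAP sign-in."""
    findings = []
    urls = props.get("java.naming.provider.url", "").split()
    if not urls:
        findings.append("ERROR: java.naming.provider.url is missing or commented out, so LDAP is disabled")
    for url in urls:
        if not re.fullmatch(r"ldaps?://[^\s/]+(:\d+)?/?", url):
            findings.append(f"ERROR: malformed directory service URL {url!r}")
    if "bindCredential" in props:
        findings.append("WARN: bindCredential is stored in plain text; restrict file permissions and use a read-only bind account")
        # Assumed: "ssl" is the java.naming.security.protocol value the SSL section configures.
        if props.get("java.naming.security.protocol", "").lower() != "ssl" and any(u.startswith("ldap://") for u in urls):
            findings.append("WARN: bind credential would be sent over an unencrypted ldap:// connection")
    role = props.get("defaultRole")
    if role is not None and role not in VALID_ROLES:
        findings.append(f"ERROR: defaultRole {role!r} is not one of {sorted(VALID_ROLES)}")
    if "userRoleFilterList" in props:
        unknown = [g for g in props["userRoleFilterList"].split(";") if g not in VALID_ROLES]
        if unknown:
            findings.append(f"ERROR: userRoleFilterList names unknown user groups {unknown}")
    if "searchTimeLimit" in props and not props["searchTimeLimit"].isdigit():
        findings.append("ERROR: searchTimeLimit must be a whole number of milliseconds")
    return findings


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a sign-in name cannot change the structure of the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_filter(props: dict, login_name: str) -> str:
    """Substitute the escaped sign-in name for {0} in baseFilter (example's own step)."""
    return props["baseFilter"].replace("{0}", escape_filter_value(login_name))
```

Running check_ldap_properties over the parsed hardened sample returns only the plain-text-password warning, which cannot be removed by configuration; the weak sample additionally produces the unencrypted-connection warning and the defaultRole and searchTimeLimit errors. The parser keeps a trailing space only when it is written as "\ ", which is why it does not simply strip() the value.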