Appendix J. Advanced LDAP Configuration

Table of Contents

J.1. LDAP Server Default Configuration
J.1.1. OpenLDAP
J.1.2. Apple Open Directory
J.1.3. Novell eDirectory Defaults
J.1.4. Microsoft Active Directory Defaults

SavaPage supports the following LDAP server types out-of-the-box:

- OpenLDAP
- Apple Open Directory
- Novell eDirectory
- Microsoft Active Directory

The basic configuration options for these types are discussed in Section 4.10.1.2, “LDAP”. Other server/schema types can be supported by defining the fields to query and the LDAP searches to perform; these options are set by editing entries in the Config Editor of the Admin Web App. The following configuration properties are available:

Configuration property               Description
ldap.schema.user-name-field          The LDAP field that contains the user's username.
ldap.schema.user-full-name-field     The LDAP field that contains the user's full name.
ldap.schema.user-email-field         The LDAP field that contains the user's email address.
ldap.schema.user-department-field    The LDAP field that contains the user's department.
ldap.schema.user-office-field        The LDAP field that contains the user's office location.
ldap.schema.user-name-search         The LDAP search to retrieve the user. The {0} in the
                                     search is replaced with * when listing all users, and
                                     with [username] when searching for a specific user.
                                     If no search is defined, the default is
                                     ([userNameField]={0}).
                                     IMPORTANT: The search must include the {0} value.
ldap.schema.group-name-field         The LDAP field that contains the group's name.
ldap.schema.group-full-name-field    The LDAP field that contains the group's full name.
ldap.schema.group-member-field       The LDAP field that contains the group members.
ldap.schema.group-search             The LDAP search to retrieve the group. The {0} in the
                                     search is replaced with * for all group searches.
                                     If no search is defined, the default is
                                     ([groupMemberField]={0}), i.e. every entry that has
                                     at least one member.
                                     IMPORTANT: The search must include the {0} value.
ldap.schema.posix-groups             If Y, the group member field contains the user's
                                     username. If N, it contains the user's DN.

Table J.1. LDAP Configuration Properties


J.1. LDAP Server Default Configuration

When a particular LDAP server type is selected (e.g. Novell eDirectory), SavaPage uses the following defaults to query the LDAP server. These defaults can be used as a starting point for customizing the LDAP searches or for supporting other server types.

J.1.1. OpenLDAP

If the LDAP server is configured to support OpenLDAP based authentication then this schema type can be used. The following defaults are used.

Configuration property               Default value
ldap.schema.user-name-field          uid
ldap.schema.user-full-name-field     cn
ldap.schema.user-email-field         mail
ldap.schema.user-department-field    departmentNumber
ldap.schema.user-office-field        (not set)
ldap.schema.user-name-search         (uid={0})
ldap.schema.group-name-field         cn
ldap.schema.group-full-name-field    displayName
ldap.schema.group-member-field       member
ldap.schema.group-search             (&(cn={0})(objectClass=groupOfNames))
ldap.schema.posix-groups             N

Table J.2. OpenLDAP Default Settings


J.1.2. Apple Open Directory

If the LDAP server is configured to support Apple Open Directory based authentication then this schema type can be used. The following defaults are used.

Configuration property               Default value
ldap.schema.user-name-field          uid
ldap.schema.user-full-name-field     cn
ldap.schema.user-email-field         mail
ldap.schema.user-department-field    departmentNumber
ldap.schema.user-office-field        (not set)
ldap.schema.user-name-search         (uid={0})
ldap.schema.group-name-field         cn
ldap.schema.group-full-name-field    displayName
ldap.schema.group-member-field       memberUid
ldap.schema.group-search             (memberUid={0})
ldap.schema.posix-groups             Y

Table J.3. Apple Open Directory Default Settings


J.1.3. Novell eDirectory Defaults

If the LDAP server is a Novell eDirectory then the following defaults are used[42].

Configuration property               Default value
ldap.schema.user-name-field          cn
ldap.schema.user-full-name-field     fullName
ldap.schema.user-email-field         mail
ldap.schema.user-department-field    OU
ldap.schema.user-office-field        l
ldap.schema.user-name-search         (&(cn={0})(objectClass=person))
ldap.schema.group-name-field         cn
ldap.schema.group-full-name-field    fullName
ldap.schema.group-member-field       member
ldap.schema.group-search             (&(member={0})(objectClass=groupOfNames))
ldap.schema.posix-groups             N

Table J.4. Novell eDirectory Default Settings


J.1.4. Microsoft Active Directory Defaults

If the LDAP server is a Microsoft Active Directory then the following defaults are used[43].

Configuration property               Default value
ldap.schema.user-name-field          sAMAccountName
ldap.schema.user-full-name-field     displayName
ldap.schema.user-email-field         mail
ldap.schema.user-department-field    department
ldap.schema.user-office-field        physicalDeliveryOfficeName
ldap.schema.user-name-search         (&(sAMAccountName={0})(objectCategory=person)(objectClass=user)(sAMAccountType=805306368){1})
                                     The extra {1} in the search is replaced with an
                                     optional filter to fetch enabled users only (see
                                     ldap.allow-disabled-users).
ldap.schema.group-name-field         sAMAccountName
ldap.schema.group-full-name-field    displayName
ldap.schema.group-member-field       member
ldap.schema.group-search             (&(sAMAccountName={0})(objectCategory=group))
ldap.schema.posix-groups             N

Table J.5. Microsoft Active Directory Default Settings


Configuration property               Default value / Description
ldap.disabled-users.allow            N
                                     If Y, disabled users are accepted in user name
                                     searches. If N, they are ignored.
ldap.schema.dn-field                 distinguishedName
                                     The LDAP field that contains the Distinguished
                                     Name (DN).
ldap.schema.user-name-group-search   (&(memberOf={0})(objectCategory=person)(objectClass=user)(sAMAccountType=805306368){1})
                                     The LDAP search to retrieve the users of a group.
                                     The {0} in the search is replaced with the DN of
                                     the user.
                                     The {1} in the search is replaced with an optional
                                     filter to fetch enabled users only (see
                                     ldap.allow-disabled-users).
                                     IMPORTANT: The search must include both the {0}
                                     and the {1} value.
ldap.schema.nested-group-search      (&(memberOf={0})(objectCategory=group))
                                     The LDAP search to retrieve the nested groups of a
                                     group.
                                     The {0} in the search is replaced with the DN of
                                     the group.
                                     IMPORTANT: The search must include the {0} value.

Table J.6. Microsoft Active Directory Custom Settings


Important

Active Directory field names must be in the Ldap-Display-Name format. For example, if you want to use the Employee-Number field, then the field name entered should be employeeNumber as shown on the Employee-Number attribute page https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-employeenumber.
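The following Python is an added example, not SavaPage code, showing how the search templates of Table J.1 expand: {0} becomes * for a listing or the username, and, for the Active Directory templates of Tables J.5 and J.6, {1} becomes an enabled-users-only filter unless disabled users are allowed. The page does not state which enabled-only filter SavaPage uses, so the userAccountControl bitwise test below, the RFC 4515 escaping of the username, and all function names are assumptions of this example.

```python
from typing import Optional

# Defaults copied from Tables J.2 and J.5 (the "ldap.schema." prefix dropped).
OPENLDAP = {
    "user-name-field": "uid", "user-name-search": "(uid={0})",
    "group-member-field": "member",
    "group-search": "(&(cn={0})(objectClass=groupOfNames))",
    "posix-groups": "N",
}
ACTIVE_DIRECTORY = {
    "user-name-field": "sAMAccountName",
    "user-name-search": "(&(sAMAccountName={0})(objectCategory=person)"
                        "(objectClass=user)(sAMAccountType=805306368){1})",
    "group-member-field": "member",
    "group-search": "(&(sAMAccountName={0})(objectCategory=group))",
    "posix-groups": "N",
}
# Assumption: the page does not give SavaPage's enabled-only filter; this is
# the standard AD bitwise test for the ACCOUNTDISABLE bit of userAccountControl.
ENABLED_ONLY = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_user_search(cfg: dict, username: Optional[str] = None,
                      allow_disabled: bool = False) -> str:
    """{0} becomes * for a full listing or the escaped username; {1} becomes
    the enabled-only filter unless disabled users are allowed (Table J.6)."""
    template = cfg.get("user-name-search") or "(%s={0})" % cfg["user-name-field"]
    if "{0}" not in template:
        raise ValueError("user-name-search must include {0}")
    who = "*" if username is None else escape_filter_value(username)
    enabled = "" if allow_disabled else ENABLED_ONLY
    return template.replace("{0}", who).replace("{1}", enabled)


def build_group_search(cfg: dict) -> str:
    """{0} is always * for group searches; the default lists entries with a member."""
    template = cfg.get("group-search") or "(%s={0})" % cfg["group-member-field"]
    if "{0}" not in template:
        raise ValueError("group-search must include {0}")
    return template.replace("{0}", "*")


def member_matches(cfg: dict, member_value: str, username: str, user_dn: str) -> bool:
    """posix-groups=Y: the member field holds usernames; N: it holds the user's DN."""
    if cfg["posix-groups"].upper() == "Y":
        return member_value == username
    return member_value.lower() == user_dn.lower()
```

Without the escaping step a username such as `*)(uid=*` would widen the OpenLDAP search to every user, which is why the replacement of {0} must never be a raw string copy.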



[42] The list of standard Novell eDirectory user fields can be found on NDK: Novell eDirectory Schema Reference.

[43] The list of standard Active Directory user fields can be found on the Microsoft Active Directory Schema website.