// Configuration for a REST-to-LDAP gateway: "authorization" says how an HTTP
// caller is authenticated against the directory, "mappings" says how each
// REST resource is projected onto LDAP entries and attributes.
// Restored to one entry per line so that the "//" line comments end where the
// author intended instead of swallowing the tokens that follow them.
{
  "authorization": {
    // The authorization policies to use. Supported policies are "anonymous", "basic" and "oauth2".
    // As configured only "basic" is enabled, so the "anonymous" section below is
    // inactive until it is added to this list.
    "policies": [ "basic" ],

    // Perform all operations using a pre-authorization connection.
    "anonymous": {
      // Specify the connection factory to use to perform LDAP operations.
      // If missing, "root" factory will be used.
      "ldapConnectionFactory": "root",
      // Enable proxied authorization using the specified user DN.
      // If empty, anonymous proxied authorization will be used.
      // If missing, connection from the ldapConnectionFactory will be used as-is.
      "userDN": ""
    },

    // Use HTTP Basic authentication's information to bind to the LDAP server.
    "basic": {
      // Indicates whether the filter should allow alternative authentication
      // and, if so, which HTTP headers it should obtain the username and
      // password from.
      // NOTE(review): with this enabled a password is accepted from a plain
      // request header on every request. The HTTP listener should be TLS-only
      // and intermediaries must not be able to inject these headers; set this
      // to false unless clients actually rely on the X-OpenIDM-* headers.
      "supportAltAuthentication" : true,
      "altAuthenticationUsernameHeader" : "X-OpenIDM-Username",
      "altAuthenticationPasswordHeader" : "X-OpenIDM-Password",

      // Define which LDAP bind mechanism to use
      // Supported mechanisms are "simple", "sasl-plain", "search"
      // Only the selected mechanism's section is used; the other two sections
      // below are kept for reference but are inactive as configured.
      "bind": "search",

      // Bind to the LDAP server using the DN built from the HTTP Basic's username
      "simple": {
        // Connection factory used to perform the bind operation.
        // If missing, "bind" factory will be used.
        "ldapConnectionFactory": "bind",
        // The Bind DN Template containing a single %s which will be replaced by the authenticating
        // user's name. (i.e: uid=%s,ou=People,dc=example,dc=com)
        // If missing, "%s" is used.
        // NOTE(review): unlike the "search" mechanism, nothing here states that the
        // username is DN-escaped before substitution -- confirm that it is before
        // switching "bind" to "simple".
        "bindDNTemplate": "uid=%s,ou=People,dc=example,dc=com"
      },

      // Bind to the LDAP server using a SASL Plain request
      "sasl-plain": {
        // Connection factory used to perform the bind operation.
        // If missing, "bind" factory will be used.
        "ldapConnectionFactory": "bind",
        // Authentication identity template containing a single %s which will be replaced by the authenticating
        // user's name. (i.e: u:%s)
        "authcIdTemplate": "u:%s"
      },

      // Bind to the LDAP server using the resulting DN of a search request.
      // The search runs over the "root" factory; the entry it finds is then
      // bound with the caller's password over the "bind" factory.
      "search": {
        // Connection factory used to perform the search operation.
        // If missing, "root" factory will be used.
        "searchLDAPConnectionFactory": "root",
        // Connection factory used to perform the bind operation.
        // If missing, "bind" factory will be used.
        "bindLDAPConnectionFactory": "bind",
        // The %s filter format parameters will be substituted with the client-provided username,
        // using LDAP filter string character escaping.
        // NOTE(review): the RDN here is "ou=people" while the simple bindDNTemplate
        // above uses "ou=People"; harmless if the ou matching rule is case-insensitive,
        // otherwise align the two.
        "baseDN" : "ou=people,dc=example,dc=com",
        "scope" : "sub", // Or "one".
        // Only entries that are inetOrgPerson and carry the given uid can authenticate.
        "filterTemplate" : "(&(uid=%s)(objectClass=inetOrgPerson))"
      }
      // TODO: support for HTTP sessions?
    }
  },

  // The REST APIs and their LDAP attribute mappings.
  "mappings" : {
    // Person entries under ou=people, exposed with SCIM core 1.0 attribute names.
    "/users" : {
      "baseDN" : "ou=people,dc=example,dc=com",
      // "controls" presumably asks the server to return the updated entry via
      // read-entry controls -- confirm against the gateway documentation.
      "readOnUpdatePolicy" : "controls",
      "useSubtreeDelete" : false,
      "usePermissiveModify" : true,
      // Attribute backing the "_rev" resource version (see "_rev" below).
      "etagAttribute" : "etag",
      // Entry DN is formed from the client-supplied uid.
      "namingStrategy" : {
        "strategy" : "clientDNNaming",
        "dnAttribute" : "uid"
      },
      // Object classes added to every entry created through this resource.
      "additionalLDAPAttributes" : [
        {
          "type" : "objectClass",
          "values" : [ "top", "person", "organizationalPerson", "inetOrgPerson" ]
        }
      ],
      "attributes" : {
        "schemas" : { "constant" : [ "urn:scim:schemas:core:1.0" ] },
        // uid is fixed at creation time; it is also the naming attribute above.
        "_id" : {
          "simple" : {
            "ldapAttribute" : "uid",
            "isSingleValued" : true,
            "isRequired" : true,
            "writability" : "createOnly"
          }
        },
        "_rev" : {
          "simple" : {
            "ldapAttribute" : "etag",
            "isSingleValued" : true,
            "writability" : "readOnly"
          }
        },
        // userName is the mail attribute and cannot be changed through the REST API;
        // contactInformation.emailAddress below exposes the same attribute writable.
        "userName" : {
          "simple" : {
            "ldapAttribute" : "mail",
            "isSingleValued" : true,
            "writability" : "readOnly"
          }
        },
        "displayName" : {
          "simple" : {
            "ldapAttribute" : "cn",
            "isSingleValued" : true,
            "isRequired" : true
          }
        },
        "name" : {
          "object" : {
            "givenName" : {
              "simple" : {
                "ldapAttribute" : "givenName",
                "isSingleValued" : true
              }
            },
            "familyName" : {
              "simple" : {
                "ldapAttribute" : "sn",
                "isSingleValued" : true,
                "isRequired" : true
              }
            }
          }
        },
        // manager is a DN-valued reference resolved to a small sub-resource
        // (the manager's uid and cn) under the same people base.
        "manager" : {
          "reference" : {
            "ldapAttribute" : "manager",
            "baseDN" : "ou=people,dc=example,dc=com",
            "primaryKey" : "uid",
            "mapper" : {
              "object" : {
                "_id" : {
                  "simple" : {
                    "ldapAttribute" : "uid",
                    "isSingleValued" : true,
                    "isRequired" : true
                  }
                },
                "displayName" : {
                  "simple" : {
                    "ldapAttribute" : "cn",
                    "isSingleValued" : true,
                    "writability" : "readOnlyDiscardWrites"
                  }
                }
              }
            }
          }
        },
        // Group membership is read from isMemberOf and cannot be edited here;
        // membership changes go through the "/groups" resource's "members".
        "groups" : {
          "reference" : {
            "ldapAttribute" : "isMemberOf",
            "baseDN" : "ou=groups,dc=example,dc=com",
            "writability" : "readOnly",
            "primaryKey" : "cn",
            "mapper" : {
              "object" : {
                "_id" : {
                  "simple" : {
                    "ldapAttribute" : "cn",
                    "isSingleValued" : true
                  }
                }
              }
            }
          }
        },
        "contactInformation" : {
          "object" : {
            "telephoneNumber" : {
              "simple" : {
                "ldapAttribute" : "telephoneNumber",
                "isSingleValued" : true
              }
            },
            "emailAddress" : {
              "simple" : {
                "ldapAttribute" : "mail",
                "isSingleValued" : true
              }
            }
          }
        },
        // Server-maintained operational timestamps, exposed read-only.
        "meta" : {
          "object" : {
            "created" : {
              "simple" : {
                "ldapAttribute" : "createTimestamp",
                "isSingleValued" : true,
                "writability" : "readOnly"
              }
            },
            "lastModified" : {
              "simple" : {
                "ldapAttribute" : "modifyTimestamp",
                "isSingleValued" : true,
                "writability" : "readOnly"
              }
            }
          }
        }
      }
    },

    // groupOfUniqueNames entries under ou=groups, named by cn.
    "/groups" : {
      "baseDN" : "ou=groups,dc=example,dc=com",
      "readOnUpdatePolicy" : "controls",
      "useSubtreeDelete" : false,
      "usePermissiveModify" : true,
      "etagAttribute" : "etag",
      "namingStrategy" : {
        "strategy" : "clientDNNaming",
        "dnAttribute" : "cn"
      },
      "additionalLDAPAttributes" : [
        {
          "type" : "objectClass",
          "values" : [ "top", "groupOfUniqueNames" ]
        }
      ],
      "attributes" : {
        "schemas" : { "constant" : [ "urn:scim:schemas:core:1.0" ] },
        "_id" : {
          "simple" : {
            "ldapAttribute" : "cn",
            "isSingleValued" : true,
            "isRequired" : true,
            "writability" : "createOnly"
          }
        },
        "_rev" : {
          "simple" : {
            "ldapAttribute" : "etag",
            "isSingleValued" : true,
            "writability" : "readOnly"
          }
        },
        "displayName" : {
          "simple" : {
            "ldapAttribute" : "cn",
            "isSingleValued" : true,
            "isRequired" : true,
            "writability" : "readOnly"
          }
        },
        // members are uniqueMember DNs resolved anywhere under dc=example,dc=com.
        // No "writability" is set, so this is the writable side of group
        // membership; presumably the directory's own access control still
        // governs who may modify it -- verify.
        "members" : {
          "reference" : {
            "ldapAttribute" : "uniqueMember",
            "baseDN" : "dc=example,dc=com",
            "primaryKey" : "uid",
            "mapper" : {
              "object" : {
                "_id" : {
                  "simple" : {
                    "ldapAttribute" : "uid",
                    "isSingleValued" : true,
                    "isRequired" : true
                  }
                },
                "displayName" : {
                  "simple" : {
                    "ldapAttribute" : "cn",
                    "isSingleValued" : true,
                    "writability" : "readOnlyDiscardWrites"
                  }
                }
              }
            }
          }
        },
        "meta" : {
          "object" : {
            "created" : {
              "simple" : {
                "ldapAttribute" : "createTimestamp",
                "isSingleValued" : true,
                "writability" : "readOnly"
              }
            },
            "lastModified" : {
              "simple" : {
                "ldapAttribute" : "modifyTimestamp",
                "isSingleValued" : true,
                "writability" : "readOnly"
              }
            }
          }
        }
      }
    }
  }
}