If you have determined that the Active Directory authentication manager plug-in meets your ABL application's requirements, configure the required and optional plug-in properties in the oeablSecurity.properties file for your web application as explained in this topic.

Required properties

ad.ldap.url

The fully-qualified URL of the LDAP connection to the Active Directory host using the following syntax:

{ldap|ldaps}://host-name[:port]

Use the ldaps URL scheme if your organization requires the Active Directory connection to use a secure TLS connection. (Use ldap only if the Active Directory host does not support TLS connections; over plain ldap, the bind credentials cross the network unencrypted.)

To facilitate fail-over high availability, you may specify multiple LDAP URLs as space-delimited values in a single string.

ad.ldap.rootdn

The rootDN of the Active Directory service that contains the user accounts and group information that will be used for authentication.

ad.user.domain

The userPrincipalName domain value that is automatically appended to the client's login user ID if the client does not supply a domain.

For example, if the client supplies the user ID jsmith and this property is set to acme.com, @acme.com is appended and jsmith@acme.com becomes the userPrincipalName.

The default value is "", the blank domain. If you specify this property with an empty value, no userPrincipalName domain is appended to the input user ID, and the client must supply a fully-qualified user ID, for example jsmith@acme.com.

Optional properties

ad.AuthoritiesMapper.prefix

The prefix that is used to distinguish a Spring role name from a user account name when validating URL access to an application resource.

The ROLE_ prefix is used to remove ambiguity between a user ID name and a role name. (It is a Spring Security default convention, but its use is not a requirement.)

ad.AuthoritiesMapper.convertToUpperCase

Property that forces Active Directory group object names to be converted to uppercase when Spring Security derives a role name from them.

Note that the uppercase conversion of the LDAP group attribute name is a default convention and is not a requirement.

Example

The following shows an example of the configuration of the Active Directory authentication manager plug-in:

http.all.authmanager=ad
ad.user.domain=acme.com
ad.ldap.url=ldap://vm-pasoeldap:389
ad.ldap.rootdn=dc=anytown,dc=acme,dc=com

The properties in this example configuration have the following meanings:

http.all.authmanager

Selects the Active Directory authentication manager plug-in, ad.

ad.user.domain

Specifies the userPrincipalName domain, acme.com, that is automatically appended to the client-supplied user ID if the client does not provide a domain.

ad.ldap.url

Specifies the fully-qualified URL of the LDAP connection to the Active Directory host, including the port number: ldap://vm-pasoeldap:389

ad.ldap.rootdn

Specifies the rootDN of the Active Directory service where user account information is defined: dc=anytown,dc=acme,dc=com.

The effect of this example configuration is to search the Active Directory service for the client-supplied user ID, starting at the specified rootDN, dc=anytown,dc=acme,dc=com. If the client does not provide a domain specification, then acme.com is appended.
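As an added example (not Progress's or Spring Security's code), the following Python parses a properties fragment like the one above, checks the ad.* properties this topic describes, flags plaintext ldap:// URLs, and applies the ad.user.domain append rule; the second fail-over host vm-pasoeldap2 is a constructed value.

```python
import re

# Added example, not Progress's own code: validates the ad.* properties
# described on this page and applies the ad.user.domain append rule.
REQUIRED = ("ad.ldap.url", "ad.ldap.rootdn", "ad.user.domain")
URL_RE = re.compile(r"^(ldap|ldaps)://([^:/\s]+)(?::(\d+))?$")

def parse_properties(text):
    """Parse key=value lines of a properties fragment; skip blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ad_config(props):
    """Return findings (strings) about the AD plug-in configuration; [] means clean."""
    findings = []
    if props.get("http.all.authmanager") != "ad":
        findings.append("http.all.authmanager is not 'ad': the AD plug-in is not selected")
    for key in REQUIRED:
        if key not in props:
            findings.append(f"missing required property {key}")
    # ad.ldap.url may hold several space-delimited URLs for fail-over.
    for url in props.get("ad.ldap.url", "").split():
        m = URL_RE.match(url)
        if not m:
            findings.append(f"malformed LDAP URL {url!r}")
        elif m.group(1) == "ldap":
            findings.append(f"{url} uses plaintext ldap://; prefer ldaps:// (TLS)")
    return findings

def effective_login(user_id, props):
    """Append '@<ad.user.domain>' only if the client gave no domain and the
    property has a non-empty value; otherwise the user ID is used as given."""
    domain = props.get("ad.user.domain", "")
    if "@" in user_id or not domain:
        return user_id
    return f"{user_id}@{domain}"

# Constructed sample: the page's example plus a hypothetical ldaps fail-over host.
SAMPLE = """http.all.authmanager=ad
ad.user.domain=acme.com
ad.ldap.url=ldap://vm-pasoeldap:389 ldaps://vm-pasoeldap2:636
ad.ldap.rootdn=dc=anytown,dc=acme,dc=com
"""
```

Running check_ad_config(parse_properties(SAMPLE)) reports only the plaintext ldap:// URL, and effective_login("jsmith", ...) yields jsmith@acme.com.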