LDAP options:
This is the list of options for the Admin section; they can be set from the Admin tab, in the LDAP Configuration subsection.
These options are saved in the LDAP configuration file. The filename is derived from the name of the configuration → nameOfConfiguration.conf.
⚠️ Note: You can hold SHIFT while using the mouse wheel to scroll the table horizontally.
| Key | Required | Requirements | Conf File field | Description | Example value | Possible values | Default |
|---|---|---|---|---|---|---|---|
| LDAP(S) URL | yes | - | ldapUrl | Specifies URL of LDAP server. Instead of just one URL, you can also supply a space-separated list of URLs. In this case, the LDAP provider will attempt to use each URL in turn until it is able to create a successful connection. | ldaps://server.example.com:636 | String | - |
| Server Type | yes | - | ldapServerType | LDAP Server Type. Types are: Active Directory, Redhat IDM (FreeIPA), OpenLDAP, JumpCloud, Okta, Other. | RedHat IDM (FreeIPA) | String (From list, see desc.) | Other |
| Simple LDAP Mode | no | - | ldapSimpleMode | Whether Simple LDAP Mode should be used; otherwise Search+Bind mode is used. | - | Boolean | false |
| LDAP Prefix | yes (simple mode) | Simple LDAP Mode = true | ldapPrefix | LDAP Prefix used in Simple LDAP Mode | uid= | String | - |
| LDAP Suffix | yes (simple mode) | Simple LDAP Mode = true | ldapSuffix | LDAP Suffix used in Simple LDAP Mode | ,cn=users,cn=accounts,dc=lab,dc=heimdalldata,dc=com | String | - |
| LDAP Security Principal | yes | Simple LDAP Mode = false | ldapSecurityPrincipal | Specifies the name of the user (bind account) used to search for the authenticated user. | uid=admin,cn=users,cn=accounts,dc=lab,dc=heimdalldata,dc=com | String | - |
| Secret (LDAP Security Principal) | no | Simple LDAP Mode = false | ldapSecurityPrincipalUseSecret | Determines whether a secret will be used for the LDAP Security Principal. | - | Boolean | false |
| Secrets Manager (LDAP Security Principal) | no | Simple LDAP Mode = false AND Secret (LDAP Security Principal) = true | ldapSecurityPrincipalSecretsManagerConfigName | Specify the Secrets Manager Configuration that will be used for this secret. List values are secrets managers configured in heimdall. | - | String (From list) | - |
| LDAP Security Principal Secret Name | yes (secret) | Simple LDAP Mode = false | ldapSecurityPrincipalSecretName | Specify a Secret name | - | String | - |
| LDAP Search User Password | yes | Simple LDAP Mode = false AND Secret (LDAP Security Principal) = false | ldapSearchPassword | Specifies the password of the LDAP Security Principal user used to search for the authenticated user. | adminpassword123 | String | - |
| LDAP Sec. Security Principal | no | Simple LDAP Mode = false | ldapSecondarySecurityPrincipal | Specifies the name of the user used to search for the authenticated user in case the primary search with the LDAP Security Principal fails. | uid=second-admin,cn=users,cn=accounts,dc=lab,dc=heimdalldata,dc=com | String | - |
| Secret (LDAP Sec. Security Principal) | no | Simple LDAP Mode = false | ldapSecondarySecurityPrincipalUseSecret | Determines whether a secret will be used for the LDAP Sec. Security Principal. | - | String | - |
| Secrets Manager (LDAP Sec. Security Principal) | no | Simple LDAP Mode = false AND Secret (LDAP Sec.Security Principal) = true | ldapSecondarySecurityPrincipalSecretsManagerConfigName | Specify the Secrets Manager Configuration that will be used for this secret. | - | String | - |
| LDAP Sec. Security Principal Secret Name | yes (secret) | Simple LDAP Mode = false | ldapSecondarySecurityPrincipalSecretName | Specify a Secret name | - | String | - |
| LDAP Sec. Search User Password | no | Simple LDAP Mode = false | ldapSecondarySearchPassword | Specifies the password of the LDAP Sec. Security Principal. | secondadminpassword123 | String | - |
| LDAP Search Domain | yes | Simple LDAP Mode = false | ldapSearchDomain | Specifies the LDAP search domain, i.e. the domain in which the authenticated user's groups will be searched. | dc=lab,dc=heimdalldata,dc=com | String | - |
| LDAP User Search Base | yes | Simple LDAP Mode = false | ldapSearchBase | Specifies the LDAP user search base in which the authenticated user will be searched. | cn=users,cn=accounts,dc=lab,dc=heimdalldata,dc=com | String | - |
| LDAP Name Attribute | yes | Simple LDAP Mode = false | ldapSearchAttribute | Specifies the name attribute that identifies the authenticated user. | uid | String | - |
| LDAP Group Name Attribute | no | Simple LDAP Mode = false | ldapGroupSearchAttribute | Optional; specifies the group name attribute that is read when extracting the authenticated user's groups. If not provided, LDAP Name Attribute is used instead. | cn | String | - |
| LDAP Group Filter | no | Simple LDAP Mode = false | ldapGroupFilter | Optional; used when searching for the authenticated user's groups. Setting this option restricts the group search to the groups matching the filter. When it is set, at least one group must be found for the user to be authenticated. | (cn=*) | String | - |
| Use Raw Group Filter | - | Simple LDAP Mode = false | ldapUseRawGroupFilter | Uses the LDAP Group Filter value exactly as provided. No default group filters (e.g., objectCategory/objectClass), no security-group constraints (e.g., sAMAccountType), and no membership clauses (e.g., member/memberUid or nested membership) will be appended. You must provide a complete LDAP group filter, using the ${user} and ${dn} placeholders. | false | Boolean | false |
| Use nested groups filter | - | Simple LDAP Mode = false AND Server Type = Active Directory / Redhat IDM (FreeIPA) | ldapSearchNestedGroups | Specifies whether parent groups should be included when searching for the user's groups. | - | Boolean | false |
| Ignore LDAP cert | - | Simple LDAP Mode = false | ldapCaOverride | Controls whether TLS validation of the LDAP server certificate is skipped; when true, the server certificate is not validated. | - | Boolean | false |
| LDAP Healthcheck | no | Simple LDAP Mode = false | ldapHealthcheck | Performs LDAP Healthcheck automatically every minute. An appropriate alert will be shown if the server goes down (Similarly, once the server is back online). Moreover, the account expiration date of the LDAP Security Principal will be checked once every 24 hours. | - | Boolean | true |
| Cache groups' emails | no | Simple LDAP Mode = false | ldapGroupsEmailsCaching.cacheEnabled | Specifies whether emails for LDAP groups should be cached (applies only if LDAP configuration is linked to the portal configuration). | - | Boolean | true |
| Cache Time | - | Cache groups' emails | ldapGroupsEmailsCaching.cacheTime | Specifies the interval at which emails in the cache are refreshed. In the GUI you can select the unit; the value stored in the configuration is always in minutes. | - | Integer (minutes) | 60 (1h from GUI) |
| Management privileges | no | Simple LDAP Mode = false | ldapManagementPrivileges | Determines whether admin or read-only management privileges are granted to a user based on membership in a specific group. | - | Boolean | false |
| Admin privilege group | - | Simple LDAP Mode = false AND Management privileges = true | ldapAdminPrivilegeGroup | To be authorized to use the Management Privilege: Admin, the user must be a member of the selected group | - | String | - |
| Read Only privilege group | - | Simple LDAP Mode = false AND Management privileges = true | ldapReadOnlyPrivilegeGroup | To be authorized to use the Management Privilege: Read Only, the user must be a member of the selected group | - | String | - |
| ( enabled ) | - | - | enabled | Specifies whether this LDAP configuration is enabled. | - | Boolean | true |
| ( filename ) | - | - | file | The name of the file that holds the LDAP configuration. | - | String | - |
| Configuration Name | yes | - (In the GUI the field appears only after clicking the Rename button) | name | Specifies the name of the current configuration. The value of this field is shown just above and must be unique, so that configurations can be told apart; it is used for switching between multiple configurations. To rename it, click the button to the right of "Create New" and choose Rename. | HEIMDALL_LDAP_CONFIGURATION | String | - |
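The table mixes transport settings (LDAP(S) URL, Ignore LDAP cert), credential handling (LDAP Search User Password versus the Secrets Manager options) and the raw group filter with its ${user}/${dn} placeholders. The script below is an added example, not Heimdall's own code: it reads a configuration using the "Conf File field" names from the table and reports settings that weaken authentication, then shows the same configuration with each setting corrected. It assumes that nameOfConfiguration.conf is a flat key=value file (an assumption; the real on-disk format is not described on this page) and includes an RFC 4515 filter-value escaping helper to illustrate how a ${user} or ${dn} placeholder in a raw group filter must be substituted; whether Heimdall escapes these values itself is not stated on the page.

```python
"""Lint an LDAP configuration for the risky settings listed in the options table.

Added example, not Heimdall's own code. Assumes (assumption) that the .conf file
is a flat key=value file using the 'Conf File field' names from the table.
"""
from urllib.parse import urlsplit

# Constructed sample in the assumed key=value format, with several weak settings on purpose.
WEAK_CONF = """\
name=HEIMDALL_LDAP_CONFIGURATION
enabled=true
ldapUrl=ldap://server.example.com:389 ldaps://server2.example.com:636
ldapServerType=RedHat IDM (FreeIPA)
ldapSimpleMode=false
ldapSecurityPrincipal=uid=admin,cn=users,cn=accounts,dc=lab,dc=heimdalldata,dc=com
ldapSecurityPrincipalUseSecret=false
ldapSearchPassword=adminpassword123
ldapSearchDomain=dc=lab,dc=heimdalldata,dc=com
ldapSearchBase=cn=users,cn=accounts,dc=lab,dc=heimdalldata,dc=com
ldapSearchAttribute=uid
ldapUseRawGroupFilter=true
ldapGroupFilter=(&(objectClass=groupOfNames)(member=${dn})
ldapCaOverride=true
"""

# The same configuration with each weak setting corrected (constructed; the
# secrets-manager and secret names are placeholders).
HARDENED_CONF = """\
name=HEIMDALL_LDAP_CONFIGURATION
enabled=true
ldapUrl=ldaps://server.example.com:636 ldaps://server2.example.com:636
ldapServerType=RedHat IDM (FreeIPA)
ldapSimpleMode=false
ldapSecurityPrincipal=uid=admin,cn=users,cn=accounts,dc=lab,dc=heimdalldata,dc=com
ldapSecurityPrincipalUseSecret=true
ldapSecurityPrincipalSecretsManagerConfigName=EXAMPLE_SECRETS_MANAGER
ldapSecurityPrincipalSecretName=ldap-search-user
ldapSearchDomain=dc=lab,dc=heimdalldata,dc=com
ldapSearchBase=cn=users,cn=accounts,dc=lab,dc=heimdalldata,dc=com
ldapSearchAttribute=uid
ldapUseRawGroupFilter=true
ldapGroupFilter=(&(objectClass=groupOfNames)(member=${dn}))
ldapCaOverride=false
"""


def parse_conf(text):
    """Parse key=value lines; split only on the first '=' because DNs contain '=' too."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_true(conf, key):
    """Boolean options default to false when absent."""
    return conf.get(key, "false").lower() == "true"


def balanced_parens(text):
    """A complete LDAP filter must have balanced parentheses."""
    depth = 0
    for ch in text:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


def lint(conf):
    """Return (field, message) findings for settings that weaken LDAP authentication."""
    findings = []
    for url in conf.get("ldapUrl", "").split():  # the field may hold a space-separated list
        if urlsplit(url).scheme != "ldaps":
            findings.append(("ldapUrl", f"{url} is not ldaps://; the bind and search would travel unencrypted"))
    if is_true(conf, "ldapCaOverride"):
        findings.append(("ldapCaOverride", "server certificate is not validated; the connection can be intercepted"))
    if not is_true(conf, "ldapSimpleMode"):  # Search+Bind mode options
        if not is_true(conf, "ldapSecurityPrincipalUseSecret") and conf.get("ldapSearchPassword"):
            findings.append(("ldapSearchPassword", "search-user password stored in the conf file; use a Secrets Manager"))
        if is_true(conf, "ldapUseRawGroupFilter"):
            group_filter = conf.get("ldapGroupFilter", "")
            if "${user}" not in group_filter and "${dn}" not in group_filter:
                findings.append(("ldapGroupFilter", "raw filter lacks ${user}/${dn}; it cannot be tied to the authenticating user"))
            if not balanced_parens(group_filter):
                findings.append(("ldapGroupFilter", "raw filter has unbalanced parentheses"))
    return findings


# RFC 4515: backslash must be escaped first, then the other filter metacharacters.
_FILTER_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")]


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of an LDAP search filter."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def render_group_filter(template, user, dn):
    """Fill ${user}/${dn} with escaped values (illustrative substitution, not Heimdall's)."""
    return template.replace("${user}", escape_filter_value(user)).replace("${dn}", escape_filter_value(dn))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for field, message in lint(parse_conf(text)) or [("-", "no findings")]:
            print(f"{field}: {message}")
    print(render_group_filter("(member=${dn})", "alice", "uid=a*,dc=example"))
```

Running the script lists four findings for the weak configuration (plaintext ldap:// URL, certificate validation disabled, search-user password in the file, and an incomplete raw group filter) and none for the hardened one; the last line shows the `*` in the DN escaped as `\2a` before it lands in the filter.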