External authentication configuration property reference

Edge for Private Cloud v. 4.17.01

The following table compares the management-server.properties attributes required for direct and indirect binding for external authentication.

In the following table, values are provided in between " ". When editing the management-server.properties file, include the value between the quotes (" ") but do not include the actual quotes.

| Property | DIRECT bind | INDIRECT bind |
|---|---|---|
| conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl | This property is always required to enable the external authorization feature. Do not change it. | Same as DIRECT bind. |
| conf_security_externalized.authentication.bind.direct.type= | Set to "true". | Set to "false". |
| conf_security_externalized.authentication.direct.bind.user.directDN= | If the username is an email address, set to "${userDN}". If the username is an ID, set to "CN=${userDN},CN=Users,DC=apigee,DC=com", replacing CN=Users,DC=apigee,DC=com with the appropriate values for your external LDAP. | Not required; comment out. |
| conf_security_externalized.authentication.indirect.bind.server.admin.dn= | Not required; comment out. | Set to the username/email address of a user with search privileges on the external LDAP. |
| conf_security_externalized.authentication.indirect.bind.server.admin.password= | Not required; comment out. | Set to the password for the above user. |
| conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted= | Not required; comment out. | Set to "false" if using a plain-text password (NOT RECOMMENDED). Set to "true" if using an encrypted password (RECOMMENDED), as described in Indirect binding only: Encrypting the external LDAP user's password. |
| conf_security_externalized.authentication.server.url= | Set to "ldap://localhost:389", replacing "localhost" with the IP address or domain of your external LDAP instance. | Same as DIRECT bind. |
| conf_security_externalized.authentication.server.version= | Set to your external LDAP server version, e.g. "3". | Same as DIRECT bind. |
| conf_security_externalized.authentication.server.conn.timeout= | Set to a connection timeout, in milliseconds, appropriate for your external LDAP. | Same as DIRECT bind. |
| conf_security_externalized.authentication.user.store.baseDN= | Set to the baseDN that matches your external LDAP service; your external LDAP administrator provides this value. For example, at Apigee we might use "DC=apigee,DC=com". | Same as DIRECT bind. |
| conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId})) | Do not change this search string; it is used internally. | Same as DIRECT bind. |
| conf_security_externalized.authentication.user.store.user.attribute= | Identifies the external LDAP attribute to bind against. Set it to whichever attribute holds the username in the format your users use to log in to Apigee Edge. For example: if users log in with an email address stored in "userPrincipalName", set this to "userPrincipalName"; if users log in with an ID stored in "sAMAccountName", set this to "sAMAccountName". | Same as DIRECT bind. |
| conf_security_externalized.authentication.user.store.user.email.attribute= | The LDAP attribute where the user's email address is stored. This is typically "userPrincipalName", but set it to whichever attribute in your external LDAP contains the email address that is provisioned into Apigee's internal authorization LDAP. | Same as DIRECT bind. |
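As an added example (not Apigee's own code), the following Python script parses a management-server.properties fragment and checks that the direct/indirect bind settings above are consistent with each other, flagging a plain-text search-account password in particular. The sample properties text, the DNs and the hostname in it are constructed for illustration, and the lint rules encode only what the table states.

```python
# Added example (not Apigee's code): lint the bind settings from the table above.
PREFIX = "conf_security_externalized.authentication."

def parse_properties(text):
    """Parse key=value lines; commented-out (#) lines count as unset."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def lint_external_auth(props):
    """Return a list of findings; an empty list means the bind mode is consistent."""
    get = lambda k: props.get(PREFIX + k)
    findings = []
    if get("implementation.class") != "com.apigee.rbac.impl.LdapAuthenticatorImpl":
        findings.append("implementation.class must be com.apigee.rbac.impl.LdapAuthenticatorImpl")
    mode = get("bind.direct.type")
    if mode == "true":  # direct bind: the user's own DN is bound, no search account needed
        if not get("direct.bind.user.directDN"):
            findings.append("direct bind: direct.bind.user.directDN is required")
        for k in ("indirect.bind.server.admin.dn", "indirect.bind.server.admin.password",
                  "indirect.bind.server.admin.password.encrypted"):
            if get(k) is not None:
                findings.append(f"direct bind: {k} should be commented out")
    elif mode == "false":  # indirect bind: a search account binds first, so protect its password
        if get("direct.bind.user.directDN") is not None:
            findings.append("indirect bind: direct.bind.user.directDN should be commented out")
        if not get("indirect.bind.server.admin.dn") or not get("indirect.bind.server.admin.password"):
            findings.append("indirect bind: admin.dn and admin.password are required")
        if get("indirect.bind.server.admin.password.encrypted") != "true":
            findings.append("indirect bind: plain-text admin password (set password.encrypted=true)")
    else:
        findings.append('bind.direct.type must be "true" or "false"')
    return findings

# Constructed sample: indirect bind with a plain-text password and a leftover direct DN.
SAMPLE = """\
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl
conf_security_externalized.authentication.bind.direct.type=false
conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}
conf_security_externalized.authentication.indirect.bind.server.admin.dn=CN=svc-ldap,CN=Users,DC=example,DC=com
conf_security_externalized.authentication.indirect.bind.server.admin.password=hunter2
conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=false
"""

if __name__ == "__main__":
    for finding in lint_external_auth(parse_properties(SAMPLE)):
        print("WARN:", finding)
```

Run against the sample it reports two findings: the leftover directDN and the unencrypted search-account password.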