Json2Ldap 2.3
Lightweight JSON-RPC 2.0 web service providing access to LDAP v3 compatible directory servers.
Copyright (c) Vladimir Dzhuvinov, 2009-2012

Context parameters

json2ldap.clients.requireAuthentication
  Value: false
  Set to "true" to require all Json2Ldap clients to authenticate to the directories at connection time through one of the available bind mechanisms (simple, plain SASL, etc.); any request for an anonymous rebind thereafter will be refused. If the initial bind request fails, the LDAP connection will be closed immediately. Set to "false" to allow the relay of anonymous and unauthenticated LDAP requests to the directory servers.
  You can use this setting to block the relay of anonymous LDAP requests to the directory servers. It also guards against denial-of-service (DoS) attacks by malicious unauthenticated clients which may otherwise saturate the LDAP servers with too many open anonymous connections.

json2ldap.clients.requireSecureAccess
  Value: false
  Set to "true" to require HTTP secure (HTTPS) for all client connections to Json2Ldap. Requests received via plain HTTP will be refused. Set to "false" to allow unsecured client connections to Json2Ldap.
  The purpose of enforcing HTTPS access is to guard against eavesdropping on sensitive data exchanged between Json2Ldap and its web clients.

json2ldap.clients.denyWriteRequests
  Value: false
  Set to "true" to refuse all requests for LDAP write operations such as add, delete and modify. Set to "false" to allow write requests to be relayed to the LDAP servers.
  You can disable write access if the Json2Ldap clients are not expected to modify data on the directory servers.

json2ldap.clients.denyReadRequests
  Value: false
  Set to "true" to refuse all requests for LDAP read operations such as get entry, compare and search. Set to "false" to allow read requests to be relayed to the LDAP servers.
  You may disable read access in special cases when the Json2Ldap clients will be using the directories for authentication only (via a bind operation).

json2ldap.clients.denyBindRequests
  Value: false
  Set to "true" to refuse all requests for LDAP bind (authentication) to the directory servers. Set to "false" to allow bind requests to be relayed to the LDAP servers.
  You can disable LDAP bind request relay if the Json2Ldap clients will be using the directories for retrieval of public information only and you also want to guard against potential password guessing attacks.

json2ldap.clients.denyPasswordModifyRequests
  Value: false
  Set to "true" to refuse all "ldap.ext.passwordModify" requests for the Password Modify extended operation (RFC 3062). Set to "false" to allow Password Modify requests to be relayed to the LDAP servers.
  You may choose to block "Password Modify" requests to prevent Json2Ldap clients from changing their directory passwords. Note that clients might still be able to alter their password with a regular LDAP modify request; see json2ldap.clients.denyWriteRequests for refusing LDAP write operations.

json2ldap.clients.denyWhoAmIRequests
  Value: false
  Set to "true" to refuse all "ldap.ext.whoAmI" requests for the "Who am I?" extended operation (RFC 4532). Set to "false" to allow "Who am I?" requests to be relayed to the LDAP servers.

json2ldap.clients.connectionQuotaPerIP
  Value: 10
  Specifies the maximum number of LDAP connections originating from a single client IP address. Further connection requests from the same IP address will be denied until an existing connection is closed or expires. Set to 0 to lift this restriction.
  You can use this setting as a protection against denial-of-service (DoS) attacks by malicious clients which may otherwise saturate the LDAP servers with too many open connections.

json2ldap.clients.connectionQuotaPerUser
  Value: 10
  Specifies the maximum number of LDAP connections per authenticated user identity (user DN). Further connection requests will be denied until an existing connection is closed or expires. Set to 0 to lift this restriction.
  You can use this setting as a protection against denial-of-service (DoS) attacks by malicious clients which may otherwise saturate the LDAP servers with too many open connections.

json2ldap.clients.maxIdleTime
  Value: 15
  Specifies the maximum idle time in minutes for LDAP connections. Connections that remain unused for longer will be automatically closed. Note that the LDAP server may enforce a shorter idle time, causing an inactive connection to be closed before that. Recommended value: 15 minutes.

json2ldap.clients.maxConnectionTime
  Value: 600
  Specifies the maximum LDAP connection time in minutes. Connections that exceed this time limit will be automatically closed. Note that the LDAP server may enforce a shorter connection time, causing a connection to be closed before that. Recommended value: 600 minutes (10 hours).

json2ldap.clients.responseContentType
  Value: text/plain;charset=utf-8
  Sets the value of the HTTP "Content-Type" header for the JSON-RPC 2.0 responses. The character set option must be explicitly set to UTF-8. Set to "text/plain;charset=utf-8" if you intend to support browser CORS requests, else set to "application/json;charset=utf-8".

json2ldap.clients.reportRequestProcTime
  Value: false
  Set to "true" to enable reporting of request processing time by appending a non-standard "xProcTime" attribute to the JSON-RPC 2.0 responses. Intended for debugging and testing purposes. Disabled by default to prevent parse exceptions in clients which don't allow unexpected JSON attributes in the JSON-RPC 2.0 response messages.

json2ldap.ldap.allowedServers
  Value: *
  List of the LDAP servers that Json2Ldap will allow connecting to, specified as whitespace separated LDAP URLs containing a hostname/IP address and an optional port number. If the port number is left out, a default value will be assumed, typically 389 for plain and TLS connections (ldap://) or 636 for SSL connections (ldaps://). Connect requests to servers not contained in this list will be refused. Set to "*" (asterisk, without the quotes) to allow connect requests to any LDAP server.
  Example: List 3 LDAP servers by name or IP address, the last one specifying a non-default port number:
    ldap://directory.mydomain.com ldap://192.168.0.1 ldap://ds.mydomain.com:1389
  The purpose of this whitelist is to prevent clients from establishing connections to arbitrary LDAP servers.

json2ldap.ldap.requireSecureAccess
  Value: false
  Set to "true" to require all connections from Json2Ldap to the LDAP servers to be secured by means of TLS/SSL. Requests for unencrypted LDAP connections will be refused. Set to "false" to allow unencrypted connections from Json2Ldap to the LDAP servers.
  Enable this setting to guard against eavesdropping on sensitive data exchanged between Json2Ldap and the LDAP servers.

json2ldap.ldap.autoReconnect
  Value: true
  Set to "true" to attempt to automatically reconnect to the LDAP server if the connection is lost. This feature is only available for authenticated connections that support re-binding on a new connection. Set to "false" to disable automatic reconnecting.

json2ldap.defaultConnection.enable
  Value: true
  Set to "true" to enable clients to connect to a default LDAP server (by making an "ldap.connect" request with the "host" parameter omitted). Otherwise set to "false". If you set this to "true" you must also specify the connection details for the default LDAP server (see below).

json2ldap.defaultConnection.server
  Value: ldap://localhost:10389
  The LDAP server for default "ldap.connect" requests. The value must be an LDAP URL specifying the server hostname/IP address and port number. Valid ports are integers from 1 to 65535; if omitted, a default value is taken, typically port 389 for plain and TLS connections or port 636 for SSL connections.
  Example: ldap://ds.mydomain.com:10389

json2ldap.defaultConnection.timeout
  Value: 0
  The timeout in milliseconds for default "ldap.connect" requests. Set to 0 to let the underlying LDAP client library and operating system determine the connection request timeouts.

json2ldap.defaultConnection.security
  Value: none
  The transport security for default "ldap.connect" requests. Accepted values are "none", "SSL" and "StartTLS". Set to "none" to establish a plain unsecured connection. Set to "SSL" to establish a secure connection over SSL. Set to "StartTLS" to establish a secure connection using the StartTLS protocol (recommended method).

json2ldap.defaultConnection.trustSelfSignedCerts
  Value: false
  Set to "true" to trust self-signed certificates presented by the default LDAP server (applies to default connections with security set to "SSL" or "StartTLS"). Normally, only certificates signed by a trusted certificate authority (CA) should be accepted; self-signed certificates should be rejected.

json2ldap.ldap.customTrustStore.enable
  Value: false
  Set to "true" to use your custom trust store file for determining the acceptable security certificates presented by remote LDAP servers. Set to "false" to use the default trust store of the web server / host system (if one has been provided and correctly configured). If you set this to "true" you must also specify a trust store file, type and password (see the corresponding parameters below).

json2ldap.ldap.customTrustStore.file
  Value: WEB-INF/truststore.jks
  The location of the custom trust store file.

json2ldap.ldap.customTrustStore.type
  Value: JKS
  The type of the trust store file, typically "JKS" or "PKCS12". Set to an empty string to assume the system default type.

json2ldap.ldap.customTrustStore.password
  Value: secret
  The password required to unlock the trust store file. Set to an empty string if none is required.

json2ldap.ldap.customKeyStore.enable
  Value: false
  Set to "true" to use your custom key store file for client security certificates to be presented to remote LDAP servers requiring such authentication. Set to "false" to use the default key store of the web server / host system (if one has been provided and correctly configured). If you set this to "true" you must also specify a key store file, type and password (see the corresponding parameters below).

json2ldap.ldap.customKeyStore.file
  Value: WEB-INF/keystore.jks
  The location of the custom key store file.

json2ldap.ldap.customKeyStore.type
  Value: JKS
  The type of the key store file, typically "JKS" or "PKCS12". Set to an empty string to assume the system default type.

json2ldap.ldap.customKeyStore.password
  Value: secret
  The password required to unlock the key store file. Set to an empty string if none is required.

json2ldap.x.srp6.enable
  Value: true
  Set to true to enable SRP-6a authentication for default LDAP connections. Set to false to disable SRP-6a authentication. Default value: false

json2ldap.x.srp6.dn
  Value: uid=alice,ou=people,dc=wonderland,dc=net
  The distinguished name (DN) under which the SRP extension will operate. It must be granted the following directory privileges:
    1. Read and modify access to the directory attribute holding the SRP-6a user credentials;
    2. Perform proxied authentication for all SRP-6a users by means of a plain SASL bind operation.

json2ldap.x.srp6.password
  Value: secret
  The password for the distinguished name (DN) under which the SRP extension will operate.

json2ldap.x.srp6.attribute
  Value: srp6Verifier
  The directory attribute for storing the SRP-6a user credentials: the salt 's' and the password verifier 'v'. The credentials will be stored in the following format:
    salt-hex-string;verifier-hex-string
  Default value: srp6Verifier

json2ldap.x.srp6.primeSize
  Value: 256
  The preferred bit size of the prime number used for the modulus 'N' parameter. Json2Ldap supports a set of precomputed safe primes with 256, 512, 768 and 1024 bits. Default value: 256

json2ldap.x.srp6.saltSize
  Value: 16
  The preferred byte size of the salt 's'. Default value: 16

json2ldap.x.srp6.hashAlgorithm
  Value: SHA-1
  The preferred hash algorithm. Must be supported by the underlying Java runtime. Standard algorithms: MD5, SHA-1, SHA-256, SHA-384, SHA-512. Default value: SHA-1

json2ldap.x.srp6.timeout
  Value: 300
  The SRP-6a authentication session timeout in seconds. If an authenticating client fails to respond within the specified time, the session must be closed by Json2Ldap. Default value: 300 seconds (5 minutes)

inMemoryDirectoryServer.enable
  Value: true
  Set to true to enable a simple in-memory directory server for Json2Ldap demonstration and testing purposes. Access is limited to read and bind (authenticate) only. Set to false to disable the in-memory directory server. The default value is false.

inMemoryDirectoryServer.port
  Value: 10389
  The port number on which the in-memory directory server accepts LDAP client connections. SSL and StartTLS connections are not supported at present. Set to zero to let the server automatically select an available port, which will be recorded in the Json2Ldap log. The default port number is 10389. Note that the server may require a special OS permission to use a privileged port number below 1024.

inMemoryDirectoryServer.schema
  Value: WEB-INF/schema.ldif
  Specifies an alternative schema for the in-memory directory server. The alternative schema must be supplied in a single LDIF file. Its location must be an absolute path or relative to the web application home directory. If undefined, the default built-in server schema will be used.

inMemoryDirectoryServer.baseDN
  Value: dc=wonderland,dc=net
  The base distinguished name (DN) of the directory information tree. It must match the top level entry of the content LDIF (if supplied).

inMemoryDirectoryServer.content
  Value: WEB-INF/demo.ldif
  Reads entries from the specified LDIF file to populate the directory. The location of the file must be an absolute path or relative to the web application home directory. If undefined, the directory will be left empty.

json2ldap.log4j.configurationFile
  Value: WEB-INF/log4j.properties
  The location of the Log4j properties file, as an absolute path or relative to the web application home directory. If no file location is specified, logging is disabled. Json2Ldap comes with a default Log4j properties file "WEB-INF/log4j.properties".

Servlet

Json2LdapServlet
  Class: com.nimbusds.json2ldap.Json2LdapServlet
  URL pattern: /
  The entry point for JSON-RPC 2.0 requests to the Json2Ldap web service.

Filter

CORS
  Class: com.thetransactioncompany.cors.CORSFilter
  Provides transparent Cross-Origin Resource Sharing (CORS) for supporting web browsers. See http://software.dzhuvinov.com/cors-filter.html

  cors.allowGenericHttpRequests
    Value: true
    Set to "true" to allow generic HTTP requests, else only valid and accepted CORS requests will be allowed (strict CORS filtering). Recommended value: "true"

  cors.allowOrigin
    Value: *
    Lists the allowed CORS origins. They must be specified as whitespace-separated URLs. Requests from origins not included here will be refused with an HTTP 403 "Forbidden" response. If set to "*" all origins will be allowed.

  cors.supportedMethods
    Value: GET, POST
    Lists the supported HTTP methods. Requests for methods not included here will be refused by the CORS filter with an HTTP 405 "Method not allowed" response. Json2Ldap supports HTTP GET and POST only. Do not change this parameter.

  cors.supportedHeaders
    Value: Content-Type
    Lists the supported non-simple (according to the CORS standard) header names. Applications that wish to specify an "application/json" request content type should be allowed to do so. Recommended value: "Content-Type"

  cors.exposedHeaders
    Value: X-Web-Service
    Lists the non-simple headers (according to the CORS standard) that the web client (browser) should expose. Json2Ldap sets a custom "X-Web-Service" header to identify itself. Do not change this parameter.

  cors.supportsCredentials
    Value: false
    Indicates whether user credentials, such as cookies, HTTP authentication or client-side certificates, are supported. Json2Ldap doesn't support such user credentials. Do not change this parameter.

  cors.maxAge
    Value: 86400
    Indicates how long the results of a CORS preflight request can be cached by the web client, in seconds. Set to -1 to leave it unspecified. Recommended value: 1 day (86400 seconds).

Filter mapping: CORS -> Json2LdapServlet

Listeners
  com.nimbusds.json2ldap.LoggingConfigurator
  com.nimbusds.json2ldap.InMemoryDS
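Several of the values above ship in their most permissive form (anonymous relay allowed, plain HTTP and plain LDAP accepted, "*" for both the LDAP server whitelist and the CORS origins). The following script is an added example, not part of Json2Ldap: it parses the context-params of a web.xml and flags the settings this descriptor documents as protections when they are left open. The sample descriptor fragment is constructed, and which values count as acceptable is the example's own assumption.

```python
"""Audit the context-params of a Json2Ldap web.xml against the hardened values
this descriptor describes. Added example, not Json2Ldap's own code."""
import xml.etree.ElementTree as ET

# Constructed sample carrying the values the shipped descriptor sets by default.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<context-param><param-name>json2ldap.clients.requireAuthentication</param-name><param-value>false</param-value></context-param>
<context-param><param-name>json2ldap.clients.requireSecureAccess</param-name><param-value>false</param-value></context-param>
<context-param><param-name>json2ldap.ldap.requireSecureAccess</param-name><param-value>false</param-value></context-param>
<context-param><param-name>json2ldap.ldap.allowedServers</param-name><param-value>*</param-value></context-param>
<context-param><param-name>json2ldap.defaultConnection.trustSelfSignedCerts</param-name><param-value>false</param-value></context-param>
<context-param><param-name>json2ldap.clients.connectionQuotaPerIP</param-name><param-value>10</param-value></context-param>
<context-param><param-name>cors.allowOrigin</param-name><param-value>*</param-value></context-param>
</web-app>"""

# (parameter, predicate that is True when the value is acceptable, risk when it is not)
CHECKS = [
    ("json2ldap.clients.requireAuthentication", lambda v: v == "true",
     "anonymous LDAP requests are relayed and unauthenticated clients can hold connections"),
    ("json2ldap.clients.requireSecureAccess", lambda v: v == "true",
     "plain HTTP is accepted, exposing credentials and directory data to eavesdropping"),
    ("json2ldap.ldap.requireSecureAccess", lambda v: v == "true",
     "unencrypted LDAP connections to the directory servers are allowed"),
    ("json2ldap.ldap.allowedServers", lambda v: v.strip() != "*",
     "clients may ask Json2Ldap to connect to arbitrary LDAP servers"),
    ("json2ldap.defaultConnection.trustSelfSignedCerts", lambda v: v == "false",
     "self-signed certificates are trusted on the default connection"),
    ("json2ldap.clients.connectionQuotaPerIP", lambda v: v.isdigit() and int(v) > 0,
     "no per-IP connection quota, so one client can exhaust LDAP connections"),
    ("cors.allowOrigin", lambda v: v.strip() != "*",
     "any web origin may call the service from a browser"),
]

def parse_context_params(xml_text):
    """Return {param-name: param-value}; {*} (Python 3.8+) matches any XML namespace."""
    root = ET.fromstring(xml_text)
    return {cp.findtext("{*}param-name", "").strip(): cp.findtext("{*}param-value", "").strip()
            for cp in root.findall(".//{*}context-param")}

def audit(xml_text):
    """Return [(parameter, current value, risk)] for each failing check; absent params are checked as ''."""
    params = parse_context_params(xml_text)
    return [(name, params.get(name, "<not set>"), risk)
            for name, ok, risk in CHECKS if not ok(params.get(name, ""))]

if __name__ == "__main__":
    for name, value, risk in audit(SAMPLE_WEB_XML):
        print(f"{name} = {value}: {risk}")
```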