Setup items in the exauth.properties file for LDAP authentication

Ops Center Automator Installation and Configuration Guide

Version: 11.0.x
Audience: anonymous
Part Number: MK-99AUT000-24

In the exauth.properties file, set the type of the external authentication server to be used, the server identification name, and the machine information about the external authentication server.

  • Common properties

    See "Setup items in the exauth.properties file for LDAP authentication (common items)"

  • Properties for an external authentication server and an external authorization server

    Setup items in the exauth.properties file vary depending on whether information about the LDAP directory server being connected to is directly specified or looked up by using the DNS server.

    • When directly specifying information about the LDAP directory server:

      See "Setup items in the exauth.properties file for LDAP authentication (when directly specifying information about the external authentication server)" or "Setup items in the exauth.properties file for LDAP authentication (when an external authentication server and StartTLS are used for communication)"

    • When using the DNS server to look up information about the LDAP directory server:

      See "Setup items in the exauth.properties file for LDAP authentication (when using the DNS server to look up information about the external authentication server)"

Note:
  • Make sure to distinguish between uppercase and lowercase letters for property settings.
  • To use StartTLS for communication between the management server and the LDAP directory server, you must directly specify information about the LDAP directory server to connect to in the exauth.properties file.
  • If you use the DNS server to look up the LDAP directory server to connect to, it might take longer for users to log in.
  • If the LDAP directory server to which you want to connect is in a multidomain configuration, you will not be able to look up the LDAP directory server by using the DNS server.
Table. Setup items in the exauth.properties file for LDAP authentication (common items)
Property Details
auth.server.type

Specify an external authentication server type. Specify ldap.

Default value: internal (used when not linking to an external authentication server)

auth.server.name

Specify the server identification names of LDAP directory servers. You can specify any name for this property; it identifies which LDAP directory server the connection settings, such as the port number and the protocol, apply to (see "Setup items in the exauth.properties file for LDAP authentication (when directly specifying information about the external authentication server)" or "Setup items in the exauth.properties file for LDAP authentication (when using the DNS server to look up information about the external authentication server)").

ServerName has been set as the initial value. You must specify at least one name. To specify multiple server identification names, delimit the server identification names by using commas (,). Do not register the same server identification name more than once.

Specifiable values: No more than 64 bytes of the following characters:

A to Z

a to z

0 to 9

! # ( ) + - . = @ [ ] ^ _ { } ~

Default value: none

auth.ldap.multi_domain

When specifying multiple server identification names for LDAP directory servers, specify, for each server, the configuration to be used.

Specify true to use a multi-domain configuration.

Specify false to use a redundant configuration.

Default value: false

auth.group.mapping

Specify whether to also link to an external authorization server.

Specify true to link to an external authorization server.

Specify false not to link to an external authorization server.

Default value: false

Table. Setup items in the exauth.properties file for LDAP authentication (when directly specifying information about the external authentication server)
Attributes Details
protocol

Specify the protocol for connecting to the LDAP directory server.

This attribute is required.

When communicating in plain text format, specify ldap. When using StartTLS communication, specify tls. For StartTLS, TLS 1.2 and TLS 1.3 are supported.

Before specifying tls, make sure that one of the following cipher suites can be used on the LDAP directory server:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256

You can specify ldap or tls.

Default value: none

When communicating by using StartTLS as the protocol for connecting to the LDAP directory server, you must specify the security settings of Common Component.

host

Specify the host name or IP address of the LDAP directory server. If you specify the host name, make sure that the host name can be resolved to an IP address. If you specify the IP address, you can use either an IPv4 or IPv6 address. When specifying an IPv6 address, enclose it in square brackets ([]).

This attribute is required.

Default value: none

When using StartTLS as the protocol for connecting to the LDAP directory server, in the host attribute specify the same host name as the value of CN in the LDAP directory server certificate. You cannot use an IP address.

port

Specify the port number of the LDAP directory server. Make sure that the port you specify is set as the listen port number on the LDAP directory server.

Specifiable values: 1 to 65535

Default value: 389

timeout

Specify the amount of time to wait before timing out when connecting to the LDAP directory server. If you specify 0, the system waits until a communication error occurs without timing out.

Specifiable values: 0 to 120 (seconds)

Default value: 15

attr

Specify the attribute (Attribute Type) to use as the user ID during authentication.
  • For the hierarchical structure model

    Specify the name of the attribute containing the unique value to be used for identifying the user. The value stored in this attribute will be used as the user ID for Common Component products.

    The specified attribute must not include characters that cannot be used in a user ID of the Common Component product.

    For example, if you are using Active Directory and you want to use the Windows logon ID for the user ID of a Common Component product, specify the attribute name sAMAccountName in which the Windows logon ID has been defined.

  • For the flat model

    Specify the RDN attribute name of the user entry.

    For example, if the user's DN is uid=John,ou=People,dc=example,dc=com, specify uid, which is the attribute name in uid=John.

sAMAccountName has been set as the initial value. This attribute is required.

Default value: none

basedn

Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information on the LDAP directory server. The user entries that are located in the hierarchy after this DN will be verified during authentication. If characters that must be escaped are included in the specified BaseDN, escape all of those characters correctly because the specified value will be passed to the LDAP directory server without change.

  • For the hierarchical structure model

    Specify the DN of the hierarchy that includes all of the user entries to be searched.

  • For the flat model

    Specify the DN of the hierarchy just before the user entries to be searched.

This attribute is required. Specify the DN by following the rules defined in RFC4514. For example, if any of the following characters are included in a DN, you must use a backslash (\) to escape each character.

Spaces # + ; , < = > \

Default value: none

retry.interval

Specify the interval (in seconds) between a failed connection to the LDAP directory server and the next try.

Specifiable values: 1 to 60 (seconds)

Default value: 1

retry.time

Specify the number of times to try to connect to the LDAP directory server. If you specify 0, no further tries occur.

Specifiable values: 0 to 50

Default value: 20

domain.name

Specify the name of a domain for external authentication servers managed by the LDAP directory server. This item is required when an external authorization server is also linked to.

Default value: none

domain

Specify the name of a domain for multi-domain configurations managed by the LDAP directory server.

If you log in by using a user ID that includes the domain name specified in this attribute, the LDAP directory server that belongs to the specified domain will be used as the authentication server.

When specifying a domain name for the server identification name of each LDAP directory server, do not specify the same domain name more than once. This value is not case sensitive.

This item is required when a multi-domain configuration is used.

Default value: none

dns_lookup

Specify false.

Default value: false

Note: To specify the attributes, use the following syntax, where auth.server.name-property-value is one of the server identification names specified for auth.server.name:
auth.ldap.auth.server.name-property-value.attribute=value
For example, if auth.server.name is ServerName, specify the protocol attribute as auth.ldap.ServerName.protocol=tls.
Table. Setup items in the exauth.properties file for LDAP authentication (when an external authentication server and StartTLS are used for communication)
Property Details
auth.ocsp.enable

Specify whether to verify the validity of an LDAP directory server's electronic signature certificate by using an OCSP responder when the LDAP directory server and StartTLS are used for communication.

To verify the validity of certificates, specify true. To not verify the validity of certificates, specify false.

Default value: false

auth.ocsp.responderURL

Specify the URL of an OCSP responder if you want to verify the validity of the electronic signature certificate by using a responder other than the one written in the AIA field of the certificate. If this value is omitted, the OCSP responder written in the AIA field is used.

Default value: none

Table. Setup items in the exauth.properties file for LDAP authentication (when using the DNS server to look up information about the external authentication server)
Attributes Details
protocol

Specify the protocol for connecting to the LDAP directory server.

This attribute is required.

Specifiable values: ldap

Default value: none

port

Specify the port number of the LDAP directory server. Make sure that the port you specify is set as the listen port number on the LDAP directory server.

Specifiable values: 1 to 65535

Default value: 389

timeout

Specify the amount of time to wait before timing out when connecting to the LDAP directory server. If you specify 0, the system waits until a communication error occurs without timing out.

Specifiable values: 0 to 120 (seconds)

Default value: 15

attr

Specify the attribute (Attribute Type) to use as the user ID during authentication.
  • For the hierarchical structure model

    Specify the name of the attribute containing the unique value to be used for identifying the user. The value stored in this attribute will be used as the user ID for Common Component products.

    The specified attribute must not include characters that cannot be used in a user ID of the Common Component product.

    For example, if you are using Active Directory and you want to use the Windows logon ID for the user ID of a Common Component product, specify the attribute name sAMAccountName in which the Windows logon ID has been defined.

  • For the flat model

    Specify the RDN attribute name of the user entry.

    For example, if the user's DN is uid=John,ou=People,dc=example,dc=com, specify uid, which is the attribute name in uid=John.

sAMAccountName has been set as the initial value. This attribute is required.

Default value: none

basedn

Specify the BaseDN, which is the DN of the entry that will be used as the start point when searching for LDAP user information on the LDAP directory server. The user entries that are located in the hierarchy after this DN will be verified during authentication. If characters that must be escaped are included in the specified BaseDN, escape all of those characters correctly because the specified value will be passed to the LDAP directory server without change.

  • For the hierarchical structure model

    Specify the DN of the hierarchy that includes all of the user entries to be searched.

  • For the flat model

    Specify the DN of the hierarchy just before the user entries to be searched.

This attribute is required. Specify the DN by following the rules defined in RFC4514. For example, if any of the following characters are included in a DN, you must use a backslash (\) to escape each character.

Spaces # + ; , < = > \

Default value: none

retry.interval

Specify the interval (in seconds) between tries to connect to the LDAP directory server.

Specifiable values: 1 to 60 (seconds)

Default value: 1

retry.time

Specify the number of tries to connect to the LDAP directory server. If you specify 0, no further tries occur.

Specifiable values: 0 to 50

Default value: 20

domain.name

Specify the name of a domain for external authentication servers managed by the LDAP directory server.

Default value: none

dns_lookup

Specify true.

However, if either of the following attributes is already set, the user-specified value is used to connect to the LDAP directory server instead of the information looked up on the DNS server.

  • auth.ldap.auth.server.name-property-value.host
  • auth.ldap.auth.server.name-property-value.port

Default value: false

Note: To specify the attributes, use the following syntax, where auth.server.name-property-value is one of the server identification names specified for auth.server.name:
auth.ldap.auth.server.name-property-value.attribute=value
For example, if auth.server.name is ServerName, specify the protocol attribute as auth.ldap.ServerName.protocol=ldap.
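The following is an added example and is not part of the Ops Center Automator documentation or the product's own code. It is a small Python checker that applies the rules from the two attribute tables (directly specified server information, and DNS lookup) together with the BaseDN escaping rule to an exauth.properties text: protocol must be ldap or tls, StartTLS requires a directly specified host name (not an IP address and not DNS lookup), the port and timeout ranges, domain.name when auth.group.mapping is true, and unique, case-insensitive domain values in a multi-domain configuration. The property and attribute names are those on this page; the server identification name ServerName, the hosts, the DN values and the two configuration texts are constructed for illustration, and the parser is a minimal key=value reader rather than a full Java properties parser. The escaping helper applies the character list given for basedn on this page, which is stricter than the minimum RFC 4514 requires.

```python
import ipaddress
import re

# Character set the page allows in auth.server.name values (with the 64-byte limit).
NAME_RE = re.compile(r"^[A-Za-z0-9!#()+\-.=@\[\]^_{}~]+$")
# Characters the page says must be backslash-escaped in a BaseDN (stricter than the
# RFC 4514 minimum, which only requires leading or trailing spaces to be escaped).
DN_ESCAPE = set(" #+;,<=>\\")


def escape_dn_value(value):
    """Backslash-escape one RDN attribute value using the page's character list."""
    return "".join("\\" + c if c in DN_ESCAPE else c for c in value)


def build_dn(rdns):
    """Compose a DN from (attribute, raw value) pairs, escaping every value."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def parse_properties(text):
    """Minimal key=value reader (assumption: no Java-style escapes or continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def is_ip_address(host):
    """True for IPv4/IPv6 literals, including the [..] form the page uses for IPv6."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_range(props, key, lo, hi, default, problems):
    raw = props.get(key, str(default))
    if not raw.isdigit() or not lo <= int(raw) <= hi:
        problems.append(f"{key}: must be {lo} to {hi}, got {raw!r}")


def validate(props):
    """Return the rule violations found (an empty list means the settings are consistent)."""
    problems = []
    if props.get("auth.server.type") != "ldap":
        problems.append("auth.server.type: must be ldap")
    names = [n for n in props.get("auth.server.name", "").split(",") if n]
    if not names:
        problems.append("auth.server.name: at least one name is required")
    multi = props.get("auth.ldap.multi_domain", "false") == "true"
    mapping = props.get("auth.group.mapping", "false") == "true"
    seen_domains = set()
    for name in names:
        if len(name.encode()) > 64 or not NAME_RE.match(name):
            problems.append(f"auth.server.name: {name!r} is not a valid name")
        p = f"auth.ldap.{name}."  # attribute key prefix from the page's Note
        proto = props.get(p + "protocol")
        dns = props.get(p + "dns_lookup", "false") == "true"
        host = props.get(p + "host")
        if proto not in ("ldap", "tls"):
            problems.append(f"{p}protocol: must be ldap or tls")
        if dns and proto == "tls":
            problems.append(f"{p}protocol: StartTLS needs directly specified server information, not DNS lookup")
        if not dns and not host:
            problems.append(f"{p}host: required when dns_lookup is false")
        if proto == "tls" and host and is_ip_address(host):
            problems.append(f"{p}host: StartTLS needs the certificate CN host name, not an IP address")
        check_range(props, p + "port", 1, 65535, 389, problems)
        check_range(props, p + "timeout", 0, 120, 15, problems)
        if mapping and not props.get(p + "domain.name"):
            problems.append(f"{p}domain.name: required when auth.group.mapping is true")
        if multi:
            dom = props.get(p + "domain", "").lower()  # page: not case sensitive
            if not dom:
                problems.append(f"{p}domain: required in a multi-domain configuration")
            elif dom in seen_domains:
                problems.append(f"{p}domain: {dom!r} is used by more than one server")
            seen_domains.add(dom)
    return problems


# Constructed example that breaks two rules: StartTLS combined with DNS lookup, and a
# host given as an IP address. The server name and address are assumptions.
BAD_CONFIG = """
auth.server.type=ldap
auth.server.name=ServerName
auth.ldap.ServerName.protocol=tls
auth.ldap.ServerName.host=[2001:db8::10]
auth.ldap.ServerName.dns_lookup=true
"""

# Constructed corrected form: direct specification, a host name matching the
# certificate CN, and domain.name present because authorization linking is on.
GOOD_CONFIG = """
auth.server.type=ldap
auth.server.name=ServerName
auth.group.mapping=true
auth.ldap.ServerName.protocol=tls
auth.ldap.ServerName.host=ldap.example.com
auth.ldap.ServerName.attr=sAMAccountName
auth.ldap.ServerName.basedn=ou=People,dc=example,dc=com
auth.ldap.ServerName.domain.name=example.com
auth.ldap.ServerName.dns_lookup=false
"""
```

Running validate(parse_properties(BAD_CONFIG)) reports the StartTLS/DNS-lookup conflict and the IP-address host, while GOOD_CONFIG passes cleanly; build_dn([("ou", "Sales, EMEA"), ("dc", "example"), ("dc", "com")]) shows how a BaseDN containing a comma and a space is escaped before it is written into the file.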