LDAP options:
This is a list of the options in the Admin section; they can be set from the Admin tab, in the LDAP Configuration subsection.
These options are saved in the LDAP configuration file. The filename is derived from the configuration name → nameOfConfiguration.conf.
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| LDAP(S) URL | - | ldapUrl | AD LDAP/LDAPS URL for authentication | String | - |
| Server Type | - | ldapServerType | LDAP server type. Types are: Other, Active Directory, Redhat IDM (FreeIPA), OpenLDAP, JumpCloud, Okta. | String (from list, see desc.) | Other |
| Simple LDAP Mode | - | ldapSimpleMode | Whether Simple LDAP Mode is used; otherwise Search+Bind mode is used | Boolean | false |
| LDAP Prefix | Simple LDAP Mode = true | ldapPrefix | LDAP prefix used in Simple LDAP Mode | String | - |
| LDAP Suffix | Simple LDAP Mode = true | ldapSuffix | LDAP suffix used in Simple LDAP Mode | String | - |
| LDAP Security Principal | Simple LDAP Mode = false | ldapSecurityPrincipal | AD Security Principal, including the domain, used for bind authentication | String | - |
| Secret (LDAP Security Principal) | Simple LDAP Mode = false | ldapSecurityPrincipalUseSecret | Determines whether a secret is used for the LDAP Security Principal | Boolean | false |
| Secrets Manager (LDAP Security Principal) | Simple LDAP Mode = false AND Secret (LDAP Security Principal) = true | ldapSecurityPrincipalSecretsManagerConfigName | Specifies the Secrets Manager Configuration used for this secret. The list values are the secrets managers configured in Heimdall. | String (from list) | - |
| LDAP Security Principal Secret Name | Simple LDAP Mode = false | ldapSecurityPrincipalSecretName | Specifies a secret name | String | - |
| LDAP Search User Password | Simple LDAP Mode = false AND Secret (LDAP Security Principal) = false | ldapSearchPassword | AD password for the search user | String | - |
| LDAP Sec. Security Principal | Simple LDAP Mode = false | ldapSecondarySecurityPrincipal | Optional secondary Security Principal. If the LDAP search with the primary principal fails, Heimdall attempts to connect with the secondary one. | String | - |
| Secret (LDAP Sec. Security Principal) | Simple LDAP Mode = false | ldapSecondarySecurityPrincipalUseSecret | Determines whether a secret is used for the LDAP Sec. Security Principal | String | - |
| Secrets Manager (LDAP Sec. Security Principal) | Simple LDAP Mode = false AND Secret (LDAP Sec. Security Principal) = true | ldapSecondarySecurityPrincipalSecretsManagerConfigName | Specifies the Secrets Manager Configuration used for this secret. | String | - |
| LDAP Sec. Security Principal Secret Name | Simple LDAP Mode = false | ldapSecondarySecurityPrincipalSecretName | Specifies a secret name | String | - |
| LDAP Sec. Search User Password | Simple LDAP Mode = false | ldapSecondarySearchPassword | AD password for the secondary search user | String | - |
| LDAP Search Domain | Simple LDAP Mode = false | ldapSearchDomain | LDAP search domain, such as 'DC=heimdalldata,DC=com' | String | - |
| LDAP User Search Base | Simple LDAP Mode = false | ldapSearchBase | LDAP search base, such as 'CN=Users,DC=heimdalldata,DC=com' | String | - |
| LDAP Name Attribute | Simple LDAP Mode = false | ldapSearchAttribute | LDAP user attribute, typically sAMAccountName for Active Directory | String | - |
| LDAP Group Name Attribute | Simple LDAP Mode = false | ldapGroupSearchAttribute | LDAP group name attribute, typically sAMAccountName for Active Directory. If not provided, the LDAP Name Attribute is used instead. | String | - |
| LDAP Group Filter | Simple LDAP Mode = false | ldapGroupFilter | Restricts the groups extracted when checking a user's group membership. When this option is set, at least one group must be extracted for the proxy user to authenticate. | String | - |
| Use nested groups filter | Simple LDAP Mode = false AND Server Type = Active Directory / Redhat IDM (FreeIPA) | ldapSearchNestedGroups | Use the nested groups filter when retrieving group information | Boolean | false |
| - | Simple LDAP Mode = false | ldapCaOverride | The value assigned to this keyword defines whether TLS validation of the LDAP server certificate is performed. | Boolean | false |
| LDAP Healthcheck | Simple LDAP Mode = false | ldapHealthcheck | Perform an LDAP health check. Connectivity to the server is checked once a minute; the account expiration date of the LDAP Security Principal is checked once every 24 hours. | Boolean | true |
| Cache groups' emails | Simple LDAP Mode = false | ldapGroupsEmailsCaching.cacheEnabled | Cache groups and the email addresses associated with them | Boolean | true |
| Cache Time | Cache groups' emails | ldapGroupsEmailsCaching.cacheTime | The interval at which the cache is cleared and refreshed. In the GUI you can select the unit; the value stored in the configuration is in minutes. | Integer (minutes) | 60 (1h from GUI) |
| Management privileges | Simple LDAP Mode = false | ldapManagementPrivileges | Determines whether admin/read-only privileges require membership in a specific group. | Boolean | false |
| Admin privilege group | Simple LDAP Mode = false AND Management privileges = true | ldapAdminPrivilegeGroup | To be authorized for the Management Privilege: Admin, the user must be a member of the selected group | String | - |
| Read Only privilege group | Simple LDAP Mode = false AND Management privileges = true | ldapReadOnlyPrivilegeGroup | To be authorized for the Management Privilege: Read Only, the user must be a member of the selected group | String | - |
| ( enabled ) | - | enabled | Specifies whether this LDAP configuration is enabled | Boolean | true |
| ( filename ) | - | file | The name of the file that holds the LDAP configuration | String | - |
| Configuration Name | - (in the GUI, click the Rename button for the field to appear) | name | Name of the given LDAP configuration, used to identify it. | String | - |
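A dependency check over the Requirements column above, as an added example (not Heimdall code): because the .conf format itself is not documented here, the configuration is modelled as a flat dict keyed by the Conf File field names, and a plain ldap:// URL is flagged since the bind credentials would then travel without TLS. The sample configuration values are constructed for this example.

```python
"""Dependency check for the LDAP options table (added example, not Heimdall code).
The real .conf format is not documented here, so the configuration is a flat dict
keyed by the 'Conf File field' names; a field counts as missing when absent or empty."""

AD_OR_IDM = {"Active Directory", "Redhat IDM (FreeIPA)"}


def _missing(cfg: dict, *keys: str) -> list:
    return [f"missing required field: {k}" for k in keys if not cfg.get(k)]


def _credential_checks(cfg: dict, principal: str, password: str) -> list:
    # Secret-backed principal needs a Secrets Manager config and a secret name
    # (assumption: the secret name is only needed when the secret flag is on);
    # otherwise a search password must be present.
    if cfg.get(principal + "UseSecret"):
        return _missing(cfg, principal + "SecretsManagerConfigName", principal + "SecretName")
    return _missing(cfg, password)


def validate_ldap_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the dependencies hold."""
    problems = _missing(cfg, "name", "ldapUrl")
    if cfg.get("ldapUrl", "").lower().startswith("ldap://"):
        problems.append("ldapUrl uses ldap://, so the bind is not TLS-protected; prefer ldaps://")
    if cfg.get("ldapSimpleMode", False):  # Simple LDAP Mode: only prefix/suffix apply
        return problems + _missing(cfg, "ldapPrefix", "ldapSuffix")
    # Search+Bind mode
    problems += _missing(cfg, "ldapSecurityPrincipal", "ldapSearchDomain",
                         "ldapSearchBase", "ldapSearchAttribute")
    problems += _credential_checks(cfg, "ldapSecurityPrincipal", "ldapSearchPassword")
    if cfg.get("ldapSecondarySecurityPrincipal"):  # optional fallback principal
        problems += _credential_checks(cfg, "ldapSecondarySecurityPrincipal", "ldapSecondarySearchPassword")
    if cfg.get("ldapSearchNestedGroups") and cfg.get("ldapServerType", "Other") not in AD_OR_IDM:
        problems.append("ldapSearchNestedGroups needs Active Directory or Redhat IDM (FreeIPA)")
    if cfg.get("ldapManagementPrivileges"):
        problems += _missing(cfg, "ldapAdminPrivilegeGroup", "ldapReadOnlyPrivilegeGroup")
    if cfg.get("ldapGroupsEmailsCaching.cacheEnabled", True):
        minutes = cfg.get("ldapGroupsEmailsCaching.cacheTime", 60)
        if not isinstance(minutes, int) or minutes <= 0:
            problems.append("ldapGroupsEmailsCaching.cacheTime must be a positive number of minutes")
    return problems


# Constructed sample (not from the page): secret-backed Search+Bind config over LDAPS.
SAMPLE_CONFIG = {
    "name": "corp-ad", "ldapUrl": "ldaps://dc01.example.internal:636",
    "ldapServerType": "Active Directory", "ldapSimpleMode": False,
    "ldapSecurityPrincipal": "CN=svc-heimdall,CN=Users,DC=example,DC=internal",
    "ldapSecurityPrincipalUseSecret": True, "ldapSecurityPrincipalSecretsManagerConfigName": "vault-prod",
    "ldapSecurityPrincipalSecretName": "ldap/svc-heimdall", "ldapSearchDomain": "DC=example,DC=internal",
    "ldapSearchBase": "CN=Users,DC=example,DC=internal", "ldapSearchAttribute": "sAMAccountName",
    "ldapSearchNestedGroups": True, "ldapManagementPrivileges": True,
    "ldapAdminPrivilegeGroup": "heimdall-admins", "ldapReadOnlyPrivilegeGroup": "heimdall-readonly",
}
```

Running `validate_ldap_config(SAMPLE_CONFIG)` returns an empty list; dropping the secret name or switching the URL to ldap:// produces the corresponding problem strings.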