Setting ldapconfig_<volume>.xml parameters
The RSSE application uses a mapping file, ldapconfig_<volume>.xml, to map Encyclopedia volume management information to LDAP objects and object attributes.
In the Actuate ldapconfig_<volume>.xml file, a parameter is an XML element. Specify the value for a parameter as shown in the following example:
<parameter-name>value 1, value 2</parameter-name>
where
* The parameter name is one of the valid parameter names specified in ldapconfig_<volume>.xml.
* A comma separates multiple parameter values.
ldapconfig_<volume>.xml can contain comments. Enclose comments in <!-- and --> tags, as shown in the following example:
<!-- This is the port number on which the LDAP server is listening. -->
Table 11‑2 contains example values for parameters that appear in ldapconfig_<volume>.xml.
Table 11‑2 ldapconfig_<volume>.xml parameters
Parameter
Description and example
AdminRole
Actuate role attribute value that indicates that an LDAP user object can perform Encyclopedia volume management.
<AdminRole>
actuateAdmin
</AdminRole>
AllRole
LDAP role object name that maps to the All role in the Encyclopedia volume.
Use the All role to grant privileges to all Encyclopedia volume users.
<AllRole>
actuateAll
</AllRole>
GroupBaseDN
Base LDAP distinguished name used to locate the LDAP Actuate notification group object in queries of notification group names.
<GroupBaseDN>
ou=Groups, dc=actuate, dc=com
</GroupBaseDN>
GroupObject
LDAP object class that the RSSE application uses to find Actuate notification group names.
<GroupObject>
groupofuniquenames
</GroupObject>
GroupToNotify
Name of the LDAP notification group that receives notification about all iHub requests in the manner of the administrator user when the Encyclopedia volume uses default, internal security. The GroupBaseDN parameter defines the base DN of this group name.
<GroupToNotify>
specialGroup
</GroupToNotify>
 
When combined with the GroupBaseDN value, this parameter specifies the LDAP Actuate notification group object. iHub uses that object for LDAP notification. For example:
"cn=AdminGroup, ou=Actuate Groups, o=actuate.com"
OperatorRole
LDAP role object name that maps to the Encyclopedia volume Operator role. A user must have this role name to perform Encyclopedia volume Operator functions, such as configuring autoarchive operations.
<OperatorRole>
actuateOperator
</OperatorRole>
Port
Internet port on which the LDAP server listens.
The default value is 389.
<Port>
389
</Port>
QueryAccount
LDAP account that the RSSE application uses for query operations to the LDAP server.
<QueryAccount>
uid=actuate, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
</QueryAccount>
 
The RSSE application uses this account to validate users, roles, ACLs, and other Encyclopedia volume user information. For example:
"uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
QueryPassword
Password for the LDAP account specified by the QueryAccount parameter.
<QueryPassword>
Actu8
</QueryPassword>
RoleBaseDN
Base LDAP distinguished name that the RSSE application uses to locate the LDAP role object in queries of roles.
<RoleBaseDN>
ou=AcRoles, dc=actuate, dc=com
</RoleBaseDN>
RoleObject
LDAP object class that the RSSE application uses to find Actuate role names.
<RoleObject>
groupofuniquenames
</RoleObject>
Server
Name of the LDAP server that the RSSE application and iHub use. Use the fully qualified name, including the domain name. You can use the server’s IP address.
The default value is the name of the machine.
<Server>
helium.actuate.com
</Server>
UserBaseDN
LDAP distinguished name that the RSSE application uses to locate the LDAP user object. When you add a user’s name as a prefix to a base-distinguished name, the resulting name uniquely identifies the user in the external data source. Most base-distinguished names consist of the organizational unit or a series of organizational units and an organization.
<UserBaseDN>
ou=People, dc=actuate, dc=com
</UserBaseDN>
ChannelSubscriptionListAttr
LDAP attribute that specifies the channels to which an Actuate user subscribes.
In the LDAP directory server, the attribute has multiple values with a single channel name for each value.
<ChannelSubscriptionListAttr>
actuateChannelList
</ChannelSubscriptionListAttr>
ChannelSubscriptionListDefault
Value to use for ChannelSubscriptionListAttr when LDAP does not contain a value for that attribute.
<ChannelSubscriptionListDefault>
portfolio update, sales forecasts
</ChannelSubscriptionListDefault>
 
The value is a comma-separated list of channel names. For example:
"portfolio update, sales forecasts"
PrivilegeTemplateAttr
LDAP attribute that specifies which privilege template to use for files and folders that an Encyclopedia volume user creates.
<PrivilegeTemplateAttr>
actuateDefaultPriv
</PrivilegeTemplateAttr>
PrivilegeTemplateDefault
Value to use for PrivilegeTemplateAttr when LDAP does not contain a value for that attribute.
The value is a comma-separated list of user or role privileges. This example gives read and visible privileges to a role called viewing only and gives read, write, execute, and delete privileges to a user named jbob.
<PrivilegeTemplateDefault>
viewing only~rv, jbob=rwed
</PrivilegeTemplateDefault>
 
A user permission is a user login name followed by "=" and zero (0) or more permission characters. A role permission is a role name followed by a tilde (~) and zero or more permission characters. The following table lists the privilege characters and their meanings:
r = read
w = write
e = execute
d = delete
v = visible
s = secure read
g = grant
To specify a privilege template that lists multiple users or roles in the LDAP directory server, the attribute must be multi‑valued with a single user or role for each value.
AttachReportInEmailAttr
LDAP attribute that specifies an Actuate user’s preferred form of e‑mail notification.
<AttachReportInEmailAttr>
actuateEmailForm
</AttachReportInEmailAttr>
 
The e‑mail can contain either a copy of the document or a link to the document.
AttachReportInEmailDefault
Value to use for AttachReportInEmailAttr when LDAP does not contain a value for that attribute. The value is either included or linked. If the value is included, the user receives the document as an attachment to the notice, if possible. If the value is linked, the user receives a link to the document. The default value in ldapconfig_<volume>.xml is linked.
<AttachReportInEmailDefault>
linked
</AttachReportInEmailDefault>
EmailAddressAttr
Name of the LDAP user attribute that specifies an Encyclopedia volume user’s e‑mail address that iHub uses to send e‑mail. For some object classes, such as inetorgperson, an e‑mail attribute exists in the standard LDAP schema.
<EmailAddressAttr>
mail
</EmailAddressAttr>
SendEmailAttr
LDAP user attribute that specifies when to send an e‑mail notification message to notify an Actuate user of the completion of a job.
<SendEmailAttr>
actuateEmailWhen
</SendEmailAttr>
SendEmailDefault
Value to use for SendEmailAttr when the LDAP directory server does not contain a value for that attribute.
<SendEmailDefault>
never
</SendEmailDefault>
 
Use one of the following values: never, always, failures, or successes.
never—Do not notify.
always—Notify of failures and successes.
failures—Notify of failures only.
successes—Notify of successes only.
The default value in ldapconfig_<volume>.xml is never.
FailureNoticeExpirationAttr
LDAP attribute that specifies how long iHub keeps a user’s notices about failed jobs in the completed notice folder of the Encyclopedia volume. The value is a number of minutes. A value of 0 (zero) means that iHub does not keep notices about failed jobs. A value of ‑1 means that iHub keeps the notices indefinitely.
FailureNoticeExpirationDefault
Value to use for FailureNoticeExpirationAttr when LDAP does not contain a value for that attribute.
The value is a number of minutes. The default value in ldapconfig_<volume>.xml is 0.
SendNoticeAttr
LDAP user attribute that specifies when to notify a user about the completion of a job by placing a notice in the completed notice folder of the Encyclopedia volume.
SendNoticeDefault
Value to use for SendNoticeAttr when LDAP does not contain a value for that attribute.
Use one of the following values: never, always, successes, or failures.
never—Do not notify.
always—Notify of failures and successes.
failures—Notify of failures only.
successes—Notify of successes only.
The default value in ldapconfig_<volume>.xml is always.
HomeFolderAttr
LDAP attribute that specifies a user’s home folder in the Encyclopedia volume.
There is no default value.
<HomeFolderAttr>
actuateHomeFolder
</HomeFolderAttr>
MaxJobPriorityAttr
LDAP attribute that specifies a user’s maximum request priority.
The value is the maximum request priority that the user can set for a document print or generation request in the Encyclopedia volume.
In LDAP, the value must be an integer between 0 and 1000.
<MaxJobPriorityAttr>
actuateMaxPriority
</MaxJobPriorityAttr>
MaxJobPriorityDefault
Value to use for MaxJobPriorityAttr when LDAP does not contain a value for that attribute.
The value must be an integer between 0 and 1000.
The default value in ldapconfig_<volume>.xml is 500.
<MaxJobPriorityDefault>
500
</MaxJobPriorityDefault>
UserObject
Name of the LDAP object class that the RSSE application uses to find Actuate user names.
An example of an LDAP object class is inetorgperson.
<UserObject>
inetorgperson
</UserObject>
SuccessNoticeExpirationAttr
LDAP attribute that specifies how long to keep a user’s success completion notices in the completed notice folder of the Encyclopedia volume.
The value is a number of minutes. A value of 0 (zero) discards notices about successful jobs. A value of ‑1 keeps success notices indefinitely.
<SuccessNoticeExpirationAttr>
actuateSuccessNoticeExpiration
</SuccessNoticeExpirationAttr>
SuccessNoticeExpirationDefault
Value to use for SuccessNoticeExpirationAttr when LDAP does not contain a value for that attribute.
The value is a number of minutes. The default value in ldapconfig_<volume>.xml is 0.
<SuccessNoticeExpirationDefault>
0
</SuccessNoticeExpirationDefault>
ViewPreferenceAttr
LDAP attribute that specifies the user’s default viewing preference.
Use one of the following values: default or dhtml.
<ViewPreferenceAttr>
actuateViewingPref
</ViewPreferenceAttr>
ViewPreferenceDefault
Value to use for ViewPreferenceAttr when LDAP does not contain a value for that attribute.
Specify the default viewing mode using one of the following values: default or dhtml.
The default value in ldapconfig_<volume>.xml is default.
<ViewPreferenceDefault>
default
</ViewPreferenceDefault>
ConnectionPropertyList
Values to use for information object pass-through security. When using pass‑through security, iHub requires a database user name and password.
The ConnectionPropertyList element contains two ConnectionProperty elements. Each ConnectionProperty element contains a Name and Value element.
The values for the ConnectionProperty Name elements are username and password.
The ConnectionProperty Value for username is the LDAP user attribute that contains the database user name.
The ConnectionProperty Value for password is the LDAP user attribute that contains the database password.
<ConnectionPropertyList>
  <ConnectionProperty>
    <Name>username</Name>
    <Value>dbname</Value>
  </ConnectionProperty>
  <ConnectionProperty>
    <Name>password</Name>
    <Value>dbpassword</Value>
  </ConnectionProperty>
</ConnectionPropertyList>
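
The value constraints stated in Table 11‑2 (the allowed values of the notification, attachment and viewing defaults, the 0 to 1000 priority range, the expiration minutes, and the PrivilegeTemplateDefault syntax) can be checked before a mapping file is deployed. The following Python code is an added example, not part of the Actuate documentation or product. The root element name Config, the function names and the 1 to 65535 range for Port are assumptions, and the sample document is constructed.

```python
import re
import xml.etree.ElementTree as ET

NOTIFY = {"never", "always", "failures", "successes"}
ENUMS = {"SendEmailDefault": NOTIFY, "SendNoticeDefault": NOTIFY,
         "AttachReportInEmailDefault": {"included", "linked"},
         "ViewPreferenceDefault": {"default", "dhtml"}}
# (min, max) per integer parameter; -1 is the documented "keep indefinitely".
RANGES = {"Port": (1, 65535), "MaxJobPriorityDefault": (0, 1000),
          "FailureNoticeExpirationDefault": (-1, float("inf")),
          "SuccessNoticeExpirationDefault": (-1, float("inf"))}
ENTRY = re.compile(r"^(?P<name>[^~=]+?)\s*(?P<sep>[~=])\s*(?P<privs>[rwedvsg]*)$")

def parse_privilege_template(value):
    """Split 'viewing only~rv, jbob=rwed' into (kind, name, privs); '~' is a role, '=' a user."""
    entries = []
    for item in (part.strip() for part in value.split(",")):
        m = ENTRY.match(item)
        if not m:
            raise ValueError(f"expected user=privs or role~privs (privs from rwedvsg), got {item!r}")
        entries.append(("role" if m["sep"] == "~" else "user", m["name"], m["privs"]))
    return entries

def validate(xml_text):
    """Return findings for the child elements of one ldapconfig document."""
    findings = []
    for el in ET.fromstring(xml_text):
        text = (el.text or "").strip()
        if el.tag in ENUMS and text not in ENUMS[el.tag]:
            findings.append(f"{el.tag}: {text!r} is not one of {sorted(ENUMS[el.tag])}")
        elif el.tag in RANGES:
            lo, hi = RANGES[el.tag]
            if not (re.fullmatch(r"-?\d+", text) and lo <= int(text) <= hi):
                findings.append(f"{el.tag}: {text!r} is outside the documented range")
        elif el.tag == "PrivilegeTemplateDefault":
            try:
                parse_privilege_template(text)
            except ValueError as exc:
                findings.append(f"{el.tag}: {exc}")
    return findings

# Constructed sample; the root element name <Config> is an assumption.
SAMPLE = """<Config>
  <SendEmailDefault>sometimes</SendEmailDefault>
  <MaxJobPriorityDefault>1500</MaxJobPriorityDefault>
  <PrivilegeTemplateDefault>viewing only~rv, jbob=rwxd</PrivilegeTemplateDefault>
</Config>"""

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)))
```

QueryPassword is element text in this same file, so the check only reports on the parameters it validates and never places the QueryPassword value in a finding.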