Configuration options

The following table describes the configuration options for the Verify Identity Access Java API and the Registry Direct API.

Table 1. Configuration options

Java™ Option Name Existing Comparable Option Existence in current Java Config Default Valid Range Description
appsvr-servername Already present, Optional

(conditional)

string

Set this option if authz.enable-audit is enabled.

Use this option to segregate applications that use the new Registry Direct Java API within the Java Logger name space for audit logging.

For example, if the audit logger names are com.tivoli.pd.rgy.authz.testapp-tam611.mgmt and com.tivoli.pd.rgy.authz.testapp-tam611.authn, then testapp-tam611 is the string passed.

Note: Although the audit logger is listed in the Java Logger name space, it outputs the records into its own file. You can enable or disable the output to the audit log file by increasing or decreasing the Java logging level for the audit logger names.
authz.audit-file-count New, Optional 1 1 -> 8192 Passed as the file count to the java.util.logging.FileHandler constructor; see the Java documentation for that constructor for its description.
authz.audit-file-limit New, Optional 0 0 -> MAXINTEGER Passed as the file limit to the java.util.logging.FileHandler constructor; see the Java documentation for that constructor for its description.
authz.audit-file-pattern New, Optional

(conditional)

File name pattern Set this option if authz.enable-audit is enabled. Passed as the file name pattern to the Java java.util.logging.FileHandler constructor; see the Java documentation for that constructor for its description.
authz.authorize-group-list [delegated-admin] authorize-group-list New, Optional False true, false Indicates whether the API must check the authorization on the listGroup() and listNativeGroups().
authz.enable-audit New, Optional False true, false When you use LdapRgyRegistryFactory.getRgyRegistryInstance(URL propertiesUrl, Map enhancements), it recognizes this option and enables auditing of API operations. If you do not also enable authz.enable-authorization, the user who performs the operation is an unauthenticated user.
authz.enable-authorization New, Optional False true, false When LdapRgyRegistryFactory.getRgyRegistryInstance(URL propertiesUrl, Map enhancements) is used, it recognizes this option and enables authorization of the API operations. Provide authz.pdauthorizationcontext-user; it is used as the admin user that authorizes each access.
authz.pdauthorizationcontext-user New, Optional

(conditional)

Verify Identity Access user ID

When authz.enable-authorization is set, this user ID is authorized in API operations. If authz.pdauthorizationcontext-pwd is also specified, then the Verify Identity Access user account has an additional purpose.

The user account is passed with the password to the construction of the PDAuthorizationContext constructed by the API.

If required, you can override the joint usage by calling AuthzRgyRegistryFactory.updateAdminId(RgyRegistry rgyRegistry, String adminUserId). Doing so changes the Verify Identity Access ID used in the authorization decision.

authz.pdauthorizationcontext-pwd New, Optional Verify Identity Access user password If you specify authz.pdauthorizationcontext-pwd along with authz.pdauthorizationcontext-user, the Verify Identity Access user and password are passed to the construction of the PDAuthorizationContext. This context is constructed by the API and used to provide authorization decision outcomes for API operations.
fed-server.<serverid>.ldap.bind-dn [server:<serverid>] bind-dn New, Required The DN to simple bind to LDAP for all management LDAP operations.
Note: If this value is set to "anonymous", the appliance uses an anonymous bind to the LDAP directory server. Typically the bind-dn has significant privileges so that it can be used to modify LDAP registry entries, such as creating users and resetting passwords via pdadmin or the Registry Direct Java API. An anonymous connection to LDAP typically comes with very limited access, perhaps at most search and view of entries, or even no access at all. If anonymous access has sufficient privileges, then it might be usable for the WebSEAL level of access on users and groups. This access includes the permission for a user to change password if "ldap.bind-auth-and-pwdchg = true" is set.
fed-server.<serverid>.ldap.bind-pwd [server:<serverid>] bind-pwd New, Required The LDAP bind-dn account password. SvrSslCfg and RgyConfig obfuscate this value in the configuration file.
Note: If bind DN (bind-dn) is set to anonymous, you can use any non-empty string as the value of bind password (bind-pwd).
fed-server.<serverid>.ldap.password-attribute [server:<serverid>] password-attribute New, Optional

For RACF suffixes, the default value is racfpassword.

For Active Directory, the default value is unicodePwd.

For all others, the default value is userPassword.

Specifies the attribute used to set or change passwords. This is primarily used to allow RACF suffixes to choose between using "racfpassword" or "racfpassphrase".
fed-server.<serverid>.ldap.racf-suffix [server:<serverid>] racf-suffix New, Optional False true, false

When set to "true", all the suffixes defined under the federated registry stanza will be treated as RACF suffixes. Note that:

  • RACF suffix users can only be searched for using the "racfid" and "krbprincipalname" attributes. Basic users can only be searched for using the "racfid" attribute.
  • It is possible that not all members of a RACF group of type "UNIVERSAL" will be returned. Only the members returned by the group's "racfgroupuserids" attribute will be listed.
  • If importing groups or users as full Verify Identity Access entities, the primary Verify Identity Access registry must provide definitions of all attributes used in the user/group DN. The attributes "profileType" and "racfid" must always be defined as these will always be present in RACF user/group DNs. The embedded LDAP server will contain definitions for "profileType", "racfid", and "sysplex". External LDAP primary registries might also need updating to add the missing attribute definitions.
  • The RACF suffixes provided must have "profileType=user", "profileType=group", and "profileType=connect" children entries directly under them.
  • RgyRegistry.listNativeUsers() and RgyRegistry.listNativeGroups() methods accept a "searchAttributeName" parameter, which specifies the attribute in the native LDAP user or group entry to filter the resulting list of entries on. If "cn" is provided, then any search of RACF suffixes will use "racfid" instead.
  • RgyRegistry.getUser() and RgyRegistry.getNativeUser() will return the value of "racfid" in a "racfid" attribute and also return fabricated "cn" and "sn" values that also use the "racfid" attribute value. The fabricated "cn" and "sn" values cannot later be modified as they do not exist in the RACF user entry.
  • RgyRegistry.getGroup() and RgyRegistry.getNativeGroup() will return the value of "racfid" in a "racfid" attribute and also return fabricated "cn" value that uses the "racfid" attribute value. The fabricated "cn" values cannot later be modified as they do not exist in the RACF group entry.
  • RgyRegistry.createUser() will not require the "cn" and "sn" attributes be present. If the "racfid" attribute is not present, then the value of "cn" will be used for the value of "racfid".
  • RgyRegistry.createGroup() will not require the "cn" attribute be present. If the "racfid" attribute is not present, then the value of "cn" will be used for the value of "racfid".
  • RgyRegistry.getGroup() and RgyRegistry.getNativeGroup() will not return the RACF group attribute "racfgroupuserids". This attribute is similar to a standard LDAP group's "member" attribute.
  • RgyRegistry.createGroup() will accept an initial membership list via the "racfgroupuserids" attribute. If this attribute is not present and the attribute "member" is present, the value of "member" will be used as a replacement for "racfgroupuserids".
fed-server.<serverid>.ldap.ssl-enable [server:<serverid>] ssl-enable New, Optional False Set this option to true to enable SSL to the LDAP server.
fed-server.<serverid>.ldap.ssl-server-start-tls [server:<serverid>] ssl-server-start-tls New, Optional False true, false
  • If set to true, Registry Direct API upgrades the unencrypted TCP LDAP connection to an encrypted one by using the LDAP START_TLS extended operation.
  • ldap.ssl-enable must be false when this option is set to true.
fed-server.<serverid>.ldap.suffix = suffixA;[suffixB;[...]] [server:<serverid>] suffix New, Required ';' separated list of LDAP DN strings.

Specifies the suffixes to use from this federated LDAP server.

fed-server.<serverid>.ldap.bind-auth-and-pwdchg [server:<serverid>] bind-auth-and-pwdchg New, Optional False true, false
  • If set to true, Registry Direct API uses bind to authenticate users and a connection that is bound as the user to change their password in cases where the old and new passwords are provided. ldap.auth-using-compare is ignored for the server.
  • A single LDAP operation that combines both the removal of the old password and the addition of the new password is used, as required by some LDAP servers such as Active Directory. Users must also have appropriate LDAP/AD ACLs that allow them to change their own password. For Active Directory, this setting is the default. For other LDAPs, an ACL may need to be added.
fed-server.<serverid>.ldap.max-server-connections [server:<serverid>] max-server-connections New, Optional 16 Indicates the maximum number of connections that can exist to the LDAP server.
fed-server.<serverid>.ldap.dynamic-groups-enabled [server:<serverid>] dynamic-groups-enabled New, Optional False
  • Some registries might not support this option.
  • For Tivoli Directory Server, this setting is always enabled because of the use of ibm-allGroups.
fed-server.<serverid>.ldap.user-objectclass [server:<serverid>] user-objectclass Default value is LDAP server type dependent.

When provided to the configuration tool, it contains a list of comma-separated object class names to set when creating a native user entry in LDAP.

For example: top,person,organizationalPerson,inetOrgPerson,ePerson.

SvrSslCfg modifies the list to be ";" (semicolon) separated when it places it in the configuration properties file.

fed-server.<serverid>.ldap.static-group-objectclass [server:<serverid>] static-group-objectclass Default value is LDAP server type dependent.

When provided to the configuration tool, it contains a list of comma-separated objectClass names to set when creating a native group entry in LDAP.

Only non-dynamic groups are created by Verify Identity Access. For example, top,groupOfNames.

SvrSslCfg modifies the list to be ";" (semicolon) separated when it places it in the configuration properties file.

fed-server.<serverid>.ldap.user-search-filter [server:<serverid>] user-search-filter Default value is LDAP server type dependent.

An LDAP search filter that selects any native user entry. For example: (|(objectclass=ePerson)(objectclass=Person)).

fed-server.<serverid>.ldap.group-search-filter [server:<serverid>] group-search-filter Default value is LDAP server type dependent.

An LDAP search filter that selects any native group entry. For example: (|(objectclass=accessGroup)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)).
fed-server.<serverid>.ldap.is-member-of-attribute [server:<serverid>] is-member-of-attribute New, Optional Default value is LDAP server type dependent.

The name of an attribute in user entries that provides a list of group DNs the user is a member of. This is an optimization provided by some LDAP servers.

fed-server.<serverid>.ldap.follow-referrals [server:<serverid>] follow-referrals New, Optional False true, false
  • If set to true, the LDAP client, JNDI, follows the LDAP referrals to other servers. If false, it ignores referrals.
fed-server.<serverid>.ldap.basic-user-principal-attribute [server:<serverid>] basic-user-principal-attribute New, Optional

If a value is not provided, the system uses a default value that depends on the type of LDAP server. For example, for ISDS, uid is used by default; for AD, userPrincipalName is used by default.

fed-server.<serverid>.ldap.basic-user-principal-add [server:<serverid>] basic-user-principal-add New, Optional

If a value is not specified, it defaults to the empty string.

If a value is specified, then the value string is appended to the principal ID provided to the API before searching for the Basic or Full user, and removed whenever the Basic or Full user principal ID is returned by the API.

This option is typically used by the AD migration tool to allow federated AD registries to avoid using the trailing @domain string but still use the userPrincipalName attribute.

local_domain [ssl] ssl-local-domain Already Present, Optional valid domain string The name of the default domain that is used when the Management API does not provide a domain name. If you do not provide a value, the value from mgmt_domain configuration option is used.
ldap.ignore-suffix [ldap] ignore-suffix New, Optional Empty list list of valid LDAP suffix strings

Ignore LDAP server suffix when searching for user and group information.

Suffixes cn=localhost , cn=pwdpolicy, cn=configuration, and the suffixes that are specified in the subschemasubentry and changelog values are always ignored.

SvrSslCfg accepts multiple values by using ",," (double comma) separator. The configuration file uses ";" (semicolons) internally as a separator.

ldap.mgmt [ldap] enabled New, Optional false true, false Set this option true to enable LDAP management.
ldap.basic-user-pwd-policy [ldap]basic-user-pwd-policy New, Optional true true, false If basic user support is enabled, this option controls whether global password policies are enabled for basic users.
ldap.dynamic-groups-enabled [ldap] dynamic-groups-enabled New, Optional false true, false Enables support of dynamic groups for some LDAP server types by using the memberURL attribute. Verify Identity Access supports dynamic groups with Tivoli Directory Server regardless of this setting. This stanza entry is supported for Oracle System Directory Server.
ldap.enable-last-login [ldap]enable-last-login New, Optional true, false Sets an option to store the last login date in LDAP each login.
ldap.enhanced-pwd-policy [ldap]enhanced-pwd-policy New, Optional false true, false Specifies whether the LDAP registries that Verify Identity Access uses provide password policy enforcement for LDAP accounts.
Note: The appliance embedded LDAP server does not support this configuration option.
ldap.max-server-connections [ldap] max-server-connections New, Optional 16 2 -> 4096 Indicates the maximum number of connections that can exist to the LDAP server.
ldap.mgmt-domain-suffix [ldap] secauthority-suffix New, Optional Will be automatically located. valid LDAP suffix string Specify the valid LDAP suffix string for the Domain Management of the Verify Identity Access.
mgmt_domain [manager] management-domain Already Present, Required valid domain string Verify Identity Access Management Domain name. Required to determine the location of subdomain in the registry. Sub domains are located relative to the Management Domain LDAP location.
ldap.user-objectclass [ldap] user-objectclass New, Optional Defaults vary depending on LDAP server type

When provided to the configuration tool, it contains a list of comma-separated object class names to set when creating a native user entry in LDAP.

For example: top,person,organizationalPerson,inetOrgPerson,ePerson.

SvrSslCfg modifies the list to be ";" (semicolon) separated when it places it in the configuration properties file.

ldap.static-group-objectclass [ldap] static-group-objectclass New, Optional Defaults vary depending on LDAP server type

When provided to the configuration tool, it contains a list of comma-separated objectClass names to set when creating a native group entry in LDAP.

Only non-dynamic groups are created by Verify Identity Access. For example, top,groupOfNames.

SvrSslCfg modifies the list to be ";" (semicolon) separated when it places it in the configuration properties file.

ldap.user-search-filter [ldap] user-search-filter New, Optional Defaults vary depending on LDAP server type. valid LDAP search filter string

An LDAP search filter that selects any native user entry. For example: (|(objectclass=ePerson)(objectclass=Person)).

ldap.group-search-filter [ldap] group-search-filter New, Optional Defaults vary depending on LDAP server type. valid LDAP search filter string
An LDAP search filter that selects any native group entry. For example: (|(objectclass=accessGroup)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)).
ldap.svrs [ldap] host, port, ssl-port, and replica New, Required valid host string, port 1 -> 65535, type readwrite or readonly, pref 0 -> 10 A comma-separated list of LDAP server details. Each server detail is a colon-separated set of attributes of the form host:port:type:rank[,host2:port2:type2:rank2[,...]], where type is either readwrite or readonly and rank is a value from 0 to 10. For example: ldaphost:389:readwrite:5. SvrSslCfg writes it to the configuration file as a list of LDAP server details separated by ';' characters.
ldap.ssl-enable [ldap] ssl-enable New, Optional False true, false Set this option to true to enable SSL to the LDAP server.
ldap.fips [ssl] ssl-enable-fips New, Optional False true, false

Deprecated: replaced by ldap.compliance.

Use ldap.compliance=fips for ldap.fips=true.

Use ldap.compliance=none for ldap.fips=false.

Set this option to true to use FIPS mode with the TLS connections to the LDAP server.

ldap.compliance [ssl] ssl-compliance

New, Optional

none, fips, sp800-131-transition, sp800-131-strict, suite-b-128, suite-b-192

Sets the compliance level for SSL and TLS connections to the LDAP server.

This value is not used when running within a WebSphere JVM because the compliance level is automatically determined based on how WebSphere is configured.

ldap.ssl-v3-enable [ssl] ssl-v3-enable

New, Optional

True

true, false

Enables or disables the use of SSL version 3 to the LDAP server.

For some ssl.compliance values, this parameter is always disabled.

This parameter is always disabled for compliance levels sp800-131-strict, suite-b-128, and suite-b-192.

ldap.tls-v10-enable [ssl] tls-v10-enable

New, Optional

True

true, false

Enables or disables the use of TLS version 1.0 to the LDAP server.

For some ssl.compliance values, this parameter is always disabled.

This parameter is always disabled for compliance levels sp800-131-strict, suite-b-128, and suite-b-192.

ldap.tls-v11-enable [ssl] tls-v11-enable

New, Optional

True

true, false

Enables or disables the use of TLS version 1.1 to the LDAP server.

For some ssl.compliance values, this parameter is always disabled.

This parameter is always disabled for compliance levels sp800-131-strict, suite-b-128, and suite-b-192.

ldap.tls-v12-enable [ssl] tls-v12-enable

New, Optional

True

true, false

Enables or disables the use of TLS version 1.2 to the LDAP server.

For some ssl.compliance values, this parameter is always disabled.

This parameter is always enabled for sp800-131-strict, suite-b-128, and suite-b-192.

ldap.cipher-suites [ssl] ssl-v3-cipher-specs, [ssl] tls-v10-cipher-specs,[ssl] tls-v11-cipher-specs,[ssl] tls-v12-cipher-specs

New, Optional

Java defaults

[semicolon list of Java cipher names]

Specifies which cipher suites to use for all SSL and TLS protocols.

Example: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA;SSL_DHE_DSS_WITH_AES_128_CBC_SHA;SSL_DHE_DSS_WITH_AES_128_CBC_SHA256

For information about the cipher suite names, see http://publib.boulder.ibm.com/infocenter/java7sdk/v7r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2Fjsse2Docs%2Fciphersuites.html.

ldap.ssl-truststore New, Optional Filename string

The file name of a Java JCEKS keystore that contains the trusted CA signers for the LDAP server Certificate.

The API converts the value that is placed in the configuration file into URL format.

The API supports only the file: protocol. If ldap.ssl-enable is enabled and you do not provide a file name, specify java.naming.ldap.factory.socket instead.

ldap.ssl-keystore New, Required if ldap.client-cert-label is specified. Filename string The file name of a Java JCEKS keystore that contains the client certificate to be presented when connecting to the LDAP. The API converts the value that is placed in the configuration file into URL format. The API supports only file: protocol.
ldap.ssl-truststore-pwd New, Required only if ldap.ssl-truststore is specified Password string The password for the ldap.ssl-truststore. This password is obfuscated by SvrSslCfg and RgyConfig when set. Provide the password if ldap.ssl-truststore is set.
ldap.ssl-keystore-pwd New, Required only if ldap.ssl-keystore is specified. Password string The password for the ldap.ssl-keystore. This password is obfuscated by SvrSslCfg and RgyConfig when set. Provide the password if ldap.ssl-keystore is set.
ldap.login-failures-persistent [ldap] login-failures-persistent New, Optional False true, false Login failures are used with the three-strikes policy. If you set this option to false, each process by using this API stores the number of login failures in memory. If multiple servers are involved, the total number of login failures to trigger a strike-out might vary.

If you set this option to true, the strike count is stored in LDAP and shared across all servers. An accurate count can be kept in a multiserver environment.

ldap.client-cert-label New, Optional Label string Label of the client certificate to be presented to the LDAP when connecting with mutual SSL. If not specified, the default of the keystore will be selected. Selects the certificate out of the specified ldap.ssl-keystore.
ldap.auth-using-compare [ldap] auth-using-compare New, Optional

Defaults vary depending on LDAP server type.

true, false Set this option to false to validate every DN/password by using a new connection to LDAP and a simple bind. Set this option to true to validate the password with an LDAP compare operation against the password attribute. Some LDAP servers do not support this setting and ignore it.
ldap.bind-dn [ldap] bind-dn New, Required valid LDAP DN string The DN to simple bind to LDAP for all management LDAP operations.
ldap.bind-pwd [ldap] bind-pwd New, Required valid password string The LDAP bind-dn account password. SvrSslCfg and RgyConfig obfuscate this value in the configuration file.
ldap.bind-auth-and-pwdchg [ldap] bind-auth-and-pwdchg New, Optional False true, false
  • If set to true, Registry Direct API uses bind to authenticate users and a connection that is bound as the user to change their password in cases where the old and new passwords are provided. ldap.auth-using-compare is ignored for the server.
  • A single LDAP operation that combines both the removal of the old password and the addition of the new password is used, as required by some LDAP servers such as Active Directory. Users must also have appropriate LDAP/AD ACLs that allow them to change their own password. For Active Directory, this setting is the default. For other LDAPs, an ACL may need to be added.
ldap.follow-referrals [ldap] follow-referrals New, Optional False true, false
  • If set to true, the LDAP client, JNDI, follows the LDAP referrals to other servers. If false, it ignores referrals.
ldap.return-registry-id [ldap] cache-return-registry-id New, Optional False true, false

If set to true, RgyUser.RgyEntity.getId() returns the Verify Identity Access user ID for the specific user that is stored in the LDAP registry.

If set to false, RgyUser.RgyEntity.getId() returns the Verify Identity Access user ID for the user that was passed into the RgyRegistry.getUser() method.

Verify Identity Access IDs are not case-sensitive. The user ID returned differs if the case of the ID passed to RgyRegistry.getUser() is different from the case of the value that is stored in LDAP.

ldap.user-self-care-objectclass New, Optional Empty valid LDAP objectClass string The name of an AUXILIARY objectClass that is added to user entries so that self-care attributes can be set on existing and new native user LDAP entries.
ldap.default-policy-override-support [ldap] default-policy-override-support New, Optional False true, false If set to true, the Verify Identity Access per-user policy is not used. Instead, the global policy takes effect.
java.naming.ldap.factory.socket New, Optional name of class Makes it possible for the caller to provide their own SSL socket factory to use with JNDI to the LDAP servers.
ldap.cache-policy-expire-time [ldap] cache-policy-expire-time New, Optional 600 (seconds) 0 -> 86400 The duration in seconds for which the global policy is cached in the memory before being read again from LDAP.
ldap.max-auth-connections [ldap] max-auth-connections New, Optional 0 0 -> 32768 Non-zero value that sets the number of simultaneous LDAP connections that are used to authenticate users (when auth-using-compare = false)
ldap.group-map-size 1024 0 -> Maximum Integer The number of entries in a map that is used to convert group native names (DNs) into Verify Identity Access IDs. An LRU algorithm evicts old entries to make room for new ones.
ldap.connect-timeout New, Optional 5000 -> 120000 The maximum time in milliseconds to wait for a response after a request is sent to the LDAP server.
ldap.idle-timeout New, Optional 5000 -> 120000 The time in milliseconds after which an idle LDAP connection is closed to free resources.
ldap.read-timeout New, Optional 5000 -> 120000 The maximum time in milliseconds to establish a connection to the LDAP server.
ldap.connect-pool-timeout New, Optional 5000 -> 120000 Maximum time in milliseconds to wait for an available connection from the pool.
ldap.connect-pool-maxsize New, Optional 2 -> 4096 The maximum number of LDAP connections that can be maintained in the connection pool.
ldap.connect-pool New, Optional true, false Indicates whether LDAP connection pooling is active to reuse connections.
ldap.group-map-lifespan 60 0 -> 86400 Duration in seconds for which the entry stays in the map, used to convert group native names (DNs) into Verify Identity Access IDs.
ldap.late-lockout-notification False true, false Notifies the user when the account is locked due to several password login attempts during the n+1th login rather than the nth. Here, n is the value of maxFailedLogins policy attribute in effect for the user.
ldap.basic-user-support [ldap] basic-user-support New, Optional False true, false

If the value is set to true, then basic user support is enabled. All Full and Basic Verify Identity Access user accounts are located by using the ldap.basic-user-principal-attribute attribute in their LDAP Native user entry. This also includes existing Verify Identity Access Full users. So if the Verify Identity Access Full user principal name does not match the value of their attribute that is specified by ldap.basic-user-principal-attribute, then their ID will change.

ldap.basic-user-search-suffix [ldap] basic-user-search-suffix New, Optional

If a value is not provided, it uses the set of suffixes normally used by Verify Identity Access. If specified, it must list all suffixes that are to be searched for Basic and Full Verify Identity Access users. If the suffix that contains the Verify Identity Access domain, sec_master, and Verify Identity Access server accounts is not specified, it is automatically added as this suffix is required.

Each suffix is separated by a semicolon (;) character.

ldap.basic-user-no-duplicates [ldap] basic-user-no-duplicates New, Optional True true, false

If the value is set to true, then the code searches all suffixes listed in ldap.basic-user-search-suffix for a match to the Full or Basic user principal ID. If more than one match is found, the user is reported as not found.

If the value is set to false, then the search stops after a match is found. The search still detects duplicates on the same suffix, but not across different suffixes. The advantage of this option is that if the administrator can guarantee that duplicates do not exist across suffixes, then the user can be located quicker as some suffix searches could be skipped.

ldap.basic-user-suffix-optimizer [ldap] basic-user-suffix-optimizer New, Optional True true, false

This option has no effect if ldap.basic-user-no-duplicates is set to true.

If the value is set to true, then the basic user suffixes are searched in an optimized order based on hit count (successfully locating a user in the suffix). This can help reduce the number of suffixes searched.

If the value is set to false, then the provided order of ldap.basic-user-search-suffix is used. If not, an internally selected order is used.

ldap.connection-inactivity [ldap] connection-inactivity New, Optional 0 0 -> Maximum Integer Specifies the connection inactivity time, in seconds, after which an unused connection to the LDAP server will be taken down. A value of zero (0) indicates that inactivity will not be tracked and the connection will remain established (permanent). The default is zero.
ldap.group-attribute-names New, Optional List of attribute names separated by ';' characters A list of comma-separated additional attributes which can be managed when creating/updating/retrieving a group in LDAP.
ldap.is-member-of-attribute New, Optional Default value is LDAP server type dependent. The name of an attribute in user entries that provides a list of group DNs the user is a member of. This is an optimization provided by some LDAP servers.
ldap.suffix-max-iterations New, Optional -1 -1 -> Maximum Integer The maximum number of times the suffix ordering can take place. A value of -1 indicates that there is no limit. See ldap.suffix-ordering.
ldap.suffix-ordering New, Optional bubble bubble, mfu Specifies the algorithm used to determine the order which the suffixes will be searched. The mfu (most frequently used) algorithm will order the suffixes by hits. The bubble algorithm will place the last hit suffix at the beginning of the list.
ldap.suffix-trigger-count New, Optional 10 0 -> Maximum Integer The number of times a particular suffix must be hit before the suffix search order is reordered according to the algorithm specified in ldap.suffix-ordering.
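Several rows in the table state constraints that span options: the ldap.svrs entry format and its port and rank ranges, the truststore and keystore password dependencies, the protocol flags that the strict compliance levels force off, the deprecation of ldap.fips, the required bind-dn, bind-pwd and suffix of a federated server, and the rule that ssl-server-start-tls needs ssl-enable to be false. The following checker is an added example, not part of the product or its API; it reads a properties file in the layout the table describes and reports the violations it finds. The sample properties and all function names are constructed for the example.

```python
import re

# Constructed sample (not from the product): valid settings mixed with
# several that the table documents as inconsistent, weak or deprecated.
SAMPLE_PROPERTIES = """\
ldap.svrs=ldaphost:389:readwrite:5;ldapreplica:636:readonly:3;badhost:70000:readonly:2
ldap.ssl-enable=true
ldap.compliance=none
ldap.ssl-v3-enable=true
ldap.fips=true
ldap.bind-dn=anonymous
ldap.bind-pwd=x
ldap.ssl-truststore=/path/to/ldap-trust.jceks
ldap.client-cert-label=webseal-client
fed-server.hr.ldap.ssl-enable=true
fed-server.hr.ldap.ssl-server-start-tls=true
fed-server.hr.ldap.bind-dn=cn=admin,dc=hr
fed-server.hr.ldap.suffix=dc=hr
"""

SERVER_RE = re.compile(r"^([^:]+):(\d+):(readwrite|readonly):(\d+)$")
# Compliance levels under which the table says SSLv3/TLS1.0/TLS1.1 are always disabled.
STRICT_LEVELS = {"sp800-131-strict", "suite-b-128", "suite-b-192"}
LEGACY_PROTOCOL_KEYS = ("ldap.ssl-v3-enable", "ldap.tls-v10-enable", "ldap.tls-v11-enable")


def parse_properties(text):
    """Minimal key=value parser for the Java properties layout the API reads."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(props, key, default="false"):
    return props.get(key, default).lower() == "true"


def check_server_list(value):
    """ldap.svrs: host:port:type:rank entries with port 1-65535 and rank 0-10.
    SvrSslCfg accepts commas and writes ';' to the file, so both separators are accepted."""
    problems = []
    for entry in re.split(r"[;,]", value):
        match = SERVER_RE.match(entry.strip())
        if not match:
            problems.append(f"ldap.svrs: malformed entry '{entry}'")
            continue
        port, rank = int(match.group(2)), int(match.group(4))
        if not 1 <= port <= 65535:
            problems.append(f"ldap.svrs: port {port} out of range 1-65535")
        if not 0 <= rank <= 10:
            problems.append(f"ldap.svrs: rank {rank} out of range 0-10")
    return problems


def federated_prefixes(props):
    """Return 'fed-server.<serverid>.ldap.' for every serverid present in the file."""
    ids = {key.split(".")[1] for key in props if key.startswith("fed-server.")}
    return [f"fed-server.{sid}.ldap." for sid in sorted(ids)]


def lint(props):
    findings = []
    if "ldap.svrs" in props:
        findings += check_server_list(props["ldap.svrs"])
    compliance = props.get("ldap.compliance", "none")
    if "ldap.fips" in props:
        findings.append("ldap.fips is deprecated; use ldap.compliance=fips or none")
    for key in LEGACY_PROTOCOL_KEYS:
        if compliance in STRICT_LEVELS:
            if is_true(props, key):
                findings.append(f"{key}=true is ignored: always disabled under {compliance}")
        elif is_true(props, key, default="true"):  # the table's default for these flags is True
            findings.append(f"{key} is enabled (default true): legacy protocol allowed")
    if "ldap.ssl-truststore" in props and "ldap.ssl-truststore-pwd" not in props:
        findings.append("ldap.ssl-truststore-pwd is required when ldap.ssl-truststore is set")
    if "ldap.client-cert-label" in props and "ldap.ssl-keystore" not in props:
        findings.append("ldap.ssl-keystore is required when ldap.client-cert-label is set")
    if "ldap.ssl-keystore" in props and "ldap.ssl-keystore-pwd" not in props:
        findings.append("ldap.ssl-keystore-pwd is required when ldap.ssl-keystore is set")
    if (is_true(props, "ldap.ssl-enable") and "ldap.ssl-truststore" not in props
            and "java.naming.ldap.factory.socket" not in props):
        findings.append("ldap.ssl-enable=true needs ldap.ssl-truststore or java.naming.ldap.factory.socket")
    # Bind settings apply to the primary [ldap] entries and to every federated server.
    for prefix in ["ldap."] + federated_prefixes(props):
        if prefix != "ldap.":
            for required in ("bind-dn", "bind-pwd", "suffix"):
                if prefix + required not in props:
                    findings.append(f"{prefix}{required} is required")
            if is_true(props, prefix + "ssl-enable") and is_true(props, prefix + "ssl-server-start-tls"):
                findings.append(f"{prefix}ssl-server-start-tls=true requires {prefix}ssl-enable=false")
        if props.get(prefix + "bind-dn", "").lower() == "anonymous":
            findings.append(f"{prefix}bind-dn=anonymous: management operations such as creating "
                            "users and resetting passwords usually need a privileged bind")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE_PROPERTIES)):
        print("-", finding)
```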