{"$schema":"https://json-schema.org/draft/2019-09/schema","$defs":{"AuthKind":{"type":"string","enum":["none","simple"]},"Binding":{"type":"object","properties":{"DefaultContext":{"type":"string","description":"Default Context to import from.\nThe security system only sees and can import objects below the default context.\nIf you want to see and import all users of an Identity Provider, then set the default context to the root object/domain.\nIf you want to import only users from a certain department or location, then you can set the default context to\nthe appropriate organization unit or location.\nSee also EverybodyUserGroupName and UserFilter to control/filter the users that are imported.\nFormat = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com"},"ImportUsersOfGroup":{"type":"string","description":"If configured, the security system imports only the users that are members of this user group.\nSee also DefaultContext and UserFilter to control/filter the users that are imported.\nFormat = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com"},"UserFilter":{"type":"string","description":"The security system only imports users that match the given filter.\nSee also DefaultContext and EverybodyUserGroupName to control/filter the users that are imported.\nFormat = LDAP Search Filter (RFC 4515)","default":"(&(objectClass=user)(!(objectClass=computer)))"}},"additionalProperties":false},"Connection":{"type":"object","properties":{"AuthenticationKind":{"$ref":"#/$defs/AuthKind","description":"Provide a technical user for Ivy to access the AD.\nnone = no authentication (default if UserName/Password NOT configured)\nsimple = user name and password are used (default if UserName/Password is configured)"},"EnableInsecureSSL":{"type":"boolean","description":"Are insecure SSL connections allowed (no server certificate verification)?\n\nNOTE: Setting EnableInsecureSSL to true will turn off 
server certificate verification.\nWhenever possible the LDAP server certificate (or its root certificate) should be added to the Ivy Engine trust store.\nSee SSL.Client.TrustStore in the https://developer.axonivy.com/doc/11.2/engine-guide/configuration/files/ivy-yaml.html on how to configure the engine truststore.\n"},"Environment":{"$ref":"#/$defs/Environment","description":"Here you can configure additional environment properties for the LDAP context."},"Password":{"type":"string","description":"Password to authenticate (java.naming.security.credentials)"},"Retry":{"$ref":"#/$defs/Retry"},"Url":{"description":" Url to the Identity Provider\n - LDAP:  ldap://<hostname>:<port>   - port can be omitted if it is default port 389\n - LDAPS: ldaps://<hostname>:<port>  - port can be omitted if it is default port 636\nNOTE: security protocol needs to be set to \"ssl\" for LDAPS (Environment.java.naming.security.protocol, see below).","additionalProperties":false,"type":"string","examples":["ldap://localhost:389","ldaps://localhost:636"]},"UseLdapConnectionPool":{"type":"boolean","description":"Use a connection pool to store established LDAP connections?\nThis can speed up access to the AD since the connections are established once and re-used instead of established, used, closed.\nN.B. 
Further configuration options for the pool have to be set in jvm.options.\nThe settings are documented in https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html"},"UserName":{"type":"string","description":"User name to authenticate to the Identity Provider (java.naming.security.principal).\nValid formats are...\n- LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com\n- Active Directory user name like Administrator"}},"additionalProperties":false},"Deref":{"type":"string","enum":["always","never","finding","searching"]},"Environment":{"type":"object","properties":{"java.naming.ldap.derefAliases":{"$ref":"#/$defs/Deref","description":"How to handle LDAP aliases.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html","default":"always"},"java.naming.referral":{"description":"Specify how referrals received from the Identity Provider are to be processed.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html\n\n- follow: is the default setting, but may cause slow reading from the AD\n- ignore: does not follow the referral\n- throw: throws an error if a referral is found. 
It is intended mostly for identifying and debugging LDAP problems.","default":"follow","additionalProperties":false,"type":"string","examples":["follow","ignore","throw"]},"java.naming.security.protocol":{"description":"Specifies connection security.\nIf this property is unspecified, the behavior is determined by the service provider.\nhttps://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html","additionalProperties":false,"type":"string","examples":["","ssl"]}}},"Lookup":{"type":"string","enum":["MATCHING_RULE","DIRECT","TRAVERSE"]},"Membership":{"type":"object","properties":{"NestedGroupsLookup":{"$ref":"#/$defs/Lookup","description":"This property defines how the synchronization finds all users that are a member of a user group.\nThe default should be fine for most situations.\nOnly if you have strict security settings in your directory, you may need to switch to TRAVERSE.\nThe setting TRAVERSE has a big impact on your synchronization speed if you use 'ImportUsersOfGroup'.","default":"MATCHING_RULE"},"UserGroupMemberOfAttribute":{"type":"string","description":"The LDAP attribute that stores the groups a group is a member of, i.e.\nthe LDAP object of a group contains one of these attributes for each group that the group is a member of.","default":"memberOf"},"UserGroupMembersAttribute":{"type":"string","description":"The LDAP attribute that stores the members (users, groups) of a group","default":"member"},"UserMemberOfAttribute":{"type":"string","description":"The LDAP attribute that stores the groups a user is a member of, i.e.\nthe LDAP object of a user contains one of these attributes for each group the user is a member of.","default":"memberOf"},"UserMemberOfLookupAllowed":{"type":"boolean","description":"Can the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership?\nSometimes, this LDAP attribute is not available because of security concerns.\nIf you set this to false, 
then the security system will import the user role membership with an alternative but slower mechanism.","default":"true"}},"additionalProperties":false},"Retry":{"type":"object","properties":{"Count":{"type":"integer","description":"After a failure, how many times shall a call be retried?","default":"3"},"Delay":{"type":"integer","description":"Delay in milliseconds before the next retry call, after a failure.\nWith each retry the delay time doubles.","default":"500"}},"additionalProperties":false},"UserAttribute":{"type":"object","properties":{"EMail":{"type":"string","description":"The LDAP attribute that stores the mail address of a user","default":"mail"},"FullName":{"type":"string","description":"The LDAP attribute that stores the full name of a user","default":"displayName"},"Id":{"type":"string","description":"The LDAP attribute that stores the unique identifier of a user.\nThis identifier is used during synchronization to identify a renamed user","default":"objectGUID"},"Language":{"type":"string","description":"The LDAP attribute that stores the language of a user"},"Name":{"type":"string","description":"The LDAP attribute that stores the name of a user","default":"sAMAccountName"},"Properties":{"description":"Here, you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)\n\nMaps a user property to an LDAP attribute\nIn the example below 'phoneNumber' is the name of the user property.\nThe value of the property is imported from the LDAP attribute 'phone' of the user.","additionalProperties":{"type":"string"},"type":"object","examples":["phoneNumber: phone"]}},"additionalProperties":false}},"type":"object","properties":{"Binding":{"$ref":"#/$defs/Binding"},"Connection":{"$ref":"#/$defs/Connection"},"Membership":{"$ref":"#/$defs/Membership"},"PageSize":{"type":"integer","description":"The number of objects the security system can read in one LDAP 
request","default":"500"},"Roles":{"description":"Role mapping that is considered by the user synchronization.\nUsers are added to the roles to which they are assigned.\n\nThe left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.\nOn the right side, e.g. cn=manager,ou=ivyteam,dc=axonivy,dc=com, the external name of the role is set.\nThe synchronization adds all users that are assigned to cn=manager,ou=ivyteam,dc=axonivy,dc=com to Manager,\nand all users that are assigned to cn=employee,ou=ivyteam,dc=axonivy,dc=com to Employee.","additionalProperties":{"type":"string"},"type":"object","examples":["Manager: cn=manager,ou=ivyteam,dc=axonivy,dc=com","Employee: cn=employee,ou=ivyteam,dc=axonivy,dc=com"]},"UserAttribute":{"$ref":"#/$defs/UserAttribute"}},"additionalProperties":false}
