config.yml

【参考】

Whenever the config.yml file is changed, execute the recovery_mode.bat file once to clear the old cache.

Log Settings

The following table describes log settings items.

Parameter NameDescriptionRequiredPossible ValuesDefaultExample ConfigurationComments
log

loglevel

Level of output log entry

Yes

One of the following possible values

  • info
  • warn
  • error

 

info

Refer to "Logs" for more information on log levels.

loggerLog output directory 

One of the following possible values

  • eventlog
  • syslog
eventlogsyslog

Specify "syslog" to use Directory Sync in Linux.

OpenLDAP Settings

The following table describes OpenLDAP settings items.

Parameter NameDescriptionRequiredPossible ValuesDefaultExample Configuration
ad








ldap

 









server

 

addresses

IP address or host name of the LDAP server

Multiple configurations possible

Yes

IP address or host name

 

Example 1:
- 127.0.0.1
Example 2:
- ldap1.example.co.jp
- ldap2.example.co.jp

port

LDAP service port

 

Value from 1 to 65535

389

389

user

Login user for LDAP service

Yes

DN (distinguished name)

 'CN=IIJ Taro,CN=Users,DC=example,DC=co,DC=jp'
timeoutTimeout value in seconds for communication with the LDAP server Value from 1 to 36000360010800
base_dn

Base distinguished name
Yes

DN (distinguished name)

 

'DC=example,DC=co,DC=jp'

filteruser

Specifies the filter used to search users via LDAP

 

Search filter usable by ldapsearch (compliant with RFC 1558)

 'CN=IIJ Taro'
group

Specifies the filter used to search groups via LDAP

 

Search filter usable by ldapsearch (compliant with RFC 1558)

 'CN=IIJ Group'
search


userobject_class

User object class

 

Name of object class

User
  • inetOrgPerson
  • posixAccount
  • Etc.
group

object_class

Group object class

 Name of object classGroup
  • groupOfNames
  • groupOfUniqueNames
  • posixGroup
  • Etc.
member_attribute

Name of attribute describing group members

 Attribute namemember
  • member
  • uniqueMember
  • memberUid
  • Etc.
member_user_attribute

Indicates whether the dn or uid of users is specified as the group member attribute value

 

One of the following possible values

  • dn
  • uid
dn
  • dn
  • uid
IIJ ID Server Settings

The following table describes SCIM server connection settings items for the IIJ ID Service.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments

iid




scim




 http


proxy


use

Enables use of a proxy for communication with the SCIM server

 

One of the following possible values

  • true

  • false

falsetrue 

address

IP address or host name of the proxy server

 IP address
or host name
 proxy.example.co.jp 
port

Port number of the proxy server

 

Value from 1 to 65535

8080

8080

 
userUser name used for proxy authentication   iij-taro

Enabled when iid.scim.http.proxy.password (secret.yml) is also described 

filteruserSCIM filter rules used when retrieving users 

Filter rules usable by SCIM (compliant with RFC 7644)

 userName ew "@example.jp" 
groupSCIM filter rules used when retrieving groups 

Filter rules usable by SCIM (compliant with RFC 7644)

 displayName eq "IIJ ID group" 
IIJ ID User Settings

These settings are used to configure users when provisioned in the IIJ ID Service.

The following settings items are configurable.

  • Default Values (default)
  • OpenLDAP Attribute Values (ad_bind)
  • Conversions (convert)
  • Exclusions (exclude)
【参考】

Processing is performed in the following sequence: default > ad_bind > convert > exclude.

Default Values (default)

These settings are used to configure the default values of user attributes. If a value for a corresponding OpenLDAP attribute is missing, the default value configured with these settings is provisioned to the IIJ ID Service.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments
iid

 scim

 attribute

 user

 default

preferredLanguage

Language

 

One of the following possible values

  • ja-JP

  • en-US

ja-JP

ja-JP

 

timezone

Time zone

 

Only the following value can be configured.

  • Asia/Tokyo

Asia/Tokyo

Asia/Tokyo

 

active

Status (enabled or disabled)

 

One of the following possible values

  • true

  • false

true

true

 

emails

(An array of up to 2 entries can be configured.)

primaryIndicates whether the email address is the primary email address 

One of the following possible values

  • true

  • false

 falseOnly one email address can be set as the primary email address.

phoneNumbers

(An array of up to 10 entries can be configured.)



displayDisplay name of phone number     
typeType of phone number   "work", "home", "mobile", "fax", "pager", and "other" 
primaryIndicates whether a phone number is the primary phone number 

One of the following possible values

  • true

  • false

 falseOnly one phone number can be set as the primary phone number.
idTokenClaimsissuerIssuer of upstream ID provider   https://idp.example.jp/ 

ims

(An array of up to 10 entries can be configured.)



display

Display name of instance messenger

   Messenger A 
type

Instance messenger type

   

"aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", or "other"

 
primary

Indicates whether the instance messenger is the primary instance messenger

 

One of the following possible values

  • true

  • false

 falseOnly one instance messenger can be set as the instance messenger.

entitlements

(An array of up to 20 entries can be configured.)



valueUser entitlement     

display

Display name of entitlement     
typeEntitlement type     
primaryIndicates whether the entitlement is the primary entitlement 

One of the following possible values

  • true

  • false

 false 

x509Certificates

(An array of up to 20 entries can be configured.)



display

Display name of X.509 certificate

   Certificate A 
type

X.509 certificate type

   laptop, smartphone 

primary

Indicates whether the X.509 certificate is the primary X.509 certificate

 

One of the following possible values

  • true

  • false

 falseOnly one X.509 certificate can be set as the primary X.509 certificate
OpenLDAP Attribute Values (ad_bind)

These settings are used to configure OpenLDAP attributes tied to users in the IIJ ID Service.

Any configured default values are overwritten with attribute values configured with ad_bind.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments

iid









scim









attribute









user









ad_bind









externalId

External ID (user)

Yes
  
  • employeeNumber
  • mail
  • dn
  • Etc.
If the attribute value is empty or a duplicate, user synchronization will fail.

userName

ID

Yes
 

 

  • employeeNumber
  • mail
  • Etc.

Multi-byte characters cannot be used for attribute values.

If the attribute value is empty or a duplicate, user synchronization will fail.

name

familyName

Last name

  

 

  • displayName
  • Etc.

If the attribute value is empty, user synchronization will fail.

givenName

First name

  

 

  • displayName
  • Etc.
If the attribute value is empty, user synchronization will fail.

emails

(An array of up to 2 entries can be configured.)

value

Notification email address

Yes
  
  • mail
  • Etc.
If the attribute value is empty, user synchronization will fail.
localNames

familyName

Last name in katakana

 

 

 

 

If the attribute value is described in hiragana, it will be converted into katakana and then synchronized with the IIJ ID Service.

givenName

First name in katakana

 

 

 

 

If the attribute value is described in hiragana, it will be converted into katakana and then synchronized with the IIJ ID Service.
preferredLanguageLanguage   
  • preferredLanguage
  • Etc.
 
departmentDepartment   
  • ou
  • Etc.
 

title

Position

   
  • title
  • Etc.
 

active

Status (enabled or disabled)

 

  
  • pwdAccountLockedTime
  • Etc.

Multiple attributes can be configured with an array.

When multiple values are configured, the user will be disabled if even one attribute is disabled.

A user is determined to be disabled if the attribute has a value (actual value is not evaluated).   

externalUserName

User name for upstream ID provider

   
  • mail
  • Etc.
This attribute is also used as the login_hint value when an authorization request is sent from the IIJ ID Service to an upstream ID provider (OpenID Connect).
idTokenClaimssubject

Unique ID for upstream ID provider

(Corresponding to the sub claim of the ID token issued by the upstream ID provider)

   
  • mail
  • Etc.
idTokenClaims.subject is used when the authentication protocol used with the upstream ID provider is OpenID Connect.

phoneNumbers

(An array of up to 10 entries can be configured.)

value

Phone numbers   

Values sent to the IIJ ID Service must be RFC 3966-format.

(Example: tel: +1-201-555-0123)

 

ims

(An array of up to 10 entries can be configured.)

valueInstance messenger ID, etc.     

entitlements

(An array of up to 20 entries can be configured.)

valueUser entitlement   
  • mail

  • Etc.
 

x509Certificates

(An array of up to 20 entries can be configured.)

valueX.509 certificates   

X.509 certificates must be in DER format using Base64 encoding.

 
【参考】

External IDs (users) configured here function as attributes to create correspondence between OpenLDAP and the IIJ ID Service.

【参考】

Although the method of specifying notification email addresses has changed starting with Directory Sync 2.1.0, the previous configuration method can still be used. However, you cannot use both the new and old configuration methods together.

[Old Configuration]

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments

iidscimattributeuserdefault

emails

Notification email address (default value)

 

Text string in email address format iij-taro@mail.example.jp 
    ad_bindemailsNotification email address (OpenLDAP attribute) Yes  
  • mail
  • Etc.
If the attribute value is empty, user synchronization will fail.  
    excludeemailsNotification email address (exclusion condition) Text string in email address format - 'iij-jiro@example.co.jp'
- 'iij-saburo@example.co.jp'
 

Conversions (convert)

This parameter is used to convert attribute values configured by default and ad_bind.

Characters that match the pattern parameter for each parameter are replaced with the characters defined by the replacement parameter.

Regular expressions can be used to describe the values of pattern and replacement parameters.

Multiple conversion conditions can be configured. When multiple conditions are configured, the conditions are processed in the order they were described.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments
iidscimattributeuserconvert

phoneNumbers
(An array of up to 10 entries can be configured.)

 value

Phone numbers

   

Example 1: Convert a phone number such as 080-0000-0000 into RFC 3966-compliant format.

- pattern: '\A0'
  replacement: 'tel:+81'

 
Exclusions (exclude)

These parameters are used to specify conditions that are excluded from the IIJ ID Service provisioning process.

Provisioning (creation, updating, and deletion) to the IIJ ID Service will not be executed regarding users that match configured parameter values exactly.

Multiple exclusion conditions can be configured.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments
iid







scim







attribute







user







exclude







userName

ID

 

Text string in email address format - 'iij-taro@example.co.jp'  
name

familyName

Last name   - 'IIJ'
- '斉藤 (Saito)'
 

givenName

First name   - '太郎 (Taro)'
- '次郎 (Jiro)' 
 

emails

(An array of up to 2 entries can be configured.)

valueNotification email address Text string in email address format - 'iij-jiro@example.co.jp'
- 'iij-saburo@example.co.jp' 
 
localNames

familyName

Last name in katakana   - 'アイアイジェイ (IIJ)'
- 'サイトウ (Saito)' 
 

givenName

First name in katakana   - 'タロウ (Taro)'
- 'ジロウ (Jiro)' 
 
preferredLanguageLanguage   - 'en-US' 
departmentDepartment   - 'Network Division'
- 'Product Division' 
 
titlePosition   - 'Assistant Manager'
- '' 
 

entitlements

(An array of up to 20 entries can be configured.)

value

User entitlement

     
IIJ ID Group Settings

These settings are used to configure groups when provisioned in the IIJ ID Service.

The following settings items are configurable.

  • Default Values (default)
  • OpenLDAP Attributes (ad_bind)
  • Exclusions (exclude)
【参考】

  • Processing is performed in the following sequence: default > ad_bind > exclude.
  • Provisioning of group email address attributes is not supported.

Default Values (default)
Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments

iid

scim

attribute

group

default

descriptionGroup description   Kansai Branch Office group 
emailGroup email address   groupA@example.jp 
groupTypeGroup type 

One of the following possible values

  • security

  • distribution

 security 
OpenLDAP Attribute Values (ad_bind)

These settings are used to configure OpenLDAP attributes tied to groups in the IIJ ID Service.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments
iidscimattributegroup

ad_bind

externalId

External ID (group)
Yes

Attribute name

 
  • dn
  • Etc.
 

displayName

Group name
Yes

Attribute name

 
  • cn
  • Etc.
 
descriptionGroup description   
  • description
  • Etc.
 
emailGroup email address     
【参考】

External IDs (groups) configured here function as attributes to create correspondence between OpenLDAP and the IIJ ID Service.

Exclusions (exclude)

These parameters are used to specify conditions that are excluded from the IIJ ID Service provisioning process.

Provisioning (creation, updating, and deletion) to the IIJ ID Service will not be executed regarding groups that match configured parameter values exactly.

Multiple exclusion conditions can be configured.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments
iidscimattributegroupexclude

externalId

External ID (group)   

- abc01234-12ab-12ab-0123-456abc

 

displayName

Group name   

- Group D
- Group A 

 
descriptionGroup description   

- Kansai Branch Office group

 
emailGroup email address   

- delta.group@example.jp

 
groupTypeGroup type   

- security

- distribution