config.yml
[ Reference ]
Whenever the config.yml file is changed, execute the recovery_mode.sh file once to clear the old cache.
Log Settings
The following table describes log settings items.
| Parameter Name | Description | Required | Possible Values | Default | Example Configuration | Comments | |
|---|---|---|---|---|---|---|---|
| log | loglevel |
Level of output log entry |
Yes |
One of the following possible values
|
info |
Refer to "Logs" for more information on log levels. |
|
| logger | Log output directory | One of the following possible values
|
eventlog | syslog | Specify "syslog" to use Directory Sync in Linux. |
||
OpenLDAP Settings
The following table describes OpenLDAP settings items.
| Parameter Name | Description | Required | Possible Values | Default | Example Configuration | ||||
|---|---|---|---|---|---|---|---|---|---|
| ad |
ldap |
server |
addresses |
IP address or host name of the LDAP server Multiple configurations possible |
Yes |
IP address or host name |
Example 1: |
||
| port | LDAP service port |
Value from 1 to 65535 | 389 |
389 |
|||||
| user | Login user for LDAP service |
Yes |
DN (distinguished name) |
'CN=IIJ Taro,CN=Users,DC=example,DC=co,DC=jp' | |||||
| timeout | Timeout value in seconds for communication with the LDAP server | Value from 1 to 36000 | 3600 | 10800 | |||||
| base_dn |
Base distinguished name | Yes |
DN (distinguished name) |
'DC=example,DC=co,DC=jp' |
|||||
| filter | user | Specifies the filter used to search users via LDAP |
Search filter usable by ldapsearch (compliant with RFC 1558) |
'CN=IIJ Taro' | |||||
| group | Specifies the filter used to search groups via LDAP |
Search filter usable by ldapsearch (compliant with RFC 1558) |
'CN=IIJ Group' | ||||||
| search |
user | object_class | User object class |
Name of object class |
User |
|
|||
| group |
object_class | Group object class |
Name of object class | Group |
|
||||
| member_attribute | Name of attribute describing group members |
Attribute name | member |
|
|||||
| member_user_attribute | Indicates whether the dn or uid of users is specified as the group member attribute value |
One of the following possible values
|
dn |
|
|||||
IIJ ID Server Settings
The following table describes SCIM server connection settings items for the IIJ ID Service.
Parameter Name |
Description |
Required |
Possible Values |
Default |
Example Configuration |
Comments |
||||
|---|---|---|---|---|---|---|---|---|---|---|
| iid |
scim |
http |
proxy |
use |
Enables use of a proxy for communication with the SCIM server |
One of the following possible values
|
false | true | ||
address |
IP address or host name of the proxy server |
IP address or host name |
proxy.example.co.jp | |||||||
| port | Port number of the proxy server |
Value from 1 to 65535 |
8080 |
8080 |
||||||
| user | User name used for proxy authentication | iij-taro | Enabled when iid.scim.http.proxy.password (secret.yml) is also described |
|||||||
| filter | user | SCIM filter rules used when retrieving users | Filter rules usable by SCIM (compliant with RFC 7644) |
userName ew "@example.jp" | ||||||
| group | SCIM filter rules used when retrieving groups | Filter rules usable by SCIM (compliant with RFC 7644) |
displayName eq "IIJ ID group" | |||||||
| server | dial_timeout | Timeout value regarding establishing communication with the SCIM server | Value from 1 to 36000 | 30 | 60 | |||||
tls_handshake_timeout |
Timeout value regarding a TLS handshake with the SCIM server | Value from 1 to 36000 | 10 | 60 | ||||||
| timeout | Timeout value regarding overall communication with the SCIM server | Value from 1 to 36000 | 3600 | 7200 | ||||||
IIJ ID User Settings
These settings are used to configure users when provisioned in the IIJ ID Service.
The following settings items are configurable.
- Default Values (default)
- OpenLDAP Attribute Values (ad_bind)
- Conversions (convert)
- Exclusions (exclude)
[ Reference ]
Processing is performed in the following sequence: default > ad_bind > convert > exclude.
Default Values (default)
These settings are used to configure the default values of user attributes. If a value for a corresponding OpenLDAP attribute is missing, the default value configured with these settings is provisioned to the IIJ ID Service.
| Parameter Name | Description |
Required |
Possible Values |
Default |
Example Configuration |
Comments | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| iid |
scim |
attribute |
user |
default |
preferredLanguage |
Language |
One of the following possible values
|
ja-JP | ja-JP |
|||
timezone |
Time zone |
Only the following value can be configured.
|
Asia/Tokyo | Asia/Tokyo |
||||||||
active |
Status (enabled or disabled) |
One of the following possible values
|
true | true |
||||||||
emails (An array of up to 2 entries can be configured.) |
primary | Indicates whether the email address is the primary email address | One of the following possible values
|
false | Only one email address can be set as the primary email address. | |||||||
phoneNumbers (An array of up to 10 entries can be configured.) |
display | Display name of phone number | ||||||||||
| type | Type of phone number | "work", "home", "mobile", "fax", "pager", and "other" | ||||||||||
| primary | Indicates whether a phone number is the primary phone number | One of the following possible values
|
false | Only one phone number can be set as the primary phone number. | ||||||||
| idTokenClaims | issuer | Issuer of upstream ID provider | https://idp.example.jp/ | |||||||||
ims (An array of up to 10 entries can be configured.) |
display | Display name of instance messenger |
Messenger A | |||||||||
| type | Instance messenger type |
"aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", or "other" |
||||||||||
| primary | Indicates whether the instance messenger is the primary instance messenger |
One of the following possible values
|
false | Only one instance messenger can be set as the instance messenger. | ||||||||
entitlements (An array of up to 20 entries can be configured.) |
value | User entitlement | ||||||||||
display |
Display name of entitlement | |||||||||||
| type | Entitlement type | |||||||||||
| primary | Indicates whether the entitlement is the primary entitlement | One of the following possible values
|
false | |||||||||
x509Certificates (An array of up to 20 entries can be configured.) |
display | Display name of X.509 certificate |
Certificate A | |||||||||
| type | X.509 certificate type |
laptop, smartphone | ||||||||||
primary |
Indicates whether the X.509 certificate is the primary X.509 certificate |
One of the following possible values
|
false | Only one X.509 certificate can be set as the primary X.509 certificate | ||||||||
OpenLDAP Attribute Values (ad_bind)
These settings are used to configure OpenLDAP attributes tied to users in the IIJ ID Service.
Any configured default values are overwritten with attribute values configured with ad_bind.
| Parameter Name | Description |
Required |
Possible Values | Default |
Example Configuration |
Comments |
||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| iid |
scim |
attribute |
user |
ad_bind |
externalId |
External ID (user) |
Yes |
|
If the attribute value is empty or a duplicate, user synchronization will fail. | |||
userName |
ID |
Yes |
|
Multi-byte characters cannot be used for attribute values. If the attribute value is empty or a duplicate, user synchronization will fail. |
||||||||
name |
familyName |
Last name |
|
If the attribute value is empty, user synchronization will fail. |
||||||||
givenName |
First name |
|
If the attribute value is empty, user synchronization will fail. | |||||||||
emails (An array of up to 2 entries can be configured.) |
value |
Notification email address |
Yes |
|
If the attribute value is empty, user synchronization will fail. | |||||||
| localNames | familyName |
Last name in katakana |
If the attribute value is described in hiragana, it will be converted into katakana and then synchronized with the IIJ ID Service. | |||||||||
givenName |
First name in katakana |
If the attribute value is described in hiragana, it will be converted into katakana and then synchronized with the IIJ ID Service. | ||||||||||
| preferredLanguage | Language |
|
||||||||||
| department | Department |
|
||||||||||
title |
Position |
|
||||||||||
active |
Status (enabled or disabled) |
|
Multiple attributes can be configured with an array. When multiple values are configured, the user will be disabled if even one attribute is disabled. A user is determined to be disabled if the attribute has a value (actual value is not evaluated). |
|||||||||
| externalUserName | User name for upstream ID provider |
|
This attribute is also used as the login_hint value when an authorization request is sent from the IIJ ID Service to an upstream ID provider (OpenID Connect). | |||||||||
| idTokenClaims | subject | Unique ID for upstream ID provider (Corresponding to the sub claim of the ID token issued by the upstream ID provider) |
|
idTokenClaims.subject is used when the authentication protocol used with the upstream ID provider is OpenID Connect. | ||||||||
phoneNumbers (An array of up to 10 entries can be configured.) |
value |
Phone numbers | Values sent to the IIJ ID Service must be RFC 3966-format. (Example: tel: +1-201-555-0123) |
|||||||||
ims (An array of up to 10 entries can be configured.) |
value | Instance messenger ID, etc. | ||||||||||
entitlements (An array of up to 20 entries can be configured.) |
value | User entitlement |
|
|||||||||
x509Certificates (An array of up to 20 entries can be configured.) |
value | X.509 certificates | X.509 certificates must be in DER format using Base64 encoding. |
|||||||||
| downstreamId | Application-linking ID |
|
||||||||||
[ Reference ]
External IDs (users) configured here function as attributes to create correspondence between OpenLDAP and the IIJ ID Service.
[ Reference ]
Although the method of specifying notification email addresses has changed starting with Directory Sync 2.1.0, the previous configuration method can still be used. However, you cannot use both the new and old configuration methods together.
[Old Configuration]
| Parameter Name | Description |
Required |
Possible Values |
Default |
Example Configuration |
Comments |
|||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| iid | scim | attribute | user | default | emails |
Notification email address (default value) | Text string in email address format | iij-taro@mail.example.jp | |||
| ad_bind | emails | Notification email address (OpenLDAP attribute) | Yes |
|
If the attribute value is empty, user synchronization will fail. | ||||||
| exclude | emails | Notification email address (exclusion condition) | Text string in email address format | - 'iij-jiro@example.co.jp' - 'iij-saburo@example.co.jp' |
|||||||
Conversions (convert)
This parameter is used to convert attribute values configured by default and ad_bind.
Characters that match the pattern parameter for each parameter are replaced with the characters defined by the replacement parameter.
Regular expressions can be used to describe the values of pattern and replacement parameters. Refer to "Available Regular Expressions" for more information on regular expressions that can be configured.
Multiple conversion conditions can be configured. When multiple conditions are configured, the conditions are processed in the order they were described.
| Parameter Name | Description |
Required |
Possible Values |
Default |
Example Configuration |
Comments | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| iid | scim | attribute | user | convert | phoneNumbers |
value | Phone numbers |
Example 1: Convert a phone number such as 080-0000-0000 into RFC 3966-compliant format. - pattern: '\A0' |
||||
Exclusions (exclude)
These parameters are used to specify conditions that are excluded from the IIJ ID Service provisioning process.
Provisioning (creation, updating, and deletion) to the IIJ ID Service will not be executed regarding users that match configured parameter values exactly.
Multiple exclusion conditions can be configured.
Parameter Name |
Description |
Required |
Possible Values |
Default |
Example Configuration |
Comments | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| iid |
scim |
attribute |
user |
exclude |
userName |
ID | Text string in email address format | - 'iij-taro@example.co.jp' | ||||
| name | familyName |
Last name | - 'IIJ' - '斉藤 (Saito)' |
|||||||||
givenName |
First name | - '太郎 (Taro)' - '次郎 (Jiro)' |
||||||||||
emails (An array of up to 2 entries can be configured.) |
value | Notification email address | Text string in email address format | - 'iij-jiro@example.co.jp' - 'iij-saburo@example.co.jp' |
||||||||
| localNames | familyName |
Last name in katakana | - 'アイアイジェイ (IIJ)' - 'サイトウ (Saito)' |
|||||||||
givenName |
First name in katakana | - 'タロウ (Taro)' - 'ジロウ (Jiro)' |
||||||||||
| preferredLanguage | Language | - 'en-US' | ||||||||||
| department | Department | - 'Network Division' - 'Product Division' |
||||||||||
| title | Position | - 'Assistant Manager' - '' |
||||||||||
entitlements (An array of up to 20 entries can be configured.) |
value | User entitlement |
||||||||||
IIJ ID Group Settings
These settings are used to configure groups when provisioned in the IIJ ID Service.
The following settings items are configurable.
- Default Values (default)
- OpenLDAP Attributes (ad_bind)
- Exclusions (exclude)
[ Reference ]
- Processing is performed in the following sequence: default > ad_bind > exclude.
- Provisioning of group email address attributes is not supported.
Default Values (default)
| Parameter Name | Description |
Required |
Possible Values |
Default |
Example Configuration |
Comments |
|||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| iid |
scim |
attribute |
group |
default |
description | Group description | Kansai Branch Office group | ||||
| Group email address | groupA@example.jp | ||||||||||
| groupType | Group type | One of the following possible values
|
security | ||||||||
OpenLDAP Attribute Values (ad_bind)
These settings are used to configure OpenLDAP attributes tied to groups in the IIJ ID Service.
| Parameter Name | Description |
Required |
Possible Values |
Default |
Example Configuration |
Comments | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| iid | scim | attribute | group | ad_bind |
externalId |
External ID (group) | Yes |
Attribute name |
|
||
displayName |
Group name | Yes |
Attribute name |
|
|||||||
| description | Group description |
|
|||||||||
| Group email address | |||||||||||
[ Reference ]
External IDs (groups) configured here function as attributes to create correspondence between OpenLDAP and the IIJ ID Service.
Exclusions (exclude)
These parameters are used to specify conditions that are excluded from the IIJ ID Service provisioning process.
Provisioning (creation, updating, and deletion) to the IIJ ID Service will not be executed regarding groups that match configured parameter values exactly.
Multiple exclusion conditions can be configured.
| Parameter Name | Description |
Required |
Possible Values |
Default |
Example Configuration |
Comments | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| iid | scim | attribute | group | exclude | externalId |
External ID (group) | - abc01234-12ab-12ab-0123-456abc |
||||
displayName |
Group name | - Group D |
|||||||||
| description | Group description | - Kansai Branch Office group |
|||||||||
| Group email address | - delta.group@example.jp |
||||||||||
| groupType | Group type | - security - distribution |
|||||||||