config.yml

【参考】

Whenever the config.yml file is changed, execute the recovery_mode.bat file once to clear the old cache.

Log Settings

The following table describes log settings items.

Parameter NameDescriptionRequiredPossible ValuesDefaultExample ConfigurationComments
log

loglevel

Level of output log entry

Yes

One of the following possible values

  • info
  • warn
  • error
 

info

Refer to "Logs" for more information on log levels.

loggerLog output directory 

One of the following possible values

  • eventlog
  • syslog
eventlogeventlog

Specify eventlog to use Directory Sync in Windows.

Active Directory Settings

The following table describes the Active Directory settings items.

Parameter NameDescriptionRequiredPossible ValuesDefaultExample ConfigurationComments
ad




ldap




server

addresses

AD DS IP address or host name

Multiple configurations possible

Yes

IP address or host name

 

Example 1:
- 127.0.0.1

Example 2:
- ad1.example.co.jp
- ad2.example.co.jp

 

port

LDAP service port provided by AD DS

 

Value from 1 to 65535

389

389

 

user

AD DS login user

Yes

DN (distinguished name)

 

'CN=IIJ Taro,CN=Users,DC=example,DC=co,DC=jp'

 
timeoutTimeout value (in seconds) for communication with AD DS Value from 1 to 36000360010800 

base_dn

Base distinguished name

Yes
DN (distinguished name)

 

'DC=example,DC=co,DC=jp' 

 
filteruserSpecifies the filter used to search users via LDAP Search filter format usable by ldapsearch (compliant with RFC 1558) 'CN=IIJ Taro' 
groupSpecifies the filter used to search groups via LDAP Search filter format usable by ldapsearch (compliant with RFC 1558) 'CN=IIJ Group' 
IIJ ID Server Settings

The following table describes SCIM server connection settings for the IIJ ID Service.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments

iid


  
scim




 http


proxy


use

Enables use of a proxy for communication with the SCIM server

 

One of the following possible values

  • true

  • false

falsetrue 

address

IP address or host name of the proxy server

 IP address or host name proxy.example.co.jp 
port

Port number of the proxy server

 

Value from 1 to 65535

8080

8080

 
userUser name used for proxy authentication    iij-taro

Enabled when iid.scim.http.proxy.password (secret.yml) is also described 

filteruser SCIM filter rules used when retrieving users Filter rules usable by SCIM (compliant with RFC 7644)  userName ew "@example.jp"Refer to "Active Directory Topologies" for more information.
group SCIM filter rules used when retrieving groups Filter rules usable by SCIM (compliant with RFC 7644)  displayName eq "IIJ ID group"

Refer to "Active Directory Topologies" for more information.

IIJ ID User Settings

These settings are used to configure users when provisioned in the IIJ ID Service.

The following settings items are configurable.

  • Default Values (default)
  • Active Directory Attributes (ad_bind)
  • Conversions (convert)
  • Exclusions (exclude)
【参考】

Processing is performed in the following sequence: default > ad_bind > convert > exclude.

Default Values (default)

These settings are used to configure the default values of user attributes. If a value for a corresponding Active Directory attribute is missing, the default value configured with these settings is provisioned to the IIJ ID Service.

 

Parameter Name 

Description

Required

Possible Values

Default

Example Configuration

Comments
iid



 scim



 attribute



 user



 default



 

 

 

 

 

 

 

 

 

 

preferredLanguage

 

Language

 

One of the following possible values

  • ja-JP

  • en-US

ja-JP

ja-JP

 

timezone

 

Time zone

 

Only the following value can be configured.

  • Asia/Tokyo

Asia/Tokyo

Asia/Tokyo

 

active

 

Status (enabled or disabled)

 

One of the following possible values

  • true

  • false

true

true

 

emails

(An array of up to 5 entries can be configured.)

primarySpecifies whether the email address is the primary email addressYes

One of the following possible values

  • true

  • false

 falseOnly one email address can be set as the primary email address.

phoneNumbers

(An array of up to 10 entries can be configured.)



displayDisplay name of phone number   "work", "home", "mobile", "fax", "pager", and "other" 
typeType of phone number     
primarySpecifies whether a phone number is the primary phone number 

One of the following possible values

  • true

  • false

 falseOnly one phone number can be set as the primary phone number.

idTokenClaims

issuer

Issuer of upstream ID provider

   https://idp.example.jp/ 

ims

(An array of up to 10 entries can be configured.)



display

Display name of instance messenger

   Messenger A 
type

Instance messenger type

   "aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", or "other" 
primarySpecifies whether the instance messenger is the primary instance messenger 

One of the following possible values

  • true

  • false

 false

Only one instance messenger can be set as the primary instance messenger.

entitlements

(An array of up to 20 entries can be configured.)




value

User entitlement

     
display

Display name of entitlement

     
type

Entitlement type

     
primary

Specifies whether the entitlement is the primary entitlement

 

One of the following possible values

  • true

  • false

 falseOnly one entitlement can be set as the primary entitlement.

x509Certificates

(An array of up to 20 entries can be configured.)




display

Display name of X.509 certificate

   

Certificate A

 

type

X.509 certificate type

   laptop, smartphone 

primary

Specifies whether the X.509 certificate is the primary X.509 certificate

 

One of the following possible values

  • true

  • false

 falseOnly one X.509 certificate can be set as the primary X.509 certificate.
Active Directory Attributes (ad_bind)

These settings are used to configure Active Directory attributes tied to users in the IIJ ID Service.

Any configured default values are overwritten with attribute values configured with ad_bind.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments

iid









scim









attribute









user









ad_bind









 

 

 

 

 

 

 

 

 

 

 

 

externalId

External ID (user)

Yes

One of the following possible values

  • objectGUID

  • userPrincipalName

  • sAMAccountName *

  • mail *

 

objectGUID

If the attribute value is empty or a duplicate, user synchronization will fail.

userName

ID

Yes

One of the following possible values

  • userPrincipalName

  • mail

 

mail

Multi-byte characters cannot be used for attribute values.

If the attribute value is empty or a duplicate, user synchronization will fail.  

emails

(An array of up to 5 entries can be configured.)

valueNotification email addressYesOne of the following possible values
  • userPrincipalName

  • mail

 mail If the attribute value is empty, user synchronization will fail.  

name

 

familyName

Last name

 

One of the following possible values

  • sn

  • displayName

 

sn

If the attribute value is empty, user synchronization will fail.  

givenName

First name

 

One of the following possible values

  • givenName

  • displayName

 

givenName

If the attribute value is empty, user synchronization will fail. 
localNames

familyName

Last name in katakana

 

One of the following possible values

  • msDS-PhoneticLastName

  • msDS-PhoneticDisplayName

 

msDS-PhoneticLastName

If the attribute value is described in hiragana, it will be converted into katakana and then synchronized with the IIJ ID Service. 

givenName

First name in katakana

 

One of the following possible values

  • msDS-PhoneticFirstName

  • msDS-PhoneticDisplayName

 

msDS-PhoneticFirstName

If the attribute value is described in hiragana, it will be converted into katakana and then synchronized with the IIJ ID Service. 
preferredLanguageLanguage 

Only the following value can be configured.

  • preferredLanguage

 preferredLanguage 
departmentDepartment 

Only the following value can be configured.

  • department

 department 

title

Position

 

Only the following value can be configured.

  • title

 

title

 

active

Status (enabled or disabled)

 

Multiple attributes, such as the following value, can be configured with an array.

  • userAccountControl

  • accountExpires

  • Etc.
 

Example 1:
- userAccountControl

Example 2:
- userAccountControl
- accountExpires

User is determined to be disabled when the following attribute value is included.

  • userAccountControl: Included when account is disabled
  • accountExpires: Included when account has expired
  • Other attributes: Attributes have a value (value itself is not evaluated)

When multiple values are configured, the user will be disabled if even one attribute is invalid.

externalUserName

User name for upstream ID provider

 

Multiple values, such as the following, can be configured.

  • userPrincipalName
  • mail
  • Etc.
 userPrincipalNameThis attribute is also used as the login_hint value when an authorization request is sent from the IIJ ID Service to an upstream ID provider (OpenID Connect).
idTokenClaimssubject

Unique ID for upstream ID provider

(Corresponding to the sub claim of the ID token issued by the upstream ID provider)

 

Multiple values, such as the following, can be configured.

  • objectGUID
  • userPrincipalName
  • mail
  • sAMAccountName
  • Etc.
 objectGUIDidTokenClaims.subject is used when the authentication protocol used with the upstream ID provider is OpenID Connect.

phoneNumbers

(An array of up to 10 entries can be configured.)

valuePhone numbers 

Multiple values, such as the following, can be configured.

  • facsimileTelephoneNumber
  • pager
  • telephoneNumber
  • Etc.
 

Example 1:
facsimileTelephoneNumber

Example 2:
telephoneNumber

Values sent to the IIJ ID Service must be RFC 3966-format.

(Example: tel:+1-201-555-0123)

ims

(An array of up to 10 entries can be configured.)

valueInstance messenger ID, etc.     

entitlements

(An array of up to 20 entries can be configured.)

valueUser entitlement 

Multiple values, such as the following, can be configured.

  • userPrincipalName

  • sAMAccountName

  • mail

  • Etc.
 userPrincipalName 

x509Certificates

(An array of up to 20 entries can be configured.)

valueX.509 certificates 

Multiple values, such as the following, can be configured.

  • userCertificate
  • Etc.
  X.509 certificates must be in DER format using Base64 encoding.

* Configuring sAMAccountName attribute and email attribute values is not recommended due to no guaranteed of uniqueness by Active Directory.

【注意】

If using this software together with Password Sync, make sure that the external IDs (users) are configured the same in both Directory Sync and Password Sync.

【参考】

External IDs (users) configured here function as attributes to create correspondence between Active Directory and the IIJ ID Service.

【参考】

Although the method of specifying "Notification email address" has changed starting with Directory Sync 2.1.0, the previous configuration method can still be used.

You cannot use both the new and old configuration methods together.

[Old Configuration]

 

Description

Required

Possible Values

Default

Example Configuration

Comments

iid

scim

attribute

user

default

emails

Notification email address (default value)

 

Text string in email address format iij-taro@mail.example.jp 
ad_bindemailsNotification email address (Active Directory attribute value)Yes

One of the following possible values

  • userPrincipalName

  • sAMAccountName

  • mail

 mailIf the attribute value is empty, user synchronization will fail.  
excludeemailsNotification email address (exclusion condition) Text string in email address format - 'iij-jiro@example.co.jp'
- 'iij-saburo@example.co.jp'
 


Conversions (convert)

This parameter is used to convert attribute values configured by default and ad_bind.

Characters that match the pattern parameter for each parameter are replaced with the characters defined by the replacement parameter.
Regular expressions can be used to describe the values of pattern and replacement parameters.

Multiple conversion conditions can be configured. When multiple conditions are configured, the conditions are processed in the order they were described.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments
iidscimattributeuserconvert

phoneNumbers
(An array of up to 10 entries can be configured.)

 value

Phone numbers

   

Example 1: Converts a phone number such as 080-0000-0000 into RFC 3966-compliant format.

- pattern: '\A0'
  replacement: 'tel:+81'

 
Exclusions (exclude)

These parameters are used to specify conditions that are excluded from the IIJ ID Service provisioning process.
Provisioning (creation, updating, and deletion) to the IIJ ID Service will not be executed regarding users that match any configured parameter values exactly.
Multiple exclusion conditions can be configured.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

iid







scim







attribute







user







exclude







userName

ID

 

Text string in email address format - 'iij-taro@example.co.jp'  
name

familyName

Last name   - 'IIJ'
- '斉藤 (Saito)'

givenName

First name   - '太郎 (Taro)'
- '次郎 (Jiro)' 
emails
(An array of up to 5 entries can be configured.)
valueNotification email address Text string in email address format - 'iij-taro@example.co.jp'
- 'iij-jiro@example.co.jp'
localNames

familyName

Last name in katakana   - 'アイアイジェイ (IIJ)'
- 'サイトウ (Saito)' 

givenName

First name in katakana   - 'タロウ (Taro)'
- 'ジロウ (Jiro)'  
preferredLanguageLanguage   - 'en-US'
departmentDepartment   - 'Network Division'
- 'Product Division' 
titlePosition   - 'Assistant Manager'
- '' 
entitlements
(An array of up to 20 entries can be configured.)
valueUser entitlement    
IIJ ID Group Settings

These settings are used to configure groups when provisioned in the IIJ ID Service.

The following settings items are configurable.

  • Default Values (default)
  • Active Directory Attributes (ad_bind)
  • Exclusions (exclude)
【参考】

  • Processing is performed in the following sequence: default > ad_bind > exclude.
  • Provisioning of group email address attributes is not supported.

Default Values (default)
Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments

iid

scim

attribute

group

default

descriptionGroup description   Kansai Branch Office group 
emailGroup email address   groupA@example.jp 
groupTypeGroup type 

One of the following possible values

  • security

  • distribution

 security 
Active Directory Attributes (ad_bind)

These settings are used to configure Active Directory attributes tied to groups in the IIJ ID Service.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

Comments

iid    scim    attribute    group    

ad_bind

 

 


  

externalId

External ID (group)

Yes

Only the following value can be configured.

  • objectGUID

 objectGUID 

displayName

Group name

Yes

Only the following value can be configured.

  • name

 name 
descriptionGroup description   description 
emailGroup email address   mail 
groupTypeGroup type   groupType

When the security group or the distribution group is specified, it is converted to a text string 'security' or 'distribution' respectively to then be synchronized with the IIJ ID Service.

【参考】

External IDs (groups) configured here function as attributes to create correspondence between Active Directory and the IIJ ID Service.

Exclusions (exclude)

These parameters are used to specify conditions that are excluded from the IIJ ID Service provisioning process.
Provisioning (creation, updating, and deletion) to the IIJ ID Service will not be executed regarding groups that match any configured parameter values exactly.
Multiple exclusion conditions can be configured.

Parameter Name

Description

Required

Possible Values

Default

Example Configuration

iidscimattributegroupexclude

externalId

External ID (group)   

- abc01234-12ab-12ab-0123-456abc

displayName

Group name   

- Group D
- Group A

descriptionGroup description   

- Kansai Branch Office group

emailGroup email address   

- delta.group@example.jp

groupTypeGroup type   

- security

- distribution