config.yml

[ Reference ]

Whenever the config.yml file is changed, execute the recovery_mode.bat file once to clear the old cache.

Log Settings

The following table describes log settings items.

log.loglevel
  Description: Level of output log entry
  Required: Yes
  Possible Values: one of info, warn, error, debug
  Default: info
  Comments: Refer to "Logs" for more information on log levels.

log.logger
  Description: Log output directory
  Default: eventlog
  Example Configuration: eventlog


Active Directory Settings

The following table describes the Active Directory settings items.

ad.ldap.server.addresses
  Description: AD DS IP address or host name (multiple addresses can be configured)
  Required: Yes
  Possible Values: IP address or host name
  Example Configuration:
    Example 1:
    - 127.0.0.1
    Example 2:
    - ad1.example.co.jp
    - ad2.example.co.jp

ad.ldap.server.port
  Description: LDAP service port provided by AD DS
  Possible Values: Value from 1 to 65535
  Default: 389
  Example Configuration: 389

ad.ldap.server.user
  Description: AD DS login user
  Required: Yes
  Possible Values: DN (distinguished name)
  Example Configuration: 'CN=IIJ Taro,CN=Users,DC=example,DC=co,DC=jp'

ad.ldap.server.timeout
  Description: Timeout value (in seconds) for communication with AD DS
  Possible Values: Value from 1 to 36000
  Default: 3600
  Example Configuration: 10800

ad.ldap.server.encryption
  Description: Encrypts the connection to AD DS
  Possible Values: none or start_tls
  Default: none
  Example Configuration:
    Example 1: Not using encryption
    - none
    Example 2: Using STARTTLS
    - start_tls
  Comments:
    • Active Directory of IIJ Directory Service for Microsoft does not support this option as of now.
    • To use an LDAPS connection, specify start_tls.

ad.ldap.server.verify_mode
  Description: Verifies the certificate when encrypting connections with AD DS
  Possible Values: true or false
  Default: false
  Example Configuration: true
  Comments: When setting "true," state the FQDN (or IP address) of AD DS that matches the common name of the certificate in ad.ldap.server.addresses.

ad.ldap.base_dn
  Description: Base distinguished name
  Required: Yes
  Possible Values: DN (distinguished name)
  Example Configuration: 'DC=example,DC=co,DC=jp'

ad.ldap.filter.user
  Description: Specifies the filter used to search users via LDAP
  Possible Values: Search filter format usable by ldapsearch (compliant with RFC 1558)
  Example Configuration: 'CN=IIJ Taro'

ad.ldap.filter.group
  Description: Specifies the filter used to search groups via LDAP
  Possible Values: Search filter format usable by ldapsearch (compliant with RFC 1558)
  Example Configuration: 'CN=IIJ Group'

ad.ldap.cache_disabled
  Description: Disables the function that detects differences using the uSNChanged attribute of AD
  Possible Values: true or false
  Default: true
  Example Configuration: false
  Comments: When setting a filter that contains memberOf in ad.ldap.filter, set "true."

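The constraints in the table above (port and timeout ranges, the two encryption values, verify_mode requiring an FQDN or IP address in addresses, cache_disabled when a filter contains memberOf) can be checked before the first synchronization run. The following pre-flight check is an added example and not part of Directory Sync; it models config.yml as a Python dict with the same keys, and check_ad_config, is_fqdn_or_ip and the two sample configurations are constructed names, not product identifiers.

```python
"""Pre-flight check for the ad.ldap section of config.yml (added example, not product code)."""
import ipaddress
import re

HOSTNAME_WITH_DOMAIN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_fqdn_or_ip(address: str) -> bool:
    """True for an IP address or a dotted host name; bare short names fail."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return bool(HOSTNAME_WITH_DOMAIN.match(address))


def check_ad_config(ad: dict) -> list:
    """Return human-readable findings for the ad.ldap section (empty list = clean)."""
    findings = []
    ldap = ad.get("ldap", {})
    server = ldap.get("server", {})

    addresses = server.get("addresses") or []
    if not addresses:
        findings.append("ad.ldap.server.addresses is required")
    if not server.get("user"):
        findings.append("ad.ldap.server.user is required")
    if not ldap.get("base_dn"):
        findings.append("ad.ldap.base_dn is required")
    for key, default, upper in (("port", 389, 65535), ("timeout", 3600, 36000)):
        value = server.get(key, default)
        if not isinstance(value, int) or not 1 <= value <= upper:
            findings.append(f"ad.ldap.server.{key} must be an integer from 1 to {upper}, got {value!r}")

    encryption = server.get("encryption", "none")
    verify_mode = server.get("verify_mode", False)
    if encryption not in ("none", "start_tls"):
        findings.append(f"ad.ldap.server.encryption must be none or start_tls, got {encryption!r}")
    elif encryption == "none":
        findings.append("ad.ldap.server.encryption is none: the bind DN, its password and "
                        "directory data travel in cleartext; use start_tls")
    elif not verify_mode:
        findings.append("ad.ldap.server.verify_mode is false: STARTTLS is used but the "
                        "AD DS certificate is not verified")
    if verify_mode:
        # The table requires the FQDN (or IP address) matching the certificate CN here.
        for address in addresses:
            if not is_fqdn_or_ip(address):
                findings.append(f"verify_mode is true but address {address!r} is neither an FQDN nor an IP address")

    filters = ldap.get("filter") or {}
    uses_memberof = any("memberof" in str(f).lower() for f in filters.values())
    if uses_memberof and ldap.get("cache_disabled") is not True:
        findings.append("a filter uses memberOf: the reference requires ad.ldap.cache_disabled: true")
    return findings


# Constructed sample: settings the reference allows but a reviewer would flag.
WEAK_AD_CONFIG = {
    "ldap": {
        "server": {
            "addresses": ["ad1"],                      # short name, no domain
            "port": 389,
            "user": "CN=Sync User,CN=Users,DC=example,DC=co,DC=jp",
            "timeout": 3600,
            "encryption": "none",
            "verify_mode": False,
        },
        "base_dn": "DC=example,DC=co,DC=jp",
        "filter": {"user": "(memberOf=CN=IIJ Group,CN=Users,DC=example,DC=co,DC=jp)"},
    }
}

# The same deployment with STARTTLS, certificate verification and cache_disabled set.
HARDENED_AD_CONFIG = {
    "ldap": {
        "server": {
            "addresses": ["ad1.example.co.jp", "ad2.example.co.jp"],
            "port": 389,
            "user": "CN=Sync User,CN=Users,DC=example,DC=co,DC=jp",
            "timeout": 3600,
            "encryption": "start_tls",
            "verify_mode": True,
        },
        "base_dn": "DC=example,DC=co,DC=jp",
        "filter": {"user": "(memberOf=CN=IIJ Group,CN=Users,DC=example,DC=co,DC=jp)"},
        "cache_disabled": True,
    }
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AD_CONFIG), ("hardened", HARDENED_AD_CONFIG)):
        print(name, check_ad_config(cfg) or "no findings")
```

Run it against a dict loaded from the real config.yml (for example with a YAML parser) and treat any finding as a reason to stop before the synchronization service is started; remember that recovery_mode.bat must be run once after config.yml changes.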
IIJ ID Server Settings

The following table describes SCIM server connection settings for the IIJ ID Service.

iid.scim.http.proxy.use
  Description: Enables use of a proxy for communication with the SCIM server
  Possible Values: true or false
  Default: false
  Example Configuration: true

iid.scim.http.proxy.address
  Description: IP address or host name of the proxy server
  Possible Values: IP address or host name
  Example Configuration: proxy.example.co.jp

iid.scim.http.proxy.port
  Description: Port number of the proxy server
  Possible Values: Value from 1 to 65535
  Default: 8080
  Example Configuration: 8080

iid.scim.http.proxy.user
  Description: User name used for proxy authentication
  Example Configuration: iij-taro
  Comments: Enabled when iid.scim.http.proxy.password (secret.yml) is also described.

iid.scim.filter.user
  Description: SCIM filter rules used when retrieving users
  Possible Values: Filter rules usable by SCIM (compliant with RFC 7644)
  Example Configuration: userName ew "@example.jp"
  Comments: Refer to "Active Directory Topologies" for more information.

iid.scim.filter.group
  Description: SCIM filter rules used when retrieving groups
  Possible Values: Filter rules usable by SCIM (compliant with RFC 7644)
  Example Configuration: displayName eq "IIJ ID group"
  Comments: Refer to "Active Directory Topologies" for more information.

iid.scim.server.dial_timeout
  Description: Timeout value regarding establishment of communication with the SCIM server
  Possible Values: Value from 1 to 36000
  Default: 30
  Example Configuration: 60

iid.scim.server.tls_handshake_timeout
  Description: Timeout value regarding the TLS handshake with the SCIM server
  Possible Values: Value from 1 to 36000
  Default: 10
  Example Configuration: 60

iid.scim.server.timeout
  Description: Timeout value regarding overall communication with the SCIM server
  Possible Values: Value from 1 to 36000
  Default: 3600
  Example Configuration: 7200

IIJ ID User Settings

These settings are used to configure users when provisioned in the IIJ ID Service.
The following settings items are configurable.

  • Default Values (default)
  • Active Directory Attributes (ad_bind)
  • Conversions (convert)
  • Exclusions (exclude)
[ Reference ]

Processing is performed in the following sequence: default > ad_bind > convert > exclude.

Default Values (default)

These settings are used to configure the default values of user attributes. If a value for a corresponding Active Directory attribute is missing, the default value configured with these settings is provisioned to the IIJ ID Service.

iid.scim.attribute.user.default.preferredLanguage
  Description: Language
  Possible Values: ja-JP or en-US
  Default: ja-JP
  Example Configuration: ja-JP

iid.scim.attribute.user.default.timezone
  Description: Time zone
  Possible Values: Only Asia/Tokyo can be configured.
  Default: Asia/Tokyo
  Example Configuration: Asia/Tokyo

iid.scim.attribute.user.default.active
  Description: Status (enabled or disabled)
  Possible Values: true or false
  Default: true
  Example Configuration: true

iid.scim.attribute.user.default.emails (an array of up to 5 entries can be configured)

iid.scim.attribute.user.default.emails.primary
  Description: Specifies whether the email address is the primary email address
  Required: Yes
  Possible Values: true or false
  Default: false
  Comments: Only one email address can be set as the primary email address.

iid.scim.attribute.user.default.phoneNumbers (an array of up to 10 entries can be configured)

iid.scim.attribute.user.default.phoneNumbers.display
  Description: Display name of phone number

iid.scim.attribute.user.default.phoneNumbers.type
  Description: Type of phone number
  Possible Values: "work", "home", "mobile", "fax", "pager", or "other"

iid.scim.attribute.user.default.phoneNumbers.primary
  Description: Specifies whether a phone number is the primary phone number
  Possible Values: true or false
  Default: false
  Comments: Only one phone number can be set as the primary phone number.

iid.scim.attribute.user.default.idTokenClaims.issuer
  Description: Issuer of upstream ID provider
  Example Configuration: https://idp.example.jp/

iid.scim.attribute.user.default.ims (an array of up to 10 entries can be configured)

iid.scim.attribute.user.default.ims.display
  Description: Display name of instant messenger
  Example Configuration: Messenger A

iid.scim.attribute.user.default.ims.type
  Description: Instant messenger type
  Possible Values: "aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", or "other"

iid.scim.attribute.user.default.ims.primary
  Description: Specifies whether the instant messenger is the primary instant messenger
  Possible Values: true or false
  Default: false
  Comments: Only one instant messenger can be set as the primary instant messenger.

iid.scim.attribute.user.default.entitlements (an array of up to 20 entries can be configured)

iid.scim.attribute.user.default.entitlements.value
  Description: User entitlement

iid.scim.attribute.user.default.entitlements.display
  Description: Display name of entitlement

iid.scim.attribute.user.default.entitlements.type
  Description: Entitlement type

iid.scim.attribute.user.default.entitlements.primary
  Description: Specifies whether the entitlement is the primary entitlement
  Possible Values: true or false
  Default: false
  Comments: Only one entitlement can be set as the primary entitlement.

iid.scim.attribute.user.default.x509Certificates (an array of up to 20 entries can be configured)

iid.scim.attribute.user.default.x509Certificates.display
  Description: Display name of X.509 certificate
  Example Configuration: Certificate A

iid.scim.attribute.user.default.x509Certificates.type
  Description: X.509 certificate type
  Example Configuration: laptop, smartphone

iid.scim.attribute.user.default.x509Certificates.primary
  Description: Specifies whether the X.509 certificate is the primary X.509 certificate
  Possible Values: true or false
  Default: false
  Comments: Only one X.509 certificate can be set as the primary X.509 certificate.

Active Directory Attributes (ad_bind)

These settings are used to configure Active Directory attributes tied to users in the IIJ ID Service.
Any configured default values are overwritten with attribute values configured with ad_bind.

iid.scim.attribute.user.ad_bind.externalId
  Description: External ID (user)
  Required: Yes
  Possible Values: Any of the following values (more than one value can be specified for ver 3.0.0 and later)
    • objectGUID
    • mS-DS-ConsistencyGuid
    • userPrincipalName
    • sAMAccountName *1
    • mail *1
  Example Configuration:
    Example 1)
    - objectGUID
    Example 2)
    - mS-DS-ConsistencyGuid
    - objectGUID
  Comments: When these parameters are specified in an array, the first element in the array is applied preferentially. If the attribute specified for that element does not exist, the next element is applied. If all the attribute values of the Active Directory user are empty or overlap with other users, user synchronization will fail.

iid.scim.attribute.user.ad_bind.userName
  Description: ID
  Required: Yes
  Possible Values: one of userPrincipalName, mail, sAMAccountName *2
  Example Configuration: mail
  Comments: Multi-byte characters cannot be used for attribute values. If the attribute value of the Active Directory user to synchronize is empty or a duplicate, user synchronization will fail.

iid.scim.attribute.user.ad_bind.emails (an array of up to 5 entries can be configured)

iid.scim.attribute.user.ad_bind.emails.value
  Description: Notification email address
  Required: Yes
  Possible Values: one of userPrincipalName, mail, mailNickName, proxyAddresses *3 *4
  Example Configuration:
    Example 1)
    mail
    Example 2)
    - mail
    - proxyAddresses
  Comments: If all values of the relevant attributes of the Active Directory user are empty, user synchronization will fail.

iid.scim.attribute.user.ad_bind.name.familyName
  Description: Last name
  Possible Values: sn, displayName, etc.
  Example Configuration: sn
  Comments: If the attribute value is empty, user synchronization will fail.

iid.scim.attribute.user.ad_bind.name.givenName
  Description: First name
  Possible Values: givenName, displayName, etc.
  Example Configuration: givenName
  Comments: If the attribute value is empty, user synchronization will fail.

iid.scim.attribute.user.ad_bind.localNames.familyName
  Description: Last name in katakana
  Possible Values: msDS-PhoneticLastName or msDS-PhoneticDisplayName
  Example Configuration: msDS-PhoneticLastName
  Comments: If the attribute value is written in hiragana, it is converted into katakana and then synchronized with the IIJ ID Service.

iid.scim.attribute.user.ad_bind.localNames.givenName
  Description: First name in katakana
  Possible Values: msDS-PhoneticFirstName or msDS-PhoneticDisplayName
  Example Configuration: msDS-PhoneticFirstName
  Comments: If the attribute value is written in hiragana, it is converted into katakana and then synchronized with the IIJ ID Service.

iid.scim.attribute.user.ad_bind.preferredLanguage
  Description: Language
  Possible Values: Only preferredLanguage can be configured.
  Example Configuration: preferredLanguage

iid.scim.attribute.user.ad_bind.department
  Description: Department
  Possible Values: Only department can be configured.
  Example Configuration: department

iid.scim.attribute.user.ad_bind.title
  Description: Position
  Possible Values: Only title can be configured.
  Example Configuration: title

iid.scim.attribute.user.ad_bind.active
  Description: Status (enabled or disabled)
  Possible Values: Multiple attributes, such as the following, can be configured as an array.
    • userAccountControl
    • accountExpires
    • etc.
  Example Configuration:
    Example 1:
    - userAccountControl
    Example 2:
    - userAccountControl
    - accountExpires
  Comments: The user is determined to be disabled when the following attribute value is included.
    • userAccountControl: included when the account is disabled
    • accountExpires: included when the account has expired
    • Other attributes: the attribute has a value (the value itself is not evaluated)
    When multiple values are configured, the user is disabled if even one attribute is invalid.

iid.scim.attribute.user.ad_bind.externalUserName
  Description: User name for upstream ID provider
  Possible Values: Multiple values, such as userPrincipalName, mail, etc., can be configured.
  Example Configuration: userPrincipalName
  Comments: This attribute is also used as the login_hint value when an authorization request is sent from the IIJ ID Service to an upstream ID provider (OpenID Connect).

iid.scim.attribute.user.ad_bind.idTokenClaims.subject
  Description: Unique ID for upstream ID provider (corresponding to the sub claim of the ID token issued by the upstream ID provider)
  Possible Values: Multiple values, such as objectGUID, userPrincipalName, mail, sAMAccountName, etc., can be configured.
  Example Configuration:
    - objectGUID
  Comments: idTokenClaims.subject is used when the authentication protocol used with the upstream ID provider is OpenID Connect.

iid.scim.attribute.user.ad_bind.phoneNumbers (an array of up to 10 entries can be configured)

iid.scim.attribute.user.ad_bind.phoneNumbers.value
  Description: Phone numbers
  Possible Values: Multiple values, such as facsimileTelephoneNumber, pager, telephoneNumber, etc., can be configured.
  Example Configuration:
    Example 1:
    facsimileTelephoneNumber
    Example 2:
    telephoneNumber
  Comments: Values sent to the IIJ ID Service must be in the RFC 3966 Global Numbers format (example: tel:+1-201-555-0123).

iid.scim.attribute.user.ad_bind.ims (an array of up to 10 entries can be configured)

iid.scim.attribute.user.ad_bind.ims.value
  Description: Instant messenger ID, etc.

iid.scim.attribute.user.ad_bind.entitlements (an array of up to 20 entries can be configured)

iid.scim.attribute.user.ad_bind.entitlements.value
  Description: User entitlement
  Possible Values: Multiple values, such as userPrincipalName, sAMAccountName, mail, etc., can be configured.
  Example Configuration: userPrincipalName

iid.scim.attribute.user.ad_bind.x509Certificates (an array of up to 20 entries can be configured)

iid.scim.attribute.user.ad_bind.x509Certificates.value
  Description: X.509 certificates
  Possible Values: Multiple values, such as userCertificate, etc., can be configured.
  Comments: X.509 certificates must be in DER format using Base64 encoding.

iid.scim.attribute.user.ad_bind.downstreamId
  Description: Application-linking ID
  Possible Values: Multiple values, such as mS-DS-ConsistencyGuid, etc., can be configured.
  Example Configuration: mS-DS-ConsistencyGuid

*1 Configuring the sAMAccountName and mail (email) attributes is not recommended because Active Directory does not guarantee their uniqueness.
*2 Because the sAMAccountName attribute is not in email address format, you cannot use it as it is. You need to change it to email address format using the convert function.
*3 The proxyAddresses values with the "SMTP:" and "smtp:" prefixes are synchronized with all IIJ IDs with the prefix removed. For configurations in which proxyAddresses is the primary value, the email address with the "SMTP:" (all upper-case characters) prefix is configured as the primary email address.
*4 When multiple email addresses are registered in proxyAddresses, the maximum number of entries that can be registered in the emails attribute of an IIJ ID may be exceeded, depending on the configuration. If the maximum is exceeded, the fifth and subsequent non-primary email addresses, in alphabetical order, will not be synchronized with IIJ IDs.
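Three of the ad_bind rules above are easy to get wrong in a deployment review: the element-by-element fallback of an externalId array (with Base64 encoding of binary attributes, see "SCIM optional settings"), the way active is derived from userAccountControl, accountExpires or the mere presence of any other attribute, and the proxyAddresses handling in footnotes *3 and *4. The following code is an added example that reproduces those rules over a constructed AD record; it is not Directory Sync code, the function names and SAMPLE_USER are constructed, and the FILETIME conversion and the ACCOUNTDISABLE bit follow Microsoft's documented meanings of those attributes rather than anything stated on this page.

```python
"""ad_bind resolution for externalId, active and emails (added example, not product code)."""
import base64
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                      # bit in userAccountControl (Microsoft definition)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)      # accountExpires values meaning "never"
BINARY_ATTRS = {"objectGUID", "mS-DS-ConsistencyGuid", "objectSID", "userCertificate"}
MAX_NON_PRIMARY_EMAILS = 4                   # footnote *4: fifth and later are dropped
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def resolve_external_id(user: dict, attrs: list) -> str:
    """First listed attribute that has a value wins; binaries become Base64 text."""
    for attr in attrs:
        value = user.get(attr)
        if value in (None, "", b""):
            continue                          # missing: try the next array element
        if attr in BINARY_ATTRS and isinstance(value, bytes):
            return base64.b64encode(value).decode("ascii")
        return value
    raise ValueError("every externalId attribute is empty; synchronization would fail")


def resolve_active(user: dict, attrs: list, now=None) -> bool:
    """False as soon as one configured attribute marks the account disabled."""
    now = now or datetime.now(timezone.utc)
    for attr in attrs:
        value = user.get(attr)
        if attr == "userAccountControl":
            if value is not None and value & ACCOUNTDISABLE:
                return False
        elif attr == "accountExpires":
            if value not in (None, *NEVER_EXPIRES) and filetime_to_datetime(value) <= now:
                return False
        elif value not in (None, "", [], b""):
            return False                      # any other attribute: having a value means disabled
    return True


def resolve_emails(user: dict, attrs: list) -> list:
    """Build the SCIM emails array from the bound attributes, in configuration order."""
    merged = {}                               # lower-cased address -> entry

    def add(address: str, primary: bool) -> None:
        entry = merged.setdefault(address.lower(), {"value": address, "primary": False})
        entry["primary"] = entry["primary"] or primary

    for attr in attrs:
        values = user.get(attr) or []
        if isinstance(values, str):
            values = [values]
        for value in values:
            if attr == "proxyAddresses":
                if value.startswith("SMTP:"):
                    add(value[5:], True)      # upper-case prefix marks the primary address
                elif value.startswith("smtp:"):
                    add(value[5:], False)
                # other prefixes (X500:, sip:, ...) are not email addresses
            else:
                add(value, False)
    if not merged:
        raise ValueError("no email attribute has a value; synchronization would fail")
    primaries = [e for e in merged.values() if e["primary"]]
    others = sorted((e for e in merged.values() if not e["primary"]), key=lambda e: e["value"])
    return primaries + others[:MAX_NON_PRIMARY_EMAILS]


# Constructed AD user record (not real data).
SAMPLE_USER = {
    "objectGUID": bytes.fromhex("0123456789abcdef0123456789abcdef"),
    "mS-DS-ConsistencyGuid": b"",             # empty: fallback moves on to objectGUID
    "userPrincipalName": "iij-taro@example.co.jp",
    "mail": "iij-taro@example.co.jp",
    "proxyAddresses": [
        "SMTP:iij-taro@example.co.jp", "smtp:taro@example.jp", "smtp:alias2@example.jp",
        "smtp:alias1@example.jp", "smtp:alias4@example.jp", "smtp:alias3@example.jp",
        "X500:/o=ExampleOrg/ou=Users/cn=iij-taro",
    ],
    "userAccountControl": 0x0200,             # NORMAL_ACCOUNT, not disabled
    "accountExpires": 0,                      # never expires
}

if __name__ == "__main__":
    print(resolve_external_id(SAMPLE_USER, ["mS-DS-ConsistencyGuid", "objectGUID"]))
    print(resolve_active(SAMPLE_USER, ["userAccountControl", "accountExpires"]))
    print(resolve_emails(SAMPLE_USER, ["mail", "proxyAddresses"]))
```

Note what the sample shows: the mail value and the "SMTP:" proxy address are the same string, so they collapse into one primary entry; the five "smtp:" aliases exceed the four non-primary slots and the alphabetically last one (taro@example.jp) is the one that is silently not synchronized.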

[ Note ]

If using this software together with Password Sync, make sure that the external IDs (users) are configured the same in both Directory Sync and Password Sync.

[ Reference ]

External IDs (users) configured here function as attributes to create correspondence between Active Directory and the IIJ ID Service.

[ Reference ]

Although the method of specifying "Notification email address" has changed starting with Directory Sync 2.1.0, the previous configuration method can still be used.

You cannot use both the new and old configuration methods together.

[Old Configuration]

iid.scim.attribute.user.default.emails
  Description: Notification email address (default value)
  Possible Values: Text string in email address format
  Example Configuration: iij-taro@mail.example.jp

iid.scim.attribute.user.ad_bind.emails
  Description: Notification email address (Active Directory attribute value)
  Required: Yes
  Possible Values: one of userPrincipalName, sAMAccountName, mail
  Example Configuration: mail
  Comments: If the attribute value is empty, user synchronization will fail.

iid.scim.attribute.user.exclude.emails
  Description: Notification email address (exclusion condition)
  Possible Values: Text string in email address format
  Example Configuration:
    - 'iij-jiro@example.co.jp'
    - 'iij-saburo@example.co.jp'


Conversions (convert)

This parameter is used to convert attribute values configured by default and ad_bind.

Characters that match the pattern parameter of each condition are replaced with the characters defined by its replacement parameter. Regular expressions can be used in the values of the pattern and replacement parameters. Refer to "Available Regular Expressions" for information on the regular expressions that can be configured.

Multiple conversion conditions can be configured. When multiple conditions are configured, the conditions are processed in the order they were described.

iid.scim.attribute.user.convert.userName
  Description: ID
  Example Configuration:
    Example 1: Change the domain
    - pattern: '@example.com\z'
      replacement: '@example.jp'
    Example 2: Add "'@' + (AD domain name)" to the end
    - pattern: '\z'
      replacement: '@example.jp'

iid.scim.attribute.user.convert.externalUserName
  Description: User name for upstream ID provider
  Example Configuration:
    Example: Add "'@' + (AD domain name)" to the end
    - pattern: '\z'
      replacement: '@example.jp'

iid.scim.attribute.user.convert.phoneNumbers (an array of up to 10 entries can be configured)

iid.scim.attribute.user.convert.phoneNumbers.value
  Description: Phone numbers
  Example Configuration:
    Example 1: Converts a phone number such as 080-0000-0000 into the RFC 3966 Global Numbers compliant format.
    - pattern: '\A0'
      replacement: 'tel:+81'


Exclusions (exclude)

These parameters are used to specify conditions that are excluded from the IIJ ID Service provisioning process.
Provisioning (creation, updating, and deletion) to the IIJ ID Service will not be executed regarding users that match any configured parameter values exactly.
Multiple exclusion conditions can be configured.

iid.scim.attribute.user.exclude.userName
  Description: ID
  Possible Values: Text string in email address format
  Example Configuration: 'iij-taro@example.co.jp'

iid.scim.attribute.user.exclude.name.familyName
  Description: Last name
  Example Configuration:
    - 'IIJ'
    - '斉藤 (Saito)'

iid.scim.attribute.user.exclude.name.givenName
  Description: First name
  Example Configuration:
    - '太郎 (Taro)'
    - '次郎 (Jiro)'

iid.scim.attribute.user.exclude.emails (an array of up to 5 entries can be configured)

iid.scim.attribute.user.exclude.emails.value
  Description: Notification email address
  Possible Values: Text string in email address format
  Example Configuration:
    - 'iij-taro@example.co.jp'
    - 'iij-jiro@example.co.jp'

iid.scim.attribute.user.exclude.localNames.familyName
  Description: Last name in katakana
  Example Configuration:
    - 'アイアイジェイ (IIJ)'
    - 'サイトウ (Saito)'

iid.scim.attribute.user.exclude.localNames.givenName
  Description: First name in katakana
  Example Configuration:
    - 'タロウ (Taro)'
    - 'ジロウ (Jiro)'

iid.scim.attribute.user.exclude.preferredLanguage
  Description: Language
  Example Configuration: 'en-US'

iid.scim.attribute.user.exclude.department
  Description: Department
  Example Configuration:
    - 'Network Division'
    - 'Product Division'

iid.scim.attribute.user.exclude.title
  Description: Position
  Example Configuration:
    - 'Assistant Manager'
    - ''

iid.scim.attribute.user.exclude.entitlements (an array of up to 20 entries can be configured)

iid.scim.attribute.user.exclude.entitlements.value
  Description: User entitlement
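The four user-attribute sections (default, ad_bind, convert, exclude) are stages of one pipeline, applied in that order as the reference states above. The following code is an added example, not Directory Sync code, that runs the pipeline over constructed AD records using settings lifted from the tables' examples: userName bound to sAMAccountName and converted with '\z' to '@example.jp' (footnote *2), a leading 0 of a phone number converted to 'tel:+81', and exclusion by department and by the converted userName. ad_bind is simplified to one AD attribute per target, the emails and phoneNumbers arrays are flattened to a single scalar, and every name here (USER_SETTINGS, provision_user, AD_USERS, ...) is constructed. The patterns are the ones from the tables; Python's re module spells the end-of-string anchor \Z where the reference uses \z, so that anchor is translated.

```python
"""User attribute pipeline default > ad_bind > convert > exclude (added example, not product code)."""
import re

# Constructed settings; same shape as iid.scim.attribute.user.* in config.yml.
USER_SETTINGS = {
    "default": {"preferredLanguage": "ja-JP", "timezone": "Asia/Tokyo", "active": True},
    "ad_bind": {
        "userName": "sAMAccountName",          # needs the convert step (footnote *2)
        "familyName": "sn",
        "givenName": "givenName",
        "department": "department",
        "phoneNumber": "telephoneNumber",
    },
    "convert": {
        "userName": [{"pattern": r"\z", "replacement": "@example.jp"}],
        "phoneNumber": [{"pattern": r"\A0", "replacement": "tel:+81"}],
    },
    "exclude": {
        "userName": ["iij-saburo@example.jp"],  # compared after convert has run
        "familyName": ["IIJ"],
        "department": ["Network Division", "Product Division"],
    },
}


def compile_pattern(pattern: str):
    """Translate the reference's end-of-string anchor (\\z) to Python's (\\Z)."""
    return re.compile(pattern.replace(r"\z", r"\Z"))


def apply_convert(value: str, rules: list) -> str:
    """Apply pattern/replacement rules in the order they are listed."""
    for rule in rules:
        value = compile_pattern(rule["pattern"]).sub(rule["replacement"], value)
    return value


def is_excluded(attrs: dict, exclude: dict) -> bool:
    """A user is excluded when any attribute exactly equals a listed value."""
    return any(attrs.get(name) in values for name, values in exclude.items())


def provision_user(ad_user: dict, settings: dict = USER_SETTINGS):
    """Return the attribute set to provision, or None when the user is excluded."""
    attrs = dict(settings["default"])                         # 1. default
    for target, ad_attr in settings["ad_bind"].items():       # 2. ad_bind overwrites defaults
        value = ad_user.get(ad_attr)
        if value not in (None, ""):
            attrs[target] = value
    for target, rules in settings["convert"].items():         # 3. convert
        if isinstance(attrs.get(target), str):
            attrs[target] = apply_convert(attrs[target], rules)
    if is_excluded(attrs, settings["exclude"]):               # 4. exclude
        return None
    return attrs


def provision_all(ad_users: list, settings: dict = USER_SETTINGS) -> list:
    """Run the pipeline over a directory snapshot, dropping excluded users."""
    results = [provision_user(user, settings) for user in ad_users]
    return [r for r in results if r is not None]


# Constructed AD records (not real data).
AD_USERS = [
    {"sAMAccountName": "iij-taro", "sn": "斉藤", "givenName": "太郎",
     "department": "Sales Division", "telephoneNumber": "080-0000-0000"},
    {"sAMAccountName": "iij-jiro", "sn": "Yamada", "givenName": "Jiro",
     "department": "Network Division", "telephoneNumber": "03-1234-5678"},
    {"sAMAccountName": "iij-saburo", "sn": "Sato", "givenName": "Saburo",
     "department": "Sales Division", "telephoneNumber": "090-1111-2222"},
]

if __name__ == "__main__":
    for user in provision_all(AD_USERS):
        print(user)
```

Of the three records only iij-taro is provisioned: iij-jiro is dropped by the department exclusion, and iij-saburo by the userName exclusion, which only matches because exclude runs after convert has appended the domain. The same ordering is why an exclusion written against the raw sAMAccountName would never match.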



IIJ ID Group Settings

These settings are used to configure groups when provisioned in the IIJ ID Service.

The following settings items are configurable.

  • Default Values (default)
  • Active Directory Attributes (ad_bind)
  • Conversions (convert)
  • Exclusions (exclude)
[ Reference ]

  • Processing is performed in the following sequence: default > ad_bind > exclude.
  • Provisioning of group email address attributes is not supported.

Default Values (default)
iid.scim.attribute.group.default.description
  Description: Group description
  Example Configuration: Kansai Branch Office group

iid.scim.attribute.group.default.email
  Description: Group email address
  Example Configuration: groupA@example.jp

iid.scim.attribute.group.default.groupType
  Description: Group type
  Possible Values: security or distribution
  Example Configuration: security

Active Directory Attributes (ad_bind)

These settings are used to configure Active Directory attributes tied to groups in the IIJ ID Service.

iid.scim.attribute.group.ad_bind.externalId
  Description: External ID (group)
  Required: Yes
  Possible Values: Only objectGUID can be configured.
  Example Configuration: objectGUID

iid.scim.attribute.group.ad_bind.displayName
  Description: Group name
  Required: Yes
  Possible Values: Only name can be configured.
  Example Configuration: name

iid.scim.attribute.group.ad_bind.description
  Description: Group description
  Example Configuration: description

iid.scim.attribute.group.ad_bind.email
  Description: Group email address
  Example Configuration: mail

iid.scim.attribute.group.ad_bind.groupType
  Description: Group type
  Example Configuration: groupType
  Comments: When a security group or a distribution group is specified, it is converted to the text string 'security' or 'distribution' respectively and then synchronized with the IIJ ID Service.

[ Reference ]

External IDs (groups) configured here function as attributes to create correspondence between Active Directory and the IIJ ID Service.

Exclusions (exclude)

These parameters are used to specify conditions that are excluded from the IIJ ID Service provisioning process.
Provisioning (creation, updating, and deletion) to the IIJ ID Service will not be executed regarding groups that match any configured parameter values exactly.
Multiple exclusion conditions can be configured.

iid.scim.attribute.group.exclude.externalId
  Description: External ID (group)
  Example Configuration: abc01234-12ab-12ab-0123-456abc

iid.scim.attribute.group.exclude.displayName
  Description: Group name
  Example Configuration:
    - Group D
    - Group A

iid.scim.attribute.group.exclude.description
  Description: Group description
  Example Configuration: Kansai Branch Office group

iid.scim.attribute.group.exclude.email
  Description: Group email address
  Example Configuration: delta.group@example.jp

iid.scim.attribute.group.exclude.groupType
  Description: Group type
  Example Configuration:
    - security
    - distribution

SCIM optional settings

The following setting is used to configure options when provisioned in the IIJ ID Service.


base64_disabled


The Active Directory attributes shown below are encoded in Base64 format by default and provisioned to this service. This is because binary values cannot be synchronized directly with this service.


  • mS-DS-ConsistencyGuid
  • objectGUID
  • objectSID
  • userCertificate

To disable Base64 encoding in a case where, for example, a value other than a binary value is set to the mS-DS-ConsistencyGuid attribute, configure the following option.


iid.scim.attribute.base64_disabled
  Description: Active Directory attribute for which Base64 encoding is disabled
  Possible Values: mS-DS-ConsistencyGuid
  Example Configuration:
    - mS-DS-ConsistencyGuid
  Comments: When using Azure AD Connect, there is no need to disable Base64 encoding of the mS-DS-ConsistencyGuid attribute. Base64 encoding is not required only when a value other than a binary value is set to the mS-DS-ConsistencyGuid attribute.