Edit configuration file
The EDIT configuration file option allows you to set several properties that affect the system's external patron verification via the LDAP protocol. When you select this option, the contents of the ldap.properties file are displayed in the full screen editor. For example:
```text
EDITING FILE: ldap.properties     ^E > END     ^F > Show FULL Menu     OVERWRITE
USE_LDAPS=1
LDAP_PORT=636
LDAP_SERVER=directory.university.edu
USE_CAPATH=1
CAPATH=/usr/local/ssl/certs/cacert.pem
BIND_BASE=uid=library,ou=identities,ou=special,dc=university,dc=edu
BIND_PASSWORD=13111 12855 12598 13622 12343 12595 12339 12339 14131
SEARCH_ATTRIBUTE=uid
SEARCH_BASE=ou=people,dc=university,dc=edu
USE_PASSWORD=1
III_TAG=u
KEY_ATTRIBUTE=uid
NON_LDAP_PTYPES=2,3,5,7-10
```
The file consists of multiple lines of text, each specifying a property's Name and Value. For example, "LDAP_SERVER=directory.university.edu".
LDAP and Binding
- "Binding" is the process of sending a connection request from the Sierra server to the LDAP server, authenticating it, and creating a connection identity. The Sierra server can request a different identity by sending another connection request with different properties. Normally the Sierra server connects to the LDAP server with a password, though it is possible to set up the Sierra server to connect without a password as an anonymous bind.
- The connection is made via a Perl script which Innovative provides. If necessary, a replacement script written by your site's IT staff can be substituted. Contact Innovative to discuss this option.
- Do not edit the BIND_PASSWORD property in the full screen editor. The value of this property is encrypted and must be edited only with the SET LDAP server Bind Password menu option.
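The bind sequence described above (a first bind with the service identity or an anonymous bind, a search for the patron, then a second bind with the patron's own password), together with the single-request variant from the USE_ONE_BIND row and the effect of USE_PASSWORD from the property table, modelled as an added example. This is not Innovative's script: the Directory class, its entries, the property values and the verify_patron function are all constructed here for illustration, and passwords appear as plain strings only because the stand-in directory is in memory.

```python
"""Model of the LDAP bind sequence used for patron verification, run against
an in-memory stand-in for the LDAP server. Added example, not Innovative's
Perl script: Directory, its entries, BASE_PROPS and verify_patron are
constructed for illustration. Property names are the ones on this page."""


class Directory:
    """Stand-in for the LDAP server: entries keyed by DN. bind() answers a
    bind request, search() a one-attribute search below a base DN."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        if not dn:                      # blank DN: anonymous bind
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, base, attribute, value):
        # Crude subtree test: the DN must end with the base DN.
        return [(dn, e) for dn, e in self.entries.items()
                if dn.endswith(base) and e.get(attribute) == value]


# Constructed directory contents. The real BIND_PASSWORD is stored encrypted
# in ldap.properties; here it is a plain string because this is a model.
DIRECTORY = Directory({
    "uid=library,ou=identities,ou=special,dc=university,dc=edu":
        {"uid": "library", "userPassword": "svc-secret"},
    "uid=jdoe,ou=people,dc=university,dc=edu":
        {"uid": "jdoe", "userPassword": "correct horse"},
})

# Constructed property set mirroring the editor listing on this page.
BASE_PROPS = {
    "BIND_BASE": "uid=library,ou=identities,ou=special,dc=university,dc=edu",
    "BIND_PASSWORD": "svc-secret",
    "SEARCH_ATTRIBUTE": "uid",
    "SEARCH_BASE": "ou=people,dc=university,dc=edu",
    "KEY_ATTRIBUTE": "uid",
    "USE_PASSWORD": "1",
    "USE_ONE_BIND": "0",
}


def verify_patron(props, directory, patron_id, password):
    """Return (verified, patron_key_or_None, reason)."""
    attr = props.get("SEARCH_ATTRIBUTE", "uid")
    base = props["SEARCH_BASE"]
    key_attr = props.get("KEY_ATTRIBUTE", attr)

    if props.get("USE_ONE_BIND") == "1":
        # One request: the patron's own ID and password form the bind.
        dn = f"{attr}={patron_id},{base}"
        ok = directory.bind(dn, password)
        entry = directory.entries.get(dn, {})
        return (ok, entry.get(key_attr) if ok else None, "single bind")

    # Two binds: first with BIND_BASE/BIND_PASSWORD (anonymous when BIND_BASE
    # is blank), then a search for the patron, then a bind as the patron.
    if not directory.bind(props.get("BIND_BASE", ""), props.get("BIND_PASSWORD", "")):
        return (False, None, "first bind refused")
    hits = directory.search(base, attr, patron_id)
    if len(hits) != 1:
        return (False, None, f"search matched {len(hits)} entries")
    dn, entry = hits[0]
    if props.get("USE_PASSWORD", "0") != "1":
        # Without USE_PASSWORD=1 the patron is accepted on the strength of
        # the search alone; the supplied password is never checked.
        return (True, entry.get(key_attr), "password not verified")
    ok = directory.bind(dn, password)
    return (ok, entry.get(key_attr) if ok else None, "second bind")


if __name__ == "__main__":
    print(verify_patron(BASE_PROPS, DIRECTORY, "jdoe", "correct horse"))
    print(verify_patron(BASE_PROPS, DIRECTORY, "jdoe", "wrong"))
    print(verify_patron({**BASE_PROPS, "USE_PASSWORD": "0"}, DIRECTORY, "jdoe", "wrong"))
```

The third call in the usage section is the one to look at when reviewing a configuration: with USE_PASSWORD absent or set to '0', a wrong password still yields a verified patron, which is why the table recommends USE_PASSWORD=1.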
Not all of the properties in the following list are required; your system might have only some of them. The complete set of properties that can appear in this file is listed below.
| Property | Definition |
| --- | --- |
| BIND_BASE | Specifies the database on the LDAP server to access on the first bind request. If this property is not used or is set to a blank value, Sierra uses anonymous binding. |
| BIND_PASSWORD | Password for the first bind request. This property's value is encrypted and must be set only with the Setting the Bind Password function. |
| BIND_USER | Some LDAP servers (notably those that use the SASL protocol) require that the connection script bind as a specific user, who is specified with this property. |
| CAPATH | A directory or specific configuration file that contains certificate information (see USE_CAPATH). |
| III_FIELD_TAGS | If there are multiple field group tags that map to the index tag used to verify the patron's key (see III_TAG), they are specified in this property's value. Also, if the field group tag is different from the index tag, the field group tag is specified here. |
| III_TAG | The index tag used to verify the patron's key. |
| KEY_ATTRIBUTE | Specifies which attribute in the data returned by the LDAP server is to be used as the patron key. |
| KEY_TRANSFORM | A regular expression used to modify the SEARCH_ATTRIBUTE before using it in a search. |
| KEY_TRANSFORM2 | A regular expression used to modify the SEARCH_ATTRIBUTE2 before using it in a search. |
| LDAP_PORT | Specifies the port number that the LDAP server uses for the patron verification interface. |
| LDAP_SERVER | Specifies the full IP address of the LDAP server. |
| NON_LDAP_PTYPES | This value lists the patron types that are permitted to use non-LDAP verification. This includes patron types that can use either LDAP credentials or patron record data, as well as those patron types that cannot use LDAP. Patron types not listed in this element can use LDAP verification only, and will not be able to verify using their patron record data. This value can be a comma-separated list of values and/or a range of values. For example: 4, 20-30 |
| SEARCH_ATTRIBUTE | The primary search attribute to be used (for example, university ID). |
| SEARCH_ATTRIBUTE2 | The primary search attribute to be used in a second search for a given patron on the LDAP server. |
| SEARCH_BASE | An attribute string used for searching for a given user. |
| SEARCH_BASE2 | A string used in the second search for a given patron on the LDAP server. |
| SUBSTITUTION | This allows the organization to alter the returned key. For example, some organizations do not use leading alphabetics in the University ID in Sierra, even though they are used on their campus systems. |
| TIME_OUT | This is the length of time that the Innovative system waits for a response from the LDAP server. The default is three seconds. To customize this parameter, enter a positive integer. |
| USE_CAPATH | Set to '1' to specify that CAPATH is a directory or '0' to specify that CAPATH is a file. The preferred setting is USE_CAPATH=0, with CAPATH as a filename. |
| USE_CERTIFICATES | Set to '1' to use certificates when connecting to the LDAP server or '0' not to use them. If this property is not in the configuration file, certificates are not used. |
| USE_LDAPS | Set to '1' to use the SSL security protocol or '0' not to use it. If your library uses SSL, add the SSL port numbers to the External Patron Verification system option. |
| USE_ONE_BIND | Set to '1' to send a single request with the patron ID and password for authentication. Set to '0' to use the BIND_USER and BIND_PASSWORD values in a BIND request to the LDAP server. The LDAP server returns a patron record. The LDAP client sends the patron record password for validation. |
| USE_PASSWORD | Set to '1' to specify that the system should verify the user's password or '0' to specify that it should not. If this property is not in the configuration file, the password is not verified. Innovative recommends that you set this property to '1'. |
| USE_SASL_1ST_BIND | Set to '1' to use the Simple Authentication and Security Layer protocol during the first bind or '0' not to use it. If this property is not in the configuration file, SASL is not used. |
| USE_SASL_2ND_BIND | Set to '1' to use the Simple Authentication and Security Layer protocol during the second bind or '0' not to use it. If this property is not in the configuration file, SASL is not used. |
| USE_TLS | Set to '1' to use the Transport Layer Security protocol to connect to the LDAP server or '0' not to use it. If this property is not in the configuration file, TLS is not used. |
| USER_DIR | The path to the directory that contains the user-provided script for binding to the LDAP server. The USER_SCRIPT property is required if USER_DIR is included in the configuration file. |
| USER_SCRIPT | If your library's LDAP server requires a bind protocol other than that provided in Innovative's External Patron Verification product, you can write and provide to Innovative a script for the bind to your LDAP server. To use this property, your library must provide Innovative with a bind script. Innovative does not provide support or training for the creation of bind scripts. The USER_DIR property is required if USER_SCRIPT is included in the configuration file. |
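The Name=Value layout described above, the list-and-range syntax of NON_LDAP_PTYPES, and the recommendations the table states (USE_PASSWORD=1, USE_CAPATH=0 with a filename, USER_DIR and USER_SCRIPT set together) can be checked mechanically before a file is put into service. The following is an added example, not part of this page or of Innovative's product: the parser, the expand_ptypes helper and the audit function are constructed here, the sample file content is constructed to mirror the editor listing above (BIND_PASSWORD is deliberately left out because it is only ever set through the bind-password menu option), and the check that a CAPATH ending in .pem is a file rather than a directory is a heuristic assumption.

```python
"""Parse an ldap.properties file in the Name=Value layout this page describes
and report settings that contradict the recommendations in its property table.
Added example; parse_properties, expand_ptypes and audit are constructed here,
and the sample text below is constructed to mirror the editor listing."""
import re

# Constructed sample, one Name=Value per line. BIND_PASSWORD is omitted on
# purpose: it is encrypted and set only via the SET LDAP server Bind Password
# menu option, never by editing the file.
SAMPLE_PROPERTIES = """\
USE_LDAPS=1
LDAP_PORT=636
LDAP_SERVER=directory.university.edu
USE_CAPATH=1
CAPATH=/usr/local/ssl/certs/cacert.pem
BIND_BASE=uid=library,ou=identities,ou=special,dc=university,dc=edu
SEARCH_ATTRIBUTE=uid
SEARCH_BASE=ou=people,dc=university,dc=edu
USE_PASSWORD=1
III_TAG=u
KEY_ATTRIBUTE=uid
NON_LDAP_PTYPES=2,3,5,7-10
"""


def parse_properties(text):
    """Return {NAME: value}. Only the first '=' splits the line, so DN values
    such as BIND_BASE, which contain '=' themselves, survive intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line without '=': {raw!r}")
        props[name.strip()] = value.strip()
    return props


def expand_ptypes(spec):
    """Expand a NON_LDAP_PTYPES value such as '4, 20-30' or '2,3,5,7-10'
    into a set of integers."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad patron type item: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {part!r}")
        out.update(range(lo, hi + 1))
    return out


def ldap_only_ptype(props, ptype):
    """True when this patron type is not in NON_LDAP_PTYPES, i.e. it can
    verify through LDAP only and has no fallback to patron record data."""
    return ptype not in expand_ptypes(props.get("NON_LDAP_PTYPES", ""))


def flag(props, name):
    """A property absent from the file behaves as '0' (see the table)."""
    return props.get(name, "0") == "1"


def audit(props):
    """Return a list of findings; an empty list means the file matches the
    recommendations stated in the property table."""
    findings = []
    if not (flag(props, "USE_LDAPS") or flag(props, "USE_TLS")):
        findings.append("neither USE_LDAPS nor USE_TLS is 1: binds and patron "
                        "passwords cross the network unencrypted")
    if not flag(props, "USE_PASSWORD"):
        findings.append("USE_PASSWORD is not 1: the patron password is never verified")
    if not props.get("BIND_BASE"):
        findings.append("BIND_BASE is blank: the first bind is anonymous")
    # Heuristic assumption: a CAPATH ending in .pem is a file, so USE_CAPATH
    # should be 0 (the table's preferred setting), not 1.
    if flag(props, "USE_CAPATH") and props.get("CAPATH", "").endswith(".pem"):
        findings.append("USE_CAPATH=1 declares CAPATH a directory, but CAPATH looks "
                        "like a file; the preferred setting is USE_CAPATH=0 with a filename")
    if ("USER_DIR" in props) != ("USER_SCRIPT" in props):
        findings.append("USER_DIR and USER_SCRIPT must both be present or both absent")
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print(sorted(expand_ptypes(cfg["NON_LDAP_PTYPES"])))
    for finding in audit(cfg):
        print("finding:", finding)
```

Run against the sample, the only finding is the USE_CAPATH/CAPATH mismatch, which is also present in the editor listing at the top of this page; patron types 1, 4 and 6 are LDAP-only, while 2, 3, 5 and 7 through 10 may fall back to patron record data.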