Set Parameter: Authentication.json
## Notes
When changing parameters, please refer to "[Confirmation When Changing Parameters](/en/manual/parameter-edit)".
## Setting Values
The setting values of this parameter file are as follows.
|Parameter name|Value (e.g.)|Description|
|:--|:--|:--|
|Provider|null or "LDAP" or "LDAP+Local" or "Windows" |If null is specified, authentication is performed against local users. If "LDAP" is specified, external LDAP authentication such as AD is used. If "LDAP+Local" is specified, login is attempted with local users when LDAP authentication fails. If using [Integrated Windows Authentication](/manual/active-directory-sso), specify "Windows". **(Required)**|
|DsProvider|null|The default value is null. If you want to explicitly use "Novell.Directory.Ldap" as the LDAP authentication library, specify "Novell". |
|ServiceId|null|Cannot be changed. |
|ExtensionUrl|null|Cannot be changed. |
|RejectUnregisteredUser|true|If true, logins by users not registered in Pleasanter are rejected. If false and using LDAP authentication, authenticated users are automatically registered in Pleasanter. |
|LdapParameters|JSON array| Advanced settings required for LDAP authentication. Multiple LDAP servers can be specified as a JSON array. No setting is required for local authentication. |
|LdapSearchRoot|"LDAP://dc.example.local/dc=example,dc=local"|Specify the start location of the LDAP search. **LDAP is written in uppercase**. **(Required for LDAP authentication)**|
|LdapSearchProperty|"sAMAccountName"|Name of the attribute used for login. **(Required for LDAP authentication)**|
|LdapSearchPattern|(&(account={loginId})(deptcode=12345))|Search pattern for retrieving user information after login. Useful if login info cannot be obtained with "SearchProperty=loginId" (such as narrowing down to a specific department from users who belong to multiple departments). |
|LdapLoginPattern|null|Set the pattern of the login account to the LDAP server. Supports the format uid=xx,ou=xx,o=xx,c=xx for OpenLDAP. If null, replace the input account with "{loginId}" in "uid={loginId},ou=people,o=example,c=com". |
|LdapAuthenticationType|null|Supports servers that do not support SASL. If null, use Simple authentication. |
|NetBiosDomainName|"EXAMPLE"|Enter the NetBIOS name of the domain **in uppercase**. **(Required for single sign-on using Windows authentication)** |
|LdapTenantId|1|Cannot be changed. |
|LdapDeptCode|"departmentNumber"|Name of the attribute used for the department code. |
|LdapDeptCodePattern|null|Regular expression to extract part of the department code.|
|LdapDeptName|"department"|Name of the attribute used for the department name. |
|LdapDeptNamePattern|null|Regular expression to extract part of the department name. *1|
|LdapUserCode|"employeeNumber"|Name of the attribute used for the user code. |
|LdapUserCodePattern|null|Regular expression to extract part of the user code. *1|
|LdapFirstName|"givenName"|Name of the attribute used for the first name. |
|LdapFirstNamePattern|null|Regular expression to extract part of the first name. *1|
|LdapLastName|"sn"|Name of the attribute used for the last name. |
|LdapLastNamePattern|null|Regular expression to extract part of the last name. *1|
|LdapMailAddress|"mail"|Name of the attribute used for the user's email address. |
|LdapMailAddressPattern|null|Regular expression to extract part of the user's email address. *1|
|LdapExtendedAttributes|JSON array|The following three parameters are stored as one record of the array. Multiple columns can be specified. An example is shown below. *2|
|Name|"DisplayName"|Name of the attribute to be additionally acquired. |
|Pattern|null|Regular expression to extract part of the additionally acquired value. *1|
|ColumnName|"ClassA"|Pleasanter column name to store the additional acquired value. |
|LdapSyncPageSize|0|Changes the PageSize used during LdapSync. Set -1 for servers that cannot specify PageSize. If the parameter is absent or 0, the default of 1000 is used. |
|LdapSyncPatterns|"(&(ObjectCategory=User)(ObjectClass=Person))"|Search pattern for searching for users. *3|
|LdapGroupName|"cn"|Name of the attribute used for the group name. |
|LdapGroupNamePattern|null|Regular expression to extract part of the group name. *1|
|LdapSyncGroupPatterns|"(&(ObjectCategory=Group))"|Search pattern for searching for groups. *3 *4|
|LdapExcludeAccountDisabled|true|Flag to not import disabled users. |
|AutoDisable|true|Flag to reflect disabled accounts in Pleasanter's user information for accounts that are not subject to authentication in LDAP. |
|AutoEnable|true|Flag to reflect enabled accounts in Pleasanter's user information for accounts that are subject to authentication in LDAP. |
|LdapSyncUser|"DomainUserName"|Username used for synchronizing with LDAP. In Linux, specify the user logon name including the domain (e.g.: hayato@implem.local). In Windows, it is not necessary to specify the domain name. |
|LdapSyncPassword|"********"|Password for the user used to synchronize with LDAP. |
*1 The first matching string of the regular expression is used. If null, the entire string is used.
*2 To include the corresponding column in the response of "[API: User Operations: Get User](/manual/api-user-get-all)", add a column with either or both of the parameters "GridEnabled" and "EditorEnabled" set to "1" in "[Extension: Extended Columns](/manual/extended-column)".
*3 Describe the search pattern according to the reference below:
https://technet.microsoft.com/ja-jp/library/security/system.directoryservices.directorysearcher.filter(v=vs.85)?cs-save-lang=1&cs-lang=vb
*4 If "DsProvider" is "Novell", group synchronization cannot be used.
## Example of LdapExtendedAttributes
```
"LdapExtendedAttributes": [
    {
        "Name": "DisplayName",
        "Pattern": null,
        "ColumnName": "DescriptionE"
    }
]
```
```
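
The constraints stated in the table above can be checked before a changed Authentication.json is deployed. The following lint is an added example, not part of Pleasanter; it assumes that the per-server keys (LdapSearchRoot, LdapSearchProperty, NetBiosDomainName, LdapSyncGroupPatterns) sit inside each element of LdapParameters, and the function name and sample file are constructed for illustration.

```python
import json

# Values the table documents for Provider.
PROVIDERS = (None, "LDAP", "LDAP+Local", "Windows")

def lint_authentication(cfg):
    """Return (level, message) findings for a parsed Authentication.json."""
    findings = []
    provider = cfg.get("Provider")
    if provider not in PROVIDERS:
        return [("error", f"Provider {provider!r} is not a documented value")]
    if provider is None:
        return findings  # local authentication: no LDAP settings required
    servers = cfg.get("LdapParameters") or []
    if not servers:
        findings.append(("error", "LdapParameters is empty"))
    for i, srv in enumerate(servers):
        where = f"LdapParameters[{i}]"
        if provider in ("LDAP", "LDAP+Local"):
            # "LDAP is written in uppercase" and both keys are required.
            if not (srv.get("LdapSearchRoot") or "").startswith("LDAP://"):
                findings.append(("error", f"{where}.LdapSearchRoot must start with uppercase LDAP://"))
            if not srv.get("LdapSearchProperty"):
                findings.append(("error", f"{where}.LdapSearchProperty is required"))
        if provider == "Windows":
            name = srv.get("NetBiosDomainName") or ""
            if not name or name != name.upper():
                findings.append(("error", f"{where}.NetBiosDomainName must be set in uppercase"))
        # Footnote *4: group synchronization cannot be used with Novell.
        if cfg.get("DsProvider") == "Novell" and srv.get("LdapSyncGroupPatterns"):
            findings.append(("warn", f"{where}.LdapSyncGroupPatterns has no effect with DsProvider Novell"))
    if provider in ("LDAP", "LDAP+Local") and cfg.get("RejectUnregisteredUser") is False:
        findings.append(("warn", "RejectUnregisteredUser is false: LDAP-authenticated users are auto-registered"))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = json.loads("""
{
  "Provider": "LDAP", "DsProvider": "Novell", "RejectUnregisteredUser": false,
  "LdapParameters": [
    {"LdapSearchRoot": "ldap://dc.example.local/dc=example,dc=local",
     "LdapSearchProperty": "sAMAccountName",
     "LdapSyncGroupPatterns": "(&(ObjectCategory=Group))"}
  ]
}
""")

if __name__ == "__main__":
    for level, message in lint_authentication(SAMPLE):
        print(f"{level}: {message}")
```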