OPENAM-10791

API Descriptor _fields parameter for POST Action: schema does not seem to limit responses


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: API descriptor

      Description

      OpenAM 14.0.0-SNAPSHOT Build 5bc2f25f66 (2017-March-01 00:32)
      As shown in the attached image,

      When I attempt to use the API endpoint

      POST /realm-config/authentication/modules/activedirectory

      and set the _fields parameter to userSearchFilter, then "try it out".

      Expected Response
      ________________

      Only get the fields associated with userSearchFilter

      Actual Response
      ______________

      {
        "type": "object",
        "properties": {
          "connectionHeartbeatTimeUnit": {
            "title": "LDAP Connection Heartbeat Time Unit",
            "description": "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
            "propertyOrder": 1600,
            "required": true,
            "enum": [
              "SECONDS",
              "MINUTES",
              "HOURS"
            ],
            "options": {
              "enum_titles": [
                "SECONDS",
                "MINUTES",
                "HOURS"
              ]
            },
            "type": "string",
            "exampleValue": ""
          },
          "userSearchAttributes": {
            "title": "Attributes Used to Search for a User to be Authenticated",
            "description": "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
            "propertyOrder": 700,
            "required": true,
            "items": {
              "type": "string"
            },
            "type": "array",
            "exampleValue": ""
          },
          "trustAllServerCertificates": {
            "title": "Trust All Server Certificates",
            "description": "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
            "propertyOrder": 1400,
            "required": true,
            "type": "boolean",
            "exampleValue": ""
          },
          "userSearchFilter": {
            "title": "User Search Filter",
            "description": "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
            "propertyOrder": 800,
            "required": true,
            "type": "string",
            "exampleValue": ""
          },
          "userBindPassword": {
            "title": "Bind User Password",
            "description": "The password of the administration account.",
            "propertyOrder": 500,
            "required": true,
            "type": "string",
            "format": "password",
            "exampleValue": ""
          },
          "returnUserDN": {
            "title": "Return User DN to DataStore",
            "description": "Controls whether the DN or the username is returned as the authentication principal.",
            "propertyOrder": 1200,
            "required": true,
            "type": "boolean",
            "exampleValue": ""
          },
          "userSearchStartDN": {
            "title": "DN to Start User Search",
            "description": "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
            "propertyOrder": 300,
            "required": true,
            "items": {
              "type": "string"
            },
            "type": "array",
            "exampleValue": ""
          },
          "searchScope": {
            "title": "Search Scope",
            "description": "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
            "propertyOrder": 900,
            "required": true,
            "enum": [
              "OBJECT",
              "ONELEVEL",
              "SUBTREE"
            ],
            "options": {
              "enum_titles": [
                "OBJECT",
                "ONELEVEL",
                "SUBTREE"
              ]
            },
            "type": "string",
            "exampleValue": ""
          },
          "profileAttributeMappings": {
            "title": "User Creation Attributes",
            "description": "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
            "propertyOrder": 1300,
            "required": true,
            "items": {
              "type": "string"
            },
            "type": "array",
            "exampleValue": ""
          },
          "userProfileRetrievalAttribute": {
            "title": "Attribute Used to Retrieve User Profile",
            "description": "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
            "propertyOrder": 600,
            "required": true,
            "type": "string",
            "exampleValue": ""
          },
          "authenticationLevel": {
            "title": "Authentication Level",
            "description": "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
            "propertyOrder": 1800,
            "required": true,
            "type": "integer",
            "exampleValue": ""
          },
          "openam-auth-ldap-connection-mode": {
            "title": "LDAP Connection Mode",
            "description": "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
            "propertyOrder": 1000,
            "required": true,
            "enum": [
              "LDAP",
              "LDAPS",
              "StartTLS"
            ],
            "options": {
              "enum_titles": [
                "LDAP",
                "LDAPS",
                "StartTLS"
              ]
            },
            "type": "string",
            "exampleValue": ""
          },
          "operationTimeout": {
            "title": "LDAP operations timeout",
            "description": "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
            "propertyOrder": 1700,
            "required": true,
            "type": "integer",
            "exampleValue": ""
          },
          "primaryLdapServer": {
            "title": "Primary Active Directory Server ",
            "description": "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
            "propertyOrder": 100,
            "required": true,
            "items": {
              "type": "string"
            },
            "type": "array",
            "exampleValue": ""
          },
          "userBindDN": {
            "title": "Bind User DN",
            "description": "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
            "propertyOrder": 400,
            "required": true,
            "type": "string",
            "exampleValue": ""
          },
          "secondaryLdapServer": {
            "title": "Secondary Active Directory Server",
            "description": "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
            "propertyOrder": 200,
            "required": true,
            "items": {
              "type": "string"
            },
            "type": "array",
            "exampleValue": ""
          },
          "connectionHeartbeatInterval": {
            "title": "LDAP Connection Heartbeat Interval",
            "description": "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
            "propertyOrder": 1500,
            "required": true,
            "type": "integer",
            "exampleValue": ""
          }
        }
      }
      

      Setting the parameter only seems to change the order in which the attributes are returned rather than displaying a limited set.
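To make the reported behaviour checkable, here is an added example (not OpenAM code, and not part of the ticket) that applies the filtering the reporter expected from `_fields` to a schema document and flags a response that was not limited. It assumes, as the ticket does, that each `_fields` entry names a key of the schema's `properties` map, optionally followed by `/subkey`; the sample schema is a constructed, trimmed version of the response quoted above.

```python
# Constructed sample: a trimmed copy of the schema response quoted in the ticket.
SAMPLE_SCHEMA = {
    "type": "object",
    "properties": {
        "userSearchFilter": {"title": "User Search Filter", "type": "string", "propertyOrder": 800},
        "userBindPassword": {"title": "Bind User Password", "type": "string",
                             "format": "password", "propertyOrder": 500},
        "searchScope": {"title": "Search Scope", "type": "string",
                        "enum": ["OBJECT", "ONELEVEL", "SUBTREE"], "propertyOrder": 900},
    },
}


def parse_fields(fields_param):
    """Split a raw `_fields` query value such as "a,b/c" into cleaned paths."""
    return [f.strip().strip("/") for f in fields_param.split(",") if f.strip()]


def filter_schema(schema, fields):
    """Return a copy of `schema` keeping only the requested properties.

    A path like "searchScope/enum" keeps that property but only the named
    sub-key. Unknown names are ignored rather than treated as an error.
    (Assumed semantics; this is what the ticket expects, not OpenAM's code.)
    """
    props = schema.get("properties", {})
    kept = {}
    for path in fields:
        name, _, sub = path.partition("/")
        if name not in props:
            continue
        if sub:
            kept.setdefault(name, {})
            if sub in props[name]:
                kept[name][sub] = props[name][sub]
        else:
            kept[name] = props[name]
    out = dict(schema)
    out["properties"] = kept
    return out


def unexpected_properties(response, fields):
    """Property names present in `response` that `_fields` did not ask for."""
    wanted = {f.partition("/")[0] for f in fields}
    return sorted(set(response.get("properties", {})) - wanted)


def fields_honoured(response, fields):
    """True iff the response contains nothing beyond the requested fields."""
    return not unexpected_properties(response, fields)
```

Running `fields_honoured` against the full response with `_fields=userSearchFilter` reproduces the ticket's finding (it returns False and lists the extra properties), while `filter_schema` shows the limited response that was expected.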

      People

      Assignee: Unassigned
      Reporter: edward.barker (edwardb)