
List:       forgerock-openam-commit
Subject:    [CommitOpenAM] [10288] trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx :
From:       noreply () forgerock ! org
Date:       2014-08-28 8:47:10
Message-ID: 20140828084710.A0DA9422A4 () sources ! internal ! forgerock ! com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[10288] trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx: \
CR-4330 Fixes for OPENAM-4156: Document the new DN Cache control feature; \
OPENAM-4374: Add a reference for Data Store configuration options</title> </head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a \
href="http://sources.forgerock.org/changelog/openam/?cs=10288">10288</a></dd> \
<dt>Author</dt> <dd>mark</dd> <dt>Date</dt> <dd>2014-08-28 09:47:10 +0100 (Thu, 28 \
Aug 2014)</dd> </dl>

<h3>Log Message</h3>
<pre>CR-4330 Fixes for <a \
href="https://bugster.forgerock.org/jira/browse/OPENAM-4156">OPENAM-4156</a>: \
Document the new DN Cache control feature; <a \
href="https://bugster.forgerock.org/jira/browse/OPENAM-4374">OPENAM-4374</a>: Add a \
reference for Data Store configuration options</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguidechap \
realmsxml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-realms.xml</a></li>
 <li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxreleasenotesc \
hapwhatsnewxml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/release-notes/chap-whats-new.xml</a></li>
 </ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatas \
toresactivedirectoryxml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml</a></li>
 <li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdata \
storesadamxml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml</a></li>
 <li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdata \
storesdbxml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml</a></li>
 <li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdata \
storesdseexml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml</a></li>
 <li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdata \
storesgenericldapv3xml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml</a></li>
 <li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdata \
storesopendjxml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml</a></li>
 <li><a href="#trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdata \
storestivolixml">trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml</a></li>
 </ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxadminguidechaprealmsxml"></a>
 <div class="modfile"><h4>Modified: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-realms.xml \
(10287 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-realms.xml	2014-08-27 \
                22:50:30 UTC (rev 10287)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/admin-guide/chap-realms.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -24,12 +24,12 @@
</span><span class="cx">   !    
</span><span class="cx"> --&gt;
</span><span class="cx"> &lt;chapter xml:id='chap-realms'
</span><del>- xmlns='http://docbook.org/ns/docbook'
- version='5.0' xml:lang='en'
- xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
- xsi:schemaLocation='http://docbook.org/ns/docbook
-                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
- xmlns:xlink='http://www.w3.org/1999/xlink'&gt;
</del><ins>+         xmlns='http://docbook.org/ns/docbook' version='5.0' \
xml:lang='en' +         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'
+         xmlns:xlink='http://www.w3.org/1999/xlink'
+         xmlns:xinclude='http://www.w3.org/2001/XInclude'&gt;
</ins><span class="cx">  &lt;title&gt;Configuring Realms&lt;/title&gt;
</span><span class="cx">  
</span><span class="cx">  \
&lt;indexterm&gt;&lt;primary&gt;Realms&lt;/primary&gt;&lt;/indexterm&gt; </span><span \
class="lines">@@ -326,17 +326,75 @@ </span><span class="cx">   &lt;step&gt;
</span><span class="cx">    &lt;para&gt;In the second screen, provide information on \
how to connect </span><span class="cx">    to your data store, and then click Finish \
to save your work.&lt;/para&gt; </span><del>-   
-   &lt;para&gt;See the &lt;link \
                xlink:href=&quot;admin-guide#chap-auth-services&quot;
-   xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;&gt;chapter on
-   authentication&lt;/link&gt; for hints on connecting to
-   &lt;link xlink:href=&quot;admin-guide#ad-module-conf-hints&quot;
-   xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;&gt;Active \
                Directory&lt;/link&gt;,
-   &lt;link xlink:href=&quot;admin-guide#ldap-module-conf-hints&quot;
-   xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;&gt;LDAP \
                directory&lt;/link&gt;, and
-   &lt;link xlink:href=&quot;admin-guide#jdbc-module-conf-hints&quot;
-   xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;&gt;JDBC&lt;/link&gt; \
                data
-   sources.&lt;/para&gt;
</del><ins>+
+   &lt;itemizedlist&gt;
+    &lt;para&gt;
+     See the following sections for hints depending on the type of data store.
+    &lt;/para&gt;
+
+    &lt;listitem&gt;
+     &lt;para&gt;
+      &lt;link
+       xlink:href=&quot;admin-guide#sec-data-stores-active-directory&quot;
+       xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;
+       /&gt;
+     &lt;/para&gt;
+    &lt;/listitem&gt;
+
+    &lt;listitem&gt;
+     &lt;para&gt;
+      &lt;link
+       xlink:href=&quot;admin-guide#sec-data-stores-adam&quot;
+       xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;
+       /&gt;
+     &lt;/para&gt;
+    &lt;/listitem&gt;
+
+    &lt;listitem&gt;
+     &lt;para&gt;
+      &lt;link
+       xlink:href=&quot;admin-guide#sec-data-stores-db&quot;
+       xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;
+       /&gt;
+     &lt;/para&gt;
+    &lt;/listitem&gt;
+
+    &lt;listitem&gt;
+     &lt;para&gt;
+      &lt;link
+       xlink:href=&quot;admin-guide#sec-data-stores-generic-ldapv3&quot;
+       xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;
+       /&gt;
+     &lt;/para&gt;
+    &lt;/listitem&gt;
+
+    &lt;listitem&gt;
+     &lt;para&gt;
+      &lt;link
+       xlink:href=&quot;admin-guide#sec-data-stores-opendj&quot;
+       xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;
+       /&gt;
+     &lt;/para&gt;
+    &lt;/listitem&gt;
+
+    &lt;listitem&gt;
+     &lt;para&gt;
+      &lt;link
+       xlink:href=&quot;admin-guide#sec-data-stores-dsee&quot;
+       xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;
+       /&gt;
+     &lt;/para&gt;
+    &lt;/listitem&gt;
+
+    &lt;listitem&gt;
+     &lt;para&gt;
+      &lt;link
+       xlink:href=&quot;admin-guide#sec-data-stores-tivoli&quot;
+       xlink:role=&quot;http://docbook.org/xlink/role/olink&quot;
+       /&gt;
+     &lt;/para&gt;
+    &lt;/listitem&gt;
+   &lt;/itemizedlist&gt;
</ins><span class="cx">   &lt;/step&gt;
</span><span class="cx">   &lt;step&gt;
</span><span class="cx">    &lt;para&gt;Click the Subjects tab, and make sure the \
connection to your </span><span class="lines">@@ -393,4 +451,12 @@
</span><span class="cx">    &lt;para&gt;Save your work.&lt;/para&gt;
</span><span class="cx">   &lt;/step&gt;
</span><span class="cx">  &lt;/procedure&gt;
</span><ins>+
+ &lt;xinclude:include \
href=&quot;../shared/sec-data-stores-active-directory.xml&quot; /&gt; + \
&lt;xinclude:include href=&quot;../shared/sec-data-stores-adam.xml&quot; /&gt; + \
&lt;xinclude:include href=&quot;../shared/sec-data-stores-db.xml&quot; /&gt; + \
&lt;xinclude:include href=&quot;../shared/sec-data-stores-generic-ldapv3.xml&quot; \
/&gt; + &lt;xinclude:include href=&quot;../shared/sec-data-stores-opendj.xml&quot; \
/&gt; + &lt;xinclude:include href=&quot;../shared/sec-data-stores-dsee.xml&quot; \
/&gt; + &lt;xinclude:include href=&quot;../shared/sec-data-stores-tivoli.xml&quot; \
/&gt; </ins><span class="cx"> &lt;/chapter&gt;
</span></span></pre></div>
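Review bot: In the first hunk of chap-realms.xml (@@ -24,12 +24,12 @@), the only functional change is the new xmlns:xinclude declaration, but every existing attribute line on the chapter element is re-indented in the same edit, so the whole attribute block shows as removed and re-added. Consider keeping the original indentation, or landing the whitespace change separately, so the namespace addition is easy to see in history.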
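Review bot: In the second hunk of chap-realms.xml (@@ -326,17 +326,75 @@), each of the seven link elements in the new itemizedlist is empty, so a list item has visible text only if olink processing supplies the title of the target section. The paragraph this replaces carried its own link text ("Active Directory", "LDAP directory", "JDBC"). Worth checking a built copy of the admin guide to confirm that all seven items render with a title, or giving each link explicit text naming the data store type.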
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxreleasenoteschapwhatsnewxml"></a>
 <div class="modfile"><h4>Modified: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/release-notes/chap-whats-new.xml \
(10287 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/release-notes/chap-whats-new.xml	2014-08-27 \
                22:50:30 UTC (rev 10287)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/release-notes/chap-whats-new.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -274,6 +274,21 @@
</span><span class="cx"> 
</span><span class="cx">   &lt;listitem&gt;
</span><span class="cx">     &lt;para&gt;
</span><ins>+     &lt;emphasis role=&quot;bold&quot;&gt;Configurable DN Cache for \
LDAP Data Stores&lt;/emphasis&gt;. +     OpenAM now has the capability to enable and \
disable DN caching. +     DN caching helps avoid DN lookups
+     that can happen in bursts during authentication.
+     (
+     &lt;link
+      xlink:show=&quot;new&quot;
+      xlink:href=&quot;https://bugster.forgerock.org/jira/browse/OPENAM-3822&quot;
+     &gt;OPENAM-3822&lt;/link&gt;
+     ).
+    &lt;/para&gt;
+  &lt;/listitem&gt;
+
+  &lt;listitem&gt;
+    &lt;para&gt;
</ins><span class="cx">      &lt;emphasis role=&quot;bold&quot;&gt;Quicker UI \
Customization&lt;/emphasis&gt;. </span><span class="cx">      While customizing the \
UI, you can set the advanced server property, </span><span class="cx">      \
&lt;literal&gt;org.forgerock.openam.core.resource.lookup.cache.enabled&lt;/literal&gt;,
 </span></span></pre></div>
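Review bot: The new "Configurable DN Cache for LDAP Data Stores" entry says DN caching can be enabled and disabled but does not name the setting or point to where it is configured, so a reader of the release notes has only the OPENAM-3822 issue link to go on. Consider adding an olink to the relevant data store section, in the same style as the links added in chap-realms.xml. Also, the opening and closing parentheses sit on their own lines around the link, which will likely render as "( OPENAM-3822 )." with stray spaces; placing "(" and ")." directly against the link element avoids that.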
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresac \
tivedirectoryxmlfromrev10287trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecapachempmtuningxml"></a>
 <div class="copfile"><h4>Copied: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml \
(from rev 10287, trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-apache-mpm-tuning.xml) \
(0 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml	 \
                (rev 0)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-active-directory.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -0,0 +1,1001 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;!--
+  ! CCPL HEADER START
+  !
+  ! This work is licensed under the Creative Commons
+  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+  ! To view a copy of this license, visit
+  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+  ! or send a letter to Creative Commons, 444 Castro Street,
+  ! Suite 900, Mountain View, California, 94041, USA.
+  !
+  ! You can also obtain a copy of the license at
+  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! If applicable, add the following below this CCPL HEADER, with the fields
+  ! enclosed by brackets &quot;[]&quot; replaced with your own identifying \
information: +  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CCPL HEADER END
+  !
+  !      Copyright 2011-2014 ForgeRock AS
+  !
+--&gt;
+&lt;section xml:id=&quot;sec-data-stores-active-directory&quot;
+         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'&gt;
+ &lt;title&gt;Hints for Configuring Active Directory Data Stores&lt;/title&gt;
+
+ &lt;para&gt;
+  Use these hints when configuring Active Directory Data Stores.
+ &lt;/para&gt;
+
+ &lt;indexterm&gt;
+  &lt;primary&gt;Data stores&lt;/primary&gt;
+  &lt;secondary&gt;Active Directory&lt;/secondary&gt;
+ &lt;/indexterm&gt;
+
+ &lt;para&gt;
+  &lt;command&gt;ssoadm&lt;/command&gt; service name:
+  &lt;literal&gt;sunIdentityRepositoryService&lt;/literal&gt;
+ &lt;/para&gt;
+
+ &lt;variablelist&gt;
+  &lt;varlistentry&gt;
+   &lt;term&gt;Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Name for the data store configuration
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Load schema when finished&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Add appropriate LDAP schema to the directory server
+     when saving the configuration.
+     The LDAP Bind DN user must have access to perform this operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;idRepoLoadSchema&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Server&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     to contact the directory server, with optional
+     &lt;literal&gt;|&lt;replaceable&gt;server_ID&lt;/replaceable&gt;|&lt;replaceable&gt;site_ID&lt;/replaceable&gt;&lt;/literal&gt;
 +     for deployments with multiple servers and sites
+    &lt;/para&gt;
+
+    &lt;orderedlist&gt;
+     &lt;para&gt;
+      OpenAM uses the optional settings to determine
+      which directory server to contact first.
+      OpenAM tries to contact directory servers
+      in the following priority order, with highest priority first.
+     &lt;/para&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;server_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;site_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the remaining list
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+    &lt;/orderedlist&gt;
+
+    &lt;para&gt;
+     If the directory server is not available,
+     OpenAM proceeds to the next directory server in the list.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ldap-server&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     of the initial directory server configured for this OpenAM server
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind DN for connecting to the directory server.
+     Some OpenAM capabilities require write access to directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authid&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;CN=Administrator,CN=Users,&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
 +    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind Password&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind password for connecting to the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authpw&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Organization DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     The base DN under which to find user and group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-organization_name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP SSL/TLS Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to use LDAPS or StartTLS to connect to the directory server.
+     If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+     either because the server certificates were signed by a CA
+     whose certificate is already included in the trust store
+     used by the container where OpenAM runs,
+     or because you imported the certificates into the trust store.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ssl-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Pool Maximum Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of connections to the directory server.
+     Make sure the directory service can cope
+     with the maximum number of client connections across all servers.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-connection_pool_max_size&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Interval&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How often to send a heartbeat request to the directory server
+     to ensure that the connection does not remain idle.
+     Some network administrators configure firewalls and load balancers
+     to drop connections that are idle for too long.
+     You can turn this off by setting the value to 0 or to a negative number.
+     To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-interval&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Time Unit&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Time unit for the LDAP Connection Heartbeat Interval setting
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-timeunit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;second&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Maximum Results Returned from Search&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     A cap for the number of search results to request.
+     For example when using the Subjects tab to view profiles,
+     even if you set
+     Configuration &gt; Console &gt; Administration &gt; Maximum Results Returned \
from Search +     to a larger number, OpenAM does not exceed this setting.
+     Rather than raise this number,
+     consider narrowing your search to match fewer directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-max-result&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Search Timeout&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum time to wait for search results in seconds.
+     Does not apply to persistent searches.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-time-limit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-search-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Repository Plug-in Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     OpenAM identity repository implementation
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoClass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM profile attribute names to directory server attribute names
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoAttributeMapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;userPassword=unicodePwd&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Supported Types and Operations&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM operations that can be performed in the specified OpenAM contexts
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoSupportedOperations&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;group=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;realm=read,create,edit,delete,service&lt;/literal&gt;,
+     &lt;literal&gt;user=read,create,edit,delete&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a user by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for users, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=person)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;users&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any such unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;organizationalPerson&lt;/literal&gt;,
+     &lt;literal&gt;person&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;,
+     &lt;literal&gt;User&lt;/literal&gt;,
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;assignedDashboard&lt;/literal&gt;,
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;devicePrintProfiles&lt;/literal&gt;,
+     &lt;literal&gt;displayName&lt;/literal&gt;,
+     &lt;literal&gt;distinguishedName&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;employeeNumber&lt;/literal&gt;,
+     &lt;literal&gt;givenName&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-add-session-listener-on-all-sessions&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-session-destroy-sessions&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-get-valid-sessions&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-caching-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-idle-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-session-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-quota-limit&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-service-status&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-account-life&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-admin-start-dn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-alias-list&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-config&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-modules&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-failure-url&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info-key&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-login-status&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-force-reset&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-options&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-question-answer&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-success-url&lt;/literal&gt;,
+     &lt;literal&gt;mail&lt;/literal&gt;,
+     &lt;literal&gt;name&lt;/literal&gt;,
+     &lt;literal&gt;objectclass&lt;/literal&gt;,
+     &lt;literal&gt;objectGUID&lt;/literal&gt;,
+     &lt;literal&gt;postalAddress&lt;/literal&gt;,
+     &lt;literal&gt;preferredlanguage&lt;/literal&gt;,
+     &lt;literal&gt;preferredLocale&lt;/literal&gt;,
+     &lt;literal&gt;preferredtimezone&lt;/literal&gt;,
+     &lt;literal&gt;sAMAccountName&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-info&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-infokey&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthInvalidAttemptsData&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityMSISDNNumber&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerDiscoEntries&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPAddressCard&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameAltCN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameCN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameFN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameMN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNamePT&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameSN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsAge&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsBirthDay&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsDisplayLanguage&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsLanguage&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsTimeZone&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmergencyContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityAltO&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityJobTitle&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityOrg&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEncryPTKey&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadegreetmesound&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeGreetSound&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeMugShot&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeNamePronounced&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeWebSite&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPInformalName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdType&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdValue&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityDOB&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityGender&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityLegalName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityMaritalStatus&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdType&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdValue&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPMsgContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPSignKey&lt;/literal&gt;,
+     &lt;literal&gt;telephoneNumber&lt;/literal&gt;,
+     &lt;literal&gt;unicodePwd&lt;/literal&gt;,
+     &lt;literal&gt;userAccountControl&lt;/literal&gt;,
+     &lt;literal&gt;userpassword&lt;/literal&gt;,
+     &lt;literal&gt;userPrincipalname&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Create User Attribute Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When creating a user profile,
+     apply this map of OpenAM profile attribute names
+     to directory server attribute names.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Attributes not mapped to another attribute
+     (for example, &lt;literal&gt;cn&lt;/literal&gt;)
+     and attributes mapped to themselves
+     (for example, &lt;literal&gt;cn=cn&lt;/literal&gt;)
+     take the value of the username
+     unless the attribute values are provided when creating the profile.
+     The object classes for user profile LDAP entries
+     generally require Common Name (cn) and Surname (sn) attributes,
+     so this prevents an LDAP constraint violation
+     when performing the add operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-createuser-attr-mapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of User Status&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute to check/set user status
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-isactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;userAccountControl&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Active Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Active users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-active&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     544
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Inactive Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Inactive users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-inactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     546
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Authentication Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute for building the bind DN
+     when given a username and password
+     to authenticate a user against the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-auth-naming-attr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a group by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for groups, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=group)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;users&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Group&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;distinguishedName&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;member&lt;/literal&gt;,
+     &lt;literal&gt;name&lt;/literal&gt;,
+     &lt;literal&gt;objectCategory&lt;/literal&gt;,
+     &lt;literal&gt;objectclass&lt;/literal&gt;,
+     &lt;literal&gt;sAMAccountName&lt;/literal&gt;,
+     &lt;literal&gt;sAMAccountType&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name for Group Membership&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute in the member's LDAP entry
+     whose values are the groups to which a member belongs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-memberof&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Unique Member&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute in the group's LDAP entry
+     whose values are the members of the group
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-uniquemember&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;member&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Base DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Base DN for LDAP persistent searches
+     used to receive notification of changes in directory server data
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearchbase&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Specify either &lt;literal&gt;SCOPE_BASE&lt;/literal&gt;
+     or &lt;literal&gt;SCOPE_ONE&lt;/literal&gt;.
+     Do not specify &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;,
+     as it can have a severe impact on Active Directory performance.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;The Delay Time Between Retries&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How long to wait after receiving an error result
+     that indicates OpenAM should try the LDAP operation again
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;com.iplanet.am.ldap.connection.delay.between.retries&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000 milliseconds
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to enable the DN cache, which is used to cache DN lookups
+     that can happen in bursts during authentication.
+     As the cache can become stale when a user is moved or renamed,
+     enable DN caching when the directory service allows move/rename operations (Mod \
DN), +     and when OpenAM uses persistent searches to obtain notification of such \
updates. +    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of DNs cached when caching is enabled
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-size&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1500 items
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+ &lt;/variablelist&gt;
+&lt;/section&gt;
</ins></span></pre></div>
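Review bot: The Persistent Search Scope entry contradicts its own default: the second paragraph says "Do not specify SCOPE_SUB, as it can have a severe impact on Active Directory performance", yet the Default paragraph lists SCOPE_SUB, so anyone who accepts the defaults gets the setting the page warns against. Either state that the default must be changed for Active Directory or correct the listed default, and change SEARCH_SUB in the first paragraph to SCOPE_SUB so the value names agree. In LDAP User Object Class, the paragraphs starting "OpenAM handles only those attributes listed in this setting" describe attribute filtering and look like they belong under LDAP User Attributes, which has only a one-line description; move them or explain how the object class list restricts attributes. The object class default list also ends with a stray comma after User. User Status Active Value and Inactive Value give 544 and 546 with no explanation; these are userAccountControl flag sums (544 = 512 NORMAL_ACCOUNT + 32 PASSWD_NOTREQD, 546 adds 2 ACCOUNTDISABLE), and a sentence saying so would let readers see that the default active value carries the password-not-required flag. In DN Cache Enabled, the sentence can be read as "enable the cache whenever Mod DN is allowed"; reword it to say whether the cache should stay off when persistent searches are not in use, since that is the case in which entries go stale.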
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresadamxml"></a>
 <div class="addfile"><h4>Added: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml \
(0 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml	 \
                (rev 0)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-adam.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -0,0 +1,1013 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;!--
+  ! CCPL HEADER START
+  !
+  ! This work is licensed under the Creative Commons
+  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+  ! To view a copy of this license, visit
+  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+  ! or send a letter to Creative Commons, 444 Castro Street,
+  ! Suite 900, Mountain View, California, 94041, USA.
+  !
+  ! You can also obtain a copy of the license at
+  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! If applicable, add the following below this CCPL HEADER, with the fields
+  ! enclosed by brackets &quot;[]&quot; replaced with your own identifying \
information: +  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CCPL HEADER END
+  !
+  !      Copyright 2011-2014 ForgeRock AS
+  !
+--&gt;
+&lt;section xml:id=&quot;sec-data-stores-adam&quot;
+         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'&gt;
+ &lt;title&gt;Hints for Configuring Active Directory Application Mode (ADAM) Data \
Stores&lt;/title&gt; +
+ &lt;para&gt;
+  Use these hints when configuring Active Directory Application Mode (ADAM) Data \
Stores. + &lt;/para&gt;
+
+ &lt;indexterm&gt;
+  &lt;primary&gt;Data stores&lt;/primary&gt;
+  &lt;secondary&gt;Active Directory Application Mode (ADAM)&lt;/secondary&gt;
+ &lt;/indexterm&gt;
+
+ &lt;para&gt;
+  &lt;command&gt;ssoadm&lt;/command&gt; service name:
+  &lt;literal&gt;sunIdentityRepositoryService&lt;/literal&gt;
+ &lt;/para&gt;
+
+ &lt;variablelist&gt;
+  &lt;varlistentry&gt;
+   &lt;term&gt;Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Name for the data store configuration
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Load schema when finished&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Add appropriate LDAP schema to the directory server
+     when saving the configuration.
+     The LDAP Bind DN user must have access to perform this operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;idRepoLoadSchema&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Server&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     to contact the directory server, with optional
+     &lt;literal&gt;|&lt;replaceable&gt;server_ID&lt;/replaceable&gt;|&lt;replaceable&gt;site_ID&lt;/replaceable&gt;&lt;/literal&gt;
 +     for deployments with multiple servers and sites
+    &lt;/para&gt;
+
+    &lt;orderedlist&gt;
+     &lt;para&gt;
+      OpenAM uses the optional settings to determine
+      which directory server to contact first.
+      OpenAM tries to contact directory servers
+      in the following priority order, with highest priority first.
+     &lt;/para&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;server_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;site_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the remaining list
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+    &lt;/orderedlist&gt;
+
+    &lt;para&gt;
+     If the directory server is not available,
+     OpenAM proceeds to the next directory server in the list.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ldap-server&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     of the initial directory server configured for this OpenAM server
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind DN for connecting to the directory server.
+     Some OpenAM capabilities require write access to directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authid&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;CN=Administrator,CN=Users,&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
 +    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind Password&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind password for connecting to the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authpw&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Organization DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     The base DN under which to find user and group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-organization_name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP SSL/TLS Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to use LDAPS or StartTLS to connect to the directory server.
+     If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+     either because the server certificates were signed by a CA
+     whose certificate is already included in the trust store
+     used by the container where OpenAM runs,
+     or because you imported the certificates into the trust store.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ssl-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Pool Maximum Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of connections to the directory server.
+     Make sure the directory service can cope
+     with the maximum number of client connections across all servers.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-connection_pool_max_size&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Interval&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How often to send a heartbeat request to the directory server
+     to ensure that the connection does not remain idle.
+     Some network administrators configure firewalls
+     and load balancers to drop connections that are idle for too long.
+     You can turn this off by setting the value to 0 or to a negative number.
+     To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-interval&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Time Unit&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Time unit for the LDAP Connection Heartbeat Interval setting
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-timeunit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;second&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Maximum Results Returned from Search&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     A cap for the number of search results to request.
+     For example when using the Subjects tab to view profiles,
+     even if you set
+     Configuration &gt; Console &gt; Administration &gt; Maximum Results Returned \
from Search +     to a larger number, OpenAM does not exceed this setting.
+     Rather than raise this number,
+     consider narrowing your search to match fewer directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-max-result&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Search Timeout&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum time to wait for search results in seconds.
+     Does not apply to persistent searches.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-time-limit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-search-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Repository Plug-in Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     OpenAM identity repository implementation
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoClass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM profile attribute names to directory server attribute names
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoAttributeMapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;userPassword=unicodePwd&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Supported Types and Operations&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM operations that can be performed in the specified OpenAM contexts
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoSupportedOperations&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;group=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;realm=read,create,edit,delete,service&lt;/literal&gt;,
+     &lt;literal&gt;user=read,create,edit,delete&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a user by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for users, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=person)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;devicePrintProfilesContainer&lt;/literal&gt;,
+     &lt;literal&gt;forgerock-am-dashboard-service&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration-service&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-managed-person&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-service&lt;/literal&gt;,
+     &lt;literal&gt;iPlanetPreferences&lt;/literal&gt;,
+     &lt;literal&gt;organizationalPerson&lt;/literal&gt;,
+     &lt;literal&gt;person&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthAccountLockout&lt;/literal&gt;,
+     &lt;literal&gt;sunFederationManagerDataStore&lt;/literal&gt;,
+     &lt;literal&gt;sunFMSAML2NameIdentifier&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerLibertyPPService&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;,
+     &lt;literal&gt;User&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;assignedDashboard&lt;/literal&gt;,
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;devicePrintProfiles&lt;/literal&gt;,
+     &lt;literal&gt;displayName&lt;/literal&gt;,
+     &lt;literal&gt;distinguishedName&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;employeeNumber&lt;/literal&gt;,
+     &lt;literal&gt;givenName&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-add-session-listener-on-all-sessions&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-session-destroy-sessions&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-get-valid-sessions&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-caching-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-idle-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-session-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-quota-limit&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-service-status&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-account-life&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-admin-start-dn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-alias-list&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-config&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-modules&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-failure-url&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info-key&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-login-status&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-force-reset&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-options&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-question-answer&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-success-url&lt;/literal&gt;,
+     &lt;literal&gt;mail&lt;/literal&gt;,
+     &lt;literal&gt;name&lt;/literal&gt;,
+     &lt;literal&gt;objectclass&lt;/literal&gt;,
+     &lt;literal&gt;objectGUID&lt;/literal&gt;,
+     &lt;literal&gt;postalAddress&lt;/literal&gt;,
+     &lt;literal&gt;preferredlanguage&lt;/literal&gt;,
+     &lt;literal&gt;preferredLocale&lt;/literal&gt;,
+     &lt;literal&gt;preferredtimezone&lt;/literal&gt;,
+     &lt;literal&gt;sAMAccountName&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-info&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-infokey&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthInvalidAttemptsData&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityMSISDNNumber&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerDiscoEntries&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPAddressCard&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameAltCN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameCN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameFN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameMN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNamePT&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameSN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsAge&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsBirthDay&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsDisplayLanguage&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsLanguage&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsTimeZone&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmergencyContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityAltO&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityJobTitle&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityOrg&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEncryPTKey&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadegreetmesound&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeGreetSound&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeMugShot&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeNamePronounced&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeWebSite&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPInformalName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdType&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdValue&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityDOB&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityGender&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityLegalName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityMaritalStatus&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdType&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdValue&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPMsgContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPSignKey&lt;/literal&gt;,
+     &lt;literal&gt;telephoneNumber&lt;/literal&gt;,
+     &lt;literal&gt;unicodePwd&lt;/literal&gt;,
+     &lt;literal&gt;userAccountControl&lt;/literal&gt;,
+     &lt;literal&gt;userpassword&lt;/literal&gt;,
+     &lt;literal&gt;userPrincipalname&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Create User Attribute Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When creating a user profile,
+     apply this map of OpenAM profile attribute names
+     to directory server attribute names.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Attributes not mapped to another attribute
+     (for example, &lt;literal&gt;cn&lt;/literal&gt;)
+     and attributes mapped to themselves
+     (for example, &lt;literal&gt;cn=cn&lt;/literal&gt;)
+     take the value of the username
+     unless the attribute values are provided when creating the profile.
+     The object classes for user profile LDAP entries
+     generally require Common Name (cn) and Surname (sn) attributes,
+     so this prevents an LDAP constraint violation
+     when performing the add operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-createuser-attr-mapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of User Status&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute to check/set user status
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-isactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;msDS-UserAccountDisabled&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Active Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Active users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-active&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     FALSE
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Inactive Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Inactive users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-inactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     TRUE
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Authentication Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute for building the bind DN when given a username and password
+     to authenticate a user against the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-auth-naming-attr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a group by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for groups, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=group)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Group&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;distinguishedName&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;member&lt;/literal&gt;,
+     &lt;literal&gt;name&lt;/literal&gt;,
+     &lt;literal&gt;objectCategory&lt;/literal&gt;,
+     &lt;literal&gt;objectclass&lt;/literal&gt;,
+     &lt;literal&gt;sAMAccountName&lt;/literal&gt;,
+     &lt;literal&gt;sAMAccountType&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name for Group Membership&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute in the member's LDAP entry
+     whose values are the groups to which a member belongs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-memberof&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Unique Member&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute in the group's LDAP entry
+     whose values are the members of the group
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-uniquemember&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;member&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Base DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Base DN for LDAP persistent searches used
+     to receive notification of changes in directory server data
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearchbase&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Specify either &lt;literal&gt;SCOPE_BASE&lt;/literal&gt;
+     or &lt;literal&gt;SCOPE_ONE&lt;/literal&gt;.
+     Do not specify &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;,
+     as it can have a severe impact on Active Directory performance.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;The Delay Time Between Retries&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How long to wait after receiving an error result
+     that indicates OpenAM should try the LDAP operation again
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;com.iplanet.am.ldap.connection.delay.between.retries&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000 milliseconds
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to enable the DN cache, which is used to cache DN lookups
+     that can happen in bursts during authentication.
+     As the cache can become stale when a user is moved or renamed,
+     enable DN caching when the directory service allows move/rename operations (Mod \
DN), +     and when OpenAM uses persistent searches to obtain notification of such \
updates. +    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of DNs cached when caching is enabled
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-size&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1500 items
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+ &lt;/variablelist&gt;
+&lt;/section&gt;
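Review bot: In the Persistent Search Scope entry the text says "Do not specify SCOPE_SUB, as it can have a severe impact on Active Directory performance", yet the Default paragraph of the same entry is SCOPE_SUB, so a data store left at its default carries the setting the text warns against. Either say that the default has to be changed after the data store is created, or explain when SCOPE_SUB is acceptable. The first paragraph of that entry also names the subtree scope SEARCH_SUB while the literals use SCOPE_SUB; pick one spelling. Two smaller points. Under LDAP User Object Class, the two paragraphs about unlisted attributes ("OpenAM handles only those attributes listed in this setting" and the mailAlternateAddress example) repeat the LDAP User Attributes entry word for word and describe attributes rather than object classes, so they read as a paste that should be dropped or reworded for object classes. In DN Cache Enabled, the sentence "enable DN caching when the directory service allows move/rename operations (Mod DN), and when OpenAM uses persistent searches" can be read as recommending the cache whenever Mod DN is allowed; since the entry itself says the cache goes stale on a move or rename and that it serves DN lookups during authentication, state outright whether the cache should be enabled only when persistent search delivers those change notifications.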
</ins></span></pre></div>
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresdbxml"></a>
 <div class="addfile"><h4>Added: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml \
(0 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml	 \
                (rev 0)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-db.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -0,0 +1,538 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;!--
+  ! CCPL HEADER START
+  !
+  ! This work is licensed under the Creative Commons
+  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+  ! To view a copy of this license, visit
+  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+  ! or send a letter to Creative Commons, 444 Castro Street,
+  ! Suite 900, Mountain View, California, 94041, USA.
+  !
+  ! You can also obtain a copy of the license at
+  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! If applicable, add the following below this CCPL HEADER, with the fields
+  ! enclosed by brackets &quot;[]&quot; replaced with your own identifying \
information: +  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CCPL HEADER END
+  !
+  !      Copyright 2011-2014 ForgeRock AS
+  !
+--&gt;
+&lt;section xml:id=&quot;sec-data-stores-db&quot;
+         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'
+         xmlns:xlink='http://www.w3.org/1999/xlink'&gt;
+ &lt;title&gt;Hints for Configuring Database Repository (Early Access) Data \
Stores&lt;/title&gt; +
+ &lt;para&gt;
+  Use these hints when configuring Database Repository (Early Access) Data Stores.
+ &lt;/para&gt;
+
+ &lt;important&gt;
+  &lt;para&gt;
+   This feature is in Early Access,
+   meaning it is not generally supported for use in production environments.
+   If you expect to use a relational database as an identity repository
+   other than for development or testing purposes,
+   first confirm supportability of your configuration with an expert.
+   You can contact ForgeRock at
+   &lt;link xlink:href=&quot;mailto:info@forgerock.com&quot;&gt;info@forgerock.com&lt;/link&gt;.
 +  &lt;/para&gt;
+ &lt;/important&gt;
+
+ &lt;indexterm&gt;
+  &lt;primary&gt;Data stores&lt;/primary&gt;
+  &lt;secondary&gt;Database Repository (Early Access)&lt;/secondary&gt;
+ &lt;/indexterm&gt;
+
+ &lt;para&gt;
+  &lt;command&gt;ssoadm&lt;/command&gt; service name:
+  &lt;literal&gt;sunIdentityRepositoryService&lt;/literal&gt;
+ &lt;/para&gt;
+
+ &lt;variablelist&gt;
+  &lt;varlistentry&gt;
+   &lt;term&gt;Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Name for the data store configuration
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Load schema when finished&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Add the appropriate schema to the database on saving the configuration.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;idRepoLoadSchema&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Database Data Access Object Plugin Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     OpenAM data access implementation
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-dao-class-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;com.sun.identity.idm.plugins.database.JdbcSimpleUserDao&lt;/literal&gt;
 +    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Connection Type&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to connect directly to the database,
+     or to connect through JNDI provided by the container where OpenAM runs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-dao-JDBCConnectionType&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     Connection is retrieved via programmatic connection
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Database DataSource Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Data source name from the container configuration when connecting over JNDI
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-DataSourceJndiName&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;java:comp/env/jdbc/openssousersdb&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;JDBC Driver Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Driver class used when connecting directly
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-JDBCDriver&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;com.mysql.jdbc.Driver&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;JDBC Driver URL&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     URL used when connecting directly
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-JDBCUrl&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;jdbc:mysql://127.0.0.1:3306/test&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Connect This User to Database&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Username used when connecting directly
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-JDBCDbuser&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;root&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Password for Connecting to Database&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Password used when connecting directly
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-JDBCDbpassword&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Maximum Results Returned from Search&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     A cap for the number of search results to request.
+     For example when using the Subjects tab to view profiles,
+     even if you set
+     Configuration &gt; Console &gt; Administration &gt; Maximum Results Returned \
from Search +     to a larger number, OpenAM does not exceed this setting.
+     Rather than raise this number,
+     consider narrowing your search to match fewer profiles.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-config-max-result&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Database Repository Plugin Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     OpenAM identity repository implementation
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoClass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;com.sun.identity.idm.plugins.database.DatabaseRepo&lt;/literal&gt;
 +    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM profile attribute names to database column names
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoAttributeMapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;iplanet-am-user-account-life=iplanet_am_user_account_life&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-user-alias-list=iplanet_am_user_alias_list&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-user-auth-config=iplanet_am_user_auth_config&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-user-failure-url=iplanet_am_user_failure_url&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-user-password-reset-force-reset=iplanet_am_user_password_reset_force_reset&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-user-password-reset-question-answer=iplanet_am_user_password_reset_question_answer&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-user-password-resetoptions=iplanet_am_user_password_resetoptions&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-user-success-url=iplanet_am_user_success_url&lt;/literal&gt;
 +    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Database Plug-in Supported Types and Operations&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM operations that can be performed in the specified OpenAM contexts
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-sunIdRepoSupportedOperations&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;group=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;user=read,create,edit,delete,service&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Database User Table Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Table to store user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-UserTableName&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;opensso_users&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;List of User Attributes Names in Database&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Columns for user profile attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-UserAttrs&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ChangePassword&lt;/literal&gt;,
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;employeenumber&lt;/literal&gt;,
+     &lt;literal&gt;givenname&lt;/literal&gt;,
+     &lt;literal&gt;inetuserstatus&lt;/literal&gt;,
+     &lt;literal&gt;iplanet_am_user_account_life&lt;/literal&gt;,
+     &lt;literal&gt;iplanet_am_user_alias_list&lt;/literal&gt;,
+     &lt;literal&gt;iplanet_am_user_auth_config&lt;/literal&gt;,
+     &lt;literal&gt;iplanet_am_user_failure_url&lt;/literal&gt;,
+     &lt;literal&gt;iplanet_am_user_password_reset_force_reset&lt;/literal&gt;,
+     &lt;literal&gt;iplanet_am_user_password_reset_question_answer&lt;/literal&gt;,
+     &lt;literal&gt;iplanet_am_user_password_resetoptions&lt;/literal&gt;,
+     &lt;literal&gt;iplanet_am_user_success_url&lt;/literal&gt;,
+     &lt;literal&gt;mail&lt;/literal&gt;,
+     &lt;literal&gt;manager&lt;/literal&gt;,
+     &lt;literal&gt;postaladdress&lt;/literal&gt;,
+     &lt;literal&gt;preferredlocale&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityMSISDNNumber&lt;/literal&gt;,
+     &lt;literal&gt;telephonenumber&lt;/literal&gt;,
+     &lt;literal&gt;uid&lt;/literal&gt;,
+     &lt;literal&gt;userpassword&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Password Attribute Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Column for user passwords
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-UserPasswordAttr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;userpassword&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User ID Attribute Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Column for user IDs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-UserIDAttr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of User Status&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Column to check/set user status
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-UserStatusAttr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;inetuserstatus&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Active Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Active users have the user status set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-activeValue&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Active&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Inactive Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Inactive users have the user status set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-inactiveValue&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Inactive&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Users Search Attribute in Database&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Key for looking up user profiles by name
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-config-users-search-attribute&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Database Membership table name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Table to store group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-MembershipTableName&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;groups&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Membership ID Attribute Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Column for group IDs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-MembershipIDAttr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;group_name&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Membership Search Attribute in Database&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Key for looking up group profiles by name
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-opensso-database-membership-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+ &lt;/variablelist&gt;
+&lt;/section&gt;
</ins></span></pre></div>
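Review bot: the "User Password Attribute Name" entry says only "Column for user passwords" (default userpassword) and does not state in what form the password is stored in that column, while the same userpassword column also appears in the default list under "List of User Attributes Names in Database". Please add a sentence on whether the column holds a hashed or a clear-text value, and which database account needs read access to it, so that deployers can restrict the column accordingly. Two smaller points in the same file: the term "Database Membership table name" breaks the title case used by every other term in this list, and "Users Search Attribute in Database" defaults to cn while "User ID Attribute Name" defaults to uid, which deserves a sentence explaining how the two settings relate.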
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresdseexml"></a>
 <div class="addfile"><h4>Added: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml \
(0 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml	 \
                (rev 0)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-dsee.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -0,0 +1,1261 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;!--
+  ! CCPL HEADER START
+  !
+  ! This work is licensed under the Creative Commons
+  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+  ! To view a copy of this license, visit
+  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+  ! or send a letter to Creative Commons, 444 Castro Street,
+  ! Suite 900, Mountain View, California, 94041, USA.
+  !
+  ! You can also obtain a copy of the license at
+  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! If applicable, add the following below this CCPL HEADER, with the fields
+  ! enclosed by brackets &quot;[]&quot; replaced with your own identifying \
information: +  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CCPL HEADER END
+  !
+  !      Copyright 2011-2014 ForgeRock AS
+  !
+--&gt;
+&lt;section xml:id=&quot;sec-data-stores-dsee&quot;
+         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'&gt;
+ &lt;title&gt;Hints for Configuring Sun DS with OpenAM schema Data \
Stores&lt;/title&gt; +
+ &lt;para&gt;
+  Use these hints when configuring Data Stores
+  for Oracle DSEE or Sun DSEE using OpenAM schema.
+ &lt;/para&gt;
+
+ &lt;indexterm&gt;
+  &lt;primary&gt;Data stores&lt;/primary&gt;
+  &lt;secondary&gt;Oracle DSEE&lt;/secondary&gt;
+ &lt;/indexterm&gt;
+
+ &lt;para&gt;
+  &lt;command&gt;ssoadm&lt;/command&gt; service name:
+  &lt;literal&gt;sunIdentityRepositoryService&lt;/literal&gt;
+ &lt;/para&gt;
+
+ &lt;variablelist&gt;
+  &lt;varlistentry&gt;
+   &lt;term&gt;Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Name for the data store configuration
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Load schema when finished&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Add appropriate LDAP schema to the directory server
+     when saving the configuration.
+     The LDAP Bind DN user must have access to perform this operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;idRepoLoadSchema&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Server&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     to contact the directory server, with optional
+     &lt;literal&gt;|&lt;replaceable&gt;server_ID&lt;/replaceable&gt;|&lt;replaceable&gt;site_ID&lt;/replaceable&gt;&lt;/literal&gt;
 +     for deployments with multiple servers and sites
+    &lt;/para&gt;
+
+    &lt;orderedlist&gt;
+     &lt;para&gt;
+      OpenAM uses the optional settings to determine
+      which directory server to contact first.
+      OpenAM tries to contact directory servers
+      in the following priority order, with highest priority first.
+     &lt;/para&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;server_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;site_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the remaining list
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+    &lt;/orderedlist&gt;
+
+    &lt;para&gt;
+     If the directory server is not available,
+     OpenAM proceeds to the next directory server in the list.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ldap-server&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     of the initial directory server configured for this OpenAM server
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind DN for connecting to the directory server.
+     Some OpenAM capabilities require write access to directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authid&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn=dsameuser,ou=DSAME \
Users,&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt; +    \
&lt;/para&gt; +   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind Password&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind password for connecting to the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authpw&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Organization DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     The base DN under which to find user and group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-organization_name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP SSL/TLS Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to use LDAPS or StartTLS to connect to the directory server.
+     If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+     either because the server certificates were signed by a CA
+     whose certificate is already included in the trust store
+     used by the container where OpenAM runs,
+     or because you imported the certificates into the trust store.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ssl-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Pool Maximum Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of connections to the directory server.
+     Make sure the directory service can cope
+     with the maximum number of client connections across all servers.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-connection_pool_max_size&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Interval&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How often to send a heartbeat request to the directory server
+     to ensure that the connection does not remain idle.
+     Some network administrators configure firewalls
+     and load balancers to drop connections that are idle for too long.
+     You can turn this off by setting the value to 0 or to a negative number.
+     To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-interval&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Time Unit&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Time unit for the LDAP Connection Heartbeat Interval setting
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-timeunit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;second&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Maximum Results Returned from Search&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     A cap for the number of search results to request.
+     For example when using the Subjects tab to view profiles,
+     even if you set
+     Configuration &gt; Console &gt; Administration &gt; Maximum Results Returned \
from Search +     to a larger number, OpenAM does not exceed this setting.
+     Rather than raise this number,
+     consider narrowing your search to match fewer directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-max-result&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Search Timeout&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum time to wait for search results in seconds.
+     Does not apply to persistent searches.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-time-limit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-search-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Repository Plug-in Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     OpenAM identity repository implementation
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoClass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM profile attribute names to directory server attribute names
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoAttributeMapping&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Supported Types and Operations&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM operations that can be performed in the specified OpenAM contexts
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoSupportedOperations&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;filteredrole=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;group=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;realm=read,create,edit,delete,service&lt;/literal&gt;,
+     &lt;literal&gt;role=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;user=read,create,edit,delete,service&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a user by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for users, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=inetorgperson)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ou&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;people&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;devicePrintProfilesContainer&lt;/literal&gt;,
+     &lt;literal&gt;forgerock-am-dashboard-service&lt;/literal&gt;,
+     &lt;literal&gt;inetadmin&lt;/literal&gt;,
+     &lt;literal&gt;inetorgperson&lt;/literal&gt;,
+     &lt;literal&gt;inetuser&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration-service&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-managed-person&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-service&lt;/literal&gt;,
+     &lt;literal&gt;iPlanetPreferences&lt;/literal&gt;,
+     &lt;literal&gt;organizationalperson&lt;/literal&gt;,
+     &lt;literal&gt;person&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthAccountLockout&lt;/literal&gt;,
+     &lt;literal&gt;sunFederationManagerDataStore&lt;/literal&gt;,
+     &lt;literal&gt;sunFMSAML2NameIdentifier&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerLibertyPPService&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;sunIdentityServerPPDemographicsBirthDay&lt;/literal&gt;,
+     &lt;literal&gt;uid&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityLegalName&lt;/literal&gt;,
+     &lt;literal&gt;manager&lt;/literal&gt;,
+     &lt;literal&gt;assignedDashboard&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameSN&lt;/literal&gt;,
+     &lt;literal&gt;userPassword&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-get-valid-sessions&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityJobTitle&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-question-answer&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityDOB&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmergencyContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameCN&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-success-url&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-admin-start-dn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info&lt;/literal&gt;,
+     &lt;literal&gt;userCertificate&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeGreetSound&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthInvalidAttemptsData&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeNamePronounced&lt;/literal&gt;,
+     &lt;literal&gt;distinguishedName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsTimeZone&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityMSISDNNumber&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-caching-time&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-quota-limit&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-session-time&lt;/literal&gt;,
+     &lt;literal&gt;adminRole&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityAltO&lt;/literal&gt;,
+     &lt;literal&gt;objectClass&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-info&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityMaritalStatus&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-login-status&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdType&lt;/literal&gt;,
+     &lt;literal&gt;devicePrintProfiles&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-idle-time&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadegreetmesound&lt;/literal&gt;,
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-options&lt;/literal&gt;,
+     &lt;literal&gt;telephoneNumber&lt;/literal&gt;,
+     &lt;literal&gt;preferredlanguage&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info-key&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPMsgContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityGender&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-alias-list&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameFN&lt;/literal&gt;,
+     &lt;literal&gt;caCertificate&lt;/literal&gt;,
+     &lt;literal&gt;inetUserStatus&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameMN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEncryPTKey&lt;/literal&gt;,
+     &lt;literal&gt;givenName&lt;/literal&gt;,
+     &lt;literal&gt;memberOf&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-static-group-dn&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdValue&lt;/literal&gt;,
+     &lt;literal&gt;preferredLocale&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-service-status&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-infokey&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsAge&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerDiscoEntries&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdType&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-config&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-failure-url&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPAddressCard&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNamePT&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-add-session-listener-on-all-sessions&lt;/literal&gt;,
 +     &lt;literal&gt;mail&lt;/literal&gt;,
+     &lt;literal&gt;authorityRevocationList&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-force-reset&lt;/literal&gt;,
+     &lt;literal&gt;inetUserHttpURL&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdValue&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameAltCN&lt;/literal&gt;,
+     &lt;literal&gt;preferredtimezone&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPInformalName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPSignKey&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityOrg&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-destroy-sessions&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeMugShot&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeWebSite&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsDisplayLanguage&lt;/literal&gt;,
+     &lt;literal&gt;postalAddress&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration&lt;/literal&gt;,
+     &lt;literal&gt;employeeNumber&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-modules&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-account-life&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsLanguage&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Create User Attribute Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When creating a user profile,
+     apply this map of OpenAM profile attribute names
+     to directory server attribute names.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Attributes not mapped to another attribute
+     (for example, &lt;literal&gt;cn&lt;/literal&gt;)
+     and attributes mapped to themselves
+     (for example, &lt;literal&gt;cn=cn&lt;/literal&gt;)
+     take the value of the username
+     unless the attribute values are provided when creating the profile.
+     The object classes for user profile LDAP entries
+     generally require Common Name (cn) and Surname (sn) attributes,
+     so this prevents an LDAP constraint violation
+     when performing the add operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-createuser-attr-mapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of User Status&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute to check/set user status
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-isactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;inetuserstatus&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Active Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Active users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-active&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Active&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Inactive Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Inactive users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-inactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Inactive&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Authentication Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute for building the bind DN when given a username and password
+     to authenticate a user against the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-auth-naming-attr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a group by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for groups, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=groupOfUniqueNames)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ou&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;groups&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;groupofuniquenames&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-managed-group&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-managed-static-group&lt;/literal&gt;,
+     &lt;literal&gt;groupofurls&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-group-subscribable&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;objectclass&lt;/literal&gt;,
+     &lt;literal&gt;uniqueMember&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name for Group Membership&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute in the member's LDAP entry
+     whose values are the groups to which a member belongs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-memberof&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Unique Member&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute in the group's LDAP entry
+     whose values are the members of the group
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-uniquemember&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uniqueMember&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Group Member URL&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute in the dynamic group's LDAP entry
+     whose values are LDAP URLs specifying members of the group
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-memberurl&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;memberUrl&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Roles Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a role by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-roles-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Roles Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for roles, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-roles-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(&amp;amp;(objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition))&lt;/literal&gt;
 +    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Roles Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Role profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-role-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ldapsubentry&lt;/literal&gt;,
+     &lt;literal&gt;nsmanagedroledefinition&lt;/literal&gt;,
+     &lt;literal&gt;nsroledefinition&lt;/literal&gt;,
+     &lt;literal&gt;nssimpleroledefinition&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Filter Roles Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a filtered role by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-filterroles-search-attribute&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Filter Roles Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for filtered roles, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-filterroles-search-filter&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(&amp;amp;(objectclass=ldapsubentry)(objectclass=nsfilteredroledefinition))&lt;/literal&gt;
 +    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Filter Roles Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Filtered role profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-filterrole-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ldapsubentry&lt;/literal&gt;,
+     &lt;literal&gt;nscomplexroledefinition&lt;/literal&gt;,
+     &lt;literal&gt;nsfilteredroledefinition&lt;/literal&gt;,
+     &lt;literal&gt;nsroledefinition&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Filter Roles Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Filtered role profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-filterrole-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;nsRoleFilter&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name for Filtered Role Membership&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute in the member's LDAP entry
+     whose values are the filtered roles to which a member belongs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-nsrole&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;nsrole&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Role Membership&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute in the member's LDAP entry
+     whose values are the roles to which a member belongs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-nsroledn&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;nsRoleDN&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Filtered Role Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute whose values are the filters for filtered roles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-nsrolefilter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;nsRoleFilter&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Base DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Base DN for LDAP persistent searches used
+     to receive notification of changes in directory server data
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearchbase&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP filter to apply when performing persistent searches
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=*)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;The Delay Time Between Retries&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How long to wait after receiving an error result
+     that indicates OpenAM should try the LDAP operation again
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;com.iplanet.am.ldap.connection.delay.between.retries&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000 milliseconds
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to enable the DN cache, which is used to cache DN lookups
+     that can happen in bursts during authentication.
+     As the cache can become stale when a user is moved or renamed,
+     enable DN caching when the directory service allows move/rename operations (Mod \
DN), +     and when OpenAM uses persistent searches to obtain notification of such \
updates. +    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     true
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of DNs cached when caching is enabled
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-size&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1500 items
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+ &lt;/variablelist&gt;
+&lt;/section&gt;
</ins></span></pre></div>
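Review bot: In the Persistent Search Scope entry, the description spells the subtree scope SEARCH_SUB, but the Default paragraph directly below it gives SCOPE_SUB, and the other two scopes in the same sentence are SCOPE_BASE and SCOPE_ONE. Change the description to SCOPE_SUB so the documented value matches what an administrator would pass for sun-idrepo-ldapv3-config-psearch-scope. In the DN Cache Enabled entry, the sentence tells the reader to enable DN caching "when the directory service allows move/rename operations (Mod DN)" right after naming moves and renames as the cause of a stale cache. As written, Mod DN support reads like a reason to enable the cache. Reword it so the persistent-search condition clearly applies to directories where entries can be moved or renamed. Attribute Name for Group Membership is the only entry in this part of the list with no Default paragraph. If the setting has no default, state that explicitly.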
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresgenericldapv3xml"></a>
 <div class="addfile"><h4>Added: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml \
(0 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml	 \
                (rev 0)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-generic-ldapv3.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -0,0 +1,978 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;!--
+  ! CCPL HEADER START
+  !
+  ! This work is licensed under the Creative Commons
+  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+  ! To view a copy of this license, visit
+  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+  ! or send a letter to Creative Commons, 444 Castro Street,
+  ! Suite 900, Mountain View, California, 94041, USA.
+  !
+  ! You can also obtain a copy of the license at
+  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! If applicable, add the following below this CCPL HEADER, with the fields
+  ! enclosed by brackets &quot;[]&quot; replaced with your own identifying \
information: +  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CCPL HEADER END
+  !
+  !      Copyright 2011-2014 ForgeRock AS
+  !
+--&gt;
+&lt;section xml:id=&quot;sec-data-stores-generic-ldapv3&quot;
+         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'&gt;
+ &lt;title&gt;Hints for Configuring Generic LDAPv3 Data Stores&lt;/title&gt;
+
+ &lt;para&gt;
+  Use these hints when configuring Generic LDAPv3 compliant Data Stores.
+ &lt;/para&gt;
+
+ &lt;indexterm&gt;
+  &lt;primary&gt;Data stores&lt;/primary&gt;
+  &lt;secondary&gt;Generic LDAPv3&lt;/secondary&gt;
+ &lt;/indexterm&gt;
+
+ &lt;para&gt;
+  &lt;command&gt;ssoadm&lt;/command&gt; service name:
+  &lt;literal&gt;sunIdentityRepositoryService&lt;/literal&gt;
+ &lt;/para&gt;
+
+ &lt;variablelist&gt;
+  &lt;varlistentry&gt;
+   &lt;term&gt;Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Name for the data store configuration
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Load schema when finished&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Add appropriate LDAP schema to the directory server
+     when saving the configuration.
+     The LDAP Bind DN user must have access to perform this operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;idRepoLoadSchema&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Server&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     to contact the directory server, with optional
+     &lt;literal&gt;|&lt;replaceable&gt;server_ID&lt;/replaceable&gt;|&lt;replaceable&gt;site_ID&lt;/replaceable&gt;&lt;/literal&gt;
 +     for deployments with multiple servers and sites
+    &lt;/para&gt;
+
+    &lt;orderedlist&gt;
+     &lt;para&gt;
+      OpenAM uses the optional settings to determine
+      which directory server to contact first.
+      OpenAM tries to contact directory servers
+      in the following priority order, with highest priority first.
+     &lt;/para&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;server_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;site_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the remaining list
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+    &lt;/orderedlist&gt;
+
+    &lt;para&gt;
+     If the directory server is not available,
+     OpenAM proceeds to the next directory server in the list.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ldap-server&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     of the initial directory server configured for this OpenAM server
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind DN for connecting to the directory server.
+     Some OpenAM capabilities require write access to directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind Password&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind password for connecting to the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authpw&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Organization DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     The base DN under which to find user and group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-organization_name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP SSL/TLS Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to use LDAPS or StartTLS to connect to the directory server.
+     If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+     either because the server certificates were signed by a CA
+     whose certificate is already included in the trust store
+     used by the container where OpenAM runs,
+     or because you imported the certificates into the trust store.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ssl-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Pool Maximum Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of connections to the directory server.
+     Make sure the directory service can cope
+     with the maximum number of client connections across all servers.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-connection_pool_max_size&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Interval&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How often to send a heartbeat request to the directory server
+     to ensure that the connection does not remain idle.
+     Some network administrators configure firewalls
+     and load balancers to drop connections that are idle for too long.
+     You can turn this off by setting the value to 0 or to a negative number.
+     To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-interval&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Time Unit&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Time unit for the LDAP Connection Heartbeat Interval setting
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-timeunit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;second&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Maximum Results Returned from Search&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     A cap for the number of search results to request.
+     For example when using the Subjects tab to view profiles,
+     even if you set
+     Configuration &gt; Console &gt; Administration &gt; Maximum Results Returned \
from Search +     to a larger number, OpenAM does not exceed this setting.
+     Rather than raise this number,
+     consider narrowing your search to match fewer directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-max-result&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Search Timeout&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum time to wait for search results in seconds.
+     Does not apply to persistent searches.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-time-limit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-search-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Repository Plug-in Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     OpenAM identity repository implementation
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoClass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM profile attribute names to directory server attribute names
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoAttributeMapping&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Supported Types and Operations&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM operations that can be performed in the specified OpenAM contexts
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoSupportedOperations&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;realm=read,create,edit,delete,service&lt;/literal&gt;,
+     &lt;literal&gt;user=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;group=read,create,edit,delete&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a user by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for users, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=inetorgperson)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;inetorgperson&lt;/literal&gt;,
+     &lt;literal&gt;inetUser&lt;/literal&gt;,
+     &lt;literal&gt;organizationalPerson&lt;/literal&gt;,
+     &lt;literal&gt;person&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;,
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uid&lt;/literal&gt;,
+     &lt;literal&gt;caCertificate&lt;/literal&gt;,
+     &lt;literal&gt;authorityRevocationList&lt;/literal&gt;,
+     &lt;literal&gt;inetUserStatus&lt;/literal&gt;,
+     &lt;literal&gt;mail&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;,
+     &lt;literal&gt;manager&lt;/literal&gt;,
+     &lt;literal&gt;userPassword&lt;/literal&gt;,
+     &lt;literal&gt;adminRole&lt;/literal&gt;,
+     &lt;literal&gt;objectClass&lt;/literal&gt;,
+     &lt;literal&gt;givenName&lt;/literal&gt;,
+     &lt;literal&gt;memberOf&lt;/literal&gt;,
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;telephoneNumber&lt;/literal&gt;,
+     &lt;literal&gt;preferredlanguage&lt;/literal&gt;,
+     &lt;literal&gt;userCertificate&lt;/literal&gt;,
+     &lt;literal&gt;postalAddress&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;employeeNumber&lt;/literal&gt;,
+     &lt;literal&gt;distinguishedName&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Create User Attribute Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When creating a user profile,
+     apply this map of OpenAM profile attribute names
+     to directory server attribute names.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Attributes not mapped to another attribute
+     (for example, &lt;literal&gt;cn&lt;/literal&gt;)
+     and attributes mapped to themselves
+     (for example, &lt;literal&gt;cn=cn&lt;/literal&gt;)
+     take the value of the username
+     unless the attribute values are provided when creating the profile.
+     The object classes for user profile LDAP entries
+     generally require Common Name (cn) and Surname (sn) attributes,
+     so this prevents an LDAP constraint violation
+     when performing the add operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-createuser-attr-mapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;, &lt;literal&gt;sn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of User Status&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute to check/set user status
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-isactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;inetuserstatus&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Active Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Active users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-active&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Active&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Inactive Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Inactive users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-inactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Inactive&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Authentication Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute for building the bind DN when given a username and password
+     to authenticate a user against the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-auth-naming-attr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a group by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for groups, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=groupOfUniqueNames)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ou&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;groups&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;groupofuniquenames&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ou&lt;/literal&gt;,
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;description&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;objectclass&lt;/literal&gt;,
+     &lt;literal&gt;uniqueMember&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name for Group Membership&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute in the member's LDAP entry
+     whose values are the groups to which a member belongs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-memberof&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Unique Member&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute in the group's LDAP entry
+     whose values are the members of the group
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-uniquemember&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uniqueMember&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Group Member URL&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute in the dynamic group's LDAP entry
+     whose value is a URL specifying the members of the group
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-memberurl&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;memberUrl&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Default Group Member's User DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     DN of member added to all newly created groups
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-dftgroupmember&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Base DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Base DN for LDAP persistent searches used
+     to receive notification of changes in directory server data
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearchbase&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP filter to apply when performing persistent searches
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=*)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;The Delay Time Between Retries&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How long to wait after receiving an error result
+     that indicates OpenAM should try the LDAP operation again
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;com.iplanet.am.ldap.connection.delay.between.retries&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000 milliseconds
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to enable the DN cache, which is used to cache DN lookups
+     that can happen in bursts during authentication.
+     As the cache can become stale when a user is moved or renamed,
+     enable DN caching when the directory service allows move/rename operations (Mod \
DN), +     and when OpenAM uses persistent searches to obtain notification of such \
updates. +    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of DNs cached when caching is enabled
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-size&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1500 items
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+ &lt;/variablelist&gt;
+&lt;/section&gt;
</ins></span></pre></div>
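Review bot: In the Persistent Search Scope entry the description names the subtree scope SEARCH_SUB, while the Default paragraph of the same entry gives SCOPE_SUB; use SCOPE_SUB in the description so the three values read SCOPE_BASE, SCOPE_ONE, SCOPE_SUB. In the DN Cache Enabled entry, the sentence starting "As the cache can become stale" reads as if allowing Mod DN were itself a reason to turn the cache on; word it so that persistent search is the stated precondition, since the same sentence says that is how OpenAM is notified of moves and renames. The LDAP User Object Class entry repeats, from LDAP User Attributes, the paragraph "OpenAM handles only those attributes listed in this setting" and the mailAlternateAddress example, both of which describe attributes rather than object classes; reword them for object classes or drop them from that entry. The Default list of LDAP User Object Class also ends with a stray comma after top.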
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastoresopendjxml"></a>
 <div class="addfile"><h4>Added: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml \
(0 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml	 \
                (rev 0)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-opendj.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -0,0 +1,1031 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;!--
+  ! CCPL HEADER START
+  !
+  ! This work is licensed under the Creative Commons
+  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+  ! To view a copy of this license, visit
+  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+  ! or send a letter to Creative Commons, 444 Castro Street,
+  ! Suite 900, Mountain View, California, 94041, USA.
+  !
+  ! You can also obtain a copy of the license at
+  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! If applicable, add the following below this CCPL HEADER, with the fields
+  ! enclosed by brackets &quot;[]&quot; replaced with your own identifying \
information: +  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CCPL HEADER END
+  !
+  !      Copyright 2011-2014 ForgeRock AS
+  !
+--&gt;
+&lt;section xml:id=&quot;sec-data-stores-opendj&quot;
+         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'&gt;
+ &lt;title&gt;Hints for Configuring OpenDJ Data Stores&lt;/title&gt;
+
+ &lt;para&gt;
+  Use these hints when configuring OpenDJ Data Stores.
+ &lt;/para&gt;
+
+ &lt;indexterm&gt;
+  &lt;primary&gt;Data stores&lt;/primary&gt;
+  &lt;secondary&gt;OpenDJ&lt;/secondary&gt;
+ &lt;/indexterm&gt;
+
+ &lt;para&gt;
+  &lt;command&gt;ssoadm&lt;/command&gt; service name:
+  &lt;literal&gt;sunIdentityRepositoryService&lt;/literal&gt;
+ &lt;/para&gt;
+
+ &lt;variablelist&gt;
+  &lt;varlistentry&gt;
+   &lt;term&gt;Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Name for the data store configuration
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Load schema when finished&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Add appropriate LDAP schema to the directory server
+     when saving the configuration.
+     The LDAP Bind DN user must have access to perform this operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;idRepoLoadSchema&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Server&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     to contact the directory server, with optional
+     &lt;literal&gt;|&lt;replaceable&gt;server_ID&lt;/replaceable&gt;|&lt;replaceable&gt;site_ID&lt;/replaceable&gt;&lt;/literal&gt;
 +     for deployments with multiple servers and sites
+    &lt;/para&gt;
+
+    &lt;orderedlist&gt;
+     &lt;para&gt;
+      OpenAM uses the optional settings to determine
+      which directory server to contact first.
+      OpenAM tries to contact directory servers
+      in the following priority order, with highest priority first.
+     &lt;/para&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;server_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;site_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the remaining list
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+    &lt;/orderedlist&gt;
+
+    &lt;para&gt;
+     If the directory server is not available,
+     OpenAM proceeds to the next directory server in the list.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ldap-server&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     of the initial directory server configured for this OpenAM server
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind DN for connecting to the directory server.
+     Some OpenAM capabilities require write access to directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind Password&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind password for connecting to the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authpw&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Organization DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     The base DN under which to find user and group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-organization_name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP SSL/TLS Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to use LDAPS or StartTLS to connect to the directory server.
+     If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+     either because the server certificates were signed by a CA
+     whose certificate is already included in the trust store
+     used by the container where OpenAM runs,
+     or because you imported the certificates into the trust store.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ssl-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Pool Maximum Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of connections to the directory server.
+     Make sure the directory service can cope
+     with the maximum number of client connections across all servers.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-connection_pool_max_size&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Interval&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How often to send a heartbeat request to the directory server
+     to ensure that the connection does not remain idle.
+     Some network administrators configure firewalls
+     and load balancers to drop connections that are idle for too long.
+     You can turn this off by setting the value to 0 or to a negative number.
+     To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-interval&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Time Unit&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Time unit for the LDAP Connection Heartbeat Interval setting
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-timeunit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;second&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Maximum Results Returned from Search&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     A cap for the number of search results to request.
+     For example when using the Subjects tab to view profiles,
+     even if you set
+     Configuration &gt; Console &gt; Administration &gt; Maximum Results Returned \
from Search +     to a larger number, OpenAM does not exceed this setting.
+     Rather than raise this number,
+     consider narrowing your search to match fewer directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-max-result&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Search Timeout&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum time to wait for search results in seconds.
+     Does not apply to persistent searches.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-time-limit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-search-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Repository Plug-in Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     OpenAM identity repository implementation
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoClass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM profile attribute names to directory server attribute names
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoAttributeMapping&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Supported Types and Operations&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM operations that can be performed in the specified OpenAM contexts
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoSupportedOperations&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;realm=read,create,edit,delete,service&lt;/literal&gt;,
+     &lt;literal&gt;user=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;group=read,create,edit,delete&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a user by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for users, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=inetorgperson)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ou&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;people&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;devicePrintProfilesContainer&lt;/literal&gt;,
+     &lt;literal&gt;forgerock-am-dashboard-service&lt;/literal&gt;,
+     &lt;literal&gt;inetorgperson&lt;/literal&gt;,
+     &lt;literal&gt;inetuser&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration-service&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-managed-person&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-service&lt;/literal&gt;,
+     &lt;literal&gt;iPlanetPreferences&lt;/literal&gt;,
+     &lt;literal&gt;organizationalperson&lt;/literal&gt;,
+     &lt;literal&gt;person&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthAccountLockout&lt;/literal&gt;,
+     &lt;literal&gt;sunFederationManagerDataStore&lt;/literal&gt;,
+     &lt;literal&gt;sunFMSAML2NameIdentifier&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerLibertyPPService&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;sunIdentityServerPPDemographicsBirthDay&lt;/literal&gt;,
+     &lt;literal&gt;uid&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityLegalName&lt;/literal&gt;,
+     &lt;literal&gt;manager&lt;/literal&gt;,
+     &lt;literal&gt;assignedDashboard&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameSN&lt;/literal&gt;,
+     &lt;literal&gt;userPassword&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-get-valid-sessions&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityJobTitle&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-question-answer&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityDOB&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmergencyContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameCN&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-success-url&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-admin-start-dn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info&lt;/literal&gt;,
+     &lt;literal&gt;userCertificate&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeGreetSound&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthInvalidAttemptsData&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeNamePronounced&lt;/literal&gt;,
+     &lt;literal&gt;distinguishedName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsTimeZone&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityMSISDNNumber&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-caching-time&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-quota-limit&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-session-time&lt;/literal&gt;,
+     &lt;literal&gt;adminRole&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityAltO&lt;/literal&gt;,
+     &lt;literal&gt;objectClass&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-info&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityMaritalStatus&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-login-status&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdType&lt;/literal&gt;,
+     &lt;literal&gt;devicePrintProfiles&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-idle-time&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadegreetmesound&lt;/literal&gt;,
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-options&lt;/literal&gt;,
+     &lt;literal&gt;telephoneNumber&lt;/literal&gt;,
+     &lt;literal&gt;preferredlanguage&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info-key&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPMsgContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityGender&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-alias-list&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameFN&lt;/literal&gt;,
+     &lt;literal&gt;caCertificate&lt;/literal&gt;,
+     &lt;literal&gt;inetUserStatus&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameMN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEncryPTKey&lt;/literal&gt;,
+     &lt;literal&gt;givenName&lt;/literal&gt;,
+     &lt;literal&gt;memberOf&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdValue&lt;/literal&gt;,
+     &lt;literal&gt;preferredLocale&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-service-status&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-infokey&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsAge&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerDiscoEntries&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdType&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-config&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-failure-url&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPAddressCard&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNamePT&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-add-session-listener-on-all-sessions&lt;/literal&gt;,
 +     &lt;literal&gt;mail&lt;/literal&gt;,
+     &lt;literal&gt;authorityRevocationList&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-force-reset&lt;/literal&gt;,
+     &lt;literal&gt;inetUserHttpURL&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdValue&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameAltCN&lt;/literal&gt;,
+     &lt;literal&gt;preferredtimezone&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPInformalName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPSignKey&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityOrg&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-destroy-sessions&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeMugShot&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeWebSite&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsDisplayLanguage&lt;/literal&gt;,
+     &lt;literal&gt;postalAddress&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration&lt;/literal&gt;,
+     &lt;literal&gt;employeeNumber&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-account-life&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-modules&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsLanguage&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Create User Attribute Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When creating a user profile,
+     apply this map of OpenAM profile attribute names
+     to directory server attribute names.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Attributes not mapped to another attribute
+     (for example, &lt;literal&gt;cn&lt;/literal&gt;)
+     and attributes mapped to themselves
+     (for example, &lt;literal&gt;cn=cn&lt;/literal&gt;)
+     take the value of the username
+     unless the attribute values are provided when creating the profile.
+     The object classes for user profile LDAP entries
+     generally require Common Name (cn) and Surname (sn) attributes,
+     so this prevents an LDAP constraint violation
+     when performing the add operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-createuser-attr-mapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;, &lt;literal&gt;sn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of User Status&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute to check/set user status
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-isactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;inetuserstatus&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Active Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Active users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-active&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Active&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Inactive Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Inactive users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-inactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Inactive&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Authentication Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute for building the bind DN when given a username and password
+     to authenticate a user against the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-auth-naming-attr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a group by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for groups, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=groupOfUniqueNames)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ou&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;groups&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;groupofuniquenames&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;objectclass&lt;/literal&gt;,
+     &lt;literal&gt;uniqueMember&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name for Group Membership&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute in the member's LDAP entry
+     whose values are the groups to which a member belongs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-memberof&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Unique Member&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute in the group's LDAP entry
+     whose values are the members of the group
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-uniquemember&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;uniqueMember&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Base DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Base DN for LDAP persistent searches used
+     to receive notification of changes in directory server data
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearchbase&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP filter to apply when performing persistent searches
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=*)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;The Delay Time Between Retries&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How long to wait after receiving an error result
+     that indicates OpenAM should try the LDAP operation again
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     The OpenDJ data store uses this setting only for persistent searches.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;com.iplanet.am.ldap.connection.delay.between.retries&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000 milliseconds
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to enable the DN cache, which is used to cache DN lookups
+     that can happen in bursts during authentication.
+     As the cache can become stale when a user is moved or renamed,
+     enable DN caching when the directory service allows move/rename operations (Mod \
DN), +     and when OpenAM uses persistent searches to obtain notification of such \
updates. +    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     true
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of DNs cached when caching is enabled
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-size&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1500 items
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+ &lt;/variablelist&gt;
+&lt;/section&gt;
</ins></span></pre></div>
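Review bot: In the DN Cache Enabled entry, the sentence "enable DN caching when the directory service allows move/rename operations (Mod DN), and when OpenAM uses persistent searches to obtain notification of such updates" leaves one case unstated. It does not say what to do when Mod DN is allowed but persistent searches are not in use, which is the stale-cache case the preceding clause warns about, and the documented default is true. If the intent is that the cache should stay enabled under Mod DN only when persistent searches deliver the change notifications, state that condition explicitly and say when the setting should be false. Also in this hunk: the Persistent Search Scope description names SEARCH_SUB while the other two values and the default use the SCOPE_ prefix (SCOPE_SUB), so one of the two spellings is wrong. The LDAP User Object Class entry repeats the two paragraphs on unlisted attributes and mailAlternateAddress word for word from LDAP User Attributes, where they describe attributes rather than object classes; either reword them for object classes or drop them from that entry. Attribute Name for Group Membership is the only entry here with an ssoadm attribute and no Default paragraph; if there is no default, say so.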
<a id="trunkopenamopenamdocumentationopenamdocsourcesrcmaindocbkxsharedsecdatastorestivolixml"></a>
 <div class="addfile"><h4>Added: \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml \
(0 => 10288)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml	 \
                (rev 0)
+++ trunk/openam/openam-documentation/openam-doc-source/src/main/docbkx/shared/sec-data-stores-tivoli.xml	2014-08-28 \
08:47:10 UTC (rev 10288) </span><span class="lines">@@ -0,0 +1,1032 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;!--
+  ! CCPL HEADER START
+  !
+  ! This work is licensed under the Creative Commons
+  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
+  ! To view a copy of this license, visit
+  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
+  ! or send a letter to Creative Commons, 444 Castro Street,
+  ! Suite 900, Mountain View, California, 94041, USA.
+  !
+  ! You can also obtain a copy of the license at
+  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
+  ! See the License for the specific language governing permissions
+  ! and limitations under the License.
+  !
+  ! If applicable, add the following below this CCPL HEADER, with the fields
+  ! enclosed by brackets &quot;[]&quot; replaced with your own identifying \
information: +  !      Portions Copyright [yyyy] [name of copyright owner]
+  !
+  ! CCPL HEADER END
+  !
+  !      Copyright 2011-2014 ForgeRock AS
+  !
+--&gt;
+&lt;section xml:id=&quot;sec-data-stores-tivoli&quot;
+         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
+         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'&gt;
+ &lt;title&gt;Hints for Configuring Tivoli Directory Server Data \
Stores&lt;/title&gt; +
+ &lt;para&gt;
+  Use these hints when configuring Tivoli Directory Server Data Stores.
+ &lt;/para&gt;
+
+ &lt;indexterm&gt;
+  &lt;primary&gt;Data stores&lt;/primary&gt;
+  &lt;secondary&gt;Tivoli Directory Server&lt;/secondary&gt;
+ &lt;/indexterm&gt;
+
+ &lt;para&gt;
+  &lt;command&gt;ssoadm&lt;/command&gt; service name:
+  &lt;literal&gt;sunIdentityRepositoryService&lt;/literal&gt;
+ &lt;/para&gt;
+
+ &lt;variablelist&gt;
+  &lt;varlistentry&gt;
+   &lt;term&gt;Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Name for the data store configuration
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Load schema when finished&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Add appropriate LDAP schema to the directory server
+     when saving the configuration.
+     The LDAP Bind DN user must have access to perform this operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;idRepoLoadSchema&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Server&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     to contact the directory server, with optional
+     &lt;literal&gt;|&lt;replaceable&gt;server_ID&lt;/replaceable&gt;|&lt;replaceable&gt;site_ID&lt;/replaceable&gt;&lt;/literal&gt;
 +     for deployments with multiple servers and sites
+    &lt;/para&gt;
+
+    &lt;orderedlist&gt;
+     &lt;para&gt;
+      OpenAM uses the optional settings to determine
+      which directory server to contact first.
+      OpenAM tries to contact directory servers
+      in the following priority order, with highest priority first.
+     &lt;/para&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;server_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the list
+       whose &lt;replaceable&gt;site_ID&lt;/replaceable&gt;
+       matches the current OpenAM server
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+
+     &lt;listitem&gt;
+      &lt;para&gt;
+       The first directory server in the remaining list
+      &lt;/para&gt;
+     &lt;/listitem&gt;
+    &lt;/orderedlist&gt;
+
+    &lt;para&gt;
+     If the directory server is not available,
+     OpenAM proceeds to the next directory server in the list.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ldap-server&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;host&lt;/replaceable&gt;:&lt;replaceable&gt;port&lt;/replaceable&gt;&lt;/literal&gt;
 +     of the initial directory server configured for this OpenAM server
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind DN for connecting to the directory server.
+     Some OpenAM capabilities require write access to directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authid&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Bind Password&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Bind password for connecting to the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-authpw&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Organization DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     The base DN under which to find user and group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-organization_name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP SSL/TLS Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to use LDAPS or StartTLS to connect to the directory server.
+     If you enable SSL/TLS, OpenAM must be able to trust server certificates,
+     either because the server certificates were signed by a CA
+     whose certificate is already included in the trust store
+     used by the container where OpenAM runs,
+     or because you imported the certificates into the trust store.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-ssl-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     false
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Pool Maximum Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of connections to the directory server.
+     Make sure the directory service can cope
+     with the maximum number of client connections across all servers.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-connection_pool_max_size&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Interval&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How often to send a heartbeat request to the directory server
+     to ensure that the connection does not remain idle.
+     Some network administrators configure firewalls
+     and load balancers to drop connections that are idle for too long.
+     You can turn this off by setting the value to 0 or to a negative number.
+     To set the units for the interval use LDAP Connection Heartbeat Time Unit.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-interval&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Connection Heartbeat Time Unit&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Time unit for the LDAP Connection Heartbeat Interval setting
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;openam-idrepo-ldapv3-heartbeat-timeunit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;second&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Maximum Results Returned from Search&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     A cap for the number of search results to request.
+     For example when using the Subjects tab to view profiles,
+     even if you set
+     Configuration &gt; Console &gt; Administration &gt; Maximum Results Returned \
from Search +     to a larger number, OpenAM does not exceed this setting.
+     Rather than raise this number,
+     consider narrowing your search to match fewer directory entries.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-max-result&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Search Timeout&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum time to wait for search results in seconds.
+     Does not apply to persistent searches.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-time-limit&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     10
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-search-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Repository Plug-in Class Name&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     OpenAM identity repository implementation
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoClass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM profile attribute names to directory server attribute names
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoAttributeMapping&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAPv3 Plug-in Supported Types and Operations&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Map of OpenAM operations that can be performed in the specified OpenAM contexts
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sunIdRepoSupportedOperations&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;group=read,create,edit,delete&lt;/literal&gt;,
+     &lt;literal&gt;realm=read,create,edit,delete,service&lt;/literal&gt;,
+     &lt;literal&gt;user=read,create,edit,delete,service&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a user by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Users Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for users, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-users-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=inetorgperson)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ou&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP People Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains user profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-people-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;devicePrintProfilesContainer&lt;/literal&gt;,
+     &lt;literal&gt;forgerock-am-dashboard-service&lt;/literal&gt;,
+     &lt;literal&gt;inetorgperson&lt;/literal&gt;,
+     &lt;literal&gt;inetuser&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration-service&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-managed-person&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-service&lt;/literal&gt;,
+     &lt;literal&gt;iPlanetPreferences&lt;/literal&gt;,
+     &lt;literal&gt;organizationalperson&lt;/literal&gt;,
+     &lt;literal&gt;person&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthAccountLockout&lt;/literal&gt;,
+     &lt;literal&gt;sunFederationManagerDataStore&lt;/literal&gt;,
+     &lt;literal&gt;sunFMSAML2NameIdentifier&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerLibertyPPService&lt;/literal&gt;,
+     &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP User Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     User profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     OpenAM handles only those attributes listed in this setting.
+     OpenAM discards any unlisted attributes from requests
+     and the request proceeds without the attribute.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     For example, with default settings
+     if you request that OpenAM execute a search that asks for
+     the &lt;literal&gt;mailAlternateAddress&lt;/literal&gt; attribute,
+     OpenAM does the search, but does not request
+     &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;.
+     In the same way, OpenAM does perform an update operation
+     with a request to set the value of an unlisted attribute
+     like &lt;literal&gt;mailAlternateAddress&lt;/literal&gt;,
+     but it drops the unlisted attribute from the update request.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-user-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;adminRole&lt;/literal&gt;,
+     &lt;literal&gt;assignedDashboard&lt;/literal&gt;,
+     &lt;literal&gt;authorityRevocationList&lt;/literal&gt;,
+     &lt;literal&gt;caCertificate&lt;/literal&gt;,
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;devicePrintProfiles&lt;/literal&gt;,
+     &lt;literal&gt;distinguishedName&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;employeeNumber&lt;/literal&gt;,
+     &lt;literal&gt;givenName&lt;/literal&gt;,
+     &lt;literal&gt;inetUserHttpURL&lt;/literal&gt;,
+     &lt;literal&gt;inetUserStatus&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-auth-configuration&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-add-session-listener-on-all-sessions&lt;/literal&gt;,
 +     &lt;literal&gt;iplanet-am-session-destroy-sessions&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-get-valid-sessions&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-caching-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-idle-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-max-session-time&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-quota-limit&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-session-service-status&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-account-life&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-admin-start-dn&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-alias-list&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-config&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-auth-modules&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-failure-url&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info-key&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-federation-info&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-login-status&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-force-reset&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-options&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-password-reset-question-answer&lt;/literal&gt;,
+     &lt;literal&gt;iplanet-am-user-success-url&lt;/literal&gt;,
+     &lt;literal&gt;mail&lt;/literal&gt;,
+     &lt;literal&gt;manager&lt;/literal&gt;,
+     &lt;literal&gt;memberOf&lt;/literal&gt;,
+     &lt;literal&gt;objectClass&lt;/literal&gt;,
+     &lt;literal&gt;postalAddress&lt;/literal&gt;,
+     &lt;literal&gt;preferredlanguage&lt;/literal&gt;,
+     &lt;literal&gt;preferredLocale&lt;/literal&gt;,
+     &lt;literal&gt;preferredtimezone&lt;/literal&gt;,
+     &lt;literal&gt;sn&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-info&lt;/literal&gt;,
+     &lt;literal&gt;sun-fm-saml2-nameid-infokey&lt;/literal&gt;,
+     &lt;literal&gt;sunAMAuthInvalidAttemptsData&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityMSISDNNumber&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerDiscoEntries&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPAddressCard&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameAltCN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameCN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameFN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameMN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNamePT&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPCommonNameSN&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsAge&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsBirthDay&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsDisplayLanguage&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsLanguage&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPDemographicsTimeZone&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmergencyContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityAltO&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityJobTitle&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEmploymentIdentityOrg&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPEncryPTKey&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadegreetmesound&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeGreetSound&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeMugShot&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeNamePronounced&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPFacadeWebSite&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPInformalName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdType&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityAltIdValue&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityDOB&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityGender&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityLegalName&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityMaritalStatus&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdType&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPLegalIdentityVATIdValue&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPMsgContact&lt;/literal&gt;,
+     &lt;literal&gt;sunIdentityServerPPSignKey&lt;/literal&gt;,
+     &lt;literal&gt;telephoneNumber&lt;/literal&gt;,
+     &lt;literal&gt;uid&lt;/literal&gt;,
+     &lt;literal&gt;userCertificate&lt;/literal&gt;,
+     &lt;literal&gt;userPassword&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Create User Attribute Mapping&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When creating a user profile,
+     apply this map of OpenAM profile attribute names
+     to directory server attribute names.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Attributes not mapped to another attribute
+     (for example, &lt;literal&gt;cn&lt;/literal&gt;)
+     and attributes mapped to themselves
+     (for example, &lt;literal&gt;cn=cn&lt;/literal&gt;)
+     take the value of the username
+     unless the attribute values are provided when creating the profile.
+     The object classes for user profile LDAP entries
+     generally require Common Name (cn) and Surname (sn) attributes,
+     so this prevents an LDAP constraint violation
+     when performing the add operation.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-createuser-attr-mapping&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;, &lt;literal&gt;sn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of User Status&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute to check/set user status
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-isactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;inetuserstatus&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Active Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Active users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-active&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Active&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;User Status Inactive Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Inactive users have the user status attribute set to this value.
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-inactive&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;Inactive&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Authentication Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute for building the bind DN when given a username and password
+     to authenticate a user against the directory server
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-auth-naming-attr&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for a group by name, match values against this attribute
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-attribute&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     When searching for groups, apply this LDAP search filter as well
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-groups-search-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=groupOfNames)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Naming Attribute&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-name&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;ou&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Container Value&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     RDN attribute value of the LDAP base DN which contains group profiles
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-container-value&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Object Class&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP object classes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-objectclass&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;groupofnames&lt;/literal&gt;, &lt;literal&gt;top&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;LDAP Groups Attributes&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Group profiles have these LDAP attributes
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-group-attributes&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;cn&lt;/literal&gt;,
+     &lt;literal&gt;description&lt;/literal&gt;,
+     &lt;literal&gt;dn&lt;/literal&gt;,
+     &lt;literal&gt;member&lt;/literal&gt;,
+     &lt;literal&gt;objectclass&lt;/literal&gt;,
+     &lt;literal&gt;ou&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name for Group Membership&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP attribute in the member's LDAP entry
+     whose values are the groups to which a member belongs
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-memberof&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Attribute Name of Unique Member&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Attribute in the group's LDAP entry
+     whose values are the members of the group
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-uniquemember&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;member&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Default Group Member's User DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     DN of member added to all newly created groups
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-dftgroupmember&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Base DN&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Base DN for LDAP persistent searches used
+     to receive notification of changes in directory server data
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearchbase&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;&lt;replaceable&gt;base-dn&lt;/replaceable&gt;&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Filter&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP filter to apply when performing persistent searches
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-filter&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;(objectclass=*)&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;Persistent Search Scope&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     LDAP searches can apply to a single entry (SCOPE_BASE),
+     entries directly below the search DN (SCOPE_ONE),
+     or all entries below the search DN (SEARCH_SUB)
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-config-psearch-scope&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     &lt;literal&gt;SCOPE_SUB&lt;/literal&gt;
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;The Delay Time Between Retries&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     How long to wait after receiving an error result
+     that indicates OpenAM should try the LDAP operation again
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;com.iplanet.am.ldap.connection.delay.between.retries&lt;/literal&gt;
 +    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1000 milliseconds
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Enabled&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Whether to enable the DN cache, which is used to cache DN lookups
+     that can happen in bursts during authentication.
+     As the cache can become stale when a user is moved or renamed,
+     enable DN caching when the directory service allows move/rename operations (Mod \
DN), +     and when OpenAM uses persistent searches to obtain notification of such \
updates. +    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-enabled&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     true
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+
+  &lt;varlistentry&gt;
+   &lt;term&gt;DN Cache Size&lt;/term&gt;
+   &lt;listitem&gt;
+    &lt;para&gt;
+     Maximum number of DNs cached when caching is enabled
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     &lt;command&gt;ssoadm&lt;/command&gt; attribute:
+     &lt;literal&gt;sun-idrepo-ldapv3-dncache-size&lt;/literal&gt;
+    &lt;/para&gt;
+
+    &lt;para&gt;
+     Default:
+     1500 items
+    &lt;/para&gt;
+   &lt;/listitem&gt;
+  &lt;/varlistentry&gt;
+ &lt;/variablelist&gt;
+&lt;/section&gt;
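Review bot: In the DN Cache Enabled entry, the sentence beginning "As the cache can become stale" reads as if move/rename support were itself a reason to enable the cache. State the condition explicitly, for example that when the directory allows Mod DN the cache should be enabled only if OpenAM also uses persistent searches to learn of those changes, and say what an administrator should do otherwise, since the documented default is true. In both scope entries (LDAPv3 Plug-in Search Scope and Persistent Search Scope) the description names SEARCH_SUB while the default is given as SCOPE_SUB; the prose and the default should use the same value name. The LDAP User Object Class entry repeats the "handles only those attributes listed in this setting" paragraphs and the mailAlternateAddress example from LDAP User Attributes; that example concerns an attribute, not an object class, so reword it for object classes or drop it from this entry.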
</ins></span></pre>
</div>
</div>
<div id="footer">Copyright (c) by ForgeRock. All rights reserved.</div>

</body>
</html>


