Skip to content

uaa job from cf/201

The UAA is the identity management service for Cloud Foundry. It's primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.

Github source: 57248e3a or master branch

Properties

domain

The domain name for this CloudFoundry deploy

env

http_proxy

The http_proxy accross the VMs

https_proxy

The https_proxy accross the VMs

no_proxy

Set No_Proxy accross the VMs

login

ldap

localPasswordCompare

See uaa.ldap.localPasswordCompare - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
"true"
passwordAttributeName

See uaa.ldap.passwordAttributeName - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
userPassword
passwordEncoder

See uaa.ldap.passwordEncoder - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator
profile_type

See uaa.ldap.profile_type - login.ldap prefix is used for backwards compatibility to enable ldap from login config

searchBase

See uaa.ldap.searchBase - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
""
searchFilter

See uaa.ldap.searchFilter - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
cn={0}
sslCertificate

See uaa.ldap.sslCertificate - login.ldap prefix is used for backwards compatibility to enable ldap from login config

sslCertificateAlias

See uaa.ldap.sslCertificateAlias - login.ldap prefix is used for backwards compatibility to enable ldap from login config

url

See uaa.ldap.url - login.ldap prefix is used for backwards compatibility to enable ldap from login config

userDN

See uaa.ldap.userDN - login.ldap prefix is used for backwards compatibility to enable ldap from login config

userDNPattern

See uaa.ldap.userDNPattern - login.ldap prefix is used for backwards compatibility to enable ldap from login config

userPassword

See uaa.ldap.userPassword - login.ldap prefix is used for backwards compatibility to enable ldap from login config

protocol

The protocol that the Login Server uses. http/https

spring_profiles

See uaa.spring_profiles - login.spring_profiles is used for backwards compatibility to enable ldap from login config

nats

machines

IP of each NATS cluster member.

password

Password for NATS login

port

TCP port of NATS server

user

User name for NATS login

networks

apps

The App network name

uaa

admin

client_secret

authentication

policy
countFailuresWithinSeconds

Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked

lockoutAfterFailures

Number of allowed failures before account is locked

lockoutPeriodSeconds

Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded

catalina_opts

Default
-Xmx768m -XX:MaxPermSize=256m

cc

client_secret
token_secret

client

autoapprove

clients

login
secret

Login client secret - overrides uaa.login.client_secret

dump_requests

jwt

signing_key
verification_key

ldap

enabled

Set to true to enable LDAP

Default
false
groups
autoAdd

Set to true when profile_type=groups_as_scopes to auto create scopes for a user. Ignored for other profiles.

Default
"true"
groupRoleAttribute

Used with groups-as-scopes, defines the attribute that holds the scope name(s).

groupSearchFilter

Search query filter to find groups a user belongs to, or for a nested search, groups that a group belongs to

Default
member={0}
maxSearchDepth

Set to number of levels a nested group search should go. Set to 1 to disable nested groups (default)

Default
"1"
profile_type

What type of group integration should be used. Values are no-groups, groups-as-scopes and groups-map-to-scopes

Default
no-groups
searchBase

Search start point for a user group membership search

Default
""
searchSubtree

Boolean value, set to true to search below the search base

Default
"true"
localPasswordCompare

Used with search-and-compare only. Set to true if passwords are retrieved by the search, and should be compared in the login server.

Default
"true"
mailAttributeName

The name of the LDAP attribute that contains the users email address

Default
mail
mailSubstitute

Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication

Default
""
mailSubstituteOverridesLdap

Set to true if you wish to override an LDAP user email address with a generated one

Default
false
passwordAttributeName

Used with search-and-compare only. The name of the password attribute in the LDAP directory

Default
userPassword
passwordEncoder

Used with search-and-compare only. The encoder used to properly encode user password to match the one in the LDAP directory.

Default
org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator
profile_type

The file to be used for configuring the LDAP authentication. options are simple-bind, search-and-bind and search-and-compare

Default
search-and-bind
searchBase

Used with search-and-bind and search-and-compare. Define a base where the search starts at.

Default
""
searchFilter

Used with search-and-bind and search-and-compare. Search filter used. Takes one parameter, user ID defined as {0}

Default
cn={0}
sslCertificate

Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this connection.

sslCertificateAlias

Used with ldaps:// URLs. The certificate alias, to be trusted by this connection and stored in the keystore.

url

The URL to the ldap server, must start with ldap:// or ldaps://

userDN

Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permissions to perform a search of the LDAP tree for user information.

userDNPattern

Used with simple-bind only. A semi-colon separated lists of DN patterns to construct a DN direct from the user ID without performing a search.

userDNPatternDelimiter

The delimiter character in between user DN patterns for simple bind authentication

Default
;
userPassword

Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.

login

client_secret

Deprecated. Default login client secret if no login client is defined

no_ssl

when true, uaa uses http, otherwise it uses https

Default
false

openid

fallbackToAuthcode

When using the hybrid flow to get a id_token, suppress the exception if the client doesn’t have the implicit grant. Defaults to false.

Default
true

port

Port that uaa will accept connections on

Default
8080

require_https

restricted_ips_regex

A pipe delimited set of regular expressions of IP addresses that can reach the listening HTTP port of the server.

Default
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}

scim

external_groups

A list of external group mappings. Pipe delimited. A value may look as ‘- internal.read|cn=developers,ou=scopes,dc=test,dc=com’

user
override
userids_enabled
Default
false
users

spring_profiles

Deprecated. Use ‘uaa.ldap.enabled’. Sets the Spring profiles on the UAA web application. This gets combined with the ‘uaadb.db_scheme’ property if and only if the value is exactly ‘ldap’ in order to setup the database, for example ‘ldap,mysql’. If spring_profiles contains more than just ‘ldap’ it will be used to overwrite spring_profiles and db_scheme ignored. See uaa.yml.erb.

url

user

authorities

Contains a list of the default authorities/scopes assigned to a user.

Default
  - openid
  - scim.me
  - cloud_controller.read
  - cloud_controller.write
  - cloud_controller_service_permissions.read
  - password.write
  - uaa.user
  - approvals.me
  - oauth.approvals
  - notification_preferences.read
  - notification_preferences.write

uaadb

address

The UAA database IP address

databases

The list of databases used in UAA database including tag/name

db_scheme

Database scheme for UAA DB

port

The UAA database Port

roles

The list of database Roles used in UAA database including tag/name/password

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/uaa/ directory (learn more).

  • bin/install_crt (from install_crt.erb)
  • bin/uaa_cf-registrar_ctl (from cf-registrar_ctl)
  • bin/uaa_ctl (from uaa_ctl.erb)
  • config/cf-registrar/config.yml (from cf-registrar.config.yml.erb)
  • config/ldap.crt (from ldap.crt.erb)
  • config/log4j.properties (from log4j.properties.erb)
  • config/tomcat/logging.properties (from tomcat.logging.properties)
  • config/tomcat/server.xml (from tomcat.server.xml.erb)
  • config/uaa.yml (from uaa.yml.erb)
  • config/varz.log4j.properties (from varz.log4j.properties.erb)
  • config/varz.yml (from varz.yml.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.