IBM Verify Directory: Proxy

This page documents the YAML schema which can be used to configure a Verify Directory Proxy container.

The value of each YAML key entry can be provided in the YAML file as either plain text, base-64 encoded text (prefix: 'B64:'), retrieved from an environment variable (prefix: '$'), loaded from a local file (prefix: '@'), retrieved from a Kubernetes secret (format: secret:{name}/{field}), or retrieved from a Kubernetes ConfigMap (format: configmap:{name}/{field}).

In addition to this, each of the YAML keys can also be provided as an environment variable, using a normalized value of the key name as the environment variable name. For example, to set the server port the following environment variable can be set: 'server.port'.

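As an added illustration (not part of the IBM documentation or the product's own code), the following Python resolver applies the prefix rules described above to a parsed configuration tree. The environment, file system and Kubernetes lookups are in-memory stand-ins constructed for the example; in a real container they would be the process environment, the file system and the Kubernetes API. The key names are taken from this page; the values and names such as isvd-admin and isvd-config are constructed.

```python
import base64
import binascii

# Constructed stand-ins for the container's environment, file system and
# Kubernetes API so that the resolver runs offline. The page documents only
# the prefixes, not the implementation, so this is one possible implementation.
SAMPLE_ENV = {"ADMIN_PWD": "passw0rd1"}
SAMPLE_FILES = {"/var/data/key.pem": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"}
SAMPLE_SECRETS = {("isvd-admin", "pwd"): "secret-backed-password"}
SAMPLE_CONFIGMAPS = {("isvd-config", "server-id"): "proxy-01"}


class ValueResolutionError(ValueError):
    """A prefixed value could not be resolved (bad encoding, missing variable, file or key)."""


def _k8s_ref(body, kind):
    """Split the '{name}/{field}' part of a secret: or configmap: reference."""
    name, sep, field = body.partition("/")
    if not (sep and name and field):
        raise ValueResolutionError(f"{kind} reference must be '{kind}:{{name}}/{{field}}', got {body!r}")
    return name, field


def resolve_value(raw, env=SAMPLE_ENV, files=SAMPLE_FILES,
                  secrets=SAMPLE_SECRETS, configmaps=SAMPLE_CONFIGMAPS):
    """Resolve a single YAML scalar using the prefix rules described on this page."""
    if not isinstance(raw, str):
        return raw                      # numbers and booleans are taken as-is
    if raw.startswith("B64:"):
        try:
            return base64.b64decode(raw[4:], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueResolutionError(f"invalid base-64 value: {exc}") from exc
    if raw.startswith("$"):
        name = raw[1:]
        if name not in env:
            raise ValueResolutionError(f"environment variable {name!r} is not set")
        return env[name]
    if raw.startswith("@"):
        path = raw[1:]
        if path not in files:
            raise ValueResolutionError(f"file {path!r} does not exist")
        return files[path]
    if raw.startswith("secret:"):
        ref = _k8s_ref(raw[len("secret:"):], "secret")
        if ref not in secrets:
            raise ValueResolutionError(f"secret {ref[0]!r} has no field {ref[1]!r}")
        return secrets[ref]
    if raw.startswith("configmap:"):
        ref = _k8s_ref(raw[len("configmap:"):], "configmap")
        if ref not in configmaps:
            raise ValueResolutionError(f"configmap {ref[0]!r} has no field {ref[1]!r}")
        return configmaps[ref]
    return raw                          # plain text


def resolve_config(node, **sources):
    """Walk a parsed YAML tree and resolve every scalar leaf; dicts and lists are rebuilt."""
    if isinstance(node, dict):
        return {k: resolve_config(v, **sources) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_config(v, **sources) for v in node]
    return resolve_value(node, **sources)


# Constructed fragment of a proxy configuration that uses each reference style.
SAMPLE_CONFIG = {
    "general": {"id": "configmap:isvd-config/server-id",
                "admin": {"dn": "cn=root", "pwd": "$ADMIN_PWD"},
                "ports": {"ldap": 0, "ldaps": 9636}},
    "keyfile": {"trusted-certificates": ["@/var/data/key.pem"]},
    "proxy": {"server-groups": [{"name": "group_a", "servers": [
        {"name": "server_a", "id": "server_a", "target": "ldaps://server_a.example.com:636",
         "user": {"dn": "cn=root", "password": "secret:isvd-admin/pwd"}}]}]},
}
```

Because the resolver dispatches on the first characters of a string, a literal value that happens to begin with '$' or '@' would be misread as a reference; in this scheme such a literal is safest supplied with the 'B64:' prefix. Resolution failures raise rather than silently falling back to the raw text, so a missing secret cannot end up being used as a password.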
Configuration

advanced array

An array of objects which are used to define specific ibm-slapd properties to be set for the server.

📋 Array Items
attr array required

The attributes of the DN to modify.

📋 Array Items
name string required

The name of the attribute.

operation any

The LDAP operation which is to be performed on the attribute. The options include:
- replace: Replace any existing attribute value with the new value.
- add: Add the additional value to the attribute.
- delete: Delete the specified attribute and value.
Please note that the value is case sensitive.

Default: replace
Allowed values:
replace add delete
values array required

The string value(s) of the property. Please note that if the value is numeric it should be surrounded by quotes.

📋 Array Items
Type: string
dn string required

The DN of the property.

Examples:
Example 1
advanced:
- dn: cn=Configuration
  attr:
  - name: ibm-slapdTimeLimit
    values:
    - '900'

debug object

The configuration entries which can be used to enable debugging within the container.

⚙️ Properties
startup boolean

A boolean which is used to indicate whether debugging should be enabled while bootstrapping the container.

Default: False
runtime number

Specifies the debug level to assign to the runtime. The value is a bit mask that controls which output is generated, with values from 1 to 65535.

Default: 0
Validation Constraints:
• Minimum: 0
• Maximum: 65535

general object

The general configuration elements of the container.

⚙️ Properties
admin object required

The credential information of the server.

⚙️ Properties
dn string

The distinguished name of the user which can be used to authenticate to the server.

Default: cn=root
pwd string required

The password of the user which can be used to authenticate to the server.

users array

Additional administrative users for this server.

📋 Array Items
cn string required

The common name of the user.

pwd string required

The password of the user. This password must conform to the configured password policy.

role any required

The role assigned to the user. Refer to the official documentation for the permissions assigned to each role. Please note that the value is case sensitive.

Allowed values:
AuditAdmin DirDataAdmin NoAdmin PasswordAdmin ReplicationAdmin SchemaAdmin ServerConfigGroupMember

audit object

The configuration entries associated with the auditing of operations.

⚙️ Properties
enabled boolean

Enable or disable the audit service.

Default: False
log-to-file boolean

If enabled, the audit records will be sent to the '/var/isvd/logs/audit.log' file, otherwise the audit records will be sent to the console of the container.

Default: False
json-format boolean

If enabled, the audit records will be formatted as JSON, otherwise the audit records will be created in the legacy auditing format.

Default: True
failure-only boolean

Specifies whether to log all failures.

Default: True
groups-control boolean

Specifies whether to log the groups sent on a group control.

Default: False
group-eval boolean

Specifies whether to log the attributes sent on a group evaluation extended operation.

Default: False
performance boolean

Specifies whether to collect and log performance data in audit logs.

Default: False
pta-bind-info boolean

Specifies whether to log pass-through authentication information related to bind operations.

Default: True
operation object

The operations which can be audited.

⚙️ Properties
add boolean

Specifies whether to log the Add operation.

Default: False
bind boolean

Specifies whether to log the Bind operation.

Default: True
compare boolean

Specifies whether to log the Compare operation.

Default: False
delete boolean

Specifies whether to log the Delete operation.

Default: False
extended-op boolean

Specifies whether to log the Extended operation.

Default: False
extended-op-event boolean

Specifies whether to log the Extended operation event.

Default: False
modify boolean

Specifies whether to log the Modify operation.

Default: False
modify-dn boolean

Specifies whether to log the ModifyRDN operation.

Default: False
search boolean

Specifies whether to log the Search operation.

Default: False
unbind boolean

Specifies whether to log the Unbind operation.

Default: True
Examples:
Example 1
general:
  audit:
    enabled: true
    log-to-file: false
    json-format: true
    failure-only: true
    groups-control: true
    performance: true
    pta-bind-info: true
    operation:
      add: true
      group-eval: true
      bind: true
      compare: true
      delete: true
      extended-op: true
      extended-op-event: true
      modify: true
      modify-dn: true
      search: true
      unbind: true
id string

The identifier of the server. If no identifier is specified the hostname of the container will be used as the identifier.

json-logging boolean

Whether the logging and auditing messages should be formatted in JSON or not.

Default: True
key-stash string

The contents of the key stash file (.ksf) which is used to protect data. This file should be provided if cryptographic synchronisation is required between different servers. The key stash can either be obtained from a software based directory server installation, or a new one can be generated by starting this image with the 'keystash' argument. For example: 'docker run --rm icr.io/isvd/verify-directory-seed:latest keystash'. Please note that this will send a base-64 encoded version of the key stash to the console of the container.

license object required
⚙️ Properties
key string required

The license key, required to run the container.

accept string required

Which license agreement has been accepted, either 'limited' or 'standard' or 'enterprise'. To display a license agreement start the container with the 'license' command, for example: 'docker run --rm icr.io/isvd/verify-directory-server:latest license standard'

Allowed values:
limited standard enterprise
ports object

The ports on which the server will listen for requests.

⚙️ Properties
ldap integer

The port on which the server will listen for LDAP requests. A value of '0' is used to indicate that the server should not listen for LDAP requests. Please note that the server can listen on ports lower than 1024, but in order to do so the container infrastructure must grant the container the necessary permissions.

Default: 0
ldaps integer

The port on which the server will listen for LDAPS requests. A value of '0' is used to indicate that the server should not listen for LDAPS requests. Please note that the server can listen on ports lower than 1024, but in order to do so the container infrastructure must grant the container the necessary permissions.

Default: 9636
pwd-encryption string

The encoding mechanism for the user passwords before they are stored in the directory. Please note that the value is case sensitive.

Default: ssha512
Allowed values:
none aes128 aes192 aes256 crypt sha ssha md5 sha224 sha256 sha384 sha512 ssha224 ssha256 ssha384 ssha512 pbkdf2-sha1 pbkdf2-sha224 pbkdf2-sha256 pbkdf2-sha384 pbkdf2-sha512 scrypt argon2

pwd-policy object

The configuration entries associated with the password policy which is enforced by the server.

⚙️ Properties
enabled boolean

Indicates if the IBM Administrative Password Policy is ON.

Default: True
failure-count-interval number

Specifies the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred.

Default: 0
lockout boolean

Enables replication of security attributes between master and read-only replica so that password policy for account lockout can be strongly enforced in replication topologies.

Default: True
lock-duration number

Specifies the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts.

Default: 300
max-consecutive-repeated-chars number

Specifies the maximum number of consecutive repeated characters in the password field.

Default: 2
max-failures number

Specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate.

Default: 10
max-repeated-chars number

Specifies the maximum number of repeated characters allowed.

Default: 2
min-alpha-chars number

Specifies the minimum number of alphabetic characters required for a user's password.

Default: 2
min-diff-chars number

Specifies the minimum number of different (unique) characters required for a user's password.

Default: 2
min-length number

Specifies the minimum number of characters that must be used in a password.

Default: 8
min-other-chars number

Specifies the minimum number of other characters required.

Default: 2
advanced object

The configuration entries associated with rules for advanced password syntax checking.

⚙️ Properties
no-spaces boolean

Specifies whether the password can contain spaces.

no-user-id boolean

Specifies that the password cannot be the same as, or contain, the value of the configured login attribute. The login attribute is configured using the login-attribute configuration entry and is set to the name of the LDAP attribute (such as UID) that is used as the user ID attribute for users. Note: Enabling this rule might have a performance impact on the user password update operation. To process this rule, an internal search is done on the user to obtain the value of the login attribute, which is then checked against the specified password.

login-attribute string

The name of the attribute which contains the user identity. This is used by the no-user-id rule.

min-special-chars number

Specifies the minimum number of special characters that a password must contain.

min-numeric-chars number

Specifies the minimum number of numeric characters that a password must contain.

min-lowercase-chars number

Specifies the minimum number of lowercase characters that a password must contain.

min-uppercase-chars number

Specifies the minimum number of uppercase characters that a password must contain.

max-asc-chars number

Specifies the maximum number of ascending characters that a password can contain. The characters can be alphabetic or numeric.

max-dsc-chars number

Specifies the maximum number of descending characters that a password can contain. The characters can be alphabetic or numeric.

custom-policy-script string

Specifies a custom password policy written in the Lua scripting language.

Examples:
Example 1
general:
  pwd-policy:
    enabled: true
    lockout: false
    lock-duration: 1800
    max-failures: 5
    min-length: 5
    failure-count-interval: 0
    max-consecutive-repeated-chars: 2
    max-repeated-chars: 2
    min-alpha-chars: 2
    min-diff-chars: 2
    min-other-chars: 2

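As an added illustration (not part of the IBM documentation or the product's own code), the following Python checker evaluates a candidate password against a policy shaped like the pwd-policy object above. The numeric thresholds are those of Example 1; the advanced block is constructed. Where the page leaves the exact semantics open (what counts as an "other" character, how "consecutive", "ascending" and "descending" characters are measured) the interpretation is this example's own assumption and is marked as such in the code.

```python
from collections import Counter

# A policy shaped like the 'general.pwd-policy' object on this page. The top-level
# thresholds are the page's own Example 1; the 'advanced' block is constructed.
SAMPLE_POLICY = {
    "enabled": True,
    "min-length": 5,
    "max-consecutive-repeated-chars": 2,
    "max-repeated-chars": 2,
    "min-alpha-chars": 2,
    "min-diff-chars": 2,
    "min-other-chars": 2,
    "advanced": {
        "no-spaces": True,
        "no-user-id": True,
        "login-attribute": "uid",
        "min-numeric-chars": 1,
        "max-asc-chars": 3,
        "max-dsc-chars": 3,
    },
}


def _longest_run(pwd, step):
    """Longest run of adjacent characters whose code points differ by `step`.
    step=0 measures repeated characters ('aaa'); step=1 ascending alphanumerics
    ('abc', '123'); step=-1 descending ('cba'). This reading of the page's
    'consecutive', 'ascending' and 'descending' wording is an assumption."""
    best = run = 1 if pwd else 0
    for prev, cur in zip(pwd, pwd[1:]):
        stepped = ord(cur) - ord(prev) == step
        if stepped and (step == 0 or (prev.isalnum() and cur.isalnum())):
            run += 1
        else:
            run = 1
        best = max(best, run)
    return best


def check_password(pwd, policy=SAMPLE_POLICY, login_value=None):
    """Return the policy keys the candidate violates; an empty list means accepted.
    login_value is the user's value of the configured login attribute (for no-user-id)."""
    if not policy.get("enabled", True):
        return []
    adv = policy.get("advanced", {})
    # measured value must be >= the configured threshold
    minimums = {
        "min-length": len(pwd),
        "min-alpha-chars": sum(c.isalpha() for c in pwd),
        "min-other-chars": sum(not c.isalpha() for c in pwd),   # 'other' = non-alphabetic (assumption)
        "min-diff-chars": len(set(pwd)),
    }
    adv_minimums = {
        "min-special-chars": sum(not c.isalnum() for c in pwd),
        "min-numeric-chars": sum(c.isdigit() for c in pwd),
        "min-lowercase-chars": sum(c.islower() for c in pwd),
        "min-uppercase-chars": sum(c.isupper() for c in pwd),
    }
    # measured value must be <= the configured threshold
    maximums = {
        "max-consecutive-repeated-chars": _longest_run(pwd, 0),
        "max-repeated-chars": max(Counter(pwd).values(), default=0),
    }
    adv_maximums = {
        "max-asc-chars": _longest_run(pwd, 1),
        "max-dsc-chars": _longest_run(pwd, -1),
    }
    violations = []
    checks = (
        (policy, minimums, lambda measured, limit: measured >= limit),
        (adv, adv_minimums, lambda measured, limit: measured >= limit),
        (policy, maximums, lambda measured, limit: measured <= limit),
        (adv, adv_maximums, lambda measured, limit: measured <= limit),
    )
    for table, measures, ok in checks:
        for key, measured in measures.items():
            limit = table.get(key)          # an absent key imposes no constraint
            if limit is not None and not ok(measured, limit):
                violations.append(key)
    if adv.get("no-spaces") and " " in pwd:
        violations.append("no-spaces")
    # no-user-id: the password may neither equal nor contain the login attribute value.
    if adv.get("no-user-id") and login_value and login_value.lower() in pwd.lower():
        violations.append("no-user-id")
    return violations
```

Returning the list of violated keys rather than a bare boolean lets an administrator see which configured rule rejected a password, which is useful when tuning the thresholds; the password itself is never included in the result.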
schemas array

Any additional schema files (.ot or .at) which will be added to the server. The schema files specified here can also be used to replace the IBM Verify Directory standard schema files. Please note however that if you supply a schema file in the YAML this schema should not be subsequently modified using an LDAP modify operation, otherwise the updates will be lost when the container next starts.

📋 Array Items
Type: string

The name of a schema file (.ot or .at). The file must exist within the container file system.

Examples:
Example 1
general:
  schemas:
  - /volume/data/custom.at
  - /volume/data/custom.oc
  - /volume/data/V3.ibm.at
ssl object

SSL configuration details for the server.

⚙️ Properties
auth string

The authentication type for the ssl connection. The options include:
- ServerAuth: Supports server authentication at the client.
- ServerClientAuth: Supports both server and client authentication.
Please note that the value is case sensitive.

Default: ServerAuth
Allowed values:
ServerAuth ServerClientAuth
cert-label string

The label that identifies the server's Personal Certificate in the key database file. If the field is not specified the default certificate from the key file will be used by the LDAP server for SSL connections.

ciphers array

The allowable encryption/decryption methods for establishing an SSL connection between LDAP client(s) and server. Please note that the value is case sensitive.

📋 Array Items
Type: string
protocols array

The SSL or TLS protocol versions to enable for the connection. The options include:
- SSLV3: Secure Sockets Layer version 3.0.
- TLS10: Transport Layer Security version 1.0.
- TLS11: Transport Layer Security version 1.1.
- TLS12: Transport Layer Security version 1.2.
- TLS13: Transport Layer Security version 1.3.
Please note that the value is case sensitive.

📋 Array Items
Type: string
fips boolean

Should the server operate in FIPS process mode?

Default: False
fips-fallback boolean

The non-FIPS certified cryptographic library is loaded as a secondary backup and is used if a requested algorithm is not contained in the certified library. This configuration option is ignored if the 'general.ssl.fips' configuration entry has not been set to 'true'.

Default: False
Examples:
Example 1
general:
  license:
    key: VGVzdDotMTowOjCCAaQG...
    accept: standard
  id: test.ibm.com
  admin:
    pwd: passw0rd1
  ports:
    ldap: 0
    ldaps: 9636

keyfile object

The configuration elements associated with the SSL key file. This will include any keys used by the server, along with any trusted certificates. A self-signed certificate will be created as the default certificate in the key file, with the label: 'self-signed-server'.

⚙️ Properties
keys array

Any private keys used by the server. The private key and associated certificate should be combined into a single configuration entry in PEM format, and the private key should not be protected by a password. By way of example, to create a private key and self-signed certificate using OpenSSL the following command can be executed:
'openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365'

The key and certificate can then be concatenated into a single file.

If this key is to be used as the main certificate served by the server the general.ssl.cert-label configuration entry must be set to the name of the label for the key.

📋 Array Items
key string required

The PEM encoded private key and public certificate.

label string required

The label which will be associated with this key.

trusted-certificates array

Any certificates which should be trusted by the server, in PEM format.

📋 Array Items
Type: string

A certificate which is to be trusted by the server, in PEM format.

Examples:
Example 1
keyfile:
  keys:
  - label: server-key
    key: '@/var/data/key.pem'
  trusted-certificates:
  - '@/var/data/ca_cert.pem'

proxy object

The configuration entries associated with the proxy server, used to define what data is proxied.

⚙️ Properties
allow-distributed-group-evaluation boolean

Enable or disable the evaluation of all groups by the proxy server in a distributed directory environment.

Default: True
allow-dynamic-group-evaluation boolean

Determines whether the proxy allows dynamic group evaluation.

Default: True
allow-non-admin boolean

Whether or not the server should allow non-Administrator bind for paged results requests on a search request. If the value is set to true, the server will process any client request, including those submitted by a user binding anonymously. If the value is set to false, the server will process only those client requests submitted by a user with Administrator authority. If a client requests paged results with a criticality of true or false for a search operation, does not have Administrator authority, and the value is set to false, the server will return to the client with a return code of insufficientAccessRights - no searching or paging will be performed.

Default: True

server-groups array

An array of objects which are used to define the various groupings of proxied servers. Server groupings enable the user to state that several backend servers are mirrors of each other, and proxy server processing can continue even if one or more backend servers in the group are down, assuming that at least one backend server is online.

📋 Array Items
name string required

The name which will be given to the group.

servers array required

The servers which belong to this group.

📋 Array Items
bind-method string

The method used to bind to backend servers. The options include:
- Simple: The simple username and password bind method.
- Digest: The Digest bind method.
- Kerberos: The Kerberos bind method.
Please note that the value is case sensitive.

Default: Simple
Allowed values:
Simple Digest Kerberos
certificate-label string

The label that identifies the private key which will be used when communicating with the proxied server.

connection-pool-size number

The number of connections to be maintained by the proxy server to an individual backend server.

Default: 120
digest object

The credential information when DIGEST is selected as the bind method to the backend server.

⚙️ Properties
realm string required

The realm of the DIGEST-MD5 bind when binding to a backend server.

user-name string required

The username to be used when DIGEST is selected as the bind method to a backend server.

health-check-olimit number

The limit on the number of outstanding requests after which a Proxy Health Check can mark a backend server as hung.

Default: 5
id string required

The identifier of the server.

max-pending-ops-per-client number

The maximum number of operations that could be pending for a single backend server from a single client connection.

Default: 5
name string required

The name which will be given to the server.

status-interval number

The interval between status checks.

Default: 3
target string required

The URL of a backend server. This must be in the form ldap:// or ldaps:// (to indicate SSL use ldaps).

user object required

The credential information of the backend server.

⚙️ Properties
dn string required

The distinguished name of the user which will be used to authenticate to the backend server.

password string required

The password of the user which will be used to authenticate to the backend server.

Examples:
Example 1
proxy:
  server-groups:
  - name: group_a
    servers:
    - name: server_a
      id: server_a_id
      target: ldap://server_a.ibm.com:389
      bind-method: Simple
      user:
        dn: uid=Manager,cn=ibmpolicies
        password: passw0rd
    - name: server_b
      id: server_b_id
      target: ldap://server_b.ibm.com:389
      user:
        dn: uid=Manager,cn=ibmpolicies
        password: passw0rd

suffixes array

An array of objects which are used to define the various suffixes which are proxied by this server. The 'cn=ibmpolicies' suffix is mandatory and if it is not present it will be automatically created using the definition of the first suffix as a template.

📋 Array Items
auto-fail-back boolean

The flag that indicates if auto failback is enabled.

Default: True
base string required

The suffix base.

failback-based-on-queue boolean

Determines if autofailback is done based on the replication queue threshold.

Default: True
failback-queue-threshold number

The maximum replication queue size allowed between current write server and server to failback for autofailback.

Default: 5
high-consistency boolean

Enable or disable High Consistency on a per suffix basis.

name string required

The name which will be given to the suffix.

num-partitions number

Specifies the number of servers a given container is split between.

Default: 1
servers array required

The servers which belong to this group.

📋 Array Items
index number

The unique index a given server is assigned in a suffix container. The value here must be <= the corresponding num-partitions value. The first value begins at 1.

Default: 1
name string required

The name of the server. This name should match a defined proxied server name.

role string

The role that a backend server plays within the distributed directory.

Default: primarywrite
Allowed values:
primarywrite any
tier number

Used for storing the priority of a backend server for a given split. Priority ranges from 1-5, 1 being the maximum priority.

Default: 1
Validation Constraints:
• Minimum: 1
• Maximum: 5
Examples:
Example 1
proxy:
  suffixes:
  - name: split_a
    num-partitions: 1
    base: o=sample.com
    servers:
    - name: server_a
      role: primarywrite
      index: 1
Examples:
Example 1
proxy:
  allow-non-admin: true
  allow-dynamic-group-evaluation: false
  allow-distributed-group-evaluation: false
  server-groups:
  - name: group_a
    servers:
    - name: server_a
      id: server_a
      target: ldap://10.10.10.200:389
      bind-method: Simple
      user:
        dn: cn=root
        password: passw0rd
  suffixes:
  - name: split_a
    num-partitions: 1
    base: dc=ibm.com
    servers:
    - name: server_a
      role: primarywrite
      index: 1
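
As an added illustration (not part of the IBM documentation or the product's own code), the following Python lint checks a proxy object against the constraints stated in this section: required fields, the case-sensitive allowed values for bind-method and role, the ldap:// or ldaps:// form of target, the digest credentials needed when bind-method is Digest, suffix server names matching a defined proxied server, index within num-partitions and tier within 1-5. It also notes when no cn=ibmpolicies suffix is present, since the page states the server then creates one from the first suffix. The warning on cleartext ldap:// targets is this example's own defensive check, not a rule from the schema. SAMPLE_PROXY is a transcription of Example 1 above; broken_proxy() is a constructed variant.

```python
from copy import deepcopy
from urllib.parse import urlsplit

# Allowed values as listed in the schema on this page (case sensitive).
ALLOWED_BIND_METHODS = {"Simple", "Digest", "Kerberos"}
ALLOWED_ROLES = {"primarywrite", "any"}

# The 'proxy' object of this page's Example 1, transcribed into a dict.
SAMPLE_PROXY = {
    "allow-non-admin": True,
    "allow-dynamic-group-evaluation": False,
    "allow-distributed-group-evaluation": False,
    "server-groups": [{"name": "group_a", "servers": [{
        "name": "server_a", "id": "server_a", "target": "ldap://10.10.10.200:389",
        "bind-method": "Simple", "user": {"dn": "cn=root", "password": "passw0rd"}}]}],
    "suffixes": [{"name": "split_a", "num-partitions": 1, "base": "dc=ibm.com",
                  "servers": [{"name": "server_a", "role": "primarywrite", "index": 1}]}],
}


def lint_proxy(proxy):
    """Check a 'proxy' object against the constraints stated in the schema.
    Returns a list of (severity, message); severity is 'error', 'warning' or 'info'."""
    findings = []

    def report(severity, message):
        findings.append((severity, message))

    defined = set()   # names of proxied servers that suffixes may refer to
    for group in proxy.get("server-groups", []):
        gname = group.get("name")
        for srv in group.get("servers", []):
            name = srv.get("name")
            who = f"server {name!r} in group {gname!r}"
            for req in ("name", "id", "target", "user"):
                if req not in srv:
                    report("error", f"{who}: missing required field {req!r}")
            if name is not None:
                defined.add(name)
            scheme = urlsplit(srv.get("target", "")).scheme
            if scheme not in ("ldap", "ldaps"):
                report("error", f"{who}: target must be an ldap:// or ldaps:// URL")
            elif scheme == "ldap":
                # Defensive check added by this lint: over a plain ldap:// connection the
                # backend credential in 'user.password' crosses the network unprotected.
                report("warning", f"{who}: cleartext ldap:// target; use ldaps:// so bind credentials are encrypted")
            method = srv.get("bind-method", "Simple")
            if method not in ALLOWED_BIND_METHODS:
                report("error", f"{who}: bind-method {method!r} not in {sorted(ALLOWED_BIND_METHODS)} (case sensitive)")
            if method == "Digest":
                digest = srv.get("digest", {})
                for req in ("realm", "user-name"):
                    if req not in digest:
                        report("error", f"{who}: bind-method Digest requires digest.{req}")
            for req in ("dn", "password"):
                if req not in srv.get("user", {}):
                    report("error", f"{who}: missing required field user.{req}")

    suffixes = proxy.get("suffixes", [])
    if not any(s.get("base") == "cn=ibmpolicies" for s in suffixes):
        report("info", "no 'cn=ibmpolicies' suffix defined; the server will create one from the first suffix")
    for suffix in suffixes:
        sname = suffix.get("name")
        partitions = suffix.get("num-partitions", 1)
        for srv in suffix.get("servers", []):
            who = f"suffix {sname!r} server {srv.get('name')!r}"
            if srv.get("name") not in defined:
                report("error", f"{who}: name does not match any server in server-groups")
            index = srv.get("index", 1)
            if not 1 <= index <= partitions:
                report("error", f"{who}: index {index} must be between 1 and num-partitions ({partitions})")
            tier = srv.get("tier", 1)
            if not 1 <= tier <= 5:
                report("error", f"{who}: tier {tier} must be between 1 and 5")
            role = srv.get("role", "primarywrite")
            if role not in ALLOWED_ROLES:
                report("error", f"{who}: role {role!r} not in {sorted(ALLOWED_ROLES)} (case sensitive)")
    return findings


def broken_proxy():
    """A constructed variant of SAMPLE_PROXY carrying four schema violations, for demonstration."""
    bad = deepcopy(SAMPLE_PROXY)
    bad["suffixes"][0]["servers"][0].update({"name": "server_x", "index": 2, "tier": 7, "role": "ANY"})
    return bad
```

Run against Example 1 the lint reports no errors, one warning (the ldap:// target) and the informational note about cn=ibmpolicies; the constructed broken_proxy() adds four errors: an unknown server name, an index above num-partitions, an out-of-range tier and a wrongly cased role. Because the allowed values are case sensitive, a value such as 'ANY' is rejected at lint time rather than being silently misread by the server.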

Examples

Example 1
general:
  license:
    key: VGVzdDotMTowOjCCAaQG...
    accept: standard
  id: test.ibm.com
  admin:
    pwd: passw0rd1
  ports:
    ldap: 0
    ldaps: 9636
proxy:
  server-groups:
  - name: group_a
    servers:
    - bind-method: Simple
      id: server_a
      name: server_a
      target: ldap://10.10.10.200:389
      user:
        dn: cn=root
        password: passw0rd
  suffixes:
  - base: dc=ibm.com
    name: split_a
    num-partitions: 1
    servers:
    - index: 1
      name: server_a
      role: primarywrite