Page Comparison

Current File(s): conf/authn/password-authn-config.xml, conf/ldap.properties, conf/authn/authn.properties
Format: Native Spring, Properties

...

The idp.authn.LDAP.authenticator property controls the workflow for how authentication occurs against the LDAP directory for most “simple” cases by automatically configuring a number of underlying objects based on a set of built-in “authenticator types” supported by the ldaptive library.

anonSearchAuthenticator	Performs an anonymous search for the user's DN
bindSearchAuthenticator	Binds with a configured DN as a service account, then searches for the user's DN
directAuthenticator	User DNs are of a known format. i.e. CN=user_name,ou=accounts,dc=domain,dc=edu. No DN search is performed.
adAuthenticator	Configuration that leverages the AD specific @domain.com format. No DN search is performed since AD supports binding directly with that user name.

Depending on the choice above, various other properties must be set (see the reference section below).

...

If StartTLS or SSL are used, a source of trust anchors must be configured to control certificate validation, using the idp.authn.LDAP.sslConfig property:

certificateTrust	Uses the idp.authn.LDAP.trustCertificates property to load a resource containing the trust anchors (such as a file of PEM-format certificates)
keyStoreTrust	Uses the idp.authn.LDAP.trustStore property to load a keystore containing the trust anchors
jvmTrust	Uses the default JVM trust anchors (the JVM-wide "cacerts" file)
disabled	Does not allow SSL or startTLS connections.

We have tentative plans to deprecate the “jvmTrust” option, which has already been removed from the attribute resolution side of the software, as it is bad practice and has been a source of serious security flaws.

...

Expand

title	Properties

A number of properties are found in ldap.properties to configure LDAP authentication global defaults. Most of the time, this is sufficient to deal with most configurations without having to delve into modifying any beans, unless you're trying to chain together separately configured back-ends.

Note that the big "override everything" hook tends to be the idp.authn.LDAP.authenticator property, as most of the other properties auto-configure specific aspects of one of the built-in Authenticator beans.

Property	Type	Default	Function
idp.authn.LDAP.authenticator	Enumeration	anonSearchAuthenticator	Controls the workflow for how authentication occurs against the LDAP, one of: anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.ldapURL	LDAP URI		Connection URI for LDAP directory.
idp.authn.LDAP.useStartTLS	Boolean	true	Whether StartTLS should be used after connecting with LDAP alone.
idp.authn.LDAP.connectTimeout	Duration	PT3S	Time to wait for the TCP connection to occur.
idp.authn.LDAP.responseTimeout	Duration	PT3S	Time to wait for an LDAP response message. (Applies to every request except startTLS)
idp.authn.LDAP.startTLSTimeout	Duration	PT3S	Time to wait for a startTLS response message.
idp.authn.LDAP.autoReconnect	Boolean	true	Whether lost connections should be automatically reopened.
idp.authn.LDAP.reconnectTimeout	Duration	PT10S	Time to wait for a connection to reconnect.
idp.authn.LDAP.connectionStrategy	Enumeration	ACTIVE_PASSIVE	Connection strategy to use when multiple URLs are supplied, one of ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM
idp.authn.LDAP.sslConfig	Enumeration	certificateTrust	How to establish trust in the server's TLS certificate, one of: jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.trustCertificates	Resource path		A resource to load trust anchors from, usually a local file in %{idp.home}/credentials
idp.authn.LDAP.trustStore	Resource path		A resource to load a Java keystore containing trust anchors, usually a local file in %{idp.home}/credentials
idp.authn.LDAP.returnAttributes	Comma-sep'd Strings		List of attributes to request during authentication. NOTE: Do not set this property if using the adAuthenticator, it is not supported and you will get a WARN message in the log each time a user authenticates. (Authentication still works, though.)
idp.authn.LDAP.baseDN	String		Base DN to search against, used by anonSearchAuthenticator, bindSearchAuthenticator
idp.authn.LDAP.subtreeSearch	Boolean	false	Whether to search recursively, used by anonSearchAuthenticator, bindSearchAuthenticator
idp.authn.LDAP.userFilter	String		LDAP search filter, used by anonSearchAuthenticator, bindSearchAuthenticator
idp.authn.LDAP.bindDN	String		DN to bind with during search, used by bindSearchAuthenticator
idp.authn.LDAP.bindDNCredential	String		Password to bind with during search, used by bindSearchAuthenticator, usually set via %{idp.home}/credentials/secrets.properties
idp.authn.LDAP.dnFormat	String		A formatting string to generate the user DNs to authenticate, used by directAuthenticator, adAuthenticator
idp.authn.LDAP.resolveEntryOnFailure	Boolean	false	Whether the user's LDAP entry should be returned in the authentication response even when the user bind fails.
idp.authn.LDAP.resolveEntryWithBindDN	Boolean	false	Whether the user's LDAP entry should be resolved with the bindDN credentials rather than as the authenticated user.
idp.authn.LDAP.usePasswordPolicy	Boolean	false	Whether to use the Password Policy Control.
idp.authn.LDAP.usePasswordExpiration	Boolean	false	Whether to use the Password Expired Control.
idp.authn.LDAP.activeDirectory	Boolean	false	If you are using Active Directory, this switch will attempt to use the account states defined by AD. Note that this flag is unnecessary if you are using the 'adAuthenticator', although it is necessary to use the accountStateExpirationPeriod and accountStateWarningPeriod properties. It is meant to be specified with one of the other authenticator types.
idp.authn.LDAP.freeIPADirectory	Boolean	false	If you are using the FreeIPA LDAP, this switch will attempt to use the account states defined by that product.
idp.authn.LDAP.eDirectory	Boolean	false	If you are using the EDirectory LDAP, this switch will attempt to use the account states defined by that product.
idp.authn.LDAP.disablePooling	Boolean	false	Whether connection pools should be used for LDAP connections used for authentication.
idp.pool.LDAP.minSize	Integer	3	Minimum LDAP connection pool size
idp.pool.LDAP.maxSize	Integer	10	Maximum LDAP connection pool size
idp.pool.LDAP.validateOnCheckout	Boolean	false	Whether to validate connections when checking them out of the pool
idp.pool.LDAP.validatePeriodically	Boolean	true	Whether to validate connections in the background
idp.pool.LDAP.validatePeriod	Duration	PT5M	Duration between validation, if idp.pool.LDAP.validatePeriodically is true
idp.pool.LDAP.validateDN	String		DN to search with the validateFilter, default is the rootDSE
idp.pool.LDAP.validateFilter	String	(objectClass=*)	Search filter to execute in order to validate a pooled connection
idp.pool.LDAP.prunePeriod	Duration	PT5M	Duration between looking for idle connections to reduce the pool back to its minimum size
idp.pool.LDAP.idleTime	Duration	PT10M	Duration connections must be idle to be eligible for pruning
idp.pool.LDAP.blockWaitTime	Duration	PT3S	Duration to wait for a free connection in the pool
idp.authn.LDAP.bindPoolPassivator	Enumeration	none	Controls how connections in the bind pool are passivated. Connections in the bind pool may be in an authenticated state that will not allow validation searches to succeed. This property controls how bind connections are placed back into the pool. If your directory requires searches to be performed by the idp.authn.LDAP.bindDN or anonymously, this property controls that behavior. one of: none, bind, anonymousBind.

...

Expand

title	Attribute Retrieval

LDAP attributes are returned as part of the authentication process and exposed in the LDAPResponseContext. (As noted in the Properties reference above, this feature is not supported by the adAuthenticator. If you set it, it will result in a WARN message in the logs for each authentication attempt.)

Property	Sample	Result
idp.authn.LDAP.returnAttributes	uid, eduPersonAffiliation	Returns the uid and eduPersonAffiliation attributes.
	*	Returns all user attributes on the entry.
	*,+	Returns all user and operational attributes on the entry.
	1.1	No attribute returned. No search performed.

By default, attributes will be searched for using the same connection the user authenticated on. Therefore the user must have read on any attributes for those to be returned.

If you need access to attributes that user does not have read access to, then you must configure a connection pool that is authorized to read that data. The easiest way to that is to use the idp.authn.LDAP.resolveEntryWithBindDN=true property. This will configure a separate connection pool using the bind credentials. However, if the attributes you need require different credentials, then following configuration demonstrates how to add a new connection pool for that purpose.

Spring Configuration

Code Block

language	xml

<!-- Modify the authenticator to use the entry resolver -->
<bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:entryResolver-ref="bindSearchEntryResolver">
...
 
<bean id="bindSearchEntryResolver" class="org.ldaptive.auth.SearchEntryResolver" p:connectionFactory-ref="entryResolverPooledConnectionFactory" />
<bean id="entryResolverPooledConnectionFactory" class="org.ldaptive.PooledConnectionFactory" p:connectionConfig-ref="entryResolverConnectionConfig" p:name="entry-resolver-pool" />
<bean id="entryResolverConnectionConfig" parent="connectionConfig" p:connectionInitializers-ref="entryResolverConnectionInitializer" />
<bean id="entryResolverConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" p:bindDn="%{idp.authn.LDAP.entryResolver.bindDN}">
  <property name="bindCredential">
    <bean class="org.ldaptive.Credential">
      <constructor-arg value="%{idp.authn.LDAP.entryResolver.bindDNCredential}" />
    </bean>
  </property>
</bean>

Add the idp.authn.LDAP.entryResolver.bindDN and idp.authn.LDAP.entryResolver.bindDNCredential properties to conf/ldap.properties and credentials/secrets.properties respectively. Then set idp.authn.LDAP.authenticator to anonSearchAuthenticator. to complete the configuration.

Expand

title	DN Resolution

Single Directory with Multiple Branches

Extensible Matching

If your directory supports extensible matching, this is the easiest way to find users that are distributed over multiple branches.

Property	Value	Result
idp.authn.LDAP.userFilter	(&(\|(ou:dn:=people)(ou:dn:=guests))(uid={user}))	Returns the entry that matches uid on either the people or guests branch.
idp.authn.LDAP.baseDN	dc=example,dc=org	The branch containing both ou=people and ou=guests.
idp.authn.LDAP.subtreeSearch	true	Enable subtree searching on the dc=example,dc=org branch.

Aggregate DN Resolver

This authenticator combines the results of multiple DN resolvers.

Spring Configuration

Code Block

language	xml

<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:PT3S}"
      p:responseTimeout="%{idp.authn.LDAP.responseTimeout:PT3S}"
      p:sslConfig-ref="sslConfig" />

<alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />

<bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
<bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
  <property name="credentialConfig">
    <bean parent="shibboleth.X509ResourceCredentialConfig" p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" />
  </property>
</bean>
<bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
  <property name="credentialConfig">
    <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
  </property>
</bean>

<!-- Pool Configuration -->
<bean id="connectionPool" class="org.ldaptive.PooledConnectionFactory" abstract="true"
      p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
      p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
      p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
      p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
      p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
      p:pruneStrategy-ref="pruneStrategy"
      p:validator-ref="searchValidator"
      p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}"
      p:idleTime="%{idp.pool.LDAP.idleTime:PT10M}" />
<bean id="searchValidator" class="org.ldaptive.SearchConnectionValidator" p:validatePeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"/>

<!-- Authentication handler -->
<bean id="authHandler" class="org.ldaptive.auth.SimpleBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" />
<bean id="bindPooledConnectionFactory" class="org.ldaptive.PooledConnectionFactory" parent="connectionPool"
      p:name="bind-pool"
      p:connectionConfig-ref="bindConnectionConfig" />
<bean id="bindConnectionConfig" parent="connectionConfig" />

<!-- Anonymous Search Configuration -->
<bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
  <constructor-arg index="0" ref="anonSearchDnResolver" />
  <constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.TemplateSearchDnResolver"
      p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
      p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
      p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
  <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
  <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
</bean>
<bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.PooledConnectionFactory" parent="connectionPool"
      p:name="search-pool"
      p:connectionConfig-ref="anonSearchConnectionConfig" />
<bean id="anonSearchConnectionConfig" parent="connectionConfig" />

<bean name="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator">
  <constructor-arg index="0" ref="aggregateDnResolver" />
  <constructor-arg index="1" ref="aggregateAuthHandler" />
</bean>
<bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver">
  <constructor-arg index="0">
    <util:map id="dnResolvers">
      <entry key="filter1" value-ref="dnResolver1" />
      <entry key="filter2" value-ref="dnResolver2" />
    </util:map>
  </constructor-arg>
</bean>
<bean id="aggregateAuthHandler" class="org.ldaptive.auth.AggregateAuthenticationHandler">
  <constructor-arg index="0">
    <!-- Use the same authentication handler for both DN resolvers -->
    <util:map id="authHandlers">
      <entry key="filter1" value-ref="authHandler" />
      <entry key="filter2" value-ref="authHandler" />
    </util:map>
  </constructor-arg>
</bean>

<!-- Define two DN resolvers that use anonymous search against the same directory -->
<bean id="dnResolver1" class="org.ldaptive.auth.SearchDnResolver" p:baseDn="%{idp.authn.LDAP.baseDN1}"
      p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" p:userFilter="%{idp.authn.LDAP.userFilter1}"
      p:connectionFactory-ref="anonSearchPooledConnectionFactory" />
<bean id="dnResolver2" class="org.ldaptive.auth.SearchDnResolver" p:baseDn="%{idp.authn.LDAP.baseDN2}"
      p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" p:userFilter="%{idp.authn.LDAP.userFilter2}"
      p:connectionFactory-ref="anonSearchPooledConnectionFactory" />

Add the idp.authn.LDAP.baseDN[12] and idp.authn.LDAP.userFilter[12] properties to conf/ldap.properties. The key values used in dnResolvers and authHandlers can be anything, but must tie a single DN resolver to a single auth handler. By default an error will occur if more than (1) DN is resolved.

In addition to these beans, the aggregateAuthenticator bean (in the example above) must be injected into the LDAP credential validator in password-authn-config.xml:

Code Block

<util:list id="shibboleth.authn.Password.Validators">
    <!-- Default bean uses the settings defined in ldap.properties -->
    <bean parent="shibboleth.LDAPValidator" p:authenticator-ref="aggregateAuthenticator" />
</util:list>

Multiple Directories

Aggregate DN Resolver

This authenticator combines the results of multiple DN resolvers that connect to multiple directories.

Spring Configuration

Code Block

language	xml

<bean name="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator">
 
  <constructor-arg index="0" ref="aggregateDnResolver" />
 
  <constructor-arg index="1" ref="aggregateAuthHandler" />
</bean>
<bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver">
    <constructor-arg index="0">
 ref="dnResolvers" /> </bean>
<bean <util:map id="aggregateAuthHandlerdnResolvers" class="org.ldaptive.auth.AggregateDnResolver$AuthenticationHandler" p:authenticationHandlers-ref="authHandlers" />
<util:map id="dnResolvers">
    >
      <entry key="directory1" value-ref="dnResolver1" />
      <entry key="directory2" value-ref="dnResolver2" />
    </util:map>
  </constructor-arg>
</bean>
<bean id="aggregateAuthHandler" class="org.ldaptive.auth.AggregateAuthenticationHandler">
  <constructor-arg index="0">
    <util:map id="authHandlers">
      <entry key="directory1" value-ref="authHandler1" />
      <entry key="directory2" value-ref="authHandler2" />
    </util:map>
  </constructor-arg>
</bean>
<!-- define DN resolvers and authentication handlers for each directory... -->

Complete example with DN resolvers and authentication handlers for bindSearch

Code Block

language	xml

<!-- Properties:
- idp.authn.LDAP.authenticator = aggregateAuthenticator
- idp.authn.LDAP.ldapURL1
- idp.authn.LDAP.ldapURL2
- idp.authn.LDAP.baseDN1
- idp.authn.LDAP.baseDN2
- idp.authn.LDAP.userFilter1
- idp.authn.LDAP.userFilter2
- idp.authn.LDAP.bindDN1
- idp.authn.LDAP.bindDN2
- idp.authn.LDAP.bindDNCredential1
- idp.authn.LDAP.bindDNCredential2
-->
<bean id="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="aggregateDnResolver"
      c:handler-ref="aggregateAuthHandler" />

<!-- Aggregate DN resolution -->
<bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver"  p:allowMultipleDns="true">
    c:resolvers-ref<constructor-arg index="dnResolvers0"
  >
   p:allowMultipleDns="true" />
<util:map id="dnResolvers">
      <entry key="directory1" value-ref="bindSearchDnResolver1" />
      <entry key="directory2" value-ref="bindSearchDnResolver2" />
    </util:map>
  </constructor-arg>
</bean>

<!-- DN resolver 1 reusable PooledConnectionFactory parent bean with pool settings -->
<bean id="bindSearchDnResolver1pooledConnectionFactory" class="org.ldaptive.auth.PooledSearchDnResolverPooledConnectionFactory"
 
    p:baseDnblockWaitTime="#{'%{idp.authnpool.LDAP.baseDN1blockWaitTime:undefined}'.trim()}"
 PT3S}"
    p:subtreeSearchpruneStrategy-ref="%{idp.authn.LDAP.subtreeSearch:false}pruneStrategy"
      p:userFiltervalidator-ref="searchValidator"
    p:failFastInitialize="#{'%{idp.authnpool.LDAP.userFilter1failFastInitialize:undefined}'.trim()}"
 false}"
    p:connectionFactory-refminPoolSize="bindSearchPooledConnectionFactory" />
<bean id="bindSearchPooledConnectionFactory1" class="org.ldaptive.pool.PooledConnectionFactory%{idp.pool.LDAP.minSize:3}"
    p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
      p:connectionPool-refvalidateOnCheckOut="bindSearchConnectionPool1" />
<bean id="bindSearchConnectionPool1" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
      p:connectionFactory-ref="bindSearchConnectionFactory1"
%{idp.pool.LDAP.validateOnCheckout:false}"
    p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}" />

<!-- DN resolver 1 -->
<bean id="bindSearchDnResolver1" class="net.shibboleth.idp.authn.TemplateSearchDnResolver"
     p:name="search-pool1" />
<bean id="bindSearchConnectionFactory1" class="org.ldaptive.DefaultConnectionFactory"
 baseDn="#{'%{idp.authn.LDAP1.baseDN:undefined}'.trim()}"
    p:subtreeSearch="%{idp.authn.LDAP1.subtreeSearch:false}"
    p:connectionConfigconnectionFactory-ref="bindSearchConnectionConfig1bindSearchPooledConnectionFactory1" />
<bean id="bindSearchConnectionConfig1" parent="connectionConfig"       p:connectionInitializer-ref="bindConnectionInitializer1"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL1}<constructor-arg index="0" ref="shibboleth.VelocityEngine" />
   <bean id="bindConnectionInitializer1" class="org.ldaptive.BindConnectionInitializer"
      p:bindDn <constructor-arg index="1" value="#{'%{idp.authn.LDAPLDAP1.bindDN1userFilter:undefined}'.trim()}" />
</bean>
<bean   <property nameid="bindSearchPooledConnectionFactory1" parent="bindCredentialpooledConnectionFactory">
    <bean classp:connectionConfig-ref="org.ldaptive.Credential" c:password="%{idp.authn.LDAP.bindDNCredential1:undefined}" />
    </property>
</bean>
<!-- DN resolver 2 --bindSearchConnectionConfig1" />
<bean id="bindSearchConnectionConfig1" parent="connectionConfig1" p:connectionInitializers-ref="bindConnectionInitializer1" />
<bean id="bindSearchDnResolver2bindConnectionInitializer1" class="org.ldaptive.auth.PooledSearchDnResolverBindConnectionInitializer"
        p:baseDnbindDn="#{'%{idp.authn.LDAPLDAP1.baseDN2bindDN:undefined}'.trim()}">
    <property  p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"name="bindCredential">
        <bean p:userFilterclass="#{'%{idp.authn.LDAP.userFilter2:undefined}'.trim()}"org.ldaptive.Credential">
            p:connectionFactory-ref="bindSearchPooledConnectionFactory<constructor-arg value="%{idp.authn.LDAP1.bindDNCredential:undefined}" />
 <bean id="bindSearchPooledConnectionFactory2" class="org.ldaptive.pool.PooledConnectionFactory"
        </bean>
    p:connectionPool-ref="bindSearchConnectionPool2" /></property>
</bean>

<bean id="bindSearchConnectionPool2connectionConfig1" class="org.ldaptive.pool.BlockingConnectionPoolConnectionConfig" parentabstract="connectionPool"
     true" p:connectionFactory-refldapUrl="bindSearchConnectionFactory2%{idp.authn.LDAP1.ldapURL}"
      p:nameuseStartTLS="search-pool2" />
<bean id="bindSearchConnectionFactory2" class="org.ldaptive.DefaultConnectionFactory"
 %{idp.authn.LDAP1.useStartTLS:true}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:PT3S}"
    p:responseTimeout="%{idp.authn.LDAP.responseTimeout:PT3S}"
    p:connectionConfigsslConfig-ref="bindSearchConnectionConfig2sslConfig" />
<bean id="bindSearchConnectionConfig2" parent="connectionConfig"
      p:connectionInitializer-ref="bindConnectionInitializer2"

<!-- DN resolver 2 -->
<bean id="bindSearchDnResolver2" class="net.shibboleth.idp.authn.TemplateSearchDnResolver"
     p:ldapUrlbaseDn="#{'%{idp.authn.LDAPLDAP2.ldapURL2}" />
<bean id="bindConnectionInitializer2" class="org.ldaptive.BindConnectionInitializerbaseDN:undefined}'.trim()}"
      p:bindDnsubtreeSearch="#{'%{idp.authn.LDAPLDAP2.bindDN2:undefined}'.trim()subtreeSearch:false}">
    <property namep:connectionFactory-ref="bindCredentialbindSearchPooledConnectionFactory2" >
    <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
    <bean<constructor-arg classindex="org.ldaptive.Credential1" c:passwordvalue="#{'%{idp.authn.LDAPLDAP2.bindDNCredential2userFilter:undefined}" '.trim()}" />
 
  </property>
</bean>

<!-- Aggregate authentication -->
<bean id="aggregateAuthHandlerbindSearchPooledConnectionFactory2" classparent="org.ldaptive.auth.AggregateDnResolver$AuthenticationHandlerpooledConnectionFactory"
      p:authenticationHandlersconnectionConfig-ref="authHandlersbindSearchConnectionConfig2" />
<util:map<bean id="authHandlersbindSearchConnectionConfig2">
    <entry key parent="directory1connectionConfig2" valuep:connectionInitializers-ref="authHandler1bindConnectionInitializer2" />
    <entry key<bean id="directory2bindConnectionInitializer2" value-refclass="authHandler2org.ldaptive.BindConnectionInitializer"
/>
</util:map>  <!-- Authentication handler 1 --> <bean id="authHandler1" class="org.ldaptive.auth.PooledBindAuthenticationHandler"p:bindDn="#{'%{idp.authn.LDAP2.bindDN:undefined}'.trim()}">
      p:connectionFactory-ref<property name="bindPooledConnectionFactory1" />
<bean id="bindPooledConnectionFactory1"bindCredential">
        <bean class="org.ldaptive.pool.PooledConnectionFactory"Credential">
            p:connectionPool-ref="bindConnectionPool1<constructor-arg value="%{idp.authn.LDAP2.bindDNCredential:undefined}" />
        </bean>
    </property>
</bean>

<bean id="bindConnectionPool1connectionConfig2" class="org.ldaptive.pool.BlockingConnectionPoolConnectionConfig" parentabstract="connectionPooltrue"  p:ldapUrl="%{idp.authn.LDAP2.ldapURL}"
    p:connectionFactory-refuseStartTLS="bindConnectionFactory1"
 %{idp.authn.LDAP2.useStartTLS:true}"
    p:nameconnectTimeout="bind-pool1" />
<bean id="bindConnectionFactory1" class="org.ldaptive.DefaultConnectionFactory"
 %{idp.authn.LDAP.connectTimeout:PT3S}"
    p:responseTimeout="%{idp.authn.LDAP.responseTimeout:PT3S}"
    p:connectionConfigsslConfig-ref="bindConnectionConfig1sslConfig" />

<!-- Aggregate authentication -->
<bean id="bindConnectionConfig1aggregateAuthHandler" parentclass="connectionConfig"org.ldaptive.auth.AggregateAuthenticationHandler">
      p:ldapUrl="%{idp.authn.LDAP.ldapURL1}" />
<!-- Authentication handler 2 -->
<bean<constructor-arg index="0">
    <util:map id="authHandler2authHandlers" class="org.ldaptive.auth.PooledBindAuthenticationHandler">
      <entry  p:connectionFactorykey="directory1" value-ref="bindPooledConnectionFactory2authHandler1" />
<bean
id="bindPooledConnectionFactory2" class="org.ldaptive.pool.PooledConnectionFactory"     <entry  p:connectionPoolkey="directory2" value-ref="bindConnectionPool2authHandler2" />
 <bean  id="bindConnectionPool2" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
      p:connectionFactory-ref="bindConnectionFactory2"
      p:name="bind-pool2 </util:map>
  </constructor-arg>
</bean>

<!-- Authentication handler 1 -->

<bean id="authHandler1" class="org.ldaptive.auth.SimpleBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory1" />
<bean id="bindConnectionFactory2bindPooledConnectionFactory1" classparent="org.ldaptive.DefaultConnectionFactory"
     pooledConnectionFactory" p:connectionConfig-ref="bindConnectionConfig2bindConnectionConfig1" />
<bean id="bindConnectionConfig2bindConnectionConfig1" parent="connectionConfigconnectionConfig1" />

<!-- Authentication handler 2 -->
<bean p:ldapUrl="%id="authHandler2" class="org.ldaptive.auth.SimpleBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory2" />
<bean id="bindPooledConnectionFactory2" parent="pooledConnectionFactory" p:connectionConfig-ref="bindConnectionConfig2" />
<bean id="bindConnectionConfig2" parent="connectionConfig2" />

<!-- shared definitions -->

<alias name="%{idp.authn.LDAP.ldapURL2}sslConfig:certificateTrust}" alias="sslConfig" />

DN resolvers are invoked asynchronously, so all resolvers will be used for each authentication request.

Expand

title	Account State

The ldaptive LDAP library has the ability to extract detailed account status information from the directory during authentication. According to the Ldaptive documentation, no standard for exposing account state data has been universally adopted by LDAP vendors, but the library uses a handler which encapsulates account state information. This state contains Warning and Error types that are common to the most popular policy implementations.

Password Policy Control

The Password Policy for LDAP Directories (draft) standard is implemented by several LDAP directories, including OpenLDAP and Oracle DSEE. The Password Policy Control is used during an LDAP bind operation to request information about the user's account state.

To enable the Password Policy Control handlers in ldaptive, add the following to conf/ldap.properties:

conf/ldap.properties

Code Block

language	xml

# Use password policy control
idp.authn.LDAP.usePasswordPolicy = true

The user will be informed on the login page if there are any Password Policy warnings or errors (messages can be customized in messages/messages.properties).

Password expiration warnings have been confirmed to work with Oracle DSEE. Please notify us or edit this page if you test successfully with other directory products.

Locked Accounts

To inform the user of a locked account, some configuration is needed to detect the error code returned by the LDAP bind request.

In authn/password-authn-config.xml, add an entry to the message clasification rules defined by shibboleth.authn.Password.ClassifiedMessageMap

password-authn-config.xml

Code Block

language	xml

<entry key="AccountLocked

<bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
<bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
    <property name="credentialConfig">
        <bean parent="shibboleth.X509ResourceCredentialConfig" p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" />
    </property>
</bean>
<bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
    <property name="credentialConfig">
    <list>    <bean     <value>ACCOUNT_LOCKED</value>parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
    </list>property>
</entry>

This maps the error code to a AccountLocked event. It will run the empty user flow authn/conditions/account-locked and then pass control back to the form. With this configuration, the user gets the message "Your account is locked".

Debug information

Details of the AuthenticationResponse received, including the password policy controls, can be viewed using the TRACE log level in the logger of name "net.shibboleth.idp" (edit logback.xml).

Active Directory Configuration

The system comes with definitions to configure Active Directory authentication response handlers against a single directory.

Active Directory does not fully support extensible match rules (https://msdn.microsoft.com/en-us/library/cc223241.aspx).

Active Directory (by default) does not support anonymous queries (https://technet.microsoft.com/en-us/library/Cc755809%28v=WS.10%29.aspx).

Using an entry resolver to generate password expiration warnings

Spring Configuration

Code Block

language	xml

<!-- authenticator with entry resolver-->
<bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:entryResolver-ref="bindSearchEntryResolver" p:authenticationResponseHandlers-ref="authenticationResponseHandler" p:resolveEntryOnFailure="false">
    <constructor-arg index="0" ref="formatDnResolver" />
    <constructor-arg index="1" ref="authHandler" />
</bean>
 
<!-- authentication response handler that defines a password expiration period and warning period -->
<!-- expiration period is the amount of time since a password was set that it will expire in period notation -->
<!-- expiration period is only used if the msDS-UserPasswordExpiryTimeComputed attributes cannot be read and pwdLastSet can be read -->
<!-- warning period is the amount of time before expiration to produce a warning in period notation. Warning period is only applied if an expiration period can be resolved. -->
<!-- note that this response handler has a default constructor without these properties if you don't want to override the defaults -->
<bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" >
    <constructor-arg index="0">
        <bean factory-method="parse" class="java.time.Period">
            <constructor-arg value="%{idp.authn.LDAP.expirationPeriod}" />
        </bean>
    </constructor-arg>
    <constructor-arg index="1">
        <bean factory-method="parse" class="java.time.Period">
            <constructor-arg value="%{idp.authn.LDAP.warningPeriod}" />bean>

<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
    p:prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}"
    p:idleTime="%{idp.pool.LDAP.idleTime:PT10M}" />

<bean id="searchValidator" class="org.ldaptive.SearchConnectionValidator"
    p:validatePeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" />

DN resolvers are invoked asynchronously, so all resolvers will be used for each authentication request.

Expand

title	Account State

The ldaptive LDAP library has the ability to extract detailed account status information from the directory during authentication. According to the Ldaptive documentation, no standard for exposing account state data has been universally adopted by LDAP vendors, but the library uses a handler which encapsulates account state information. This state contains Warning and Error types that are common to the most popular policy implementations.

Password Policy Control

The Password Policy for LDAP Directories (draft) standard is implemented by several LDAP directories, including OpenLDAP and Oracle DSEE. The Password Policy Control is used during an LDAP bind operation to request information about the user's account state.

To enable the Password Policy Control handlers in ldaptive, add the following to conf/ldap.properties:

conf/ldap.properties

Code Block

language	xml

# Use password policy control
idp.authn.LDAP.usePasswordPolicy = true

The user will be informed on the login page if there are any Password Policy warnings or errors (messages can be customized in messages/messages.properties).

Password expiration warnings have been confirmed to work with Oracle DSEE. Please notify us or edit this page if you test successfully with other directory products.

Locked Accounts

To inform the user of a locked account, some configuration is needed to detect the error code returned by the LDAP bind request.

In authn/password-authn-config.xml, add an entry to the message clasification rules defined by shibboleth.authn.Password.ClassifiedMessageMap

password-authn-config.xml

Code Block

language	xml

<entry key="AccountLocked">
    <list>
        <<value>ACCOUNT_LOCKED</bean>value>
    </constructor-arg>list>
</bean>
 
<!-- Add an entry resolver to read the pwdLastSet, must be included in idp.authn.LDAP.returnAttributes -->
<bean id="bindSearchEntryResolver" class="org.ldaptive.auth.PooledSearchEntryResolver" p:connectionFactory-ref="entryResolverPooledConnectionFactory" />
<bean id="entryResolverPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="entryResolverConnectionPool" />
<bean id="entryResolverConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" p:connectionFactory-ref="entryResolverConnectionFactory" p:name="entry-resolver-pool" /entry>

This maps the error code to a AccountLocked event. It will run the empty user flow authn/conditions/account-locked and then pass control back to the form. With this configuration, the user gets the message "Your account is locked".

Debug information

Details of the AuthenticationResponse received, including the password policy controls, can be viewed using the TRACE log level in the logger of name "net.shibboleth.idp" (edit logback.xml).

Active Directory Configuration

The system comes with definitions to configure Active Directory authentication response handlers against a single directory.

Active Directory does not fully support extensible match rules (https://msdn.microsoft.com/en-us/library/cc223241.aspx).

Active Directory (by default) does not support anonymous queries (https://technet.microsoft.com/en-us/library/Cc755809%28v=WS.10%29.aspx).

Using an entry resolver to generate password expiration warnings

Spring Configuration

Code Block

language	xml

<!-- authenticator with entry resolver-->
<bean id="entryResolverConnectionFactoryadAuthenticator" class="org.ldaptive.auth.DefaultConnectionFactoryAuthenticator" p:connectionConfigentryResolver-ref="entryResolverConnectionConfig" />
<bean id="entryResolverConnectionConfig" parent="connectionConfig" p:connectionInitializerbindSearchEntryResolver" p:responseHandlers-ref="entryResolverConnectionInitializer" />
<bean id="entryResolverConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" p:bindDn="%{idp.authn.LDAP.entryResolver.bindDN}authenticationResponseHandler" p:resolveEntryOnFailure="false">
    <property name<constructor-arg index="bindCredential0">
        <bean class="org.ldaptive.Credential">
          ref="formatDnResolver" />
  <constructor-arg value="%{idp.authn.LDAP.entryResolver.bindDNCredential}index="1" ref="authHandler" />
</bean>

<!-- authentication response handler that defines a password </bean>expiration period and warning  </property>
</bean>

Example for two Active Directories with two DN Resolvers for each

This example uses directed BaseDN's with LDAP filters, and binds the queries.

Spring Configuration

Code Block

language	xml

<!-- Define Directory1 connection pool -->
    <bean id="adConnectionPool1" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
        p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        p:poolConfig-ref="adPoolConfig1"
        p:pruneStrategy-ref="adPruneStrategy1"
        p:validator-ref="adSearchValidator1"
        p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
    <bean id="adPoolConfig1" class="org.ldaptive.pool.PoolConfig"
        p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
        p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
        p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        p:validatePeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" /period -->
<!-- expiration period is the amount of time since a password was set that it will expire in period notation -->
<!-- expiration period is only used if the msDS-UserPasswordExpiryTimeComputed attributes cannot be read and pwdLastSet can be read -->
<!-- warning period is the amount of time before expiration to produce a warning in period notation. Warning period is only applied if an expiration period can be resolved. -->
<!-- note that this response handler has a default constructor without these properties if you don't want to override the defaults -->
<bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" >
  <constructor-arg index="0">
    <bean factory-method="parse" class="java.time.Period">
      <constructor-arg value="%{idp.authn.LDAP.expirationPeriod}" />
    </bean>
  </constructor-arg>
  <constructor-arg index="1">
    <bean idfactory-method="adPruneStrategy1parse" class="orgjava.ldaptivetime.pool.IdlePruneStrategyPeriod">
        p:prunePeriod<constructor-arg value="%{idp.poolauthn.LDAP.prunePeriod:PT5MwarningPeriod}" />
    </bean>
  p:idleTime="%{idp.pool.LDAP.idleTime:PT10M}" />
    <bean id="adSearchValidator1" class="org.ldaptive.pool.SearchValidator" />
<!-- Directory1 connection pool settings</constructor-arg>
</bean>

<!-- Add an entry resolver to read the pwdLastSet, must be included in idp.authn.LDAP.returnAttributes -->
    <bean id="adConnectionConfig1bindSearchEntryResolver" class="org.ldaptive.ConnectionConfigauth.SearchEntryResolver" abstractp:connectionFactory-ref="trueentryResolverPooledConnectionFactory" />
<bean       p:ldapUrl="%{idp.authn.LDAP.ldapURL1}"
        p:useStartTLS="%{idp.authn.LDAP.useStartTLS1:true}"
        p:connectTimeout="%{idp.authn.LDAP.connectTimeout1:PT3S}"
        p:sslConfig-ref="adSslConfig1id="entryResolverPooledConnectionFactory" class="org.ldaptive.PooledConnectionFactory" parent="connectionPool" p:name="entry-resolver-pool" p:connectionConfig-ref="entryResolverConnectionConfig" />
<bean    <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="adSslConfig1" />
<!-- Define Directory2 connection pool -->
    id="entryResolverConnectionConfig" parent="connectionConfig" p:connectionInitializers-ref="entryResolverConnectionInitializer" />
<bean id="adConnectionPool2entryResolverConnectionInitializer" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
       BindConnectionInitializer" p:blockWaitTimebindDn="%{idp.poolauthn.LDAP.blockWaitTime:PT3S}"
        p:poolConfig-ref="adPoolConfig2"entryResolver.bindDN}">
        p:pruneStrategy-ref<property name="adPruneStrategy2bindCredential">
        p:validator-ref="adSearchValidator2"<bean class="org.ldaptive.Credential">
        p:failFastInitialize<constructor-arg value="%{idp.poolauthn.LDAP.entryResolver.failFastInitialize:falsebindDNCredential}" />
    </bean>
  </property>
</bean>

Example for two Active Directories with two DN Resolvers for each

This example uses directed BaseDN's with LDAP filters, and binds the queries.

Spring Configuration

Code Block

language	xml

<!-- Define Directory1 connection pool -->
<bean id="adPoolConfig2adConnectionPool1" class="org.ldaptive.pool.PoolConfigPooledConnectionFactory"         p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
 abstract="true"
      p:maxPoolSizeblockWaitTime="%{idp.pool.LDAP.maxSizeblockWaitTime:10PT3S}"
 
      p:validateOnCheckOutminPoolSize="%{idp.pool.LDAP.validateOnCheckoutminSize:false3}"

       p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        p:validatePeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" />
    <bean id="adPruneStrategy2" class="org.ldaptive.pool.IdlePruneStrategy p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        p:prunePeriodvalidateOnCheckOut="%{idp.pool.LDAP.prunePeriodvalidateOnCheckout:PT5Mfalse}"
        p:idleTimevalidatePeriodically="%{idp.pool.LDAP.idleTimevalidatePeriodically:PT10Mtrue}"
/>     <bean idp:pruneStrategy-ref="adSearchValidator2" class="org.ldaptive.pool.SearchValidator" />
<!-- Directory2 connection pool settings -->
   adPruneStrategy1"
      p:validator-ref="adSearchValidator1"
      p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<bean id="adConnectionConfig2adPruneStrategy1" class="org.ldaptive.ConnectionConfig" abstract="true"
 .pool.IdlePruneStrategy"
      p:ldapUrlprunePeriod="%{idp.authnpool.LDAP.ldapURL3prunePeriod:PT5M}"
        p:useStartTLSidleTime="%{idp.authnpool.LDAP.useStartTLS3idleTime:truePT10M}" />
<bean id="adSearchValidator1" class="org.ldaptive.SearchConnectionValidator"
      p:connectTimeoutvalidatePeriod="%{idp.authnpool.LDAP.connectTimeout3validatePeriod:PT3SPT5M}" />
<!-- Directory1 connection pool settings -->
<bean p:sslConfig-refid="adSslConfig2adConnectionConfig1" />
    <alias nameclass="%{idporg.authn.LDAP.sslConfig:certificateTrust}ldaptive.ConnectionConfig" aliasabstract="adSslConfig2true"
   />  <!-- ldap.properties " p:ldapUrl="%{idp.authn.LDAP.authenticator = adAggregateAuthenticatorldapURL1}"
-->     <bean idp:useStartTLS="adAggregateAuthenticator" class="org.ldaptive.auth.Authenticator"
%{idp.authn.LDAP.useStartTLS1:true}"
       p:authenticationResponseHandlers-refconnectTimeout="adAuthenticationResponseHandler">%{idp.authn.LDAP.connectTimeout1:PT3S}"
        <constructor-arg index="0" p:sslConfig-ref="adAggregateDnResolveradSslConfig1" />
        <constructor-arg index="1" ref="adAggregateAuthHandler<alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="adSslConfig1" />
    </bean>
   <!-- Define Directory2 connection pool -->
<bean id="adAuthenticationResponseHandleradConnectionPool2" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandlerPooledConnectionFactory" abstract="true"
/>     <bean idp:blockWaitTime="adAggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver">%{idp.pool.LDAP.blockWaitTime:PT3S}"
      p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
        <constructor-arg index="0" ref="adDnResolvers" />
    </bean>p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
      p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
     <bean idp:validatePeriodically="adAggregateAuthHandler" class="org.ldaptive.auth.AggregateDnResolver$AuthenticationHandler"
 %{idp.pool.LDAP.validatePeriodically:true}"
      p:authenticationHandlerspruneStrategy-ref="adAuthHandlersadPruneStrategy2"
 />     <util:map idp:validator-ref="adDnResolversadSearchValidator2">
      p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<entry<bean keyid="directory1_filter1adPruneStrategy2" value-refclass="adDnResolver1" />
  org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}"
     <entry key="directory1_filter2" value-ref="adDnResolver2"p:idleTime="%{idp.pool.LDAP.idleTime:PT10M}" />
        <entry key="directory2_filter3" value-ref="adDnResolver3" /><bean id="adSearchValidator2" class="org.ldaptive.SearchConnectionValidator"
         <entry key="directory2_filter4" value-ref="adDnResolver4p:validatePeriod="%{idp.pool.LDAP.validatePeriod:PT5M}" />
   
</util:map>
<!-- Define two DN resolvers that use bind search against the Directory1 directory Directory2 connection pool settings -->
 
  <bean id="adDnResolver1adConnectionConfig2" class="org.ldaptive.auth.PooledSearchDnResolverConnectionConfig"  abstract="true"
      p:baseDnldapUrl="%{idp.authn.LDAP.baseDN1ldapURL3}"
        p:subtreeSearchuseStartTLS="%{idp.authn.LDAP.subtreeSearch1useStartTLS3:falsetrue}"
 
      p:userFilterconnectTimeout="%{idp.authn.LDAP.userFilter1connectTimeout3:PT3S}"

       p:connectionFactorysslConfig-ref="adBindSearchPooledConnectionFactory1adSslConfig2" />
    <bean id="adDnResolver2" class="org.ldaptive.auth.PooledSearchDnResolver"
        p:baseDn<alias name="%{idp.authn.LDAP.baseDN2sslConfig:certificateTrust}" alias="adSslConfig2" />

     p:subtreeSearch="%{<!-- ldap.properties "idp.authn.LDAP.subtreeSearch2:false}"authenticator = adAggregateAuthenticator" -->
<bean     p:userFilter="%{idp.authn.LDAP.userFilter2}"
 id="adAggregateAuthenticator" class="org.ldaptive.auth.Authenticator"
      p:connectionFactoryresponseHandlers-ref="adBindSearchPooledConnectionFactory1adAuthenticationResponseHandler">
 /> <!-- Define two DN resolvers that use bind search against the Directory2 directory -->
    <constructor-arg index="0" ref="adAggregateDnResolver" />
  <constructor-arg index="1" ref="adAggregateAuthHandler" />
</bean>
<bean id="adAuthenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
<bean id="adDnResolver3adAggregateDnResolver" class="org.ldaptive.auth.PooledSearchDnResolverAggregateDnResolver">
  <constructor-arg index="0" ref="adDnResolvers" />
</bean>
<bean p:baseDnid="%{idp.authn.LDAP.baseDN3}"
        p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch3:false}adAggregateAuthHandler" class="org.ldaptive.auth.AggregateAuthenticationHandler"
        p:userFilterauthenticationHandlers-ref="%{idp.authn.LDAP.userFilter3}adAuthHandlers" />
<util:map id="adDnResolvers">
  <entry   p:connectionFactorykey="directory1_filter1" value-ref="adBindSearchPooledConnectionFactory2adDnResolver1" />
  <entry  <bean idkey="adDnResolver4directory1_filter2" classvalue-ref="org.ldaptive.auth.PooledSearchDnResolveradDnResolver2" />
       p:baseDn="%{idp.authn.LDAP.baseDN4}"
        p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch4:false}"
        p:userFilter="%{idp.authn.LDAP.userFilter4}"
        p:connectionFactory-ref="adBindSearchPooledConnectionFactory2" /><entry key="directory2_filter3" value-ref="adDnResolver3" />
  <entry key="directory2_filter4" value-ref="adDnResolver4" />
</util:map>
<!-- Define Directory1 Search-pooltwo DN resolvers that use bind search against the Directory1 directory -->
 
  <bean id="adBindSearchPooledConnectionFactory1adDnResolver1" class="org.ldaptive.poolauth.PooledConnectionFactorySearchDnResolver"
        p:connectionPool-refbaseDn="adBindSearchConnectionPool1%{idp.authn.LDAP.baseDN1}"
/>     <bean idp:subtreeSearch="adBindSearchConnectionPool1" class="org.ldaptive.pool.BlockingConnectionPool"
        parent="adConnectionPool1"
 %{idp.authn.LDAP.subtreeSearch1:false}"
      p:connectionFactory-refuserFilter="adBindSearchConnectionFactory1"
 %{idp.authn.LDAP.userFilter1}"
      p:nameconnectionFactory-ref="adSearch-pool1adBindSearchPooledConnectionFactory1" />
    <bean id="adBindSearchConnectionFactory1adDnResolver2" class="org.ldaptive.auth.DefaultConnectionFactorySearchDnResolver"
 
      p:connectionConfig-refbaseDn="adBindSearchConnectionConfig1%{idp.authn.LDAP.baseDN2}"
/>     <bean idp:subtreeSearch="adBindSearchConnectionConfig1%{idp.authn.LDAP.subtreeSearch2:false}"
         parent="adConnectionConfig1"
 p:userFilter="%{idp.authn.LDAP.userFilter2}"
      p:connectionInitializerconnectionFactory-ref="adBindConnectionInitializer1adBindSearchPooledConnectionFactory1" />
<!-- Define two DN resolvers that use bind search against the Directory2 directory -->
<bean id="adBindConnectionInitializer1adDnResolver3" class="org.ldaptive.auth.BindConnectionInitializerSearchDnResolver"
 
      p:bindDnbaseDn="%{idp.authn.LDAP.bindDN1baseDN3}">
        <property name="bindCredential">
            <bean class="org.ldaptive.Credential">p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch3:false}"
                <constructor-arg valuep:userFilter="%{idp.authn.LDAP.bindDNCredential1userFilter3}"
/>             </bean>
    p:connectionFactory-ref="adBindSearchPooledConnectionFactory2" />
<bean id="adDnResolver4" class="org.ldaptive.auth.SearchDnResolver"
   </property>   p:baseDn="%{idp.authn.LDAP.baseDN4}"
 </bean> <!-- Define Directory2 Search-pool --> p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch4:false}"
    <bean id="adBindSearchPooledConnectionFactory2" class="org.ldaptive.pool.PooledConnectionFactory"
 p:userFilter="%{idp.authn.LDAP.userFilter4}"
       p:connectionPoolconnectionFactory-ref="adBindSearchConnectionPool2adBindSearchPooledConnectionFactory2" />
<!-- Define Directory1 Search-pool -->
<bean id="adBindSearchConnectionPool2adBindSearchPooledConnectionFactory1" class="org.ldaptive.pool.BlockingConnectionPool"
        parent="adConnectionPool2"
PooledConnectionFactory"
       p:connectionFactory-refparent="adBindSearchConnectionFactory2adConnectionPool1"
 
      p:name="adSearch-pool2pool1"
/>     <bean id="adBindSearchConnectionFactory2" class="org.ldaptive.DefaultConnectionFactory"
        p:connectionConfig-ref="adBindSearchConnectionConfig2adBindSearchConnectionConfig1" />
   
<bean id="adBindSearchConnectionConfig2adBindSearchConnectionConfig1" 
 
      parent="adConnectionConfig2adConnectionConfig1"
        p:connectionInitializerconnectionInitializers-ref="adBindConnectionInitializer2adBindConnectionInitializer1" />

   <bean id="adBindConnectionInitializer2adBindConnectionInitializer1" class="org.ldaptive.BindConnectionInitializer"
 
      p:bindDn="%{idp.authn.LDAP.bindDN3bindDN1}">
    
   <property name="bindCredential">
     
      <bean class="org.ldaptive.Credential">
         
      <constructor-arg value="%{idp.authn.LDAP.bindDNCredential3bindDNCredential1}" />
            </bean>
>
    </bean>
  </property>
  
 </bean>
<!-- Define Directory2  <util:mapSearch-pool -->
<bean id="adAuthHandlersadBindSearchPooledConnectionFactory2">
 class="org.ldaptive.PooledConnectionFactory"
       <entry keyparent="directory1_filter1adConnectionPool2"
value-ref="adAuthHandler1" />     p:name="adSearch-pool2"
    <entry key="directory1_filter2" value p:connectionConfig-ref="adAuthHandler1adBindSearchConnectionConfig2" />
<bean id="adBindSearchConnectionConfig2"
      <entry keyparent="directory2_filter3" value-ref="adAuthHandler2" />
   adConnectionConfig2"
    <entry key="directory2_filter4" value p:connectionInitializers-ref="adAuthHandler2adBindConnectionInitializer2" />
<bean id="adBindConnectionInitializer2" class="org.ldaptive.BindConnectionInitializer"
 </util:map> <!-- Use the same authentication handler for both Directory1 DN resolvers -- p:bindDn="%{idp.authn.LDAP.bindDN3}">
  <property name="bindCredential">
    <bean idclass="adAuthHandler1" class="org.ldaptive.auth.PooledBindAuthenticationHandler"org.ldaptive.Credential">
      <constructor-arg value="%{idp.authn.LDAP.bindDNCredential3}" />
    </bean>
  </property>
</bean>
p:connectionFactory-ref<util:map id="adBindPooledConnectionFactory1adAuthHandlers" />
  <entry  <bean idkey="adBindPooledConnectionFactory1directory1_filter1" classvalue-ref="org.ldaptive.pool.PooledConnectionFactoryadAuthHandler1" />
  <entry     p:connectionPoolkey="directory1_filter2" value-ref="adBindConnectionPool1adAuthHandler1" />
  <entry  <bean idkey="adBindConnectionPool1directory2_filter3" classvalue-ref="org.ldaptive.pool.BlockingConnectionPooladAuthHandler2" />
  <entry     parentkey="adConnectionPool1directory2_filter4"         p:connectionFactoryvalue-ref="adBindConnectionFactory1adAuthHandler2" />
</util:map>
<!-- Use the same authentication handler  p:name="adBind-pool1" />
    for both Directory1 DN resolvers -->
<bean id="adBindConnectionFactory1adAuthHandler1" class="org.ldaptive.auth.DefaultConnectionFactorySimpleBindAuthenticationHandler"
 
      p:connectionConfigconnectionFactory-ref="adBindConnectionConfig1adBindPooledConnectionFactory1" />
   
<bean id="adBindConnectionConfig1adBindPooledConnectionFactory1" class="org.ldaptive.PooledConnectionFactory"
       parent="adConnectionConfig1adConnectionPool1"
 /> <!-- Use the same authentication handler for both Directory2 DN resolvers -->
    p:name="adBind-pool1"
      p:connectionConfig-ref="adBindConnectionConfig1" />
<bean id="adAuthHandler2" class="org.ldaptive.auth.PooledBindAuthenticationHandleradBindConnectionConfig1"
        p:connectionFactory-refparent="adBindPooledConnectionFactory2adConnectionConfig1" />
<!-- Use the same authentication handler for both Directory2 DN resolvers -->
<bean id="adBindPooledConnectionFactory2adAuthHandler2" class="org.ldaptive.poolauth.PooledConnectionFactorySimpleBindAuthenticationHandler"
 
      p:connectionPoolconnectionFactory-ref="adBindConnectionPool2adBindPooledConnectionFactory2" />
   
<bean id="adBindConnectionPool2adBindPooledConnectionFactory2" class="org.ldaptive.pool.BlockingConnectionPoolPooledConnectionFactory"
 
      parent="adConnectionPool2"
        p:connectionFactory-ref="adBindConnectionFactory2"
 
      p:name="adBind-pool2" />
    <bean id="adBindConnectionFactory2" class="org.ldaptive.DefaultConnectionFactory"
 
      p:connectionConfig-ref="adBindConnectionConfig2" />
 
  <bean id="adBindConnectionConfig2"
 
      parent="adConnectionConfig2" />

Add missing Active Directory account state errors

If adAuthenticator is the authenticator set in the idp.authn.LDAP.authenticator property, Short Description values are contained in the response. If bindSearchAuthenticator is the authenticator set in the idp.authn.LDAP.authenticator property, HEX values are contained in the response. It is possible to use either or both as outlined in the following example. (http://ldapwiki.willeke.com/wiki/Common%20Active%20Directory%20Bind%20Errors)

password-authn-config.xml

Code Block

language	xml

   ...
        <entry key="AccountDisabled">
            <list>
                <value>ACCOUNT_DISABLED</value>
                <value>533</value>
            </list>
        </entry>
        <entry key="AccountExpired">
            <list>
                <value>ACCOUNT_EXPIRED</value>
            </list>
        </entry>
        <entry key="AccountLocked">
            <list>
                <value>ACCOUNT_LOCKED_OUT</value>
                <value>775</value>
            </list>
        </entry>
        <entry key="ChangePassword">
            <list>
                <value>PASSWORD_EXPIRED</value>
                <value>PASSWORD_MUST_CHANGE</value>
                <value>532</value>
            </list>
        </entry>
   ...

messages/messages.properties

Code Block

...
AccountDisabled = account-disabled
AccountExpired = account-expired
AccountLocked = account-locked
ChangePassword = change-password

account-disabled.message = Your account is disabled.
account-expired.message = Your account has expired.
account-locked.message = Your account is locked.
change-password.message = You must change your password before authenticating here.
...

...

Versions Compared

Old Version 6

New Version Current

Key

Spring Configuration

Single Directory with Multiple Branches

Extensible Matching

Aggregate DN Resolver

Spring Configuration

Multiple Directories

Aggregate DN Resolver

Spring Configuration

Password Policy Control

conf/ldap.properties

Locked Accounts

password-authn-config.xml

Debug information

Active Directory Configuration

Using an entry resolver to generate password expiration warnings

Spring Configuration

Password Policy Control

conf/ldap.properties

Locked Accounts

password-authn-config.xml

Debug information

Active Directory Configuration

Using an entry resolver to generate password expiration warnings

Spring Configuration

Example for two Active Directories with two DN Resolvers for each

Spring Configuration

Example for two Active Directories with two DN Resolvers for each

Spring Configuration

Add missing Active Directory account state errors

password-authn-config.xml

messages/messages.properties