Versions Compared

Old Version 8

changes.mady.by.user Daniel Fisher

Saved on

compared with

New Version Current

changes.mady.by.user Vlad Mencl

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: update Multiple Directories example for IDP5

Current File(s): conf/authn/password-authn-config.xml, conf/ldap.properties, conf/authn/authn.properties
Format: Native Spring, Properties

...

The idp.authn.LDAP.authenticator property controls the workflow for how authentication occurs against the LDAP directory for most “simple” cases by automatically configuring a number of underlying objects based on a set of built-in “authenticator types” supported by the ldaptive library.

anonSearchAuthenticator

Performs an anonymous search for the user's DN

bindSearchAuthenticator

Binds with a configured DN as a service account, then searches for the user's DN

directAuthenticator

User DNs are of a known format. i.e. CN=user_name,ou=accounts,dc=domain,dc=edu. No DN search is performed.

adAuthenticator

Configuration that leverages the AD specific @domain.com format. No DN search is performed since AD supports binding directly with that user name.

Depending on the choice above, various other properties must be set (see the reference section below).

...

If StartTLS or SSL are used, a source of trust anchors must be configured to control certificate validation, using the idp.authn.LDAP.sslConfig property:

certificateTrust

Uses the idp.authn.LDAP.trustCertificates property to load a resource containing the trust anchors (such as a file of PEM-format certificates)

keyStoreTrust

Uses the idp.authn.LDAP.trustStore property to load a keystore containing the trust anchors

jvmTrust

Uses the default JVM trust anchors (the JVM-wide "cacerts" file)

disabled

Does not allow SSL or startTLS connections.

We have tentative plans to deprecate the “jvmTrust” option, which has already been removed from the attribute resolution side of the software, as it is bad practice and has been a source of serious security flaws.

...

Expand
titleProperties

A number of properties are found in ldap.properties to configure LDAP authentication global defaults. Most of the time, this is sufficient to deal with most configurations without having to delve into modifying any beans, unless you're trying to chain together separately configured back-ends.

Note that the big "override everything" hook tends to be the idp.authn.LDAP.authenticator property, as most of the other properties auto-configure specific aspects of one of the built-in Authenticator beans.

Property

Type

Default

Function

idp.authn.LDAP.authenticator

Enumeration

anonSearchAuthenticator

Controls the workflow for how authentication occurs against the LDAP, one of: anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator

idp.authn.LDAP.ldapURL

LDAP URI

Connection URI for LDAP directory.

idp.authn.LDAP.useStartTLS

Boolean

true

Whether StartTLS should be used after connecting with LDAP alone.

idp.authn.LDAP.connectTimeout

Duration

PT3S

Time to wait for the TCP connection to occur.

idp.authn.LDAP.responseTimeout

Duration

PT3S

Time to wait for an LDAP response message. (Applies to every request except startTLS)

idp.authn.LDAP.startTLSTimeout

Duration

PT3S

Time to wait for a startTLS response message.

idp.authn.LDAP.autoReconnect

Boolean

true

Whether lost connections should be automatically reopened.

idp.authn.LDAP.reconnectTimeout

Duration

PT10S

Time to wait for a connection to reconnect.

idp.authn.LDAP.connectionStrategy

Enumeration

ACTIVE_PASSIVE

Connection strategy to use when multiple URLs are supplied, one of ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM

idp.authn.LDAP.sslConfig

Enumeration

certificateTrust

How to establish trust in the server's TLS certificate, one of: jvmTrust, certificateTrust, or keyStoreTrust

idp.authn.LDAP.trustCertificates

Resource path

A resource to load trust anchors from, usually a local file in %{idp.home}/credentials

idp.authn.LDAP.trustStore

Resource path

A resource to load a Java keystore containing trust anchors, usually a local file in %{idp.home}/credentials

idp.authn.LDAP.returnAttributes

Comma-sep'd Strings

List of attributes to request during authentication. NOTE: Do not set this property if using the adAuthenticator, it is not supported and you will get a WARN message in the log each time a user authenticates. (Authentication still works, though.)

idp.authn.LDAP.baseDN

String

Base DN to search against, used by anonSearchAuthenticator, bindSearchAuthenticator

idp.authn.LDAP.subtreeSearch

Boolean

false

Whether to search recursively, used by anonSearchAuthenticator, bindSearchAuthenticator

idp.authn.LDAP.userFilter

String

LDAP search filter, used by anonSearchAuthenticator, bindSearchAuthenticator

idp.authn.LDAP.bindDN

String

DN to bind with during search, used by bindSearchAuthenticator

idp.authn.LDAP.bindDNCredential

String

Password to bind with during search, used by bindSearchAuthenticator, usually set via %{idp.home}/credentials/secrets.properties

idp.authn.LDAP.dnFormat

String

A formatting string to generate the user DNs to authenticate, used by directAuthenticator, adAuthenticator

idp.authn.LDAP.resolveEntryOnFailure

Boolean

false

Whether the user's LDAP entry should be returned in the authentication response even when the user bind fails.

idp.authn.LDAP.resolveEntryWithBindDN

Boolean

false

Whether the user's LDAP entry should be resolved with the bindDN credentials rather than as the authenticated user.

idp.authn.LDAP.usePasswordPolicy

Boolean

false

Whether to use the Password Policy Control.

idp.authn.LDAP.usePasswordExpiration

Boolean

false

Whether to use the Password Expired Control.

idp.authn.LDAP.activeDirectory

Boolean

false

If you are using Active Directory, this switch will attempt to use the account states defined by AD. Note that this flag is unnecessary if you are using the 'adAuthenticator', although it is necessary to use the accountStateExpirationPeriod and accountStateWarningPeriod properties. It is meant to be specified with one of the other authenticator types.

idp.authn.LDAP.freeIPADirectory

Boolean

false

If you are using the FreeIPA LDAP, this switch will attempt to use the account states defined by that product.

idp.authn.LDAP.eDirectory

Boolean

false

If you are using the EDirectory LDAP, this switch will attempt to use the account states defined by that product.

idp.authn.LDAP.disablePooling

Boolean

false

Whether connection pools should be used for LDAP connections used for authentication.

idp.pool.LDAP.minSize

Integer

3

Minimum LDAP connection pool size

idp.pool.LDAP.maxSize

Integer

10

Maximum LDAP connection pool size

idp.pool.LDAP.validateOnCheckout

Boolean

false

Whether to validate connections when checking them out of the pool

idp.pool.LDAP.validatePeriodically

Boolean

true

Whether to validate connections in the background

idp.pool.LDAP.validatePeriod

Duration

PT5M

Duration between validation, if idp.pool.LDAP.validatePeriodically is true

idp.pool.LDAP.validateDN

String

DN to search with the validateFilter, default is the rootDSE

idp.pool.LDAP.validateFilter

String

(objectClass=*)

Search filter to execute in order to validate a pooled connection

idp.pool.LDAP.prunePeriod

Duration

PT5M

Duration between looking for idle connections to reduce the pool back to its minimum size

idp.pool.LDAP.idleTime

Duration

PT10M

Duration connections must be idle to be eligible for pruning

idp.pool.LDAP.blockWaitTime

Duration

PT3S

Duration to wait for a free connection in the pool

idp.authn.LDAP.bindPoolPassivator

Enumeration

none

Controls how connections in the bind pool are passivated. Connections in the bind pool may be in an authenticated state that will not allow validation searches to succeed. This property controls how bind connections are placed back into the pool. If your directory requires searches to be performed by the idp.authn.LDAP.bindDN or anonymously, this property controls that behavior. one of: none, bind, anonymousBind.

...

Expand
titleAttribute Retrieval

LDAP attributes are returned as part of the authentication process and exposed in the LDAPResponseContext. (As noted in the Properties reference above, this feature is not supported by the adAuthenticator. If you set it, it will result in a WARN message in the logs for each authentication attempt.)

Property

Sample

Result

idp.authn.LDAP.returnAttributes

uid,

eduPersonAffiliation

Returns the uid and

eduPersonAffiliation attributes.

*

Returns all user attributes on the entry.

*,+

Returns all user and operational attributes on the entry.

1.1

No attribute returned. No search performed.

By default, attributes will be searched for using the same connection the user authenticated on. Therefore the user must have read on any attributes for those to be returned.

If you need access to attributes that user does not have read access to, then you must configure a connection pool that is authorized to read that data. The easiest way to that is to use the idp.authn.LDAP.resolveEntryWithBindDN=true property. This will configure a separate connection pool using the bind credentials. However, if the attributes you need require different credentials, then following configuration demonstrates how to add a new connection pool for that purpose.

Spring Configuration
Code Block
languagexml
<!-- Modify the authenticator to use the entry resolver -->
<bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:entryResolver-ref="bindSearchEntryResolver">
...
 
<bean id="bindSearchEntryResolver" class="org.ldaptive.auth.SearchEntryResolver" p:connectionFactory-ref="entryResolverPooledConnectionFactory" />
<bean id="entryResolverPooledConnectionFactory" class="org.ldaptive.PooledConnectionFactory" p:connectionConfig-ref="entryResolverConnectionConfig" p:name="entry-resolver-pool" />
<bean id="entryResolverConnectionConfig" parent="connectionConfig" p:connectionInitializers-ref="entryResolverConnectionInitializer" />
<bean id="entryResolverConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" p:bindDn="%{idp.authn.LDAP.entryResolver.bindDN}">
  <property name="bindCredential">
    <bean class="org.ldaptive.Credential">
      <constructor-arg value="%{idp.authn.LDAP.entryResolver.bindDNCredential}" />
    </bean>
  </property>
</bean>

Add the idp.authn.LDAP.entryResolver.bindDN and idp.authn.LDAP.entryResolver.bindDNCredential properties to conf/ldap.properties and credentials/secrets.properties respectively. Then set idp.authn.LDAP.authenticator to anonSearchAuthenticator. to complete the configuration.

Expand
titleDN Resolution

Single Directory with Multiple Branches

Extensible Matching

If your directory supports extensible matching, this is the easiest way to find users that are distributed over multiple branches.

Property

Value

Result

idp.authn.LDAP.userFilter

(&(|(ou:dn:=people)(ou:dn:=guests))(uid={user}))

Returns the entry that matches uid on either the people or guests branch.

idp.authn.LDAP.baseDN

dc=example,dc=org

The branch containing both ou=people and ou=guests.

idp.authn.LDAP.subtreeSearch

true

Enable subtree searching on the dc=example,dc=org branch.

Aggregate DN Resolver

This authenticator combines the results of multiple DN resolvers.

Spring Configuration
Code Block
languagexml
<!-- Connection Configuration -->
<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true"
      p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
      p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
      p:connectTimeout="%{idp.authn.LDAP.connectTimeout:PT3S}"
      p:responseTimeout="%{idp.authn.LDAP.responseTimeout:PT3S}"
      p:sslConfig-ref="sslConfig" />

<alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />

<bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
<bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
  <property name="credentialConfig">
    <bean parent="shibboleth.X509ResourceCredentialConfig" p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" />
  </property>
</bean>
<bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
  <property name="credentialConfig">
    <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
  </property>
</bean>

<!-- Pool Configuration -->
<bean id="connectionPool" class="org.ldaptive.PooledConnectionFactory" abstract="true"
      p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
      p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
      p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
      p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
      p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
      p:pruneStrategy-ref="pruneStrategy"
      p:validator-ref="searchValidator"
      p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="%{idp.pool.LDAP.prunePeriod:PT5M}"
      p:idleTime="%{idp.pool.LDAP.idleTime:PT10M}" />
<bean id="searchValidator" class="org.ldaptive.SearchConnectionValidator" p:validatePeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"/>

<!-- Authentication handler -->
<bean id="authHandler" class="org.ldaptive.auth.SimpleBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" />
<bean id="bindPooledConnectionFactory" class="org.ldaptive.PooledConnectionFactory" parent="connectionPool"
      p:name="bind-pool"
      p:connectionConfig-ref="bindConnectionConfig" />
<bean id="bindConnectionConfig" parent="connectionConfig" />

<!-- Anonymous Search Configuration -->
<bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
  <constructor-arg index="0" ref="anonSearchDnResolver" />
  <constructor-arg index="1" ref="authHandler" />
</bean>
<bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.TemplateSearchDnResolver"
      p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
      p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
      p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
  <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
  <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
</bean>
<bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.PooledConnectionFactory" parent="connectionPool"
      p:name="search-pool"
      p:connectionConfig-ref="anonSearchConnectionConfig" />
<bean id="anonSearchConnectionConfig" parent="connectionConfig" />

<bean name="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator">
  <constructor-arg index="0" ref="aggregateDnResolver" />
  <constructor-arg index="1" ref="aggregateAuthHandler" />
</bean>
<bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver">
  <constructor-arg index="0">
    <util:map id="dnResolvers">
      <entry key="filter1" value-ref="dnResolver1" />
      <entry key="filter2" value-ref="dnResolver2" />
    </util:map>
  </constructor-arg>
</bean>
<bean id="aggregateAuthHandler" class="org.ldaptive.auth.AggregateAuthenticationHandler">
  <constructor-arg index="0">
    <!-- Use the same authentication handler for both DN resolvers -->
    <util:map id="authHandlers">
      <entry key="filter1" value-ref="authHandler" />
      <entry key="filter2" value-ref="authHandler" />
    </util:map>
  </constructor-arg>
</bean>

<!-- Define two DN resolvers that use anonymous search against the same directory -->
<bean id="dnResolver1" class="org.ldaptive.auth.SearchDnResolver" p:baseDn="%{idp.authn.LDAP.baseDN1}"
      p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" p:userFilter="%{idp.authn.LDAP.userFilter1}"
      p:connectionFactory-ref="anonSearchPooledConnectionFactory" />
<bean id="dnResolver2" class="org.ldaptive.auth.SearchDnResolver" p:baseDn="%{idp.authn.LDAP.baseDN2}"
      p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" p:userFilter="%{idp.authn.LDAP.userFilter2}"
      p:connectionFactory-ref="anonSearchPooledConnectionFactory" />

Add the idp.authn.LDAP.baseDN[12] and idp.authn.LDAP.userFilter[12] properties to conf/ldap.properties. The key values used in dnResolvers and authHandlers can be anything, but must tie a single DN resolver to a single auth handler. By default an error will occur if more than (1) DN is resolved.

In addition to these beans, the aggregateAuthenticator bean (in the example above) must be injected into the LDAP credential validator in password-authn-config.xml:

Code Block
<util:list id="shibboleth.authn.Password.Validators">
    <!-- Default bean uses the settings defined in ldap.properties -->
    <bean parent="shibboleth.LDAPValidator" p:authenticator-ref="aggregateAuthenticator" />
</util:list>

Multiple Directories

Aggregate DN Resolver

This authenticator combines the results of multiple DN resolvers that connect to multiple directories.

Spring Configuration
Code Block
languagexml
<bean name="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator">
  <constructor-arg index="0" ref="aggregateDnResolver" />
  <constructor-arg index="1" ref="aggregateAuthHandler" />
</bean>
<bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver">
  <constructor-arg index="0">
    <util:map id="dnResolvers">
      <entry key="directory1" value-ref="dnResolver1" />
      <entry key="directory2" value-ref="dnResolver2" />
    </util:map>
  </constructor-arg>
</bean>
<bean id="aggregateAuthHandler" class="org.ldaptive.auth.AggregateAuthenticationHandler">
  <constructor-arg index="0">
    <util:map id="authHandlers">
      <entry key="directory1" value-ref="authHandler1" />
      <entry key="directory2" value-ref="authHandler2" />
    </util:map>
  </constructor-arg>
</bean>
<!-- define DN resolvers and authentication handlers for each directory... -->

Complete example with DN resolvers and authentication handlers for bindSearch

Code Block
languagexml
<!-- Properties:
- idp.authn.LDAP.authenticator = aggregateAuthenticator
- idp.authn.LDAP.ldapURL1
- idp.authn.LDAP.ldapURL2
- idp.authn.LDAP.baseDN1
- idp.authn.LDAP.baseDN2
- idp.authn.LDAP.userFilter1
- idp.authn.LDAP.userFilter2
- idp.authn.LDAP.bindDN1
- idp.authn.LDAP.bindDN2
- idp.authn.LDAP.bindDNCredential1
- idp.authn.LDAP.bindDNCredential2
-->
<bean id="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="aggregateDnResolver"
      c:handler-ref="aggregateAuthHandler" />

<!-- Aggregate DN resolution -->
<bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver" p:allowMultipleDns="true">
  <constructor-arg index="0">
    <util:map id="dnResolvers">
      <entry key="directory1" value-ref="bindSearchDnResolver1" />
      <entry key="directory2" value-ref="bindSearchDnResolver2" />
    </util:map>
  </constructor-arg>
</bean>

<!-- DN resolver 1 reusable PooledConnectionFactory parent bean with pool settings -->
<bean id="bindSearchDnResolver1pooledConnectionFactory" class="org.ldaptive.auth.SearchDnResolverPooledConnectionFactory"
      p:baseDnblockWaitTime="#%{'%{idp.authnpool.LDAP.baseDN1blockWaitTime:undefined}'.trim()}"
 PT3S}"
    p:pruneStrategy-ref="pruneStrategy"
    p:validator-ref="searchValidator"
    p:subtreeSearchfailFastInitialize="%{idp.authnpool.LDAP.subtreeSearchfailFastInitialize:false}"
      p:userFilterminPoolSize="#{'%{idp.authnpool.LDAP.userFilter1:undefined}'.trim()minSize:3}"
      p:connectionFactory-ref="bindSearchPooledConnectionFactory" />
<bean id="bindSearchPooledConnectionFactory1" class="org.ldaptive.PooledConnectionFactory" parent="connectionPool"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
      p:name="search-pool1"
      p:connectionConfig-ref="bindSearchConnectionConfig1" />
<bean id="bindSearchConnectionConfig1" parent="connectionConfig"
      p:connectionInitializers-ref="bindConnectionInitializer1"
      p:ldapUrlvalidateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
    p:validatePeriodically="%{idp.authnpool.LDAP.ldapURL1validatePeriodically:true}" />

<!-- DN resolver 1 -->
<bean id="bindConnectionInitializer1bindSearchDnResolver1" class="org.ldaptive.BindConnectionInitializernet.shibboleth.idp.authn.TemplateSearchDnResolver"
      p:bindDnbaseDn="#{'%{idp.authn.LDAPLDAP1.bindDN1baseDN:undefined}'.trim()}">
  <property name="bindCredential">
    <bean class="org.ldaptive.Credential" c:passwordp:subtreeSearch="%{idp.authn.LDAPLDAP1.bindDNCredential1subtreeSearch:undefinedfalse}"
 />   </property>
</bean>
<!-- DN resolver 2 -->
<bean id="bindSearchDnResolver2" class="org.ldaptive.auth.SearchDnResolver"
p:connectionFactory-ref="bindSearchPooledConnectionFactory1" >
    <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
     p:baseDn<constructor-arg index="1" value="#{'%{idp.authn.LDAPLDAP1.baseDN2userFilter:undefined}'.trim()}" />
</bean>
<bean    p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
 id="bindSearchPooledConnectionFactory1" parent="pooledConnectionFactory"
    p:userFilter="#{'%{idp.authn.LDAP.userFilter2:undefined}'.trim()}"
      p:connectionFactoryconnectionConfig-ref="bindSearchConnectionConfig1" />
<bean id="bindSearchConnectionConfig1" parent="connectionConfig1" p:connectionInitializers-ref="bindSearchPooledConnectionFactorybindConnectionInitializer1" />
<bean id="bindSearchPooledConnectionFactory2bindConnectionInitializer1" class="org.ldaptive.PooledConnectionFactoryBindConnectionInitializer"
 parent="connectionPool"       p:name="search-pool2"bindDn="#{'%{idp.authn.LDAP1.bindDN:undefined}'.trim()}">
    <property  p:connectionConfig-ref="bindSearchConnectionConfig2" />name="bindCredential">
        <bean idclass="bindSearchConnectionConfig2org.ldaptive.Credential">
parent="connectionConfig"       p:connectionInitializers-ref="bindConnectionInitializer2"       p:ldapUrl<constructor-arg value="%{idp.authn.LDAPLDAP1.ldapURL2bindDNCredential:undefined}" />
        </bean>
    </property>
</bean>

<bean id="bindConnectionInitializer2connectionConfig1" class="org.ldaptive.BindConnectionInitializerConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP1.ldapURL}"
    p:bindDnuseStartTLS="#{'%{idp.authn.LDAPLDAP1.bindDN2:undefined}'.trim()useStartTLS:true}">
   <property namep:connectTimeout="bindCredential">%{idp.authn.LDAP.connectTimeout:PT3S}"
    <bean class="org.ldaptive.Credential" c:passwordp:responseTimeout="%{idp.authn.LDAP.bindDNCredential2responseTimeout:undefinedPT3S}"
 />   </property>
</bean>p:sslConfig-ref="sslConfig" />

<!-- DN Aggregateresolver authentication2 -->
<bean id="aggregateAuthHandlerbindSearchDnResolver2" class="orgnet.shibboleth.ldaptiveidp.authauthn.AggregateAuthenticationHandlerTemplateSearchDnResolver">
  <constructor-arg index="0">
    <util:map id="authHandlers">
      <entry key="directory1" value-ref="authHandler1" />
      <entry key="directory2" value-ref="authHandler2" />
    </util:map>
  </constructor-arg>
</bean>

<!-- Authentication handler 1 -->
<bean id="authHandler1" class="org.ldaptive.auth.SimpleBindAuthenticationHandler"
      p:connectionFactory-ref="bindPooledConnectionFactory1" />
<bean id="bindPooledConnectionFactory1 p:baseDn="#{'%{idp.authn.LDAP2.baseDN:undefined}'.trim()}"
    p:subtreeSearch="%{idp.authn.LDAP2.subtreeSearch:false}"
    p:connectionFactory-ref="bindSearchPooledConnectionFactory2" >
    <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
    <constructor-arg index="1" value="#{'%{idp.authn.LDAP2.userFilter:undefined}'.trim()}" />
</bean>
<bean id="bindSearchPooledConnectionFactory2" parent="pooledConnectionFactory"
    p:connectionConfig-ref="bindSearchConnectionConfig2" />
<bean id="bindSearchConnectionConfig2" parent="connectionConfig2" p:connectionInitializers-ref="bindConnectionInitializer2" />
<bean id="bindConnectionInitializer2" class="org.ldaptive.BindConnectionInitializer"
        p:bindDn="#{'%{idp.authn.LDAP2.bindDN:undefined}'.trim()}">
    <property name="bindCredential">
        <bean class="org.ldaptive.Credential">
            <constructor-arg value="%{idp.authn.LDAP2.bindDNCredential:undefined}" />
        </bean>
    </property>
</bean>

<bean id="connectionConfig2" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP2.ldapURL}"
    p:useStartTLS="%{idp.authn.LDAP2.useStartTLS:true}"
    p:connectTimeout="%{idp.authn.LDAP.connectTimeout:PT3S}"
    p:responseTimeout="%{idp.authn.LDAP.responseTimeout:PT3S}"
    p:sslConfig-ref="sslConfig" />

<!-- Aggregate authentication -->
<bean id="aggregateAuthHandler" class="org.ldaptive.auth.AggregateAuthenticationHandler">
  <constructor-arg index="0">
    <util:map id="authHandlers">
      <entry key="directory1" value-ref="authHandler1" />
      <entry key="directory2" value-ref="authHandler2" />
    </util:map>
  </constructor-arg>
</bean>

<!-- Authentication handler 1 -->

<bean id="authHandler1" class="org.ldaptive.auth.SimpleBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory1" />
<bean id="bindPooledConnectionFactory1" parent="pooledConnectionFactory" p:connectionConfig-ref="bindConnectionConfig1" />
<bean id="bindConnectionConfig1" parent="connectionConfig1" />

<!-- Authentication handler 2 -->
<bean id="authHandler2" class="org.ldaptive.auth.SimpleBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory2" />
<bean id="bindPooledConnectionFactory2" parent="pooledConnectionFactory" p:connectionConfig-ref="bindConnectionConfig2" />
<bean id="bindConnectionConfig2" parent="connectionConfig2" />

<!-- shared definitions -->

<alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />

<bean id="jvmTrust" class="org.ldaptive.PooledConnectionFactoryssl.SslConfig" />
<bean id="certificateTrust" parentclass="connectionPool"org.ldaptive.ssl.SslConfig">
    <property  p:name="bind-pool1"credentialConfig">
        <bean parent="shibboleth.X509ResourceCredentialConfig" p:connectionConfig-reftrustCertificates="bindConnectionConfig1%{idp.authn.LDAP.trustCertificates:undefined}" />
    </property>
</bean>
<bean id="bindConnectionConfig1keyStoreTrust" parentclass="connectionConfig"org.ldaptive.ssl.SslConfig">
    <property  p:ldapUrlname="%{idp.authn.LDAP.ldapURL1}" />
<!-- Authentication handler 2 -->
<bean id="authHandler2" class="org.ldaptive.auth.SimpleBindAuthenticationHandler"
credentialConfig">
        <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" />
     p:connectionFactory-ref="bindPooledConnectionFactory2" /></property>
</bean>

<bean id="bindPooledConnectionFactory2pruneStrategy" class="org.ldaptive.PooledConnectionFactorypool.IdlePruneStrategy"
parent="connectionPool"
      p:nameprunePeriod="bind-pool2"
 %{idp.pool.LDAP.prunePeriod:PT5M}"
    p:connectionConfig-refidleTime="bindConnectionConfig2%{idp.pool.LDAP.idleTime:PT10M}" />

<bean id="bindConnectionConfig2searchValidator" parentclass="connectionConfigorg.ldaptive.SearchConnectionValidator"
      p:ldapUrlvalidatePeriod="%{idp.authnpool.LDAP.ldapURL2validatePeriod:PT5M}" />

DN resolvers are invoked asynchronously, so all resolvers will be used for each authentication request.

...