Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Specific XML Attributes
Name | Type | Default | Description
---|---|---|---
ldapURL | Space-delimited list of URLs | | URL(s) to the LDAP server. Each listed URL is tried according to the connectionStrategy.
baseDN | String | | Base DN from which the LDAP search will be executed
principal | String | | Username (service DN) that the connector will use to bind to the LDAP directory
principalCredential | String | | Password used to authenticate as the principal (service DN)
lowercaseAttributeNames | Boolean | false | Whether all attribute IDs from the LDAP should be lower-cased. This can be important since Shibboleth attribute IDs are case-sensitive while LDAP attribute IDs are not.
trustFile | File pathname | | Path to a file containing the X.509 trust information to use when connecting to the directory over LDAPS or startTLS. Replaces the deprecated use of <StartTLSTrustCredential>
failFastInitialize | Boolean | true | Whether a failure when verifying the LDAP server's availability during startup is fatal (stops the Attribute Resolver service from starting)
connectTimeout | Duration | PT3S | Time to wait for a connection to be established
responseTimeout | Duration | PT3S | Time to wait for a response before failing
searchTimeLimit | Duration | PT3S | Length of time that a search operation may execute; a value of 0 means execute indefinitely. When the time limit is reached the result will contain any entries returned up to that point.
maxResultSize | Integer | 1 | Maximum number of entries to allow in the search result; a value of 0 means include all entries. Exceeding this value will result in a failure of the connector.
noResultIsError | Boolean | false | Whether an empty result set is an error
multipleResultsIsError | Boolean | false | Whether a result set with more than one result is an error
connectionStrategy | One of ROUND_ROBIN, RANDOM, ACTIVE_PASSIVE | ACTIVE_PASSIVE | If multiple URLs were provided as the ldapURL, this describes how each URL will be processed. ACTIVE_PASSIVE (the default): the first LDAP URL is used for every request unless it fails, and then the next LDAP URL is used. ROUND_ROBIN: for each new connection the next LDAP URL in the list (circling back to the start of the list when the end is reached) is used. RANDOM: for each new connection a random LDAP URL is selected.
searchScope | One of SUBTREE, ONELEVEL, OBJECT | SUBTREE | The scope of the search. SUBTREE: the entire LDAP directory subtree below the search baseDN is searched. ONELEVEL: only the immediate children of the LDAP object corresponding to the search baseDN are searched. OBJECT: only the LDAP object itself is searched.
derefAliases | One of NEVER, SEARCHING, FINDING, ALWAYS | NEVER | How aliases should be dereferenced. See the Oracle JNDI docs for more details on these options.
followReferrals (4.0.1) | Boolean | false | Whether to follow search referrals and references when they are encountered in search results.
useStartTLS | Boolean | false | Whether to use startTLS when connecting to the LDAP
disableHostnameVerification | Boolean | false | Whether to disable verification that the server certificate matches the host name during TLS. Only change this if you understand the implications: with verification off, any holder of a certificate your trust configuration accepts can impersonate the directory.
authCert | File pathname | | Path to the file containing the X.509 certificate to provide when connecting to the directory over LDAPS or startTLS
authKey | File pathname | | Path to the file containing the private key to provide when connecting to the directory over LDAPS or startTLS
authKeyPassword | String | | Password to use for the private key file
templateEngine | Bean ID | | The ID of a Spring bean defining an org.apache.velocity.app.VelocityEngine
searchExecutorRef (4.3) | Bean ID | | The ID of a Spring bean defining an org.ldaptive.SearchExecutor
connectionFactoryRef (4.3) | Bean ID | | The ID of a Spring bean defining an org.ldaptive.ConnectionFactory
mappingStrategyRef | Bean ID | | The ID of a Spring bean defining a Mapping Strategy (which converts the result of an LDAP search into a list of IdP Attributes)
executableSearchBuilderRef | Bean ID | | The ID of a Spring bean defining an ExecutableSearchBuilder<ExecutableSearchFilter>
validatorRef | Bean ID | | Bean ID of a Validator to control what constitutes an initialization failure if failFastInitialize is not sufficient
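The following is an added example, not Shibboleth code: a small audit that reads an attribute-resolver document and flags the settings from the table above that weaken an LDAPDirectory connector (cleartext ldap:// without useStartTLS, disableHostnameVerification, maxResultSize=0, searchTimeLimit=0, and a literal principalCredential instead of a %{...} property reference). The root element name AttributeResolver, the host names, the credentials path and both sample connectors are assumptions constructed for the example; the rules encode this editor's reading of the attribute table, not a check the IdP itself performs.

```python
"""Audit LDAPDirectory DataConnector attributes for weak settings (added example)."""
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"


def _is_true(value):
    return (value or "").strip().lower() == "true"


def _is_zero_duration(value):
    # The table says a searchTimeLimit of 0 means "execute indefinitely";
    # accept a bare 0 and the ISO-8601 zero durations.
    return (value or "").strip().upper() in {"0", "PT0S", "PT0M", "PT0H"}


def audit_ldap_connector(xml_text):
    """Return a list of finding strings, one per weak setting found."""
    root = ET.fromstring(xml_text)
    findings = []
    for dc in root.iter(f"{{{RESOLVER_NS}}}DataConnector"):
        if dc.get(f"{{{XSI_NS}}}type") != "LDAPDirectory":
            continue
        cid = dc.get("id", "<no id>")
        starttls = _is_true(dc.get("useStartTLS"))

        # Cleartext ldap:// without startTLS sends the simple-bind password
        # (principalCredential) and every returned attribute unencrypted.
        for url in dc.get("ldapURL", "").split():
            if url.lower().startswith("ldap://") and not starttls:
                findings.append(f"{cid}: {url} is cleartext LDAP and useStartTLS is not true")

        # Host name verification is what ties the presented certificate to the
        # server the connector thinks it is talking to.
        if _is_true(dc.get("disableHostnameVerification")):
            findings.append(f"{cid}: disableHostnameVerification=true removes server identity checking")

        # maxResultSize=0 means "include all entries", so a broad filter can
        # pull an entire subtree into the IdP.
        if dc.get("maxResultSize", "1").strip() == "0":
            findings.append(f"{cid}: maxResultSize=0 allows unbounded result sets")

        if _is_zero_duration(dc.get("searchTimeLimit")):
            findings.append(f"{cid}: searchTimeLimit of 0 lets a search run indefinitely")

        # A literal password in the resolver file is harder to protect than a
        # %{...} reference into a properties file.
        cred = dc.get("principalCredential")
        if cred and not cred.startswith("%{"):
            findings.append(f"{cid}: principalCredential is a literal, not a %{{...}} property reference")
    return findings


# Constructed samples for the example; neither describes a real deployment.
WEAK_RESOLVER = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="weakLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldap://ldap1.example.org ldap://ldap2.example.org"
      baseDN="ou=people,dc=example,dc=org"
      principal="cn=idp,ou=service,dc=example,dc=org"
      principalCredential="hunter2"
      disableHostnameVerification="true"
      maxResultSize="0"
      searchTimeLimit="PT0S"/>
</AttributeResolver>"""

HARDENED_RESOLVER = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="hardenedLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldaps://ldap1.example.org ldaps://ldap2.example.org"
      connectionStrategy="ACTIVE_PASSIVE"
      baseDN="ou=people,dc=example,dc=org"
      principal="cn=idp,ou=service,dc=example,dc=org"
      principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
      trustFile="%{idp.home}/credentials/ldap-server.crt"
      maxResultSize="1"
      multipleResultsIsError="true"
      searchTimeLimit="PT3S"/>
</AttributeResolver>"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RESOLVER), ("hardened", HARDENED_RESOLVER)):
        print(name, audit_ldap_connector(doc) or ["no findings"])
```

Run it against a real attribute-resolver.xml by passing the file contents to audit_ldap_connector; the weak sample yields six findings and the hardened one none. Setting useStartTLS="true" on an ldap:// URL clears the cleartext finding but not the others, which is the point: transport protection and result bounding are independent controls.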

The Velocity template properties that also apply to this connector are documented on the VelocityTemplateProperties page.

Spring Configuration
The springResource and springResourceRef attributes are DEPRECATED in V4.3 and will not work in V5.

If the springResource or springResourceRef attributes are specified, then the configuration of the DataConnector bean is delegated to the supplied resources. The system creates a factory for an LDAPDataConnector object and looks for beans in the supplied Spring resource(s) that match the types of the properties supported by that type and its parent classes.
Spring Example
Example of a springResources file (in this case the DataConnector definition would be <DataConnector xsi:type="LDAPDirectory" springResources="....." />):

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- each bean is set on LDAPDataConnector -->
    <bean id="connectionFactory" class="org.ldaptive.pool.PooledConnectionFactory">
        <property name="connectionPool">
            <!-- property placeholders use the IdP's %{...} syntax throughout; pool settings are the idp.pool.LDAP.* properties -->
            <bean class="org.ldaptive.pool.BlockingConnectionPool" init-method="initialize"
                  p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime}">
                <constructor-arg index="0">
                    <bean class="org.ldaptive.pool.PoolConfig"
                          p:minPoolSize="%{idp.pool.LDAP.minSize}"
                          p:maxPoolSize="%{idp.pool.LDAP.maxSize}"
                          p:validateOnCheckIn="%{idp.pool.LDAP.validateOnCheckin}"
                          p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout}"
                          p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically}"
                          p:validatePeriod="%{idp.pool.LDAP.validatePeriod}" />
                </constructor-arg>
                <constructor-arg index="1">
                    <bean class="org.ldaptive.DefaultConnectionFactory">
                        <property name="connectionConfig">
                            <bean class="org.ldaptive.ConnectionConfig" p:ldapUrl="%{idp.attribute.resolver.LDAP.ldapURL}"
                                  p:connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
                                  p:responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
                                  p:useSSL="%{idp.attribute.resolver.LDAP.useSSL}"
                                  p:useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}">
                                <!-- bind identity used for every pooled connection -->
                                <property name="connectionInitializer">
                                    <bean class="org.ldaptive.BindConnectionInitializer"
                                          p:bindDn="%{idp.attribute.resolver.LDAP.bindDN}"
                                          p:bindCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" />
                                </property>
                                <!-- server trust anchors and optional client certificate for LDAPS/startTLS -->
                                <property name="sslConfig">
                                    <bean class="org.ldaptive.ssl.SslConfig">
                                        <property name="credentialConfig">
                                            <bean class="org.ldaptive.ssl.X509CredentialConfig"
                                                  p:trustCertificates="%{idp.attribute.resolver.LDAP.trustCertificates}"
                                                  p:authenticationCertificate="%{idp.attribute.resolver.LDAP.authCertificate}"
                                                  p:authenticationKey="%{idp.attribute.resolver.LDAP.authKey}" />
                                        </property>
                                    </bean>
                                </property>
                            </bean>
                        </property>
                    </bean>
                </constructor-arg>
                <!-- search used to validate pooled connections -->
                <property name="validator">
                    <bean class="org.ldaptive.pool.SearchValidator">
                        <property name="searchRequest">
                            <bean class="org.ldaptive.SearchRequest">
                                <constructor-arg value="%{idp.pool.LDAP.validatorBaseDN}" />
                                <constructor-arg value="%{idp.pool.LDAP.validatorFilter}" />
                            </bean>
                        </property>
                    </bean>
                </property>
                <property name="pruneStrategy">
                    <bean class="org.ldaptive.pool.IdlePruneStrategy"
                          p:prunePeriod="%{idp.pool.LDAP.prunePeriod}"
                          p:idleTime="%{idp.pool.LDAP.idleTime}" />
                </property>
            </bean>
        </property>
    </bean>

    <bean id="searchExecutor" class="org.ldaptive.SearchExecutor"
          p:baseDn="%{idp.attribute.resolver.LDAP.baseDN}"
          p:returnAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}" />

    <!-- result cache referenced from <ResultCache cacheManagerRef="cache"/> -->
    <bean id="cacheBuilder" class="com.google.common.cache.CacheBuilder" factory-method="from">
        <constructor-arg value="expireAfterAccess=10s,maximumSize=25" />
    </bean>
    <bean id="cache" class="com.google.common.cache.Cache" factory-bean="cacheBuilder" factory-method="build" />

    <bean id="searchBuilder" class="net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder"
          p:templateText="%{idp.attribute.resolver.LDAP.searchFilter}" p:velocityEngine-ref="shibboleth.VelocityEngine"
          init-method="initialize" />

    <bean id="mappings" class="net.shibboleth.idp.attribute.resolver.dc.ldap.StringAttributeValueMappingStrategy"
          p:noResultAnError="true" p:multipleResultsAnError="true">
        <property name="resultRenamingMap">
            <map>
                <entry key="homephone" value="phonenumber" />
            </map>
        </property>
    </bean>

    <bean id="validator" class="net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator"
          p:connectionFactory-ref="connectionFactory" p:throwValidateError="true" />

</beans>

Data connector using the deprecated springResources attribute:

<DataConnector id="myLDAP" xsi:type="LDAPDirectory" noRetryDelay="PT5M" springResources="%{idp.home}/conf/ldap-attribute-resolver-spring-context.xml"/>

Data connector using the bean references:

<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        executableSearchBuilderRef="searchBuilder"
        noRetryDelay="PT5M"
        mappingStrategyRef="mappings"
        connectionFactoryRef="connectionFactory"
        searchExecutorRef="searchExecutor"
        validatorRef="validator">
    <ResultCache cacheManagerRef="cache"/>
</DataConnector>