Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
...
title | conf/attribute-resolver.xml |
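<!--
  LDAP data connector. Connection details (URLs, base DN, service bind DN and
  its password, trust anchors, filter) are pulled from IdP properties via
  %{...} placeholders, so no secret is written into this file.

  Security-relevant settings:
  - trustFile holds the X.509 trust anchors used to authenticate the directory
    over LDAPS or StartTLS. Keep it set, and leave disableHostnameVerification
    at its default (false) so the server certificate is also checked against
    the host name; otherwise the connection is encrypted but the peer is not
    really authenticated.
  - useStartTLS defaults to true here; it relies on trustFile for server
    authentication just like an ldaps:// URL does.
  - multipleResultsIsError defaults to true here: a filter that matches more
    than one entry fails the lookup instead of resolving attributes from one
    of the matched entries.
  - The filter template is a Velocity template supplied by a property; any
    principal-derived value interpolated into it is untrusted input.
    NOTE(review): confirm how the IdP escapes filter parameters before
    relying on that for a custom template.
  - Client certificate authentication uses the authCert/authKey attributes;
    the older <StartTLSAuthenticationCredential> child element is deprecated
    and is not used here.
-->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    authCert="%{idp.attribute.resolver.LDAP.authenticationCertificate}"
    authKey="%{idp.attribute.resolver.LDAP.authenticationKey}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    noResultIsError="%{idp.attribute.resolver.LDAP.noResultsIsError:false}"
    multipleResultsIsError="%{idp.attribute.resolver.LDAP.multipleResultsIsError:true}">

    <!-- Search filter template; the text inside CDATA is the template itself,
         so it is left unindented to avoid adding whitespace to it. -->
    <FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
    </FilterTemplate>

    <!-- Pool sizing plus periodic validation of pooled connections using a
         lightweight search (validateDN/validateFilter). -->
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize}"
        maxPoolSize="%{idp.pool.LDAP.maxSize}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime}"
        expirationTime="%{idp.pool.LDAP.expirationTime}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod}"
        validateDN="%{idp.pool.LDAP.validateDN}"
        validateFilter="%{idp.pool.LDAP.validateFilter}"/>

    <!-- Resolved attribute sets are cached in memory; a cached entry is reused
         for up to elementTimeToLive, so directory changes (e.g. a revoked
         entitlement) are not seen until it expires. -->
    <ResultCache
        elementTimeToLive="%{idp.cache.LDAP.timeToLive}"
        maximumCachedElements="%{idp.cache.LDAP.cacheSize}"/>
</DataConnector>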
Reference
title | Specific XML Attributes |
Name | Type | Default | Description |
---|
ldapURL | Space-delimited list of URLs | | URL(s) to the LDAP server. Each listed URL is tried according to the connectionStrategy . | baseDN | String | | Base DN from which the LDAP search will be executed | principal | String | | Username (service DN) that the connector will use to bind to the LDAP directory | principalCredential | String | | Password used to authenticate as the principal (service DN) | lowercaseAttributeNames | Boolean | false | Whether all attribute IDs from the LDAP should be lower-cased. This can be important since Shibboleth attribute IDs are case-sensitive while LDAP attribute IDs are not. | trustFile | File pathname |
| Path to a file containing the X.509 trust information to use when connecting to the directory over LDAPS or startTLS. Replaces the deprecated use of <StartTLSTrustCredential> | failFastInitialize | Boolean | false | Whether a failure when verifying the LDAP server's availability during startup is fatal (stops the Attribute Resolver service from starting) | connectTimeout | Duration | PT3S | Time to wait for a connection to be established | responseTimeout | Duration | PT3S | Time to wait for a response before failing | searchTimeLimit | Duration | PT3S | Length of time that a search operation should execute; a value of 0 means execute indefinitely; when the time limit is reached the result will contain any entries returned up to that point | maxResultSize | Integer | 1 | Maximum number of entries to allow in the search result; a value of 0 means all entries are included. Exceeding this value will result in a failure of the connector. | noResultIsError | Boolean | false | Whether an empty result set is an error | multipleResultsIsError | Boolean | false | Whether a result set with more than one result is an error. The example above sets this to true so that a filter matching several entries fails the lookup rather than resolving attributes from one of them. | connectionStrategy | One of ROUND_ROBIN, RANDOM, ACTIVE_PASSIVE | ACTIVE_PASSIVE
| If Multiple URLs were provided as the ldapURL this describes how each URL will be processed. ACTIVE_PASSIVE (default value) - Indicates that the first LDAP URL will be used for every request unless it fails and then the next LDAP URL will be used. ROUND_ROBIN - Indicates that for each new connection the next LDAP url in the list (circling back to the start of the list when the end is reached) will be used RANDOM - Indicates that for each new connection a random LDAP url will be selected
| searchScope | One of SUBTREE, ONELEVEL, OBJECT | SUBTREE
| The scope of the search. SUBTREE: The entire LDAP directory subtree below the search baseDN will be searched. ONELEVEL: Only the immediate children of LDAP object corresponding to the search baseDN will be searched. OBJECT: Only the LDAP object itself is searched.
| derefAliases | One of NEVER, SEARCHING, FINDING, ALWAYS | NEVER | How aliases should be dereferenced. See the Oracle JNDI docs for more details on these options. | followReferrals 4.0.1 | Boolean | false | Whether to follow search referrals and references when they are encountered in search results. | useStartTLS | Boolean | false | Whether to use startTLS when connecting to the LDAP directory | disableHostnameVerification | Boolean | false | Whether to disable checking of the server certificate's name against the LDAP host name during TLS. Leave this at false: with name checking disabled, any certificate that chains to the trust file is accepted for any host, so the directory is no longer authenticated. Only change it if you understand the implications. | authCert | File pathname | | Path to the file containing the X.509 certificate to provide when connecting to the directory over LDAPS or startTLS | authKey | File pathname | | Path to the file containing the private key to provide when connecting to the directory over LDAPS or startTLS | authKeyPassword | String | | Password to use for the private key file | templateEngine | Bean ID | | The ID of a Spring bean defining a org.apache.velocity.app.VelocityEngine | mappingStrategyRef | Bean ID | | The ID of a Spring bean defining a Mapping Strategy (which converts the result of an LDAP search into a list of IdP Attributes). | executableSearchBuilderRef | Bean ID | | The ID of a Spring bean defining an ExecutableSearchBuilder<ExecutableSearchFilter> | validatorRef | Bean ID | | Bean ID of a Validator to control what constitutes an initialization failure if failFastInitialize is not sufficient |
title | Specific XML Elements |
Name | Cardinality | Description |
---|
<FilterTemplate> | 0 or 1 | The template of the search filter to be sent to the LDAP directory server | <ReturnAttributes> | 0 or 1 | A list of attributes to be returned from the LDAP directory server; this may help the server respond more quickly | <BinaryAttributes>
| 0 or 1 | A list of attributes whose values contain binary data and must be base64 encoded; format is a space-delimited list of attribute names, which MUST match the directory source exactly (including case and any LDAP options) | <StartTLSTrustCredential> | 0 or 1 | X.509 trust information to use when connecting to the directory over LDAPS or startTLS, DEPRECATED in favor of the trustFile attribute | <StartTLSAuthenticationCredential> | 0 or 1 | X.509 client authentication information to provide when connecting to the directory over LDAPS or startTLS, DEPRECATED in favor of the authCert , authKey , and authKeyPassword attributes | <ConnectionPool> | 0 or 1 | Describes how the LDAP connection may be pooled | <SASLConfig> 4.0.1 | 0 or 1 | SASL configuration to provide when binding to the directory. | <Column> | 0 or more | Allows for remapping of LDAP Attributes into alternately named IdPAttributes within the resolver | <ResultCache> | 0 or 1 | The definition of how results should be cached | <ResultCacheBean> | The definition of how results should be cached as an externally defined Cache<String,Map<String,IdPAttribute>>, the Spring bean ID of which is supplied as the content of the element |
title | Common XML Attributes |
Include Page |
| DataConnectorCommonAttributes |
Include Page |
| DataConnectorCommonChildElements |
...
Spring Example
title | Example of a springResources file |
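<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example springResources file for the LDAP data connector. In
  attribute-resolver.xml the connector is then declared as
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory" springResources="..."/>
  and each top-level bean below is set on that LDAPDataConnector.

  The XML declaration must be the very first thing in the file (nothing, not
  even a comment, may precede it), which is why this comment follows it.
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- Pooled connection factory: pool sizing/validation plus the underlying
         connection configuration (URL, timeouts, TLS, bind credentials). -->
    <bean class="org.ldaptive.pool.PooledConnectionFactory">
        <property name="connectionPool">
            <!-- blockWaitTime uses the same %{...} placeholder syntax and the same
                 idp.pool.LDAP.* property as the <ConnectionPool> example above;
                 the previous ${connectionPool.blockWaitTime} was inconsistent with
                 every other placeholder in this file. -->
            <bean class="org.ldaptive.pool.BlockingConnectionPool" init-method="initialize"
                  p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime}">
                <constructor-arg index="0">
                    <bean class="org.ldaptive.pool.PoolConfig"
                          p:minPoolSize="%{idp.pool.LDAP.minSize}"
                          p:maxPoolSize="%{idp.pool.LDAP.maxSize}"
                          p:validateOnCheckIn="%{idp.pool.LDAP.validateOnCheckin}"
                          p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout}"
                          p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically}"
                          p:validatePeriod="%{idp.pool.LDAP.validatePeriod}" />
                </constructor-arg>
                <constructor-arg index="1">
                    <bean class="org.ldaptive.DefaultConnectionFactory">
                        <property name="connectionConfig">
                            <!-- NOTE(review): useSSL (LDAPS) and useStartTLS are two different ways
                                 to get TLS on the connection; confirm the properties do not try to
                                 enable both for the same URL. -->
                            <bean class="org.ldaptive.ConnectionConfig" p:ldapUrl="%{idp.attribute.resolver.LDAP.ldapURL}"
                                  p:connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
                                  p:responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
                                  p:useSSL="%{idp.attribute.resolver.LDAP.useSSL}"
                                  p:useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}">
                                <!-- Simple bind as the service DN; the password comes from an IdP
                                     property rather than being written into this file. -->
                                <property name="connectionInitializer">
                                    <bean class="org.ldaptive.BindConnectionInitializer"
                                          p:bindDn="%{idp.attribute.resolver.LDAP.bindDN}"
                                          p:bindCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" />
                                </property>
                                <!-- Trust anchors used to authenticate the directory's certificate,
                                     plus an optional client certificate/key for mutual TLS. Keep
                                     trustCertificates set; without server authentication a TLS
                                     connection only hides the bind password from passive observers. -->
                                <property name="sslConfig">
                                    <bean class="org.ldaptive.ssl.SslConfig">
                                        <property name="credentialConfig">
                                            <bean class="org.ldaptive.ssl.X509CredentialConfig"
                                                  p:trustCertificates="%{idp.attribute.resolver.LDAP.trustCertificates}"
                                                  p:authenticationCertificate="%{idp.attribute.resolver.LDAP.authCertificate}"
                                                  p:authenticationKey="%{idp.attribute.resolver.LDAP.authKey}" />
                                        </property>
                                    </bean>
                                </property>
                            </bean>
                        </property>
                    </bean>
                </constructor-arg>
                <!-- Pooled connections are validated with a cheap search against
                     the validator base DN / filter. -->
                <property name="validator">
                    <bean class="org.ldaptive.pool.SearchValidator">
                        <property name="searchRequest">
                            <bean class="org.ldaptive.SearchRequest">
                                <constructor-arg value="%{idp.pool.LDAP.validatorBaseDN}" />
                                <constructor-arg value="%{idp.pool.LDAP.validatorFilter}" />
                            </bean>
                        </property>
                    </bean>
                </property>
                <!-- Idle connections are closed after idleTime, checked every prunePeriod. -->
                <property name="pruneStrategy">
                    <bean class="org.ldaptive.pool.IdlePruneStrategy"
                          p:prunePeriod="%{idp.pool.LDAP.prunePeriod}"
                          p:idleTime="%{idp.pool.LDAP.idleTime}" />
                </property>
            </bean>
        </property>
    </bean>

    <!-- Search parameters: base DN and the attributes requested from the directory
         (limiting returnAttributes keeps the response small). -->
    <bean class="org.ldaptive.SearchExecutor"
          p:baseDn="%{idp.attribute.resolver.LDAP.baseDN}"
          p:returnAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}" />

    <!-- Result cache: entries expire 10s after last access, at most 25 entries. -->
    <bean id="cacheBuilder" class="com.google.common.cache.CacheBuilder" factory-method="from">
        <constructor-arg value="expireAfterAccess=10s,maximumSize=25" />
    </bean>
    <bean id="cache" class="com.google.common.cache.Cache" factory-bean="cacheBuilder" factory-method="build" />

    <!-- Velocity-templated search filter built per lookup from an IdP property.
         NOTE(review): principal-derived values interpolated into the template are
         untrusted input; confirm how the builder escapes them before customising. -->
    <bean class="net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder"
          p:templateText="%{idp.attribute.resolver.LDAP.searchFilter}" p:velocityEngine-ref="shibboleth.VelocityEngine"
          init-method="initialize" />
</beans>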
...