Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
Specific XML Attributes
Name | Type | Default | Description
---|---|---|---
ldapURL | Space-delimited list of URLs | | URL(s) of the LDAP server. Each listed URL is tried according to the connectionStrategy.
baseDN | String | | Base DN from which the LDAP search will be executed.
principal | String | | Username (service DN) that the connector uses to bind to the LDAP directory.
principalCredential | String | | Password used to authenticate as the principal (service DN).
lowercaseAttributeNames | Boolean | false | Whether all attribute IDs returned from LDAP should be lower-cased. This can matter because Shibboleth attribute IDs are case-sensitive while LDAP attribute IDs are not.
trustFile | File pathname | | Path to a file containing the X.509 trust information to use when connecting to the directory over LDAPS or startTLS. Replaces the deprecated use of `<StartTLSTrustCredential>`.
failFastInitialize | Boolean | true | Whether a failure when verifying the LDAP server's availability during startup is fatal (stops the Attribute Resolver service from starting).
connectTimeout | Duration | PT3S | Time to wait for a connection to be established.
responseTimeout | Duration | PT3S | Time to wait for a response before failing.
searchTimeLimit | Duration | PT3S | Length of time a search operation may execute; a value of 0 means no limit. When the time limit is reached, the result contains any entries returned up to that point.
maxResultSize | Integer | 1 | Maximum number of entries allowed in the search result; a value of 0 means include all entries. Exceeding this value results in a failure of the connector.
noResultIsError | Boolean | false | Whether an empty result set is an error.
multipleResultsIsError | Boolean | false | Whether a result set with more than one result is an error.
connectionStrategy | One of ROUND_ROBIN, RANDOM, ACTIVE_PASSIVE | ACTIVE_PASSIVE | How the URLs in ldapURL are used when more than one is given. ACTIVE_PASSIVE (default): the first URL is used for every request unless it fails, in which case the next URL is used. ROUND_ROBIN: each new connection uses the next URL in the list, circling back to the start when the end is reached. RANDOM: each new connection uses a randomly selected URL.
searchScope | One of SUBTREE, ONELEVEL, OBJECT | SUBTREE | Scope of the search. SUBTREE: the entire directory subtree below the baseDN is searched. ONELEVEL: only the immediate children of the object at the baseDN are searched. OBJECT: only the object at the baseDN itself is searched.
derefAliases | One of NEVER, SEARCHING, FINDING, ALWAYS | NEVER | How aliases are dereferenced. See the Oracle JNDI documentation for details on these options.
followReferrals (4.0.1) | Boolean | false | Whether to follow search referrals and references when they are encountered in search results.
useStartTLS | Boolean | false | Whether to use startTLS when connecting to the LDAP server.
disableHostnameVerification | Boolean | false | Whether to disable certificate hostname verification during TLS. Only change this if you understand the implications: without name checking, any certificate chaining to a trusted issuer is accepted for any host.
authCert | File pathname | | Path to the file containing the X.509 certificate to present when connecting to the directory over LDAPS or startTLS.
authKey | File pathname | | Path to the file containing the private key to use when connecting to the directory over LDAPS or startTLS.
authKeyPassword | String | | Password for the private key file.
templateEngine | Bean ID | | ID of a Spring bean defining an org.apache.velocity.app.VelocityEngine.
searchExecutorRef (4.3) | Bean ID | | ID of a Spring bean defining an org.ldaptive.SearchExecutor.
connectionFactoryRef (4.3) | Bean ID | | ID of a Spring bean defining an org.ldaptive.ConnectionFactory.
mappingStrategyRef | Bean ID | | ID of a Spring bean defining a Mapping Strategy (which converts the result of an LDAP search into a list of IdP Attributes).
executableSearchBuilderRef | Bean ID | | ID of a Spring bean defining an ExecutableSearchBuilder<ExecutableSearchFilter>.
validatorRef | Bean ID | | ID of a Validator bean controlling what constitutes an initialization failure when failFastInitialize is not sufficient.
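The transport attributes in the table (ldapURL, useStartTLS, trustFile, disableHostnameVerification, authCert/authKey) interact: a plain ldap:// URL without useStartTLS sends principalCredential in the clear on every bind, a mix of ldap:// and ldaps:// URLs lets a connectionStrategy failover silently downgrade the transport, and disableHostnameVerification="true" accepts any certificate from a trusted issuer for any host. The script below is an added example, not code from the Shibboleth project: it parses DataConnector definitions in the urn:mace:shibboleth:2.0:resolver namespace and flags those combinations. The two connector definitions embedded in it are constructed for illustration; the hostnames, DNs, file paths and finding codes are assumptions, and the property references follow the %{...} convention used in the Spring example further down.

```python
"""Audit LDAPDirectory DataConnector definitions for weak transport settings.

Added example, not part of the Shibboleth IdP. It reads the XML attributes
documented in the table above and reports combinations that expose the bind
credential or weaken server authentication.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def _is_true(value):
    """Shibboleth boolean attributes default to false when absent."""
    return (value or "false").strip().lower() == "true"


def audit_connector(dc):
    """Return finding codes (assumed names) for one LDAPDirectory DataConnector."""
    findings = []
    urls = dc.get("ldapURL", "").split()          # space-delimited list
    start_tls = _is_true(dc.get("useStartTLS"))
    schemes = {urlsplit(u).scheme.lower() for u in urls}

    if not urls:
        findings.append("NO_LDAP_URL")
    if "ldap" in schemes and not start_tls:
        # Simple bind over ldap:// without startTLS: principalCredential in cleartext.
        findings.append("CLEARTEXT_BIND")
    if "ldaps" in schemes and start_tls:
        # startTLS negotiation on an already TLS-wrapped ldaps:// connection cannot succeed.
        findings.append("STARTTLS_ON_LDAPS")
    if len(schemes) > 1:
        # connectionStrategy failover may land on a URL with a weaker transport.
        findings.append("MIXED_SCHEMES")
    if _is_true(dc.get("disableHostnameVerification")):
        # Chain validation only: any cert from a trusted issuer is accepted for any host.
        findings.append("HOSTNAME_VERIFICATION_DISABLED")
    tls_in_use = "ldaps" in schemes or start_tls
    if tls_in_use and not dc.get("trustFile"):
        # No explicit trust anchor: relies on whatever the JVM default trust store holds.
        findings.append("NO_TRUST_FILE")
    if bool(dc.get("authKey")) != bool(dc.get("authCert")):
        # Client certificate auth needs both the certificate and its private key.
        findings.append("INCOMPLETE_CLIENT_CERT")
    return findings


def audit_resolver(xml_text):
    """Map each LDAPDirectory connector id in the document to its finding codes."""
    root = ET.fromstring(xml_text)
    results = {}
    for dc in root.iter("{%s}DataConnector" % RESOLVER_NS):
        # xsi:type may be written as "LDAPDirectory" or prefixed, e.g. "resolver:LDAPDirectory".
        if dc.get(XSI_TYPE, "").split(":")[-1] == "LDAPDirectory":
            results[dc.get("id")] = audit_connector(dc)
    return results


# Constructed sample: one weak and one hardened connector (hostnames, DNs and paths are made up).
SAMPLE_RESOLVER = """<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="weakLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldap://ldap1.example.org ldaps://ldap2.example.org"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="changeit"
      disableHostnameVerification="true"/>
  <DataConnector id="goodLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldaps://ldap1.example.org ldaps://ldap2.example.org"
      connectionStrategy="ACTIVE_PASSIVE"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
      trustFile="%{idp.home}/credentials/ldap-server.crt"/>
</AttributeResolver>
"""

if __name__ == "__main__":
    for connector_id, codes in audit_resolver(SAMPLE_RESOLVER).items():
        print(connector_id, "->", ", ".join(codes) or "no findings")
```

Run it against a real attribute-resolver.xml by passing the file contents to audit_resolver(); the checks are deliberately limited to what the attribute table specifies, so a clean result means only that the transport settings are consistent, not that the directory itself is configured securely.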
The Velocity template properties are documented on the included page VelocityTemplateProperties.
Spring Configuration
Note: The springResources and springResourceRef attributes are DEPRECATED in V4.3 and will not work in V5.
Spring Example
Example of a springResources file:

<?xml version="1.0" encoding="UTF-8"?>
<!-- In this case the definition would be <DataConnector xsi:type="LDAPDirectory" springResources="....." /> -->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- each bean is set on LDAPDataConnector -->
<!-- Pooled connection factory: pool sizing, validation and TLS settings come from ldap.properties -->
<bean id="connectionFactory" class="org.ldaptive.pool.PooledConnectionFactory">
<property name="connectionPool">
<bean class="org.ldaptive.pool.BlockingConnectionPool" init-method="initialize" p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime}">
<constructor-arg index="0">
<bean class="org.ldaptive.pool.PoolConfig"
p:minPoolSize="%{idp.pool.LDAP.minSize}"
p:maxPoolSize="%{idp.pool.LDAP.maxSize}"
p:validateOnCheckIn="%{idp.pool.LDAP.validateOnCheckin}"
p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout}"
p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically}"
p:validatePeriod="%{idp.pool.LDAP.validatePeriod}" />
</constructor-arg>
<constructor-arg index="1">
<bean class="org.ldaptive.DefaultConnectionFactory">
<property name="connectionConfig">
<bean class="org.ldaptive.ConnectionConfig" p:ldapUrl="%{idp.attribute.resolver.LDAP.ldapURL}"
p:connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
p:responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
p:useSSL="%{idp.attribute.resolver.LDAP.useSSL}"
p:useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}">
<!-- Bind as the service DN once per new connection -->
<property name="connectionInitializer">
<bean class="org.ldaptive.BindConnectionInitializer"
p:bindDn="%{idp.attribute.resolver.LDAP.bindDN}"
p:bindCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" />
</property>
<!-- Trust anchor for the directory's certificate and optional client certificate -->
<property name="sslConfig">
<bean class="org.ldaptive.ssl.SslConfig">
<property name="credentialConfig">
<bean class="org.ldaptive.ssl.X509CredentialConfig"
p:trustCertificates="%{idp.attribute.resolver.LDAP.trustCertificates}"
p:authenticationCertificate="%{idp.attribute.resolver.LDAP.authCertificate}"
p:authenticationKey="%{idp.attribute.resolver.LDAP.authKey}" />
</property>
</bean>
</property>
</bean>
</property>
</bean>
</constructor-arg>
<!-- Pooled connections are checked with a search before/after use -->
<property name="validator">
<bean class="org.ldaptive.pool.SearchValidator">
<property name="searchRequest">
<bean class="org.ldaptive.SearchRequest">
<constructor-arg value="%{idp.pool.LDAP.validatorBaseDN}" />
<constructor-arg value="%{idp.pool.LDAP.validatorFilter}" />
</bean>
</property>
</bean>
</property>
<property name="pruneStrategy">
<bean class="org.ldaptive.pool.IdlePruneStrategy"
p:prunePeriod="%{idp.pool.LDAP.prunePeriod}"
p:idleTime="%{idp.pool.LDAP.idleTime}" />
</property>
</bean>
</property>
</bean>
<bean id="searchExecutor" class="org.ldaptive.SearchExecutor"
p:baseDn="%{idp.attribute.resolver.LDAP.baseDN}"
p:returnAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}" />
<bean id="cacheBuilder" class="com.google.common.cache.CacheBuilder" factory-method="from">
<constructor-arg value="expireAfterAccess=10s,maximumSize=25" />
</bean>
<bean id="cache" class="com.google.common.cache.Cache" factory-bean="cacheBuilder" factory-method="build" />
<bean id="searchBuilder" class="net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder"
p:templateText="%{idp.attribute.resolver.LDAP.searchFilter}" p:velocityEngine-ref="shibboleth.VelocityEngine"
init-method="initialize" />
<bean id="mappings" class="net.shibboleth.idp.attribute.resolver.dc.ldap.StringAttributeValueMappingStrategy"
p:noResultAnError="true" p:multipleResultsAnError="true">
<property name="resultRenamingMap">
<map>
<entry key="homephone" value="phonenumber" />
</map>
</property>
</bean>
<bean id="validator" class="net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator"
p:connectionFactory-ref="connectionFactory" p:throwValidateError="true" />
</beans>
Data connector using the deprecated springResources attribute:

<DataConnector id="myLDAP" xsi:type="LDAPDirectory" noRetryDelay="PT5M" springResources="%{idp.home}/conf/ldap-attribute-resolver-spring-context.xml"/>
Data connector using the bean references:

<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
executableSearchBuilderRef="searchBuilder"
noRetryDelay="PT5M"
mappingStrategyRef="mappings"
connectionFactoryRef="connectionFactory"
searchExecutorRef="searchExecutor"
validatorRef="validator">
<ResultCache cacheManagerRef="cache"/>
</DataConnector>