Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

...

Specific XML Attributes

Each attribute is listed with its name, type, default value (where one is defined) and description.

ldapURL
  Type: Space-delimited list of URLs
  Description: URL(s) of the LDAP server. Each listed URL is tried according to the connectionStrategy.

baseDN
  Type: String
  Description: Base DN from which the LDAP search will be executed.

principal
  Type: String
  Description: Username (service DN) that the connector will use to bind to the LDAP directory.

principalCredential
  Type: String
  Description: Password used to authenticate as the principal (service DN).

lowercaseAttributeNames
  Type: Boolean
  Default: false
  Description: Whether all attribute IDs returned from the LDAP directory should be lower-cased. This can be important because Shibboleth attribute IDs are case-sensitive while LDAP attribute IDs are not.

trustFile
  Type: File pathname
  Description: Path to a file containing the X.509 trust information to use when connecting to the directory over LDAPS or startTLS. Replaces the deprecated use of <StartTLSTrustCredential>.

failFastInitialize
  Type: Boolean
  Default: true
  Description: Whether a failure when verifying the LDAP server's availability during startup is fatal (stops the Attribute Resolver service from starting).

connectTimeout
  Type: Duration
  Default: PT3S
  Description: Time to wait for a connection to be established.

responseTimeout
  Type: Duration
  Default: PT3S
  Description: Time to wait for a response before failing.

searchTimeLimit
  Type: Duration
  Default: PT3S
  Description: Length of time that a search operation may execute; a value of 0 means execute indefinitely. When the time limit is reached, the result will contain any entries returned up to that point.

maxResultSize
  Type: Integer
  Default: 1
  Description: Maximum number of entries to allow in the search result; a value of 0 means include all entries. Exceeding this value will result in a failure of the connector.

noResultIsError
  Type: Boolean
  Default: false
  Description: Whether an empty result set is an error.

multipleResultsIsError
  Type: Boolean
  Default: false
  Description: Whether a result set with more than one result is an error.

connectionStrategy
  Type: One of ROUND_ROBIN, RANDOM, ACTIVE_PASSIVE
  Default: ACTIVE_PASSIVE
  Description: If multiple URLs were provided in ldapURL, this describes how each URL will be used.

  • ACTIVE_PASSIVE (default value): the first LDAP URL is used for every request unless it fails, in which case the next LDAP URL is used.

  • ROUND_ROBIN: for each new connection the next LDAP URL in the list is used (circling back to the start of the list when the end is reached).

  • RANDOM: for each new connection a random LDAP URL is selected.

searchScope
  Type: One of SUBTREE, ONELEVEL, OBJECT
  Default: SUBTREE
  Description: The scope of the search.

  • SUBTREE: the entire LDAP directory subtree below the search baseDN is searched.

  • ONELEVEL: only the immediate children of the LDAP object corresponding to the search baseDN are searched.

  • OBJECT: only the LDAP object itself is searched.

derefAliases
  Type: One of NEVER, SEARCHING, FINDING, ALWAYS
  Default: NEVER
  Description: How aliases should be dereferenced. See the Oracle JNDI documentation for more details on these options.

followReferrals (since 4.0.1)
  Type: Boolean
  Default: false
  Description: Whether to follow search referrals and references when they are encountered in search results.

useStartTLS
  Type: Boolean
  Default: false
  Description: Whether to use startTLS when connecting to the LDAP directory.

disableHostnameVerification
  Type: Boolean
  Default: false
  Description: Whether certificate name checking during TLS is disabled; only change this if you understand the implications.

authCert
  Type: File pathname
  Description: Path to the file containing the X.509 certificate to present when connecting to the directory over LDAPS or startTLS.

authKey
  Type: File pathname
  Description: Path to the file containing the private key to use when connecting to the directory over LDAPS or startTLS.

authKeyPassword
  Type: String
  Description: Password for the private key file.

templateEngine
  Type: Bean ID
  Description: The ID of a Spring bean defining an org.apache.velocity.app.VelocityEngine.

searchExecutorRef (since 4.3)
  Type: Bean ID
  Description: The ID of a Spring bean defining an org.ldaptive.SearchExecutor.

connectionFactoryRef (since 4.3)
  Type: Bean ID
  Description: The ID of a Spring bean defining an org.ldaptive.ConnectionFactory.

mappingStrategyRef
  Type: Bean ID
  Description: The ID of a Spring bean defining a Mapping Strategy (which converts the result of an LDAP search into a list of IdP Attributes).

executableSearchBuilderRef
  Type: Bean ID
  Description: The ID of a Spring bean defining an ExecutableSearchBuilder<ExecutableSearchFilter>.

validatorRef
  Type: Bean ID
  Description: Bean ID of a Validator that controls what constitutes an initialization failure when failFastInitialize is not sufficient.
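As an added example that is not taken from this page or from the Shibboleth project's own samples, the following data connector uses the XML attributes listed above directly, without the Spring wiring shown later. The host names, base DN, bind DN, trust file path and the FilterTemplate, ReturnAttributes and ResultCache child elements (with its expireAfterAccess and maximumSize attributes) are assumptions for illustration; the property idp.attribute.resolver.LDAP.bindDNCredential and the noRetryDelay attribute are the ones this page's Spring example uses.

```xml
<!-- Added example; sits inside the <AttributeResolver> root in the urn:mace:shibboleth:2.0:resolver namespace.
     Hosts, DNs and file paths below are made up. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldap://ldap1.example.org ldap://ldap2.example.org"
    connectionStrategy="ACTIVE_PASSIVE"
    baseDN="ou=people,dc=example,dc=org"
    searchScope="SUBTREE"
    principal="uid=idp-svc,ou=system,dc=example,dc=org"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="true"
    trustFile="%{idp.home}/credentials/ldap-ca.pem"
    disableHostnameVerification="false"
    connectTimeout="PT3S"
    responseTimeout="PT3S"
    searchTimeLimit="PT3S"
    maxResultSize="1"
    noResultIsError="false"
    multipleResultsIsError="true"
    derefAliases="NEVER"
    followReferrals="false"
    lowercaseAttributeNames="true"
    failFastInitialize="true"
    noRetryDelay="PT5M">

    <!-- Velocity search filter; $resolutionContext.principal is the authenticated user name -->
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>

    <!-- Only ask the directory for the attributes the resolver actually needs -->
    <ReturnAttributes>mail displayName</ReturnAttributes>

    <!-- Cache results per principal so a burst of logins does not become a burst of LDAP searches -->
    <ResultCache expireAfterAccess="PT10M" maximumSize="500"/>
</DataConnector>
```

The settings are chosen to fail closed: maxResultSize="1" together with multipleResultsIsError="true" means a filter that matches more than one entry is treated as an error rather than silently attaching the first entry's attributes to the wrong user, useStartTLS="true" with an explicit trustFile keeps the bind credential off the wire in clear text and restricts which server certificates are accepted, and disableHostnameVerification stays at its default of false. lowercaseAttributeNames="true" avoids case mismatches between the directory's attribute names and the case-sensitive IdP attribute IDs that reference them.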

...

Properties

Include Page: VelocityTemplateProperties

Spring Configuration

Note

The springResource and springResourceRef attributes are DEPRECATED as of V4.3 and will not work in V5.

...

Spring Example

Example of a springResources file

Code Block (xml)
<?xml version="1.0" encoding="UTF-8"?>
<!-- In this case the connector definition would be <DataConnector xsi:type="LDAPDirectory" springResources="....." /> -->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <!-- each bean is set on LDAPDataConnector -->
    <bean id="connectionFactory" class="org.ldaptive.pool.PooledConnectionFactory">
        <property name="connectionPool">
            <bean class="org.ldaptive.pool.BlockingConnectionPool" init-method="initialize" p:blockWaitTime="${connectionPool.blockWaitTime}">
                <constructor-arg index="0">
                    <bean class="org.ldaptive.pool.PoolConfig"
                        p:minPoolSize="%{idp.pool.LDAP.minSize}"
                        p:maxPoolSize="%{idp.pool.LDAP.maxSize}"
                        p:validateOnCheckIn="%{idp.pool.LDAP.validateOnCheckin}"
                        p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout}"
                        p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically}"
                        p:validatePeriod="%{idp.pool.LDAP.validatePeriod}" />
                </constructor-arg>
                <constructor-arg index="1">
                    <bean class="org.ldaptive.DefaultConnectionFactory">
                        <property name="connectionConfig">
                            <bean class="org.ldaptive.ConnectionConfig" p:ldapUrl="%{idp.attribute.resolver.LDAP.ldapURL}"
                                p:connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
                                p:responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
                                p:useSSL="%{idp.attribute.resolver.LDAP.useSSL}"
                                p:useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}">
                                <property name="connectionInitializer">
                                    <bean class="org.ldaptive.BindConnectionInitializer"
                                        p:bindDn="%{idp.attribute.resolver.LDAP.bindDN}"
                                        p:bindCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}" />
                                </property>
                                <property name="sslConfig">
                                    <bean class="org.ldaptive.ssl.SslConfig">
                                        <property name="credentialConfig">
                                            <bean class="org.ldaptive.ssl.X509CredentialConfig"
                                                p:trustCertificates="%{idp.attribute.resolver.LDAP.trustCertificates}"
                                                p:authenticationCertificate="%{idp.attribute.resolver.LDAP.authCertificate}"
                                                p:authenticationKey="%{idp.attribute.resolver.LDAP.authKey}" />
                                        </property>
                                    </bean>
                                </property>
                            </bean>
                        </property>
                    </bean>
                </constructor-arg>
                <property name="validator">
                    <bean class="org.ldaptive.pool.SearchValidator">
                        <property name="searchRequest">
                            <bean class="org.ldaptive.SearchRequest">
                                <constructor-arg value="%{idp.pool.LDAP.validatorBaseDN}" />
                                <constructor-arg value="%{idp.pool.LDAP.validatorFilter}" />
                            </bean>
                        </property>
                    </bean>
                </property>
                <property name="pruneStrategy">
                    <bean class="org.ldaptive.pool.IdlePruneStrategy"
                        p:prunePeriod="%{idp.pool.LDAP.prunePeriod}"
                        p:idleTime="%{idp.pool.LDAP.idleTime}" />
                </property>
            </bean>
        </property>
    </bean>

    <bean id="searchExecutor" class="org.ldaptive.SearchExecutor"
        p:baseDn="%{idp.attribute.resolver.LDAP.baseDN}"
        p:returnAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}" />

    <bean id="cacheBuilder" class="com.google.common.cache.CacheBuilder" factory-method="from">
        <constructor-arg value="expireAfterAccess=10s,maximumSize=25" />
    </bean>

    <bean id="cache" class="com.google.common.cache.Cache" factory-bean="cacheBuilder" factory-method="build" />

    <bean id="searchBuilder" class="net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder"
        p:templateText="%{idp.attribute.resolver.LDAP.searchFilter}" p:velocityEngine-ref="shibboleth.VelocityEngine"
        init-method="initialize" />

    <!-- Converts the LDAP search result into IdP attributes, renaming homephone to phonenumber -->
    <bean id="mappings" class="net.shibboleth.idp.attribute.resolver.dc.ldap.StringAttributeValueMappingStrategy"
        p:noResultAnError="true" p:multipleResultsAnError="true">
        <property name="resultRenamingMap">
            <map>
                <entry key="homephone" value="phonenumber" />
            </map>
        </property>
    </bean>

    <!-- Startup validator: a failed test connection is fatal when throwValidateError is true -->
    <bean id="validator" class="net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator"
        p:connectionFactory-ref="connectionFactory" p:throwValidateError="true" />
</beans>
Data connector using the deprecated springResources attribute

Code Block (xml)
<DataConnector id="myLDAP" xsi:type="LDAPDirectory" noRetryDelay="PT5M" springResources="%{idp.home}/conf/ldap-attribute-resolver-spring-context.xml"/>
Data connector using the bean references

Code Block (xml)
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        executableSearchBuilderRef="searchBuilder"
        noRetryDelay="PT5M"
        mappingStrategyRef="mappings"
        connectionFactoryRef="connectionFactory"
        searchExecutorRef="searchExecutor"
        validatorRef="validator">
    <ResultCache cacheManagerRef="cache"/>
</DataConnector>