...
Property | Type | Default Authn Property | Function |
---|---|---|---|
idp.attribute.resolver.LDAP.ldapURL | URL | idp.authn.LDAP.ldapURL | Connection URL for the LDAP directory |
idp.attribute.resolver.LDAP.baseDN | String | idp.authn.LDAP.baseDN | Base DN to search against |
idp.attribute.resolver.LDAP.bindDN | String | idp.authn.LDAP.bindDN | DN to bind as before performing the search |
idp.attribute.resolver.LDAP.bindDNCredential | String | idp.authn.LDAP.bindDNCredential | Password to bind with before performing the search |
idp.attribute.resolver.LDAP.useStartTLS | Boolean | idp.authn.LDAP.useStartTLS (defaults to true) | Whether StartTLS should be negotiated immediately after connecting to the LDAP server |
idp.attribute.resolver.LDAP.trustCertificates | Resource | idp.authn.LDAP.trustCertificates | A resource to load trust anchors from, usually a local file in %{idp.home}/credentials |
idp.attribute.resolver.LDAP.connectTimeout | Integer (milliseconds) or Duration (3.3+) | idp.authn.LDAP.connectTimeout (defaults to PT3S) | Connection timeout |
idp.attribute.resolver.LDAP.responseTimeout (3.3+) | Duration | idp.authn.LDAP.responseTimeout (defaults to PT3S) | Time to wait for a response |
...
Name | Req? | Type | Default | Description |
---|---|---|---|---|
Commonly Used Attributes | | | | |
ldapURL | Y | Space-delimited list of URLs | | URL(s) of the LDAP server. Each listed URL is tried according to the |
baseDN | Y | String | | Base DN from which the LDAP search will be executed |
principal | Y | String | | DN of the service account the connector binds as before performing the search |
principalCredential | Y | String | | Password used to authenticate as the principal (service DN) |
 | N | Boolean | false | Whether all attribute IDs returned from the LDAP should be lower-cased. This matters because Shibboleth attribute IDs are case-sensitive while LDAP attribute IDs are not |
trustFile (3.3+) | N | String (filename) | | Path to a file containing the X.509 trust anchors to use when connecting to the directory over LDAPS or StartTLS. Replaces the deprecated <StartTLSTrustCredential> element |
Other Attributes | | | | |
 | N | One of ROUND_ROBIN, DEFAULT, RANDOM, ACTIVE_PASSIVE | ACTIVE_PASSIVE | If multiple URLs were provided in ldapURL, how each URL will be tried |
 | N | One of DIGEST_MD5, CRAM_MD5, GSSAPI | | SASL mechanism to use for the bind operation |
 | N | One of SUBTREE, ONELEVEL, OBJECT | SUBTREE | The scope of the search |
derefAliases (3.4.5+) | N | One of NEVER, SEARCHING, FINDING, ALWAYS | NEVER | How aliases should be dereferenced. See the Oracle JNDI docs for details on these options |
useStartTLS | N | Boolean | false | Whether to negotiate StartTLS when connecting to the LDAP server |
 | N | Number of milliseconds | 3000 | Length of time a search operation may execute; 0 means no limit; when the limit is reached the result contains any entries returned up to that point |
 | N | Integer | 1 | Maximum number of entries to include in the search result; 0 means include all entries |
 | N | Boolean | false | Whether an empty result set is an error |
 | N | Boolean | false | Whether a result set with more than one result is an error |
 | N | Bean ID | | The ID of a Spring bean defining an org.apache.velocity.app.VelocityEngine |
 | N | Bean ID | | The ID of a Spring bean defining a MappingStrategy<org.ldaptive.SearchResult> |
executableSearchBuilderRef (3.4+) | N | Bean ID | | The ID of a Spring bean defining an ExecutableSearchBuilder<ExecutableSearchFilter> |
validatorRef (3.2+) | N | Bean ID | | Bean ID of a Validator controlling what constitutes an initialization failure (set to "shibboleth.NonFailFastValidator" to skip the connection attempt at configuration load time) |
connectTimeout | N | Integer (milliseconds) or Duration (3.3+) | 3000 (PT3S) | Connection timeout |
responseTimeout | N | Duration | PT3S | Time to wait for a response |
authCert (3.4+) | N | String (filename) | | Path to the file containing the X.509 client certificate to present when connecting to the directory over LDAPS or StartTLS |
authKey (3.4+) | N | String (filename) | | Path to the file containing the private key matching authCert |
authKeyPassword (3.4+) | N | String | | Password protecting the authKey file |
Deprecated Attributes | | | | |
 | | | | Use the <ConnectionPool> element |
 | | | | Use the <ConnectionPool> element |
...
Name | Cardinality | Description |
---|---|---|
 | 0 or 1 | The template of the search filter to be sent to the LDAP directory server |
 | 0 or 1 | A list of attributes to be returned from the LDAP directory server; restricting this may help the server respond more quickly |
<BinaryAttributes> (3.4.5+) | 0 or 1 | A space-delimited list of attribute names whose values contain binary data and must be base64-encoded |
 | 0 or more | Custom LDAP configuration properties |
<StartTLSTrustCredential> | 0 or 1 | X.509 trust information to use when connecting to the directory over LDAPS or StartTLS; DEPRECATED in favor of the trustFile attribute |
 | 0 or 1 | X.509 client authentication credential to present when connecting to the directory over LDAPS or StartTLS; DEPRECATED in favor of the authCert, authKey and authKeyPassword attributes |
<ConnectionPool> | 0 or 1 | Describes how the LDAP connection may be pooled |
 | 0 or more | Allows remapping of LDAP attributes into differently named IdPAttributes within the resolver |
 | 0 or 1 | The definition of how results should be cached |
 | | The definition of how results should be cached as an externally defined com.google.common.cache.Cache<String,Map<String,IdPAttribute>>; the Spring bean ID is supplied as the content of the element |
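As an added example (not taken from the Shibboleth documentation or distribution), the two tables above put together in a v3 attribute-resolver.xml fragment, with a weak connector beside a hardened one. Hostnames, DNs, the service account, file names, the password and the returned attribute names are invented; ldapURL, baseDN, principal, principalCredential, useStartTLS, trustFile, connectTimeout and responseTimeout are the attributes listed above, and the %{...} placeholders are the idp.attribute.resolver.LDAP.* properties from the first table. multipleResultsIsError is my name for the "result set with more than one result is an error" attribute as it appears in the v3 schema, not a name this page shows, so check it against your schema before relying on it.

```xml
<!-- Added example, not from the Shibboleth project. Two LDAPDirectory data
     connectors side by side. Every host, DN, file name and attribute below
     is invented for illustration. -->
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <!-- WEAK. Cleartext ldap:// with StartTLS explicitly off, so the bind
         password and every resolved attribute value cross the network in
         the clear and a network attacker can answer as the directory; the
         password is pasted into this file instead of a property; a filter
         that matches more than one entry silently uses the first hit
         (the "more than one result" check is false by default). -->
    <DataConnector id="ldapWeak" xsi:type="LDAPDirectory"
        ldapURL="ldap://ldap.example.org"
        baseDN="ou=people,dc=example,dc=org"
        principal="cn=idp,ou=services,dc=example,dc=org"
        principalCredential="hunter2"
        useStartTLS="false">
        <FilterTemplate>
            <![CDATA[(uid=$resolutionContext.principal)]]>
        </FilterTemplate>
    </DataConnector>

    <!-- HARDENED. URL, DNs and password come from ldap.properties via the
         idp.attribute.resolver.LDAP.* properties, which fall back to the
         idp.authn.LDAP.* values; StartTLS is read from the property with a
         :true fallback because the bare XML attribute defaults to false;
         trustFile pins the server certificate to a local anchor file;
         explicit timeouts keep a stalled directory from hanging resolution;
         multipleResultsIsError (assumed attribute name, see lead-in) turns
         an ambiguous match into a failure instead of a silent guess. -->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout:PT3S}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout:PT3S}"
        multipleResultsIsError="true">
        <FilterTemplate>
            <![CDATA[(uid=$resolutionContext.principal)]]>
        </FilterTemplate>
        <!-- Ask only for what the resolver needs; the directory answers
             faster and nothing extra lands in the IdP's attribute set. -->
        <ReturnAttributes>uid mail displayName</ReturnAttributes>
    </DataConnector>
</AttributeResolver>
```

Two caveats worth checking in your own deployment. First, the default mismatch above: useStartTLS as an XML attribute defaults to false when omitted, while the idp.attribute.resolver.LDAP.useStartTLS property defaults to true, so a connector that hard-codes the attribute or drops the :true fallback can quietly lose TLS. Second, with an ldaps:// URL StartTLS is not needed, but trustFile (or the deprecated <StartTLSTrustCredential>) still is, otherwise the server certificate is checked only against the JVM default trust store.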
Externally (Spring) Defined Content
...
In practice, the data connector may be supplied with Spring-defined beans of the following types:

- org.ldaptive.ConnectionFactory
- org.ldaptive.SearchExecutor
- com.google.common.cache.Cache<String,Map<String,IdPAttribute>>
- Validator
- MappingStrategy<SearchResult>
- ExecutableSearchBuilder<ExecutableSearchFilter>